DEF CON SOHOpelessly Broken Router Hacking Contest

Young said the routers largely lacked any form of authentication happening on the server; instead the routers were doing password authentication in the browser. Compromising password hashes wasn’t much of a barrier for the contestants, or for hackers in the wild.

Source: DEF CON SOHOpelessly Broken Router Hacking Contest | Threatpost

Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.

This is why the admin interface of a SOHO router should be reachable only from the LAN side, never from the WAN side. Making admin changes should be a rare event. One of the most damaging things a malicious actor can do is point DNS requests at a server they control, letting them divert all LAN traffic wherever they want. Devices typically get their DNS server address along with an IP address when they obtain a lease from the router via DHCP.

Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica

The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.

Home Routers Pose Biggest Consumer Cyberthreat

Of the small-office, home-office routers evaluated, every one could be compromised with relative ease by hijacking DNS connections, exploiting HTTPS flaws, weaknesses in Universal Plug and Play services, cross-site-scripting attacks, file-traversal and source-code vulnerabilities, weaknesses in WiFi Protected Setup (WPS), buffer overflows or simply bypassing authentication requirements.

via Home Routers Pose Biggest Consumer Cyberthreat.

During late 2013 and early 2014, gangs of Polish hackers have robbed thousands of consumers by attacking home routers and changing DNS settings so they point at the attackers’ DNS servers rather than legitimate servers.

DNS is a big problem. Usually devices behind a SOHO router receive their DNS settings from the router via DHCP. The owner configures the router with the DNS servers from their ISP, or with a public resolver such as Google’s 8.8.8.8. A user on their own home network expects a higher level of security than on the open wifi people use on the road.

The simplest remedy is to never allow router management access from the Internet. This is usually turned off by default. Routers should be set and forget, so using the maintenance interface should be a rare occurrence. The TP-LINK issue outlined here requires the user to click a malicious link while in a management session, according to this:

Attack Requirements

  • The victim must have an active management session with the WR1043N.
  • The victim must be fooled into performing an action (e.g., by clicking an attacker-provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

Here again the user gets tricked into becoming compromised, so this wouldn’t be a problem if the user simply entered the management interface of the router, made the changes, and logged out. There’s no point lingering in a management session.

A dedicated physical firewall sitting between the Internet and the LAN, with all routers treated as dumb access points, adds a layer of security. All SOHO routers are relatively cheap embedded devices, and it is impractical to expect them to defend against every possible exploit. By virtue of being on the Internet, everyone gets constantly scanned by bots. That only becomes a problem if a bot sees a vulnerability and phones home, listing your device as a possible target.

Hacking and Rooting SOHO Home Routers

In a previous report, we released a list of SOHO router vulnerabilities and showed proof-of-concept (PoC) attack code for how to exploit them. For many of these routers, those PoCs operated through the main web-based interface. In this follow-up study, we addressed only the extraneous, non-router services that were present on the routers. What we found was that of the 10 routers reviewed, all 10 could be compromised from the (wireless) LAN once a router had USB attached storage connected.

via Hacking and Rooting SOHO Home Routers.

This is hardly surprising. Currently I only use SOHO routers as dumb wifi access points and that’s it. I don’t know why anyone would want to make one of these cheaply built devices into some kind of NAS.

Cisco Exits The Consumer Market As It Sells Linksys To Belkin

This should be a relatively smooth transition that won’t affect current customers: Belkin says it will honor all valid warranties for current and future Linksys products. After the transaction closes, Belkin will account for approximately 30 percent of the US retail home and small business networking market.

via Cisco Exits The Consumer Market As It Sells Linksys To Belkin.

These cheap home routers have become commodities. As far as I know Belkin makes a decent product. Cisco tried to require its home router users to be managed by its cloud platform and after that debacle it seemed all downhill from there for them. If possible I prefer to use a real Linux box running real iptables as a gateway, using these wifi home routers as access points.
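For the Linux-box-with-iptables gateway mentioned here, and the earlier point that router management must never be reachable from the Internet, the following is an added example, not code from this post or from any router vendor: a POSIX shell script that generates an iptables-restore ruleset keeping management LAN-only, logging WAN-side management attempts, and forcing every LAN DNS query to the gateway's own resolver. It assumes eth0 as WAN, eth1 as LAN on 192.168.1.0/24, and a DHCP server plus DNS resolver (e.g. dnsmasq) running on the gateway at 192.168.1.1.

```shell
#!/bin/sh
# Added example (not from the post or any vendor): generate iptables rules for
# a Linux gateway sitting in front of SOHO routers used as dumb access points.
# Assumed layout: WAN on eth0, LAN on eth1 as 192.168.1.0/24, gateway at
# 192.168.1.1 running DHCP and a DNS resolver for the LAN (all overridable).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
GW_IP="${GW_IP:-192.168.1.1}"

# Emit an iptables-restore ruleset. SSH/HTTPS management is accepted only from
# the LAN interface; the same ports on the WAN side are rate-limit logged and
# dropped. LAN DNS (UDP/TCP 53) is DNAT'ed to the gateway's resolver, so a
# device or router whose DNS setting was tampered with still gets honest answers.
gen_gateway_rules() {
    wan="$1"; lan="$2"; lan_net="$3"; gw_ip="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${lan} -s ${lan_net} -p tcp -m multiport --dports 22,443 -j ACCEPT
-A INPUT -i ${lan} -s ${lan_net} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${lan} -s ${lan_net} -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${lan} -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ${wan} -p tcp -m multiport --dports 22,80,443 -m limit --limit 6/min -j LOG --log-prefix "WAN-MGMT-ATTEMPT: "
-A INPUT -i ${wan} -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${lan} -p udp --dport 53 ! -d ${gw_ip} -j DNAT --to-destination ${gw_ip}:53
-A PREROUTING -i ${lan} -p tcp --dport 53 ! -d ${gw_ip} -j DNAT --to-destination ${gw_ip}:53
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset for review; apply on the gateway with:
#   gen_gateway_rules eth0 eth1 192.168.1.0/24 192.168.1.1 | iptables-restore
gen_gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$GW_IP"
```

The DHCP rule matches source port 68 rather than the LAN subnet because a client's initial DISCOVER is sent from 0.0.0.0; the LOG line is what to watch for when checking whether anything on the Internet is probing the management ports.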