SOHOpelessly Broken, the contest that tested router security and was run as part of the DEFCON hacker conference has announced the winner. The winner: Craig Young of security firm TripWire uncovered 11 of the 15 vulnerabilities that were found as a part of the contest. The real winners: hopefully all of us as the contest brought attention to the significant problems with SOHO routers. What happens from here is anyone’s guess.
The contest challenged contestants to demonstrate vulnerabilities and break into several routers:
- Linksys EA6500 [Version 188.8.131.52196]
- ASUS RT-AC66U (HW Ver. A2) [Version 184.108.40.206.266]
- TRENDnet TEW-812DRU (H/W: v1.0R) [Version 220.127.116.11]
- Netgear Centria WNDR4700 [Version V18.104.22.168]
- Netgear WNR3500U/WNR3500L [Version V22.214.171.124_35.0.53N]
- TP-Link TL-WR1043ND (Ver. 1.10) [Version 3.13.12 Build 120405 Rel.33996n]
- D-Link DIR-865L (HW Ver. A1) [Version 1.03]
- Belkin N900 DB (Model: F9K1104v1) [Version 1.00.23]
- EFF Open Wireless Router [Details forthcoming]
Of these routers, the ASUS RT-AC66U, Netgear Centria WNDR4700; Belkin N900, and TRENDnet TEW-812DRU were fully compromised. The D-Link DIR-865L was also compromised, although with an older version of the firmware than the contest specified. The vulnerability that was found has been patched in more recent firmware builds. There was also a full compromise demonstrated against an Actiontec gateway which is interesting as this device is widely distributed by Verizon. Despite the fact that the Actiontec device was not an official part of the contest, points were still awarded to the contestant who found the vulnerabilities.
The devices that came out of the contest unscathed should be proud, although with some level of humility. Not finding any vulnerabilities certainly does not prove that they aren’t there, and some people have even speculated that they weren’t attacked simply because the contestants could not easily find the devices with the necessary firmware.
In any case, we hope that the organizers of this event really proved their point. The true effects of this event will hopefully be seen in the near future.