3:00 PM -- In the wake of two fairly bad stories about cross-site request forgeries (CSRF), there's a new challenge on the wind: Hack your home router! The catalysts for this challenge were some recent real-world CSRF-based attacks -- a user's domain being compromised due to a hole in Gmail, and Mexican banking customers' credentials getting stolen after their routers were compromised.
Ronald van den Heetkamp (a hacker based out of the Netherlands) has recently published a new router security challenge on the sla.ckers.org Web board. He's looking for the nastiest bugs in home DSL routers and cable modems, which are in almost every household with broadband access. The challenge has also spilled onto other sites, where people have already begun to post serious issues in common routers like the Linksys WRT300N and the Belkin F5D7230-4.
And the challenge has only been running for three days.
One issue in the Linksys router, for instance, could allow an attacker to completely compromise the device and change its settings to the attacker's DNS server, or add machines into the demilitarized zone (DMZ) -- even without knowing the targeted router's password. This is a similar flaw to the one found in the routers used in the Mexican bank pharming attack. (For the uninitiated, pharming is similar to phishing, except that it often requires actual desktop or DNS-based compromises to send people to the wrong site.) Both of these types of attacks are initiated via CSRF, and all it would take is for the victim to visit a Website under the attacker's control, or a site that allows HTML-based, user-submitted content (think social networking sites).
Why are these home routers so flawed? The people developing the hardware often don't have experience in building secure Web applications, and almost all modern routers have a Web-based administration console, which provides ease of use for the home user. Unfortunately, that combination of factors makes these devices especially easy to exploit.
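As an added illustration (not code from any router vendor or from the challenge), here is the server-side check a Web administration console needs before it accepts a settings change: a same-origin test plus a per-session anti-CSRF token. The admin address, secret, session ID, and form field names are assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from any real router firmware.
ADMIN_ORIGINS = {"http://192.168.1.1"}
SECRET = b"per-device-random-secret"
STATE_CHANGING = {"POST"}

def csrf_token(session_id, secret=SECRET):
    """Per-session token that a page on another origin cannot read or guess."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers):
    """True only if Origin (or Referer as fallback) is the admin console itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sends neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in ADMIN_ORIGINS

def allow_settings_change(method, headers, form, session_id):
    """Decide whether a request may change DNS, DMZ or other settings."""
    if method not in STATE_CHANGING or not session_id:
        return False  # no changes via GET, none without a logged-in session
    if not same_origin(headers):
        return False  # request was triggered by a page on another site
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(supplied, csrf_token(session_id).encode())

def demo():
    """Run three constructed requests through the check."""
    sid = "session-1234"
    legit = allow_settings_change(
        "POST", {"Origin": "http://192.168.1.1"},
        {"dns1": "192.0.2.53", "csrf_token": csrf_token(sid)}, sid)
    forged_post = allow_settings_change(
        "POST", {"Origin": "http://forum.example"}, {"dns1": "203.0.113.7"}, sid)
    forged_get = allow_settings_change(
        "GET", {"Referer": "http://forum.example/post/1"}, {"dns1": "203.0.113.7"}, sid)
    return legit, forged_post, forged_get

if __name__ == "__main__":
    print(demo())
```

Only the request that originates from the console's own page and carries the session's token is accepted; the two requests triggered from another site are refused even though the browser holds a valid session.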
Meanwhile, the home router hacking contest lasts until February 29. If you have broadband Internet access, expect to see some upgrades in your router firmware next month.
RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading