LAS VEGAS—During his keynote and a press conference that followed here at the Black Hat information security conference, In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers. The inexpensive Wi-Fi routers commonly used for home Internet access—which are rarely patched by their owners—are an easy target for hackers, Geer said, and could be used to construct a botnet that "could probably take down the Internet." Asked by Ars if he considered home routers to be the equivalent of critical infrastructure as a security priority, he answered in the affirmative.
Geer spoke about the threat posed by home routers in advance of "SOHOpelessly Broken," a router hacking contest scheduled for the DEF CON security conference later this week sponsored by the Electronic Frontier Foundation. "Because they are so cheap, you can get a low-end router for less than 20 bucks that hasn't been updated in a while," Geer explained.
Attackers could identify vulnerabilities in particular models and then scan the Internet for devices whose responses match those models' fingerprints. "They can then build botnets on the exterior of the network—the routing that it does is only on the side facing ISPs," he said. "If I can build a botnet on the outside of the routers, I could probably take down the Internet."
During his keynote, Geer had said that inexpensive routers were an example of the security risk of the "Internet of Things," because of their use of long-lived embedded software with no automatic way for vendors to distribute patches. "All embedded software should either have a remote management interface, or they need a finite lifetime," he opined, "because if they live long enough, something bad will happen. If a person lives long enough, they will get dementia—if a piece of software lives long enough, it will be taken over."
In response to a question during the following press conference, Geer acknowledged that remote management software for routers was a potential security risk in itself. "But absent that, there's a different set of risks," he added. By using "fuzzing"—feeding a device malformed or random input until it fails or misbehaves—Geer said that attackers could essentially discover "an unintended remote management interface. Unless you adopt [interface] strictures, it's very difficult to defend against bad inputs."
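To make Geer's point concrete, here is an added example (not code from the article, from Geer, or from any router vendor) of what a mutation fuzzer finds when it is pointed at a lenient configuration handler versus one that enforces "interface strictures". Both handlers, the default configuration, the seed request and the dictionary of interesting tokens are constructed for the example: the lenient handler mirrors a common router-firmware pattern of applying every submitted form field to stored settings, while the strict handler validates against an allowlisted schema and applies settings all-or-nothing.

```python
import random
import re

# Constructed device state. Only the first three keys are exposed by the
# hypothetical admin UI; the last two are internal and never meant to be
# reachable through the settings form.
DEFAULT_CONFIG = {
    "hostname": "livingroom",
    "dhcp_lease_minutes": "1440",
    "wifi_channel": "6",
    "telnet_enabled": "0",
    "wan_admin": "0",
}
ADVERTISED_SETTINGS = {"hostname", "dhcp_lease_minutes", "wifi_channel"}
SEED_REQUEST = b"hostname=livingroom&dhcp_lease_minutes=1440&wifi_channel=6"
MAX_BODY = 1024
# Tokens the fuzzer splices in; the hidden keys model an attacker guessing
# field names, the rest exercise the form-encoding parser itself.
DICTIONARY = [b"&telnet_enabled=1", b"&wan_admin=1", b"&=", b"&&", b"=", b"%",
              b"%00", b"A" * 64, b"-1", b"99999999999999999999"]


def lenient_apply(body: bytes, config: dict) -> bool:
    """Apply every submitted field, the way many firmware handlers do.

    Deliberately weak: no length limit, no key allowlist, no type checks,
    and malformed pairs raise instead of being rejected.
    """
    text = body.decode("utf-8")
    for pair in text.split("&"):
        key, value = pair.split("=")   # ValueError on "a" or "a=b=c"
        config[key] = value            # any key, including hidden ones
    return True


def _hostname(raw: str) -> str:
    if not re.fullmatch(r"[A-Za-z0-9-]{1,32}", raw):
        raise ValueError("bad hostname")
    return raw


def _int_range(lo: int, hi: int):
    def check(raw: str) -> int:
        n = int(raw)                   # ValueError on non-numeric input
        if not lo <= n <= hi:
            raise ValueError("out of range")
        return n
    return check


# The allowlist is the "interface stricture": anything not in it is refused.
SCHEMA = {
    "hostname": _hostname,
    "dhcp_lease_minutes": _int_range(1, 10080),
    "wifi_channel": _int_range(1, 13),
}


def strict_apply(body: bytes, config: dict) -> bool:
    """Validate every field against SCHEMA, then apply all or nothing."""
    if len(body) > MAX_BODY:
        return False
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    staged = {}
    for pair in text.split("&"):
        key, sep, raw = pair.partition("=")
        if not sep or key not in SCHEMA or key in staged:
            return False
        try:
            staged[key] = SCHEMA[key](raw)
        except ValueError:
            return False
    config.update(staged)
    return True


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one to four random byte-level mutations to a seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0 and buf:        # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:      # drop a byte (often a separator)
            del buf[rng.randrange(len(buf))]
        elif op == 2:              # insert a syntactically interesting byte
            buf.insert(rng.randrange(len(buf) + 1), rng.choice(b"=&%\x00\xff"))
        elif op == 3:              # splice in a dictionary token
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = rng.choice(DICTIONARY)
        elif buf:                  # duplicate a slice (length growth)
            a = rng.randrange(len(buf))
            b = rng.randrange(a, len(buf) + 1)
            buf[b:b] = buf[a:b]
    return bytes(buf)


def fuzz(handler, iterations: int = 2000, seed: int = 1) -> dict:
    """Run mutated requests through a handler on a fresh config each time.

    A "crash" is any exception escaping the handler; an "unintended" result
    is any change to state outside the advertised settings, i.e. Geer's
    unintended remote management interface.
    """
    rng = random.Random(seed)
    crashes, unintended, rejected = [], [], 0
    for _ in range(iterations):
        case = mutate(rng, SEED_REQUEST)
        config = dict(DEFAULT_CONFIG)
        try:
            accepted = handler(case, config)
        except Exception as exc:
            crashes.append((case, repr(exc)))
            continue
        if not accepted:
            rejected += 1
        keys = set(config) | set(DEFAULT_CONFIG)
        changed = {k for k in keys if config.get(k) != DEFAULT_CONFIG.get(k)}
        if changed - ADVERTISED_SETTINGS:
            unintended.append((case, sorted(changed - ADVERTISED_SETTINGS)))
    return {"crashes": len(crashes), "unintended": len(unintended),
            "rejected": rejected,
            "first_crash": crashes[0] if crashes else None,
            "first_unintended": unintended[0] if unintended else None}


if __name__ == "__main__":
    for name, handler in (("lenient", lenient_apply), ("strict", strict_apply)):
        r = fuzz(handler)
        print(f"{name}: crashes={r['crashes']} unintended={r['unintended']} "
              f"rejected={r['rejected']}")
        if r["first_unintended"]:
            print("  e.g.", r["first_unintended"])
```

Running it with the default seed shows the two failure modes Geer describes against the lenient handler: inputs that raise inside the parser (a crash on a real device) and inputs that flip `telnet_enabled` or `wan_admin` even though no UI field exists for them. The strict handler produces neither, not because it anticipates every bad input but because it only ever applies fields that pass a closed schema, which is what "interface strictures" buys you.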