[plug] Safely using an untrusted router

Pavel Volský pavel.volsky at gmail.com
Wed Oct 21 05:23:12 UTC 2015


Hi Dirk,
ever heard about OpenWRT?  I've been running it without any problems for the
last 3+ years at home.
The list of supported devices is here -> http://wiki.openwrt.org/toh/start

No one can assure you that your connection to your ISP is super secure.
They will do their best (the bare minimum to sell the product) to keep you
happy.

If you have trust issues, I suggest you "bypass" the ISP. Get a VPS at any
hosting provider you trust and build your VPN server there.
With OpenWRT it is easy to set up a site-to-site VPN and tunnel
everything there.
Additionally, do packet inspection.

Good luck!
Pavel



On 21 October 2015 at 12:43, Dirk <justanothergreenguy at gmail.com> wrote:

> No, I don't trust my modem router (and nobody should IMHO) given how
> easily they're getting hacked, and how infrequently the firmware is updated
> (if at all).  Router security has been found time and time again to be
> poorly implemented (e.g. in some cases you can't disable UPnP (despite
> ticking the checkbox), can't disable WAN-side admin (despite ticking the
> checkbox), WPS is broken, port 32764 funny games, services running inside
> the router that shouldn't be, etc etc).  Anyway, best not to trust a
> consumer router.  It's an easy target for hackers these days.  Better to
> treat it like a public wifi hotspot.
>
> I trust my ISP a lot more than my modem router.  I rely on a reduced set
> of valid TLS certs (including OCSP verification) to ensure I'm connecting
> to the right destinations.  I trust my ISP pays far more attention to
> maintaining its network security, than router manufacturers do in
> maintaining their products after purchase.  I think that's a reasonable
> position to take.
>
> I agree with you that security can be broken anywhere along the line
> (stolen private TLS certs, malverts served up, etc), but we're all in the
> same boat.  We're all relying on TLS certs, strong encryption,
> strong server-side user authentication, etc.
>
> Agreed, RPi firmware may already contain a backdoor.  Just an option I was
> going to look into down the track, for defeating persistent threats
> like BIOS malware.
>
> At the end of the day, I should at least be able to fetch uncorrupted
> package lists and security updates for my Linux OS.
>
> I still suspect my router, and was hoping a VPN to a trusted ISP would be
> an easy solution, to defeat any funny games inside my home router.
>
> What do you all do to ensure you're getting a trustworthy connection to
> your ISP?
>
> Do you all trust your home routers?
>
> On Wednesday, 21 October 2015, Brad Campbell <brad at fnarfbargle.com> wrote:
>
>> On 20/10/15 13:17, Dirk wrote:
>>
>>> Oops, my error, I think I'm already using PPPoE.  But don't you lose the
>>> firewall of NAT (re unsolicited traffic) in pass-through mode? ...and a
>>> MITM in the modem could still play funny games if your traffic isn't
>>> encrypted from your computer.
>>>
>>
>> In my case NAT is performed on the server that handles the PPPoE
>> connection. You appear not to trust your modem, but seem to have implicit
>> trust in your ISP and everything between the ISP and what you are
>> connecting to.
>>
>>> Am I wrong in thinking a VPN (set up on the PC, not in the
>>> router) would offer far greater security through an (any) untrusted
>>> router?  I mean, isn't that what is recommended for people logging into
>>> their corporate network remotely (say from a hotel, etc)...?
>>>
>>
>> As I said above, if the only piece of untrusted gear is your home router,
>> then yes the VPN will help. Your faith in everything else being completely
>> trustworthy is misplaced however.
>>
>>> As far as I know, the RPi incorporated the GPU driver with the OS in the
>>> one big blob that goes on the SD card.  As such, you can verify the
>>> integrity of everything volatile / rewriteable before using it, with a
>>> simple MD5 checksum across the whole SD device. ...but I may be
>>> mistaken  :)
>>>
>>
>> So what if the blob already contains a backdoor? No point verifying the
>> MD5 of a compromised blob.
>>
>> If you are really concerned, talk to some real IT security professionals
>> and do a proper Threat, Vulnerability & Risk Assessment (TVRA). Manage the
>> real risks rather than the perceived risks.
>>
>> I get the idea you seem to think your highest level risk is a firmware
>> compromise. Let's start from basics. What are you actually trying to protect
>> against? (ie what threat are you mitigating by cutting the router out of
>> the loop?)
>>
>>
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
>
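
Added example (not part of the original thread): one way to check that a PC-side VPN really does "tunnel everything", so that only the encrypted tunnel itself crosses the untrusted router. It parses `ip route show` output and reports any destination that would leave outside the tunnel. The interface names, addresses and the sample routing table are constructed assumptions; only the main IPv4 table is modelled and route metrics are ignored.

```python
import ipaddress

# Constructed `ip route show` output from a PC with a full-tunnel VPN up.
# Assumed values: 192.168.1.1 = untrusted home router, 203.0.113.10 = the VPS,
# tun0 = tunnel interface (OpenVPN-style 0.0.0.0/1 + 128.0.0.0/1 override routes).
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Return [(network, device)] from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # blank line, or a route type without an egress device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest, strict=False),
                       fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, addr):
    """Longest-prefix match over one routing table (metrics ignored)."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def find_leaks(routes, tunnel_dev, vpn_server, lan):
    """Return [(address, device)] for traffic that would bypass the tunnel.

    Routing decisions only change at the start of a prefix or just past its
    end, so probing those boundaries covers the whole address space.
    """
    server, lan_net = ipaddress.ip_address(vpn_server), ipaddress.ip_network(lan)
    probes = set()
    for net, _ in routes:
        probes.add(net.network_address)
        try:
            probes.add(net.broadcast_address + 1)
        except ValueError:
            pass  # prefix ends at the top of the address space
    found = []
    for ip in sorted(probes):
        dev = egress_device(routes, ip)
        if dev not in (None, tunnel_dev) and ip != server and ip not in lan_net:
            found.append((str(ip), dev))
    return found
```

Feed it the live output of `ip route show` in place of SAMPLE_ROUTES; an empty result means only the VPN server and the local subnet are reachable without the tunnel.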