[plug] Safely using an untrusted router

Dirk justanothergreenguy at gmail.com
Wed Oct 21 06:33:23 UTC 2015


Hi Pavel,

Thanks for your input!

As mentioned before, I don't have a problem with ISPs (recording my online
activities, metadata, etc).  I just have a problem with hackers, and anyone
else fiddling with our security updates and TLS sessions;  as we all do, no
doubt.

The last time I looked into using OpenWRT, Tomato and DD-WRT (a few years
ago), I noticed their firmware image files (on their websites) were very
out of date (more-so than regular consumer router firmware), some were
2+ years old, so I assumed they weren't being actively patched at all.
Do you get regular updates with OpenWRT?  E.g. did you, following the
various OpenSSL vulnerabilities?




On Wednesday, 21 October 2015, Pavel Volský <pavel.volsky at gmail.com> wrote:

> Hi Dirk,
> ever heard about OpenWRT?  I'm running it without any problems for last 3+
> years at home.
> List of supported devices is here -> http://wiki.openwrt.org/toh/start
>
> No one can ensure you that your connection to your ISP is super secure.
> They will do their best (the least minimum to sell the product) to keep you
> happy.
>
> If you have trust issues I suggest to "bypass" the ISP. Get a VPS at any
> hosting you trust and build your VPN server there.
> With the OpenWRT it is easy to setup a site-to-site VPN  and tunnel
> everything there.
> Additionally do packet inspection.
>
> Good luck!
> Pavel
>
>
>
> On 21 October 2015 at 12:43, Dirk <justanothergreenguy at gmail.com
> <javascript:_e(%7B%7D,'cvml','justanothergreenguy at gmail.com');>> wrote:
>
>> No, I don't trust my modem router (and nobody should IMHO) given how
>> easily they're getting hacked, and how infrequent the firmware is updated
>> (if at all).  Router security has been found time and time again to be
>> poorly implemented (eg. in some cases you can't disable UPnP (despite
>> ticking the checkbox), can't disable WAN-side admin (despite ticking the
>> checkbox), WPS is broken, port 32764 funny games, services running inside
>> the router that shouldn't be, etc etc).  Anyway, best not to trust a
>> consumer router.  It's an easy target for hackers these days.  Better to
>> treat it like a public wifi hotspot.
>>
>> I trust my ISP a lot more than my modem router.  I rely on a reduced set
>> of valid TLS certs (including OCSP verification) to ensure I'm connecting
>> to the right destinations.  I trust my ISP pays far more attention to
>> maintaining its network security, than router manufacturers do in
>> maintaining their products after purchase.  I think that's a reasonable
>> position to take.
>>
>> I agree with you that security can be broken anywhere along the line
>> (stolen private TLS certs, malverts served up, etc), but we're all in the
>> same boat.  We're all relying on TLS certs, strong encryption,
>> strong server-side user authentication, etc).
>>
>> Agreed, RPi firmware may already contain a backdoor.  Just an option I
>> was going to look into down the track, for defeating persistent threats
>> like BIOS malware.
>>
>> At the end of the day, I should at least be able to fetch uncorrupted
>> package lists and security updates for my Linux OS.
>>
>> I still suspect my router, and was hoping a VPN to a trusted ISP would be
>> an easy solution, to defeat any funny games inside my home router.
>>
>> What do you all do to ensure you're getting a trustworthy connection to
>> your ISP?
>>
>> Do you all trust your home routers?
>>
>>
>>
>>
>>
>>
>> On Wednesday, 21 October 2015, Brad Campbell <brad at fnarfbargle.com
>> <javascript:_e(%7B%7D,'cvml','brad at fnarfbargle.com');>> wrote:
>>
>>> On 20/10/15 13:17, Dirk wrote:
>>>
>>>> Oops, my error, I think I'm already using PPPoE.  But don't you lose the
>>>> firewall of NAT (re unsolicited traffic) in pass-through mode? ...and a
>>>> MITM in the modem could still play funny games if your traffic isn't
>>>> encrypted from your computer.
>>>>
>>>
>>> In my case NAT is performed on the server that handles the PPPoE
>>> connection. You appear not to trust your modem, but seem to have implicit
>>> trust in your ISP and everything between the ISP and what you are
>>> connecting to.
>>>
>>> Am I wrong in thinking a VPN (set up on the PC, not in the
>>>> router) would offer far greater security through an (any) untrusted
>>>> router?  I mean, isn't that what is recommended for people logging into
>>>> their corporate network remotely (say from a hotel, etc)...?
>>>>
>>>
>>> As I said above, if the only piece of untrusted gear is your home
>>> router, then yes the VPN will help. Your faith in everything else being
>>> completely trustworthy is misplaced however.
>>>
>>> As far as I know, the RPi incorporated the GPU driver with the OS in the
>>>> one big blob that goes on the SD card.  As such, you can verify the
>>>> integrity of everything volatile / rewriteable before using it, with a
>>>> simple MD5 checksum across the whole SD device. ...but I may be
>>>> mistaken  :)
>>>>
>>>
>>> So what if the blob already contains a backdoor? No point verifying the
>>> MD5 of a compromised blob.
>>>
>>> If you are really concerned, talk to some real IT security professionals
>>> and do a proper Threat, Vulnerability & Risk Assessment (TVRA). Manage the
>>> real risks rather than the perceived risks.
>>>
>>> I get the idea you seem to think your highest level risk is a firmware
>>> compromise. Lets start from basics. What are you actually trying to protect
>>> against? (ie what threat are you mitigating by cutting the router out of
>>> the loop?)
>>>
>>>
>>>
>>> _______________________________________________
>>> PLUG discussion list: plug at plug.org.au
>>> http://lists.plug.org.au/mailman/listinfo/plug
>>> Committee e-mail: committee at plug.org.au
>>> PLUG Membership: http://www.plug.org.au/membership
>>>
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> <javascript:_e(%7B%7D,'cvml','plug at plug.org.au');>
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> <javascript:_e(%7B%7D,'cvml','committee at plug.org.au');>
>> PLUG Membership: http://www.plug.org.au/membership
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20151021/7bc03ee9/attachment.html>


More information about the plug mailing list