[plug] Safely using an untrusted router
Pavel Volský
pavel.volsky at gmail.com
Wed Oct 21 06:52:01 UTC 2015
They try to release a new version each year.
http://wiki.openwrt.org/about/history
Latest version 15.05 for my router was built 14/9/2015 so the frequency is
much better now.
The benefit here is you don't have to wait for them to make the firmware
and build it yourself from the source code.
On 21 October 2015 at 14:33, Dirk <justanothergreenguy at gmail.com> wrote:
> Hi Pavel,
>
> Thanks for your input!
>
> As mentioned before, I don't have a problem with ISPs (recording my online
> activities, metadata, etc). I just have a problem with hackers, and anyone
> else fiddling with our security updates and TLS sessions; as we all do, no
> doubt.
>
> The last time I looked into using OpenWRT, Tomato and DD-WRT (a few years
> ago), I noticed their firmware image files (on their websites) were very
> out of date (more so than regular consumer router firmware), some were
> 2+ years old, so I assumed they weren't being actively patched at all.
> Do you get regular updates with OpenWRT? E.g. did you, following the
> various OpenSSL vulnerabilities?
>
>
>
>
> On Wednesday, 21 October 2015, Pavel Volský <pavel.volsky at gmail.com>
> wrote:
>
>> Hi Dirk,
>> ever heard about OpenWRT? I've been running it without any problems for the
>> last 3+ years at home.
>> List of supported devices is here -> http://wiki.openwrt.org/toh/start
>>
>> No one can assure you that your connection to your ISP is super secure.
>> They will do their best (the bare minimum to sell the product) to keep you
>> happy.
>>
>> If you have trust issues I suggest you "bypass" the ISP. Get a VPS at any
>> hosting you trust and build your VPN server there.
>> With OpenWRT it is easy to set up a site-to-site VPN and tunnel
>> everything there.
>> Additionally do packet inspection.
>>
>> Good luck!
>> Pavel
>>
>>
>>
>> On 21 October 2015 at 12:43, Dirk <justanothergreenguy at gmail.com> wrote:
>>
>>> No, I don't trust my modem router (and nobody should IMHO) given how
>>> easily they're getting hacked, and how infrequently the firmware is updated
>>> (if at all). Router security has been found time and time again to be
>>> poorly implemented (e.g. in some cases you can't disable UPnP (despite
>>> ticking the checkbox), can't disable WAN-side admin (despite ticking the
>>> checkbox), WPS is broken, port 32764 funny games, services running inside
>>> the router that shouldn't be, etc etc). Anyway, best not to trust a
>>> consumer router. It's an easy target for hackers these days. Better to
>>> treat it like a public wifi hotspot.
>>>
>>> I trust my ISP a lot more than my modem router. I rely on a reduced set
>>> of valid TLS certs (including OCSP verification) to ensure I'm connecting
>>> to the right destinations. I trust my ISP pays far more attention to
>>> maintaining its network security, than router manufacturers do in
>>> maintaining their products after purchase. I think that's a reasonable
>>> position to take.
>>>
>>> I agree with you that security can be broken anywhere along the line
>>> (stolen private TLS certs, malverts served up, etc), but we're all in the
>>> same boat. We're all relying on TLS certs, strong encryption,
>>> strong server-side user authentication, etc.
>>>
>>> Agreed, RPi firmware may already contain a backdoor. Just an option I
>>> was going to look into down the track, for defeating persistent threats
>>> like BIOS malware.
>>>
>>> At the end of the day, I should at least be able to fetch uncorrupted
>>> package lists and security updates for my Linux OS.
>>>
>>> I still suspect my router, and was hoping a VPN to a trusted ISP would
>>> be an easy solution, to defeat any funny games inside my home router.
>>>
>>> What do you all do to ensure you're getting a trustworthy connection to
>>> your ISP?
>>>
>>> Do you all trust your home routers?
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wednesday, 21 October 2015, Brad Campbell <brad at fnarfbargle.com>
>>> wrote:
>>>
>>>> On 20/10/15 13:17, Dirk wrote:
>>>>
>>>>> Oops, my error, I think I'm already using PPPoE. But don't you lose
>>>>> the firewall of NAT (re unsolicited traffic) in pass-through mode?
>>>>> ...and a MITM in the modem could still play funny games if your
>>>>> traffic isn't encrypted from your computer.
>>>>>
>>>>
>>>> In my case NAT is performed on the server that handles the PPPoE
>>>> connection. You appear not to trust your modem, but seem to have implicit
>>>> trust in your ISP and everything between the ISP and what you are
>>>> connecting to.
>>>>
>>>>> Am I wrong in thinking a VPN (set up on the PC, not in the
>>>>> router) would offer far greater security through an (any) untrusted
>>>>> router? I mean, isn't that what is recommended for people logging into
>>>>> their corporate network remotely (say from a hotel, etc)...?
>>>>>
>>>>
>>>> As I said above, if the only piece of untrusted gear is your home
>>>> router, then yes the VPN will help. Your faith in everything else being
>>>> completely trustworthy is misplaced however.
>>>>
>>>>> As far as I know, the RPi incorporated the GPU driver with the OS in the
>>>>> one big blob that goes on the SD card. As such, you can verify the
>>>>> integrity of everything volatile / rewriteable before using it, with a
>>>>> simple MD5 checksum across the whole SD device. ...but I may be
>>>>> mistaken :)
>>>>>
>>>>
>>>> So what if the blob already contains a backdoor? No point verifying the
>>>> MD5 of a compromised blob.
>>>>
>>>> If you are really concerned, talk to some real IT security
>>>> professionals and do a proper Threat, Vulnerability & Risk Assessment
>>>> (TVRA). Manage the real risks rather than the perceived risks.
>>>>
>>>> I get the idea you seem to think your highest level risk is a firmware
>>>> compromise. Let's start from basics. What are you actually trying to protect
>>>> against? (i.e. what threat are you mitigating by cutting the router out of
>>>> the loop?)
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> PLUG discussion list: plug at plug.org.au
>>>> http://lists.plug.org.au/mailman/listinfo/plug
>>>> Committee e-mail: committee at plug.org.au
>>>> PLUG Membership: http://www.plug.org.au/membership
>>>>
>>>
>>
>>