[plug] Safely using an untrusted router

Dirk justanothergreenguy at gmail.com
Wed Oct 21 07:43:36 UTC 2015


That's interesting, looks like OpenWRT may have upped their game in light
of the recent flood of attacks on SOHO routers.

I still prefer to assume my router is compromised, and establish a secure
tunnel from my PC, but I'll have another look at open source router
firmware again.  OpenWRT may be the way to go for now.

Cheers for that Pavel.  And thanks again Brad for your input.  You've both
given me some ideas, although I was hoping for an easy OpenVPN option  :)

If anyone else has any thoughts or suggestions, please let me know!

Cheers, Dirk




On Wednesday, 21 October 2015, Pavel Volský <pavel.volsky at gmail.com> wrote:

> They try to release a new version each year.
>
> http://wiki.openwrt.org/about/history
>
> Latest version 15.05 for my router was built 14/9/2015 so the frequency
> is much better now.
> The benefit here is you don't have to wait for them to make the firmware
> and build it yourself from the source code.
>
>
>
> On 21 October 2015 at 14:33, Dirk <justanothergreenguy at gmail.com> wrote:
>
>> Hi Pavel,
>>
>> Thanks for your input!
>>
>> As mentioned before, I don't have a problem with ISPs (recording my
>> online activities, metadata, etc).  I just have a problem with hackers, and
>> anyone else fiddling with our security updates and TLS sessions;  as we all
>> do, no doubt.
>>
>> The last time I looked into using OpenWRT, Tomato and DD-WRT (a few years
>> ago), I noticed their firmware image files (on their websites) were very
>> out of date (more so than regular consumer router firmware), some were
>> 2+ years old, so I assumed they weren't being actively patched at all.
>> Do you get regular updates with OpenWRT?  E.g. did you, following the
>> various OpenSSL vulnerabilities?
>>
>>
>>
>>
>> On Wednesday, 21 October 2015, Pavel Volský <pavel.volsky at gmail.com> wrote:
>>
>>> Hi Dirk,
>>> ever heard about OpenWRT?  I'm running it without any problems for the last
>>> 3+ years at home.
>>> List of supported devices is here -> http://wiki.openwrt.org/toh/start
>>>
>>> No one can ensure you that your connection to your ISP is super secure.
>>> They will do their best (the least minimum to sell the product) to keep you
>>> happy.
>>>
>>> If you have trust issues I suggest "bypassing" the ISP. Get a VPS at any
>>> hosting you trust and build your VPN server there.
>>> With OpenWRT it is easy to set up a site-to-site VPN and tunnel
>>> everything there.
>>> Additionally do packet inspection.
>>>
>>> Good luck!
>>> Pavel
>>>
>>>
>>>
>>> On 21 October 2015 at 12:43, Dirk <justanothergreenguy at gmail.com> wrote:
>>>
>>>> No, I don't trust my modem router (and nobody should IMHO) given how
>>>> easily they're getting hacked, and how infrequently the firmware is updated
>>>> (if at all).  Router security has been found time and time again to be
>>>> poorly implemented (eg. in some cases you can't disable UPnP (despite
>>>> ticking the checkbox), can't disable WAN-side admin (despite ticking the
>>>> checkbox), WPS is broken, port 32764 funny games, services running inside
>>>> the router that shouldn't be, etc etc).  Anyway, best not to trust a
>>>> consumer router.  It's an easy target for hackers these days.  Better to
>>>> treat it like a public wifi hotspot.
>>>>
>>>> I trust my ISP a lot more than my modem router.  I rely on a reduced
>>>> set of valid TLS certs (including OCSP verification) to ensure I'm
>>>> connecting to the right destinations.  I trust my ISP pays far more
>>>> attention to maintaining its network security, than router manufacturers do
>>>> in maintaining their products after purchase.  I think that's a reasonable
>>>> position to take.
>>>>
>>>> I agree with you that security can be broken anywhere along the line
>>>> (stolen private TLS certs, malverts served up, etc), but we're all in the
>>>> same boat.  We're all relying on TLS certs, strong encryption,
>>>> strong server-side user authentication, etc.
>>>>
>>>> Agreed, RPi firmware may already contain a backdoor.  Just an option I
>>>> was going to look into down the track, for defeating persistent threats
>>>> like BIOS malware.
>>>>
>>>> At the end of the day, I should at least be able to fetch uncorrupted
>>>> package lists and security updates for my Linux OS.
>>>>
>>>> I still suspect my router, and was hoping a VPN to a trusted ISP would
>>>> be an easy solution, to defeat any funny games inside my home router.
>>>>
>>>> What do you all do to ensure you're getting a trustworthy connection to
>>>> your ISP?
>>>>
>>>> Do you all trust your home routers?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wednesday, 21 October 2015, Brad Campbell <brad at fnarfbargle.com>
>>>> wrote:
>>>>
>>>>> On 20/10/15 13:17, Dirk wrote:
>>>>>
>>>>>> Oops, my error, I think I'm already using PPPoE.  But don't you lose the
>>>>>> firewall of NAT (re unsolicited traffic) in pass-through mode? ...and a
>>>>>> MITM in the modem could still play funny games if your traffic isn't
>>>>>> encrypted from your computer.
>>>>>>
>>>>>
>>>>> In my case NAT is performed on the server that handles the PPPoE
>>>>> connection. You appear not to trust your modem, but seem to have implicit
>>>>> trust in your ISP and everything between the ISP and what you are
>>>>> connecting to.
>>>>>
>>>>>> Am I wrong in thinking a VPN (set up on the PC, not in the
>>>>>> router) would offer far greater security through an (any) untrusted
>>>>>> router?  I mean, isn't that what is recommended for people logging into
>>>>>> their corporate network remotely (say from a hotel, etc)...?
>>>>>>
>>>>>
>>>>> As I said above, if the only piece of untrusted gear is your home
>>>>> router, then yes the VPN will help. Your faith in everything else being
>>>>> completely trustworthy is misplaced however.
>>>>>
>>>>>> As far as I know, the RPi incorporated the GPU driver with the OS in the
>>>>>> one big blob that goes on the SD card.  As such, you can verify the
>>>>>> integrity of everything volatile / rewritable before using it, with a
>>>>>> simple MD5 checksum across the whole SD device. ...but I may be
>>>>>> mistaken  :)
>>>>>>
>>>>>
>>>>> So what if the blob already contains a backdoor? No point verifying
>>>>> the MD5 of a compromised blob.
>>>>>
>>>>> If you are really concerned, talk to some real IT security
>>>>> professionals and do a proper Threat, Vulnerability & Risk Assessment
>>>>> (TVRA). Manage the real risks rather than the perceived risks.
>>>>>
>>>>> I get the idea you seem to think your highest level risk is a firmware
>>>>> compromise. Let's start from basics. What are you actually trying to protect
>>>>> against? (ie what threat are you mitigating by cutting the router out of
>>>>> the loop?)
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PLUG discussion list: plug at plug.org.au
>>>>> http://lists.plug.org.au/mailman/listinfo/plug
>>>>> Committee e-mail: committee at plug.org.au
>>>>> PLUG Membership: http://www.plug.org.au/membership
>>>>>
>>>>
>>>
>>>
>
>
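The whole-device checksum idea from the quoted exchange, written out as an added example (not code from the thread or from any of the posters). It hashes a block device or image file in fixed-size chunks so a multi-GB card never has to fit in memory, records a baseline right after imaging, and later reports whether the device still matches. It uses SHA-256 rather than the MD5 mentioned above, since MD5 collisions are practical and a baseline that an attacker can forge is worth little. Brad's caveat still applies: this only detects changes made after the baseline was taken, not a backdoor already present in the image. The device path `/dev/sdX` is a placeholder, and the sample image in `demo()` is constructed in memory.

```python
import hashlib
import hmac
import io
import sys

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads; the card is streamed, never loaded whole


def hash_stream(stream, algo="sha256"):
    """Hash everything readable from a file-like object (a block device, an
    image file or an in-memory buffer) chunk by chunk; return the hex digest."""
    h = hashlib.new(algo)
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algo="sha256"):
    """Convenience wrapper for data already held in memory."""
    return hash_stream(io.BytesIO(data), algo)


def hash_device(path, algo="sha256"):
    """Hash a whole block device or image file, e.g. /dev/sdX (placeholder).
    Hash the device while it is unmounted, otherwise writes by the OS make the
    result meaningless."""
    with open(path, "rb") as f:
        return hash_stream(f, algo)


def verify_stream(stream, baseline_hex, algo="sha256"):
    """True only if the stream hashes to the baseline recorded after imaging.
    compare_digest keeps the comparison time independent of how many leading
    characters happen to match."""
    return hmac.compare_digest(hash_stream(stream, algo), baseline_hex)


def verify_device(path, baseline_hex, algo="sha256"):
    with open(path, "rb") as f:
        return verify_stream(f, baseline_hex, algo)


def demo():
    """Constructed sample: a 2 MiB pseudo-image, a baseline taken from it, then
    the same image with a single bit flipped well past the first chunk.
    Returns what each check reports."""
    image = bytes(range(256)) * (2 * CHUNK_SIZE // 256)  # constructed, not a real card
    baseline = hash_bytes(image)
    clean_ok = verify_stream(io.BytesIO(image), baseline)
    tampered = bytearray(image)
    tampered[CHUNK_SIZE + 12345] ^= 0x01  # one bit changed inside the second chunk
    tampered_ok = verify_stream(io.BytesIO(bytes(tampered)), baseline)
    return {"baseline": baseline, "clean_ok": clean_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python verify_sd.py /dev/sdX <baseline hex digest>
        ok = verify_device(sys.argv[1], sys.argv[2])
        print("MATCH" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    print(demo())
```

Record the baseline with `hash_device("/dev/sdX")` immediately after writing the image, store it somewhere the router and the Pi cannot reach, and run `verify_device` before each boot you care about; any difference, even one flipped bit, produces a mismatch.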