EFF gets into the CPE router software business..

Valdis.Kletnieks at vt.edu
Fri Jul 25 17:22:03 UTC 2014

On Thu, 24 Jul 2014 22:06:38 -0700, George Herbert said:

> Any idea how well CeroWRT stands up to nation-state level intrusion efforts?

If they are as determined as FBI v Scarfo (the FBI pulled a black bag job
to install a keystroke logger in a mobster's PC to capture his PGP passphrase),
it's pretty much "game over".  Isn't much the average router-class hardware
can do to protect itself at that point.

The second big challenge is that to the best of my knowledge, there exists
no router-class hardware that includes a TPM chip, which means that you're
not going to be able to implement a trusted boot environment.  This means that
we're stuck with trusting at least part of the boot process (though we can
probably trust the first stage boot loader on a 3800, as that appears to be
in an actual ROM, and we'll have to trust the bootstrap code on the flash,
but if we use a signed kernel, everything after that can have some trust).

There's a number of attack surfaces left on CeroWRT, starting with the usual
"find a 0-day and point it" - good targets there are the Linux network stack,
the IPtables code, dropbear (which is nice, but almost certainly not audited
as heavily as OpenSSH), and Luci.  And yes, reflecting an attack off a browser
behind the router is *very* much in scope - *most* of the pwned router attacks
we see come from javascript or other executables pointed at the usually
well-known router address from a PC behind the router.

All the way to pulling a MITM on downloads from Dave Taht's repositories.  The
combination of DNSSEC, trusted crypto signatures on the download package, and
OpenWireless's plans to use Tor to do the software download should make it a
*lot* harder to attack via that route.

And the rabbit hole goes *much* deeper - see Ken Thompson's "On Trusting Trust",
which itself got the idea from Karger and Schell's analysis of Multics security.


Actually, Karger and Schell is a good read if you haven't done so - that *was*
a nation-state funded intrusion effort. :)


They were nice enough to go back 30 years later and tell us what we had
learned in the meantime.  tl;dr: Not much.


Hope that 15-minute analysis helps....
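As an added example (not part of the original post, and not LuCI's or CeroWRT's own code), here is the kind of admission check a router admin UI should run on every state-changing request, so that a script on a page loaded by a PC behind the router cannot simply aim a request at the well-known router address. The router origins, header values and tokens below are constructed.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Assumed: the origins at which the router's own admin UI is legitimately served.
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.lan"}


def _origin_from(headers: Mapping[str, str]) -> Optional[str]:
    """Return the request origin: prefer Origin, fall back to Referer's origin."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer and "://" in referer:
        scheme, _, rest = referer.partition("://")
        return f"{scheme}://{rest.split('/', 1)[0]}"
    return None


def admit_admin_request(headers: Mapping[str, str], form: Mapping[str, str],
                        session_csrf_token: str) -> Tuple[bool, str]:
    """Decide whether a state-changing admin request may proceed.

    Three independent checks, each defeating one way a browser behind the
    router can be pointed at it:
      1. Host must name the router (blocks DNS rebinding, where an attacker's
         hostname is re-resolved to the router's LAN address).
      2. Origin/Referer must be one of the router's own origins (blocks plain
         cross-site request forgery from a page on another site).
      3. A per-session CSRF token must be present and match, compared in
         constant time (covers clients that omit the browser-supplied headers).
    """
    host = headers.get("Host", "")
    if not any(o.split("://", 1)[1] == host for o in ROUTER_ORIGINS):
        return False, "host header does not name the router"
    origin = _origin_from(headers)
    if origin not in ROUTER_ORIGINS:
        return False, f"cross-origin request from {origin or 'unknown origin'}"
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_csrf_token):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a page on another site posting to the router's address.
    forged = {"Host": "192.168.1.1", "Origin": "http://evil.example"}
    print(admit_admin_request(forged, {"csrf_token": "t0k3n"}, "t0k3n"))
```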