EFF gets into the CPE router software business..

charles at thefnf.org
Fri Jul 25 18:11:29 UTC 2014

On 2014-07-25 12:22, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 24 Jul 2014 22:06:38 -0700, George Herbert said:
>> Any idea how well CeroWRT stands up to nation-state level intrusion 
>> efforts?
> If they are as determined as FBI v Scarfo (the FBI pulled a black bag job
> to install a keystroke logger in a mobster's PC to capture his PGP
> passphrase), it's pretty much "game over".  Isn't much the average
> router-class hardware can do to protect itself at that point.

Of course. Physical access is root access. We know this.

> The second big challenge is that to the best of my knowledge, there exists
> no router-class hardware that includes a TPM chip,

OpenWRT x86? Run it on a decently specced laptop a couple of gens old (like
a Dell Latitude 6500 or so). That's got a TPM and plenty of RAM.
Of course you can run on a server board (Dell PowerEdge or something). I
prefer pfSense myself for full blown kit.

> which means that you're not going to be able to implement a trusted boot
> environment.  This means that we're stuck with trusting at least part of
> the boot process (though we can probably trust the first stage boot loader
> on a 3800, as that appears to be in an actual ROM, and we'll have to trust
> the bootstrap code on the flash, but if we use a signed kernel, everything
> after that can have some trust attached.)

> There's a number of attack surfaces left on CeroWRT, starting with the
> usual "find a 0-day and point it" - good targets there are the Linux
> network stack, the iptables code, dropbear (which is nice, but almost
> certainly not audited as heavily as OpenSSH), and LuCI.  And yes,
> reflecting an attack off a browser behind the router is *very* much in
> scope - *most* of the pwned router attacks we see come from JavaScript or
> other executables pointed at the usually well-known router address from a
> PC behind the router.

Agree 100%

> All the way to pulling a MITM on downloads from Dave Taht's repositories.
> The combination of DNSSEC, trusted crypto signatures on the download
> package, and OpenWireless's plans to use Tor to do the software download
> should make it a *lot* harder to attack via that route.

Oooo. I'll have to clone that methodology for the FNF downloads.
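To make the boot-chain argument above concrete (ROM root trusted by assumption, flash bootstrap trusted but unverified, signed kernel and everything after it verified), here is an added Python model that is not part of the thread or of CeroWRT. It stands in a SHA-256 digest embedded in the preceding stage for the public-key signature check a real bootloader would perform, and uses constructed stage names and image bytes; it shows why tampering below the first verifying stage goes undetected.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                # the stage image (constructed sample bytes)
    next_digest: bytes | None  # digest of the successor it checks, None = checks nothing

def measure(stage: Stage) -> bytes:
    # Cover the embedded reference too, so swapping that out is also detected.
    return hashlib.sha256(stage.code + (stage.next_digest or b"")).digest()

def build_chain(spec: list[tuple[str, bytes, bool]]) -> list[Stage]:
    """spec entries are (name, code, verifies_next); built back to front so each
    stage can embed the digest of the successor it is meant to check."""
    stages, successor = [], None
    for name, code, verifies_next in reversed(spec):
        digest = measure(successor) if verifies_next and successor else None
        successor = Stage(name, code, digest)
        stages.append(successor)
    return stages[::-1]

def verify_chain(stages: list[Stage]) -> dict[str, str]:
    """Walk from the root. 'assumed' = loaded with no check (the ROM root itself,
    or a flash bootstrap the ROM never measures); 'verified' = the preceding
    trusted stage held a matching digest; 'untrusted' = check failed upstream."""
    status = {stages[0].name: "assumed"}
    for prev, cur in zip(stages, stages[1:]):
        if status[prev.name] == "untrusted":
            status[cur.name] = "untrusted"
        elif prev.next_digest is None:
            status[cur.name] = "assumed"
        else:
            status[cur.name] = "verified" if prev.next_digest == measure(cur) else "untrusted"
    return status

def tamper(stages: list[Stage], name: str, new_code: bytes) -> list[Stage]:
    """Copy of the chain with one stage's code replaced (its embedded digest kept)."""
    return [replace(s, code=new_code) if s.name == name else s for s in stages]

# Constructed layout mirroring the thread: ROM loader does not check the flash
# bootstrap; bootstrap checks the kernel; kernel checks the root filesystem.
ROUTER_BOOT_SPEC = [("rom_loader", b"first-stage loader in mask ROM", False),
                    ("flash_bootstrap", b"bootstrap code on flash", True),
                    ("kernel", b"kernel image", True),
                    ("rootfs", b"root filesystem", False)]

if __name__ == "__main__":
    chain = build_chain(ROUTER_BOOT_SPEC)
    print(verify_chain(chain))
    print(verify_chain(tamper(chain, "flash_bootstrap", b"modified bootstrap")))
```

A modified kernel or rootfs shows up as untrusted, while a modified flash bootstrap still reads as "assumed": exactly the part of the chain the thread says has to be taken on trust without a ROM that measures it.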
