[kwlug-disc] [kwlug-announce] Meeting Monday: OpenWRT

[unsolicited]

"UDPATE: confirmation of the issue (it is WAN exploitable if http admin 
is available from WAN side)"

So don't open up http on the wan in the first place. Which is ill 
advised, regardless.

If you have bad people in your home attacking your router, or 
uncontrolled external access in by which your router could be attacked 
from the inside, you have bigger issues in play to deal with than this.

e.g. Insufficient security on your wi-fi such that your neighbour is 
able to use it.

For many, most of the time, if you're not home, it don't matter. (That 
home can't do something going out your router, when you're not home, 
most of the time has little impact. i.e. No need to administer the 
router from outside the home, so no need to open the port.)

Not to say access through the router isn't useful, e.g. ssh in to inside 
machine with secure keys, then tunnel through that. Still not directly 
accessing the router in this case to be affected by the hole. If you do 
happen to need to do something with the router, you can still do so via 
the inside session.

In any case, unlikely to be an issue with OpenWRT. This is software. 
OpenWRT replaces the software. For it to be  an issue, some unchangeable 
supervising OS would have to still be running - to open the port 
independently of, and above, your OpenWRT software install.


On 14-08-14 02:19 PM, Paul Gallaway wrote:
> On Thu, Aug 14, 2014 at 11:26 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>> That one is very similar to my DLink DIR-835, but with 8MB flash instead of
>> 16MB, and making up for it by having 2 USB ports not just one like mine.
> Looking at the presentation lafter getting the router home I noticed
> you had the DLink which had MORE flash than the WDR4300 I had a doh!
> moment until I found out it was not in stock at Canada Computers
> (although also on-sale this week). I'm happy to have something that
> can work now and hopefully it's not obsoleted too quickly. 16MB in the
> DLink should be more future proof for now, but with the high end
> routers coming with 128MB of flash now, that might not even be enough.
>
>> Saw the APC BackUPS on Dell's site yesterday for $45 after a $10 off.
> That's the one.
>
>> Just curious how much was the gigabit hub?
>
> $16 unmanged 8-ports. Description says it's the metal version but the
> photo and model number are the plastic one. I'm expecting it to be the
> plastic one. I was trying to not spam the list with 'sales'
> information but since you asked!:
> https://accessories.dell.com/sna/products/Networking/productdetail.aspx?c=ca&l=en&s=dhs&cs=cadhs1&sku=A7312374
>
>> If you ever do sysupgrade, please post a followup on the steps you did
>> (sysupgrade of a xxx-sysupgrade.bin file, installing packages via opkg
>> again).
>
> Will do. I'm not there yet :)
>
>> I am deferring doing the upgrade until a stable release comes out .
>
> Everything I read indicated that there were some issues installing
> A.A. on the Version 1.7 hardware that I have but a work around had
> been reported to work for B.B. with the possibility of it working on
> A.A. So I took the path that reported it definitely worked by
> installing the most recent release candidate for B.B. (RC3 at time of
> writing). I was pleased to find that everything just worked and the
> graphical interface came right up and the work around was unnecessary.
> I'll need to do some testing before I deploy.
>
>> My DLink DIR-835 is in the basement (very close to the roof, as high as it
>> can get), and the first floor above it gets good coverage. The coverage in
>> the 2nd floor is not as good but still acceptable. This is on Wireless N
>> 2.4GHz.
>
> Same here. Currently in the ceiling of my basement. I started thinking
> about better places to put it and I think I could do some wire drops
> and put the router in a better spot. Any downside to moving the router
> 15 ft from the modem (different floors) or should I move the modem
> too? I'm planning to run it alongside the current router for a week or
> so (hopefully starting this weekend) before replacing the old one.
>
> On Thu, Aug 14, 2014 at 1:38 PM, CrankyOldBugger
> <crankyoldbugger at gmail.com> wrote:
>> Not to rain on the parade here... but I noticed a number of people
>> recommending TP-Link.  I seem to recall several months ago (maybe over a
>> year ago) a big stink about TP-Link routers having backdoors.  Here's one
>> such example (looking for more):
>> http://malwarelist.net/2013/03/15/backdoor-in-tp-link-devices/
>
> I am aware of this (or maybe an issue like this) and I would argue
> that this /could/ apply to any OEM firmware that comes in binary form
> and also why OpenWRT went from something I thought would be nice to
> have, to something I felt was a necessary feature. I think this type
> of vulnerability could exist for any hardware that uses a binary blob
> for its driver. I remember reading something on Ars:
> http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-gear-from-barracuda-networks/
>
> How many other manufactures have a similar backdoor in their hardware?
> How could we ever know about them all? I seem to recall a follow-up
> article stating that the backdoor had been fixed according to the
> vendor but hadn't been when tested.
>
>> My question is.. would openWRT negate the backdoor, or is the problem a bit
>> deeper in the router?
>
> I think it would negate the issue, and seeing as the router I just
> bought is on that list I have a vested interested in confirming it is
> not vulnerable. My thought is that since OpenWRT is compiled from
> sources using modules supplied by the linux kernel, it's about as safe
> as it can ever be made. That's why I choose OpenWRT over DD-WRT,
> Tomato, and all the other WRT variants. My understanding of the
> inner-workings of the hardware and how the kernel interacts with all
> the bits of silicon in the device is limited, so if I'm flat out
> wrong, someone please tell me!
>
> On Thu, Aug 14, 2014 at 2:05 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>> Those who have that router can test using the proof of concept that is
>> detailed here
>>
>> http://sekurak.pl/tp-link-httptftp-backdoor/
>
> Thanks Khalid. Haven't checked out the link yet but I'll see if I have
> the capabilities to test and report back the results. If I can't test
> it I will report back looking for help ;).
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>