nanog mailing list archives
Re: EFF gets into the CPE router software business..
From: charles () thefnf org
Date: Fri, 25 Jul 2014 13:11:29 -0500
On 2014-07-25 12:22, Valdis.Kletnieks () vt edu wrote:
On Thu, 24 Jul 2014 22:06:38 -0700, George Herbert said:
Any idea how well CeroWRT stands up to nation-state level intrusion efforts?
If they are as determined as FBI v Scarfo (the FBI pulled a black bag job to install a keystroke logger in a mobster's PC to capture his PGP passphrase), it's pretty much "game over". Isn't much the average router-class hardware can do to protect itself at that point.
Of course. Physical access is root access. We know this.
The second big challenge is that to the best of my knowledge, there exists no router-class hardware that includes a TPM chip,
OpenWRT x86? Run it on a decently specced laptop a couple gens old (like a Dell Latitude 6500 or so). That's got TPM, plenty of RAM. Of course you can run on a server board (Dell PowerEdge or something). I prefer pfSense myself for full blown kit.
which means that you're not going to be able to implement a trusted boot environment. This means that we're stuck with trusting at least part of the boot process (though we can probably trust the first stage boot loader on a 3800, as that appears to be in an actual ROM, and we'll have to trust the bootstrap code on the flash, but if we use a signed kernel, everything after that can have some trust attached.)
Right.
There's a number of attack surfaces left on CeroWRT, starting with the usual "find a 0-day and point it" - good targets there are the Linux network stack, the IPtables code, dropbear (which is nice, but almost certainly not audited as heavily as OpenSSH), and Luci. And yes, reflecting an attack off a browser behind the router is *very* much in scope - *most* of the pwned router attacks we see come from javascript or other executables pointed at the usually well-known router address from a PC behind the router.
Agree 100%
All the way to pulling a MITM on downloads from Dave Taht's repositories. The combination of DNSSEC, trusted crypto signatures on the download package, and OpenWireless's plans to use Tor to do the software download should make it a *lot* harder to attack via that route.
Oooo. I'll have to clone that methodology for the FNF downloads.
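
The following is an added example, not part of the original message or of any project's code. It simulates the TPM-style measured boot that the thread says router-class hardware lacks: each stage is hashed into a PCR, so a change to the flash bootstrap alters the final value and the event log pinpoints the stage. The stage names and image bytes are constructed placeholders.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(stages):
    """Measure every stage in boot order; return (final PCR, event log)."""
    pcr = bytes(PCR_SIZE)  # a PCR starts as all zeros at power-on
    log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay(log):
    """Recompute the PCR from an event log, as a verifier would."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def first_divergence(golden_log, observed_log):
    """Name of the first stage whose measurement differs, or None."""
    for (name, good), (_, seen) in zip(golden_log, observed_log):
        if good != seen:
            return name
    return None


# Constructed sample images standing in for the three stages in the thread.
GOOD = [
    ("rom_loader", b"first-stage loader in ROM"),
    ("flash_bootstrap", b"bootstrap code on flash, known-good"),
    ("kernel", b"signed kernel image"),
]
TAMPERED = [GOOD[0], ("flash_bootstrap", b"bootstrap code on flash, modified"), GOOD[2]]

if __name__ == "__main__":
    good_pcr, good_log = measure_boot(GOOD)
    bad_pcr, bad_log = measure_boot(TAMPERED)
    print("known-good PCR:", good_pcr.hex())
    print("observed PCR:  ", bad_pcr.hex())
    print("first differing stage:", first_divergence(good_log, bad_log))
```
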