Wednesday, February 11, 2015

Unleash Your Router's Power with OpenWRT

It is now 2015 and many cyber-security experts are predicting this will be a bad year for internet security. Many people have switched from insecure, proprietary software systems towards more secure open source operating systems on their PCs and phones. This is always a great move, but the weakest link in your network's security likely can be found at the source: your router.

After all, every packet that reaches each of your client devices first passes through your router. Thus, it seems to me that in a logical world, the router's security should be the primary concern of a good system administrator. If you can stop the bad packets before they ever reach your internal network, then your systems will be a lot safer. Surprisingly, this fact is often overlooked, at least in the non-technical populace.

A router, modem, or access point is an embedded system. These systems seldom get security updates, and are often used for long periods of time before they are replaced. Some of them (especially the router/modem/AP combo that Verizon or Comcast gave you), are insecure by design, containing backdoors that allow access to your network at any given time. If you are lucky, there may be a firmware update issued every year or so. But in my experience, the average person never even logs into their router to check if these updates are available. To make matters worse, typically router firmware is closed source, maintained by the company that built the device, and full of security holes. Seldom does a company ever update firmware on existing units yet to be sold, even when a serious exploit is discovered. Why should they care? If your router bricks on you, then you have to buy another router...

So the fate of embedded systems is often a dark one of becoming part of a botnet, or maybe hosting a trojan, allowing unknown entities to spy on the owner's network traffic. Sometimes these entities are Russian hackers, sometimes they are the NSA, sometimes your own ISP, and sometimes they are the same entity or company that built the device, working with law enforcement, happily giving up their encryption keys for a bribe.

I suspect that this may have happened to me recently when my TP-Link WR841N got infected by some nasty piece of malware. I tried reflashing the official firmware over and over, but the virus remained. For a week or so my router sat in my closet, and I ordered a new one. The new router, a Netgear (can't remember the model) that cost me about $70, was even worse than my $20 TP-Link. Netgear firmware is definitely the worst firmware I have ever had the displeasure of using. It was completely dumbed down, and offered fewer features than the cheap TP-Link did. Only your Great Grandma would benefit from such simplicity. For example, it lacked the ability to act as a WPA2 client bridge. Only WEP was offered. Now again, this is 2015. Everyone knows that WEP is broken. Why the hell does a device sold in this day and age only offer WEP as a security option for a WDS system? Pathetic! Not to mention there is no reason in hell that could justify such lameness. That hardware is fully capable of acting as a WPA2 client bridge.

So I returned the Netgear router and finally tried installing OpenWRT on my bricked TP-Link. The only time I've ever been close to as happy with my router is when I was running DD-WRT a few years ago. Since ditching the stock firmware, virtually all of the odd things happening on my network stopped. No longer are there any questionable open ports on any devices, or unexplainable, hostile looking traffic showing up on Wireshark. Everything just works.

OpenWRT is alternative, open source, 3rd party firmware that runs on the Linux kernel. It greatly increases not only the security, but the functionality of your router. It allows you to be the one in control, and not the company that sold you the box. It has been developed almost entirely by volunteer developers seeking to make their systems and networks more secure, and help others to do so as well. The self-interest factor, which I have discussed before, goes a long way in the computer world. That is, if the same people who maintain a system are also the ones using it, there is an inherent self-interest to make sure the system works properly. This is not so much the case with proprietary software. They just sell the stuff... (Remember how none of the Philip Morris executives smoked cigarettes?) My $20 p.o.s. now has more functionality than some routers selling for over $150!

One of the challenges in developing alternative firmware for embedded systems like routers is the lack of sufficient ROM or flash to work with. My TP-Link only has 4 MB of flash and 32 MB of RAM. I have about 160 KB of ROM left after installing OpenWRT, with the graphical interface LuCI. Initially I ran into some trouble after first flashing it because I did not have a GUI to work with, as there was not enough space left to install LuCI. I suppose I was just feeling lazy, because I still had a perfectly good Linux shell to work with. But rather than doing it correctly and building the firmware myself, I found a working build packaged by someone else, with the GUI (LuCI) and all of the functionality the stock firmware provided (and more!). After uploading the firmware, I was able to connect the router to my main access point and use it as a client bridge, with no further configuration needed. But this build came from a questionable website, was downloaded over an insecure HTTP connection, and was also somewhat outdated. Soon enough, trusty Nmap was warning me that fishy things might be happening again. So this time I found a build on OpenWRT's HTTPS-secured forums, with the md5sum available, and I flashed that. But after performing a factory reset, I lost the 'out of the box' WPA2 client bridge functionality!
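The checksum step mentioned above (a build whose md5sum is published on an HTTPS page) can be made a hard gate before flashing. This is an added example, not part of the original post or of OpenWRT's own tooling; the function name `verify_image` and the file names are assumptions, and it goes slightly beyond the post by accepting SHA-256 lists as well as MD5 ones.

```shell
#!/bin/sh
# verify_image IMAGE SUMS_FILE   (hypothetical helper name)
# Exit status 0 only when SUMS_FILE lists IMAGE's file name and the digest matches.
# Assumes file names without spaces, as in typical firmware image names.
verify_image() {
    image=$1
    sums=$2
    [ -f "$image" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }
    name=$(basename "$image")
    # Checksum lists use "<hex>  <name>" or "<hex> *<name>" (binary-mode marker).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
        if (f == n) { print tolower($1); exit } }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 3; }
    # Pick the tool from the digest length: 32 hex chars = MD5, 64 = SHA-256.
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length" >&2; return 4 ;;
    esac
    actual=$("$tool" "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $name"
        return 0
    fi
    echo "MISMATCH ($tool): $name, do not flash" >&2
    return 1
}

# Constructed demo: a stand-in "image" and checksum lists built in a temp directory.
demo_dir=$(mktemp -d)
printf 'constructed firmware bytes\n' > "$demo_dir/factory.bin"
( cd "$demo_dir" && md5sum factory.bin > md5sums && sha256sum factory.bin > sha256sums )
verify_image "$demo_dir/factory.bin" "$demo_dir/md5sums"
verify_image "$demo_dir/factory.bin" "$demo_dir/sha256sums"
# Simulate an image altered in transit: the same list must now reject it.
printf 'x' >> "$demo_dir/factory.bin"
verify_image "$demo_dir/factory.bin" "$demo_dir/sha256sums" || echo "rejected as expected"
```

The check only means something if the checksum list arrived over a channel an attacker does not control, such as HTTPS or a signed list; a list fetched over the same plain-HTTP connection as the image proves nothing.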

This time, I had to learn how to configure it myself, using the bare bones ash shell over SSH. And God damn, am I happy. It was stupid easy to configure the router as a bridge once I found a tutorial and just did it. It was honestly easier and more effective to do so using the shell, rather than the LuCI GUI. Of course, having prior knowledge of how Linux works was very helpful. Perhaps even necessary, because if I had not switched to Linux on my PC two years ago, then chances are I never would have even heard of OpenWRT. Yeah, Unix-based systems do that... they encourage you to use your brain and figure out how computer systems in general work.

OpenWRT runs on a variety of devices. To find out if yours is supported, consult the Table of Hardware. With abundant predictions that this year will be a bad year for computer security, why risk running shitty sub-par, outdated, and never updated firmware on any of your internet connected devices?
