On 2014-07-25 12:22, valdis.kletni...@vt.edu wrote:
> On Thu, 24 Jul 2014 22:06:38 -0700, George Herbert said:
>> Any idea how well CeroWRT stands up to nation-state level intrusion efforts?
>
> If they are as determined as FBI v Scarfo (the FBI pulled a black bag job to install a keystroke logger in a mobster's PC to capture his PGP passphrase), it's pretty much "game over". Isn't much the average router-class hardware can do to protect itself at that point.
Of course. Physical access is root access. We know this.
> The second big challenge is that to the best of my knowledge, there exists no router-class hardware that includes a TPM chip,
OpenWRT x86? Run it on a decently specced laptop a couple gens old (like a Dell Latitude 6500 or so). That's got TPM, plenty of RAM.

Of course you can run on a server board (Dell Poweredge or something). I prefer pfsense myself for full blown kit.
> which means that you're not going to be able to implement a trusted boot environment. This means that we're stuck with trusting at least part of the boot process (though we can probably trust the first stage boot loader on a 3800, as that appears to be in an actual ROM, and we'll have to trust the bootstrap code on the flash, but if we use a signed kernel, everything after that can have some trust attached.)
Right.
> There's a number of attack surfaces left on CeroWRT, starting with the usual "find a 0-day and point it" - good targets there are the Linux network stack, the IPtables code, dropbear (which is nice, but almost certainly not audited as heavily as OpenSSH), and Luci. And yes, reflecting an attack off a browser behind the router is *very* much in scope - *most* of the pwned router attacks we see come from javascript or other executables pointed at the usually well-known router address from a PC behind the router.
Agree 100%
> All the way to pulling a MITM on downloads from Dave Taht's repositories. The combination of DNSSEC, trusted crypto signatures on the download package, and OpenWireless's plans to use Tor to do the software download should make it a *lot* harder to attack via that route.
Oooo. I'll have to clone that methodology for the FNF downloads.
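The last quoted paragraph leans on a signed download package to blunt a MITM on the repository path. As an added example (not code from this thread, CeroWRT, OpenWireless or FNF), the following Go program shows both halves of that check with Ed25519 and a hypothetical manifest format: the client verifies the signature over the manifest first and only then compares the image digest, so a substituted image or a rewritten manifest is refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release: the image plus the manifest the publisher signs. Manifest format (hypothetical): "<hex sha256>  <name>\n".
type Release struct {
	Manifest  []byte
	Signature []byte
	Image     []byte
}

// SignRelease is the publisher side: hash the image, write the manifest, sign the manifest.
func SignRelease(priv ed25519.PrivateKey, name string, image []byte) Release {
	sum := sha256.Sum256(image)
	manifest := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name))
	return Release{Manifest: manifest, Signature: ed25519.Sign(priv, manifest), Image: image}
}

// VerifyRelease is the client side. The signature is checked first, so a manifest
// altered in transit is rejected before its digest is ever compared against the image.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, r.Manifest, r.Signature) {
		return errors.New("manifest signature does not verify: refusing image")
	}
	fields := bytes.Fields(r.Manifest)
	if len(fields) < 2 {
		return errors.New("manifest is malformed")
	}
	want, err := hex.DecodeString(string(fields[0]))
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest carries no valid sha256 digest")
	}
	got := sha256.Sum256(r.Image)
	if !bytes.Equal(got[:], want) {
		return errors.New("image digest does not match signed manifest: refusing image")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key; a real client pins the publisher's key
	fmt.Println(VerifyRelease(pub, SignRelease(priv, "demo.bin", []byte("constructed image bytes"))))
}
```

The publisher key must reach the client out of band (baked into the image or pinned on first install); fetching it over the same path the attacker controls would defeat the check.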