Fancy Bears versus LEDE-OpenWrt


#1

The FBI and Department for Homeland Security (DHS), in association with the UK's National Centre for Cyber Security (NCSC), have issued a joint Technical Alert about malicious cyber activity carried out by the Russian Government. In summary the alert says:

Specifically, these cyber exploits are directed at network infrastructure devices worldwide such as routers, switches, firewalls, and the Network Intrusion Detection System (NIDS).

So a simple question, how does the Lede community rate the robustness of Lede-OpenWrt in the light of state sponsored cyber attacks?

You can read the Techncal Alert here: https://www.ncsc.gov.uk/alerts/russian-state-sponsored-cyber-actors-targeting-network-infrastructure-devices

Fancy Bears who? https://en.wikipedia.org/wiki/Fancy_Bear


#2

I'm not going to represent that I am an expert on the attack and its vectors.

The most likely weakness is lack of proper configuration of the device; its firewall, exposed services, and login credentials. Failure to follow best practices here means any "hardening" of OpenWRT (or any other OS) isn't going to help. This also includes updating the kernel within days of a new release (if possible), as well as keeping all packages current. This is something of a challenge with OpenWRT, though is significantly better now than it was a couple years ago.

The second most likely weakness, in my opinion, is that relatively "soft" services are provided by default OpenWRT installs, primarily due to the storage constraints of the devices involved. Upgrading to OpenSSH over dropbear, in my opinion, is a valuable step. This also should involve preventing "root" login through SSH.

Protocols targeted in this scanning include:
• Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.);
• Hypertext Transport Protocol (HTTP, port 80);
• Simple Network Management Protocol (SNMP, ports 161/162); and
• Cisco Smart Install (SMI port 4786).

In most current installs of OpenWRT, telnet is not supplied, nor is SNMP or SMI. It hopefully goes without saying that any web server shouldn't be exposed on the "WAN" interface.


#3

Is there anything that points to OpenSSH being more secure than dropbear?


#4

At least in my opinion, OpenSSH/OpenSSL is much more widely examined and tested by professional organizations that are held responsible for their security than is dropbear. Since neither of us likely has the time or expertise to examine the dropbear code for security defects, that is a strong argument for me.

OpenSSH is also much more configurable, from what I know, with respect to access and functionality, in general. The ability to control the cipher and key-exchange methods is crucial, in my opinion. I also appreciate OpenSSH's ability to to provide command-specific, keyed access. While dropbear may provide these functions as well, I have not found any reliable documentation on how to do so, nor do I believe that dropbear supports the current "best-practices" keys, ciphers, and key-exchange methods.

As one recent reference http://www.isg.rhul.ac.uk/~kp/surfeit.pdf

As my boxes have sufficient flash available, I build with OpenSSH/OpenSSL and without dropbear. Failsafe can be patched to use OpenSSH with https://github.com/openwrt/openwrt/pull/865 or something that better pleases jow at some time in the future.


#5

This has to do with totally broken stock firmware, not really OpenWrt. At least not in any default capacity.


#6

I've seen a few people make that argument lately, yet there is little merit to it.

  • Dropbear has a much smaller codebase than OpenSSH. It's open source as well, just like OpenSSH. Bigger codebase means deeper crevices, more holes crappy code might be hiding in. Sure, I do trust the OpenBSD people to do a thorough job. On the other hand, tons of 'professional' organisations (OEMs selling network equipment!) are using OpenWrt (and Dropbear) as well.
  • You can disable password logins rather easily with Dropbear, which would be the main weakness short of any exploits afaik.
  • Dropbear has a much more limited feature set than OpenSSH, and as such is harder to misconfigure (or break) - and we all remember what Debian did to OpenSSL's RNG right? We also remember why people were complaining about OpenSSL and its poor state in general: large codebase, underfunded, few vendors actually willing to sponsor it but everybody using it. And now everybody's forking it, instead of funding it (Google e.a.).

If anything, I'd rather stick with Dropbear over OpenSSH for embedded. I do have an x86 OpenWrt setup myself with plenty of space to install OpenSSH, but I'm sticking with Dropbear: it does the job, and I won't bother configuring different SSH daemons on multiple devices. My time is valuable as well. Similarly, space constraints were the main reason for OpenWrt to pick Dropbear afaik, and it will remain the main reason for quite a while. Low flash devices aren't going away, really; they'll be around for years to come, as people will keep buying budget, entry level hardware.

I can perfectly understand why you're happy with OpenSSH, but quit promoting it as a viable Dropbear replacement. It isn't, unless you have plenty of space. And most people don't.


#7

The "main" issue for not using OpenSSL and/or OpenSSH is mainly due to size. I don't think @jeff is wrong by saying that it's more often audited therefore "better quality" however that doesn't necessarily mean that it's better / more safe just because. Just expect X to be just as bad or good depending on your point of view unless it's proven :wink:

There's also another SSH(d) available called tinyssh https://tinyssh.org/ which may potentially be suitable for devices with very limited storage such as most mips based devices however that uses yet another crypto lib and requires inetd/tcpserver or similar software. It's not really an issue on ARM devices in general however that's a very small percentage compared to MIPS I'd imagine.

That said, replacing "core" components in OpenWrt can a bit of chore and potentially break functionality such as LuCI/UCI to some extent.

In an ideal world, a SSH daemon that used mbedtls would be a good tradeoff but that's not available to my knowledge.


#8

State sponsored cyber attacks... Russian government? Really?! Nice cover to hide your actions, just blame it on Russia... People keep forgetting about PRISM back in the days.

In any case I believe there's almost no protection against intelligence services hackers. I'm pretty convinced that attacks like spectre and meltdown or similar were already known to state actors for quite a while.


#9

Footnote: Four Fancy Bears, a.k.a the GRU, were caught by the Dutch on a wireless fishing trip to the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Hague.

In their cyber arsenal was a directional Wifi aerial, a 2.4GHz signal booster and an Atheros based TP-LINK TL-WN722N high gain USB dongle; possibly running Kali Linux? And I was thinking neo-cyber spies use Apple watches from department 'Q'.

:bear: Please visit our fancy ebay auction...

:penguin: We think you guys might need to miniaturize your spy computer system?


#10

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.