Hardening against physical access

I need to install some OpenWrt hardware in a remote place.
I will actually use it only to log into it via ssh, and then make some network requests from there. So it will not be used as a router.

I cannot limit who has access to the device, so I would like to harden it against tampering via physical means. I know it is impossible to achieve 100% security, but any pointer for deterring less sophisticated attackers? Or at least be aware of tampering attempts?

If someone wipes it, it's not a big deal. My bigger concern would be if someone can tamper with it in a way that I do not realize, and then use it to spy.

So I think I would need to:

  1. encrypt the storage to avoid /etc/config being read
  2. protect it from connecting via ethernet and access to LuCI, etc. without the password

Any pointer much appreciated.

The only remotely sensible option would be physical protection, aka cast it in concrete (respectively milder forms of this idea), hide it in the ceiling, etc.

Encryption in this scenario has one unsolvable issue (apart from not being supported by OpenWrt's early boot infrastructure): what happens if the system crashes or experiences a power cut? Unless you're willing to drive over on-site to boot it and enter the password - each and every time, you can't close that loophole in software.

4 Likes

I agree with @slh.

If you want to get a bit more 'tricky' with it, you could disable all unused physical ports, and for any ports that need to be available, you can set it with a VLAN ID (tagged), a random-ish LAN address, and no DHCP server. Combined with a strong password, this would stop almost all casual efforts to do anything with the router since it would require time and determination to try to figure out how to get in.

However, this leaves the failsafe mode open... so, you could do a similar thing 'baked-in' the default network configuration by making your own custom image. Keeping in mind that failsafe has no password, you'd be relying on the tagged VLAN ID and the IP address of the router to be not easily guessed or otherwise known by anyone with physical access. It won't stop someone who really wants to get in, but it would at least make it more difficult. Be careful, though -- done wrong, you will make it hard even for yourself to gain access (maybe requiring serial port access).

3 Likes
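The layout suggested in the post above (one tagged VLAN on the only port that stays usable, a random-ish static address, no DHCP server), as an added example that is not part of the original thread. It assumes a DSA-based OpenWrt build whose required port is named `lan1` (hypothetical), runs on an admin workstation and only prints `uci batch` commands; it covers normal boot only, so failsafe stays open exactly as the post says.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints UCI commands; changes nothing.
# Assumption: the one port that must stay usable is called "lan1"
# (check the real name with `ip link` on the device).

# rand_between LO HI: integer in [LO, HI] drawn from /dev/urandom
rand_between() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( $1 + n % ($2 - $1 + 1) ))
}

# Random tagged VLAN ID; 1 (usual default) and 4095 (reserved) are skipped
gen_vlan_id() { rand_between 2 4094; }

# Random /24 inside 10.0.0.0/8 with a random host part for the router
gen_lan_addr() {
    echo "10.$(rand_between 0 255).$(rand_between 0 255).$(rand_between 2 254)"
}

# emit_uci PORT VLAN ADDR: print a `uci batch` script.
# "lan" is moved off the br-lan bridge (which spans every port) onto a
# tagged sub-interface of PORT, and every address server on it is disabled.
emit_uci() {
    cat <<EOF
set network.lan.device='$1.$2'
set network.lan.proto='static'
set network.lan.ipaddr='$3'
set network.lan.netmask='255.255.255.0'
set dhcp.lan.ignore='1'
set dhcp.lan.ra='disabled'
set dhcp.lan.dhcpv6='disabled'
commit network
commit dhcp
EOF
}

# Record the printed VLAN ID and address somewhere safe before applying:
# without them (or serial access) you lock yourself out as well.
emit_uci "${PORT:-lan1}" "$(gen_vlan_id)" "$(gen_lan_addr)"
```

Review the output, then feed it to `uci batch` on the router and restart the network service.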

That might slow down a motivated attacker by 5 minutes at most, provided they have the most basic experience with UN*X and embedded systems.

Heck, imagining a rented cabin in the woods scenario and all night to hack the system, even reading out the flash with a clamp and SPI-NOR flasher wouldn't take more than 15-20 minutes at most - not leaving any visual clues behind.

2 Likes

That's why I made it clear that it will only stop casual attacks. I completely agree that it is only a minor inconvenience if someone is determined.

Aren't we all forgetting the most obvious route of abusing physical proximity, the console port?

Not really, I was just pointing out the futility of this endeavour against even more involved approaches (reading the flash directly, something you can't really prevent) - everything else just makes it easier (and yes, the serial console is easier, but if you already have the case opened up, reading the flash with a clamp is just a minor step further).

Locked cabinets with alarms exist for a reason.

But then we have the other ends of all your ethernet cables…

Indeed alarmed enclosures on both ends :wink: Optical fiber in between.

Why not some small explosive charge to destroy the router in case an unauthorized user opens the alarmed enclosure?? It seems to me that there is a lack of imagination here :rofl:

2 Likes

it did come to mind :rofl:

1 Like

And then, the alligator moats came up, and the discussion went downhill from there... :slight_smile:

This is standard security for any seasoned IT pro... but, maintenance of this system is a bit cumbersome and can be expensive, too.

1 Like

Alligators season their food??? I had no idea... Live and learn... :slight_smile:

1 Like

Did you not pay attention in class?? There's a reason we salt our hashes.

1 Like

Must have ditched class that day and gone gator-baitin' instead...

OP might consider IP-over-Avian-Carrier to the router if laying cables thru the moat becomes problematic (or outright lethal IMHO). This method has extremely high bandwidth; but unfortunately high latency too.

At least, if something goes wrong...you have salt to recycle the Layer 2 device. :poultry_leg:

1 Like

Why would you propose such an obsolete method? Ravens are the future...

1 Like

Ravens aren't as tasty in case of network failure.

1 Like