I need to install some OpenWrt hardware in a remote place.
I will actually use it only to log into it via ssh, and then make some network requests from there. So it will not be used as a router.
I cannot limit who has access to the device, so I would like to harden it against tampering via physical means. I know it is impossible to achieve 100% security, but any pointers for deterring less sophisticated attackers? Or to at least be aware of tampering attempts?
If someone wipes it, it's not a big deal. My bigger concern would be if someone can tamper with it in a way that I do not realize, and then use it to spy.
So I think I would need to:
- encrypt the storage to avoid /etc/config being read
- protect it from connecting via ethernet and access to LuCI, etc. without the password
The only remotely sensible option would be physical protection, aka cast it in concrete (respectively milder forms of this idea), hide it in the ceiling, etc.
Encryption in this scenario has one unsolvable issue (apart from not being supported by OpenWrt's early boot infrastructure), what happens if the system crashes or experiences a power cut. Unless you're willing to drive over on-site to boot it and enter the password - each and every time, you can't close that loophole in software.
If you want to get a bit more 'tricky' with it, you could disable all unused physical ports, and for any ports that need to be available, you can set it with a VLAN ID (tagged), a random-ish LAN address, and no DHCP server. Combined with a strong password, this would stop almost all casual efforts to do anything with the router since it would require time and determination to try to figure out how to get in.
However, this leaves the failsafe mode open... so, you could do a similar thing 'baked-in' the default network configuration by making your own custom image. Keeping in mind that failsafe has no password, you'd be relying on the tagged VLAN ID and the IP address of the router to be not easily guessed or otherwise known by anyone with physical access. It won't stop someone who really wants to get in, but it would at least make it more difficult. Be careful, though -- done wrong, you will make it hard even for yourself to gain access (maybe requiring serial port access).
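As an added example (not from the thread or from the OpenWrt project), the shell function below audits `uci show network; uci show dhcp` output for the three port measures suggested in the reply above: tagged VLAN, non-default address, no DHCP server. It assumes the wired interface is the UCI section named `lan`; the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit `uci show network; uci show dhcp` output.
# Assumption: the wired interface is the UCI section named 'lan'.
# Prints one line per finding; exit status is the number of findings.

audit_lan() {
    dev="" ip="" ignore="" vid="" findings=0
    while IFS='=' read -r key val; do
        val=${val#\'}; val=${val%\'}          # strip UCI's single quotes
        case "$key" in
            network.lan.device|network.lan.ifname) dev=$val ;;  # ifname: older releases
            network.lan.ipaddr) ip=${val%%/*} ;;                # drop a /prefix suffix
            dhcp.lan.ignore)    ignore=$val ;;
        esac
    done
    # 1. Tagged VLAN: device must be an 802.1Q sub-device such as eth0.37.
    #    VLAN 1 is treated as a finding because it is the usual default ID.
    case "$dev" in *.*) vid=${dev##*.} ;; esac
    case "$vid" in ''|*[!0-9]*) vid=0 ;; esac  # no suffix, or not numeric
    if [ "$vid" -lt 2 ] || [ "$vid" -gt 4094 ]; then
        echo "FINDING: lan device '${dev:-unset}' is not on a tagged VLAN (ID 2-4094)"
        findings=$((findings + 1))
    fi
    # 2. Address: must be set and must not be the OpenWrt default.
    if [ -z "$ip" ] || [ "$ip" = "192.168.1.1" ]; then
        echo "FINDING: lan address '${ip:-unset}' is missing or the well-known default"
        findings=$((findings + 1))
    fi
    # 3. DHCP: the server must be disabled on this interface.
    if [ "$ignore" != "1" ]; then
        echo "FINDING: DHCP server still answers on lan (dhcp.lan.ignore is not 1)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample resembling a stock configuration (not from a real device).
audit_lan <<'EOF' || echo "$? finding(s)"
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
EOF
```

The check covers only the running configuration in /etc/config; failsafe mode boots with the image's built-in defaults, so it passes this audit without being any harder to reach.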
That might slow down a motivated attacker by 5 minutes at most, provided they have the most basic experience with UN*X and embedded systems.
Heck, imagining a rented cabin in the woods scenario and all night to hack the system, even reading out the flash with a clamp and spi-nor flasher wouldn't take more than 15-20 minutes at most - not leaving any visual clues behind.
Not really, I was just pointing out the futility of this endeavour against even more involved approaches (reading the flash directly, something you can't really prevent) - everything else just makes it easier (and yes, the serial console is easier, but if you already have the case opened up, reading the flash with a clamp is just a minor step further).
OP might consider IP-over-Avian-Carrier to the router if laying cables thru the moat becomes problematic (or outright lethal IMHO). This method has extremely high bandwidth; but unfortunately high latency too.
At least, if something goes wrong...you have salt to recycle the Layer 2 device.