I purchased a Xiaomi Mi Router AX3000T and flashed the router with OpenWrt. Can it still contain malware?

We know many Chinese routers contain hidden backdoors to control devices; this truly worries me, as I made sure to flash OpenWrt on the router for privacy control. I hope to put my combined modem/router in bridge mode and connect it to the WAN port. Am I at risk?

Which routers contain malware? And what type?

If it is in the boot loader it could still exist I guess?


Almost all (and I mean almost all) compromised router malware does not survive a reboot.

That said:
There is a reason all those agencies do not trust Chinese hardware, but, if it makes you feel better, they suck at designing chips.

Note: But I sense this is very important to you, so get a wall timer and shut down your router for about five minutes at a time you are least likely to need it, and have the timer come back on 5 minutes after.

Why a wall timer?
Because even if they come in while you are away, they cannot hack a wall timer.

Note 2: What I suggested might get lost in translation, so let me go General Patton and say it so it cannot be misunderstood:

Once a day, for five minutes, turn it off, then back on. Or the shortest resolution your timer has over 5 minutes.


Okay, I did a deep dive and there are routers that have backdoors that come from China.

It is at the firmware level.

So, OpenWrt is not vulnerable.

However, they exploit this by pinging routers, and a router that "accepts" a ping, with their firmware, allows them in.

By default OpenWrt rejects pings, so you should be safe. If you want, you can drop pings altogether, but I was told it could tie up someone else's resources trying to make a legitimate ping.
I, confidently, think you are safe, but I hate saying something and being wrong (like I just did), and I'm going to put a couple more hours into it just to be sure it cannot survive OpenWrt.

Do me a favor and next time you want to know about backdoors, don't call it malware out of the gate.

I really felt bad I had not caught what was lost in translation.
Lost in translation happens a lot here.


Okay:
This says they are compromising Cisco with stolen certificates used by subsidiaries (Cisco, by another name) to exploit Cisco's own backdoors, which Cisco provides to those subsidiaries to grant access for easier deployment of patches, etc.

Cisco denies this, but it means that the exploit is there by Cisco's doing. And it is at a firmware level.

Then I went to the ArsTechnica forum (which, I believe, you must have an account for), because they tend to cut through the BS, even on articles written or posted on Ars.

The general consensus is: if OpenWrt has an official procedure page for your device and you follow it, your install is safe.
That said, they did not argue that just being supported meant the same thing; they went out of their way to debate, and agreed that if your device has a fully developed page with issues and workarounds included, they trust OpenWrt (I do not know how else to put it other than "supported" does not mean "approved", because they feel that much effort would include looking at the EEPROM/bootloader).

Hope that helps.

If you want to check for open ports, go here, click proceed, wait for the page to fully load, and click 'all service ports'.
It will say fail, but they want everything dropped.

Last edit:
IoT are much more dangerous and should be pounded with a sledgehammer until they float away in a mist.


No, we don't; the WAN firewall rule is actually called 'Allow-ping', and it is right at the top of the rules list.


No, he cannot.
Yesterday I was just looking at the contents of the bootloader from this router in a disassembler.

booting process on AX3000T

```c
  try_value = 0i64;
  // read the per-slot "unconfirmed boot" counters from the environment
  _flag_try_sys1_failed_s = getenv("flag_try_sys1_failed");
  if ( _flag_try_sys1_failed_s )
    _flag_try_sys1_failed = str2ull(_flag_try_sys1_failed_s, 0i64, 10);
  else
    _flag_try_sys1_failed = 0i64;
  _flag_try_sys2_failed_s = getenv("flag_try_sys2_failed");
  if ( _flag_try_sys2_failed_s )
    _flag_try_sys2_failed = str2ull(_flag_try_sys2_failed_s, 0i64, 10);
  else
    _flag_try_sys2_failed = 0i64;
  check_reset_fw();
  if ( (unsigned int)check_factory_mode() == 1 )
  {
    setenv("uart_en", "1");
    setenv("boot_wait", "on");
  }
  if ( a3 == 2 )
  {
    // slot given explicitly on the command line
    boot_fw_num = str2int(*(_BYTE **)(a4 + 8), 0i64, 10i64);
  }
  else
  {
    flag_try_sys1_failed_s = getenv("flag_try_sys1_failed");
    if ( flag_try_sys1_failed_s )
      flag_try_sys1_failed = str2ull(flag_try_sys1_failed_s, 0i64, 10);
    else
      flag_try_sys1_failed = 0i64;
    flag_try_sys2_failed_s = getenv("flag_try_sys2_failed");
    if ( flag_try_sys2_failed_s )
      flag_try_sys2_failed = str2ull(flag_try_sys2_failed_s, 0i64, 10);
    else
      flag_try_sys2_failed = 0i64;
    flag_ota_reboot_s = getenv("flag_ota_reboot");
    if ( flag_ota_reboot_s )
      flag_ota_reboot = str2ull(flag_ota_reboot_s, 0i64, 10);
    else
      flag_ota_reboot = 0i64;
    flag_last_success_s = getenv("flag_last_success");
    if ( flag_last_success_s )
      flag_last_success = str2ull(flag_last_success_s, 0i64, 10);
    else
      flag_last_success = 0i64;
    if ( flag_ota_reboot > 1 || flag_last_success > 1 )
    {
      // flags out of range: fall back to slot 0
      boot_fw_num = 0;
    }
    else
    {
      if ( flag_try_sys1_failed )
        try_sys_is_OK = flag_try_sys2_failed == 0;
      else
        try_sys_is_OK = 1;
      if ( !try_sys_is_OK )
        log("Boot failure detected on both systems\n");
      if ( flag_ota_reboot )
      {
        // first boot after an OTA update: try the slot that was just written
        boot_fw_num = 1 - flag_last_success;
        flag_boot_success_s = getenv("flag_boot_success");
        if ( flag_boot_success_s )
        {
          if ( str2ull(flag_boot_success_s, 0i64, 10) )
          {
            zero_param = "flag_boot_success";
          }
          else
          {
            // the new image never reported success: roll back
            log(" INFO: ota reboot failed, swap to old firmware! \n");
            setenv("flag_ota_reboot", "0");
            boot_fw_num = flag_last_success;
            zero_param = "flag_upgrade_push";
          }
          setenv(zero_param, "0");
        }
      }
      else
      {
        // normal boot: stay on the last good slot unless it has failed more than 5 times
        if ( flag_last_success )
          _try_sys = flag_try_sys2_failed > 5;
        else
          _try_sys = flag_try_sys1_failed > 5;
        try_sys = _try_sys;
        boot_fw_num = 1 - flag_last_success;
        if ( !try_sys )
          boot_fw_num = flag_last_success;
      }
    }
  }
  // assemble the kernel command line for the chosen slot
  v11 = sprintf_s(cmdline, 256i64, "%s", "console=ttyS0,115200n1 loglevel=8 swiotlb=512 rootfstype=squashfs");
  v12 = (unsigned int)sprintf_s(&cmdline[v11], 256i64 - v11, " firmware=%d", boot_fw_num) + v11;
  v13 = v12;
  if ( boot_fw_num )
    fw_num_s = sprintf_s(&cmdline[v12], 256 - v12, " mtd=ubi1");
  else
    fw_num_s = sprintf_s(&cmdline[v12], 256 - v12, " mtd=ubi");
  *(_QWORD *)&v15 = (unsigned int)(fw_num_s + v13);
  uart_en_s = getenv("uart_en");
  _uart_en_s = (const char *)uart_en_s;
  if ( uart_en_s && (unsigned int)sub_41E63510(uart_en_s, (__int64)"0") )
    *(_QWORD *)&v15 = v15 + (unsigned int)sprintf_s(&cmdline[v15], 256i64 - v15, " uart_en=%s", _uart_en_s);
  if ( (unsigned int)check_factory_mode() )
  {
    sprintf_s(&cmdline[*(_QWORD *)&v15], 256i64 - *(_QWORD *)&v15, " factory_mode=%s", "1");
    setenv("uart_en", "1");
    setenv("boot_wait", "on");
  }
  setenv("bootargs", cmdline);
  // bump the chosen slot's counter before booting; the running system is expected to clear it
  if ( boot_fw_num )
  {
    setenv("flag_boot_rootfs", "1");
    sprintf_s((char *)&try_value, 8i64, "%ld", _flag_try_sys2_failed + 1);
    try_name = "flag_try_sys2_failed";
  }
  else
  {
    setenv("flag_boot_rootfs", "0");
    sprintf_s((char *)&try_value, 8i64, "%ld", _flag_try_sys1_failed + 1);
    try_name = "flag_try_sys1_failed";
  }
  v19 = setenv(try_name, &try_value);
  saveenv(v19, v20);
  log(
    "Booting System %d, sys1_failed = %d, sys2_failed = %d\n",
    boot_fw_num,
    _flag_try_sys1_failed,
    _flag_try_sys2_failed);
  sub_41E24594();
  if ( boot_fw_num )
    target_ubi = "ubi1";
  else
    target_ubi = "ubi";
  v22 = bootm(target_ubi);
```
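To make the listing easier to follow, here is a C model of the slot-selection logic it shows (an added example, not remittor's listing nor Xiaomi's code); the `boot_env` struct is a constructed stand-in for the U-Boot environment variables the loader reads with getenv(), and the explicit-slot (`a3 == 2`) path is left out.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the slot selection in the decompiled AX3000T loader
 * above (an added example, not the loader's code); the struct stands in for
 * the U-Boot environment variables the listing reads with getenv(). */
typedef struct {
    unsigned long try_sys1_failed;  /* unconfirmed boots of slot 0 (ubi)  */
    unsigned long try_sys2_failed;  /* unconfirmed boots of slot 1 (ubi1) */
    unsigned long ota_reboot;       /* 1 = first boot after an OTA write  */
    unsigned long last_success;     /* slot that last booted successfully */
    int have_boot_success;          /* flag_boot_success present in env   */
    unsigned long boot_success;     /* its value when present             */
    unsigned long boot_rootfs;      /* written back as flag_boot_rootfs   */
} boot_env;
/* Returns 0 for "ubi" or 1 for "ubi1" and updates the flags the loader
 * writes back with setenv()/saveenv() before calling bootm. */
int select_boot_slot(boot_env *e) {
    int slot;
    if (e->ota_reboot > 1 || e->last_success > 1) {
        slot = 0;                            /* implausible flags: slot 0 */
    } else if (e->ota_reboot) {
        slot = 1 - (int)e->last_success;     /* try the freshly written slot */
        if (e->have_boot_success) {
            if (e->boot_success) {
                e->boot_success = 0;         /* consume the success marker */
            } else {                         /* new image never confirmed */
                e->ota_reboot = 0;
                slot = (int)e->last_success; /* swap back to old firmware */
            }
        }
    } else {
        unsigned long fails = e->last_success ? e->try_sys2_failed
                                              : e->try_sys1_failed;
        /* more than five unconfirmed boots of the good slot: use the other */
        slot = fails > 5 ? 1 - (int)e->last_success : (int)e->last_success;
    }
    /* the counter is bumped before boot; the booted OS is expected to reset it */
    if (slot) { e->boot_rootfs = 1; e->try_sys2_failed++; }
    else      { e->boot_rootfs = 0; e->try_sys1_failed++; }
    return slot;
}
boot_env after_boot(boot_env e) { select_boot_slot(&e); return e; }
int boot_slot(boot_env e)       { return select_boot_slot(&e); }
/* Kernel command line assembled for a slot (factory/uart additions omitted). */
const char *bootargs_for(int slot) {
    static char buf[256];
    snprintf(buf, sizeof buf, "console=ttyS0,115200n1 loglevel=8 swiotlb=512 "
             "rootfstype=squashfs firmware=%d mtd=%s", slot, slot ? "ubi1" : "ubi");
    return buf;
}
```

Nothing in this path loads code from anywhere but the two UBI slots; the flags only decide which slot is tried and when to roll back, which is why a failed image (or a firmware that never clears its counter) ends up on the other slot after more than five boots.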

Thank you so much, remittor. I am assuming you mean the router cannot contain malware; can you please explain this a little bit more, as I am very new to the bootloader and it's my first time seeing it.

They dug into the most basic part of the router, its heart, so to speak. Everything starts there.

They did you a great service and called it clean.

And PLEASE stop calling it malware when you are, really, concerned about backdoors!


Just another time I'm wrong.

The worst part:

"The affidavit said elsewhere that the prevention measures would be neutralized if the routers were restarted. These devices would then be once again vulnerable to infection".