Is it possible to hack my router on low level?

Generally, I think it is a question that covers all routers, but this is the one place I know to ask such a question. So, if for some reason a hacker is able to access the web interface, he can flash images. And he can flash absolutely anything to it, to any partition. So what if he flashes some low-level partition that OpenWrt will not cover, for example the bootloader? Then he will be able to integrate into the bootloader some kind of remote access server and an implementation of a port knock daemon. To me it will look just like some glitch, but after such an operation, even if I reflash OpenWrt, he will still be able to control my device. And I will never be able to discover his server, as I don't know the port knocking combination and for me the port will be closed. Is such a scenario, or a similar one with other partitions, possible?

Well, the main problem of installing a rootkit inside a router is that the bootloader does not run in a custom, undocumented CPU that runs before the main CPU. That is a problem with x86 and its EFI/BIOS and Intel ME. In particular, Intel ME runs inside a hidden CPU, with a hidden OS, inside the CPU and sends encrypted packages through any network interface without the OS even noticing.
Problems like DMA corruption using Thunderbolt ports (which requires a patched kernel and a CPU with IOMMU to be fixed) are also problems specific to how x86 works.

In ARM (the vast majority of modern routers) there are not that many resources. See, your main CPU is probably the only general purpose CPU in the router. WLAN and crypto engines have their own CPUs, but they are not general purpose. Downloading a firmware to do something nasty to it is not trivial.

By downloading a custom bootloader, what can be done is to patch the kernel before it loads, because in ARM, once the kernel takes control of the CPU, the bootloader code is discarded and cannot be run until the next CPU reset (because Linux overrides the interrupt vector table), and then it enables address space layout randomization.

The bootloader is small and it does not have too much space for doing fancy patches to a kernel. It may not be trivial to patch a kernel with so few resources. Remember that you will have to store the patcher and the patch itself.

So maybe it's not as easy to do as it might seem. Of course, smart people will totally do it. There are a lot of consoles, Android phones and old iPods whose firmware has been corrupted by a non-malicious rootkit that unlocks the device.


One more thing: if you have physical access to the device, you can discover anything that is sent to the network; that is, you will know that something you've not programmed is sending/downloading things from the Internet.

In fact, that's how Intel ME was discovered to send encrypted packages to some random Intel server...


Huge thanks for the information!

  1. By "discovering anything" in case I have physical access, do you mean sniffing all packets with an external device?
  2. I see that OpenWrt doesn't flash the bootloader partition, so is it possible to find the original bootloader of my router anywhere and reflash it manually? For example, I use a TP-Link router; maybe the original firmware that is placed on their web site contains the bootloader.

This is highly dependent on the particular router model. Often, only the firmware partition is flashed by a router upgrade via the web interface. Though, of course, an attacker can try to flash an image which then replaces the bootloader as well, after reboot.
Anyway, many router models have open source bootloaders which can be compiled and installed along with OpenWrt, but it has to be done manually and, of course, an incorrectly flashed bootloader would brick the router so it could be recovered only via JTAG/programmer.

Check the history of TP-Link backdoors before considering that to be a security enhancement.

Is there any automatic tool to dump the router bootloader from ROM (flash, or whatever I should call it) and check it against a legit bootloader?

Manually, cat, dd, nanddump, diff, various hash tools. Automatically, doubtful. Even if there were, how do you even know your “reference” is not compromised?

Personal opinion - most home routers are like shooting fish in a barrel. It's not worth the time to try to hide something in the boot loader partition.
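The manual procedure named above (dd the partition out, hash it, compare against a reference) as an added example; this is not code from the thread or from OpenWrt. It locates a partition by name in the kernel's `/proc/mtd` table, dumps it with `dd`, and compares its SHA-256 with a reference hash you supply. The partition name `u-boot` and the reference hash are placeholders for whatever your board and your trusted reference actually use; the caveat from the reply still applies, since the check is only as good as the provenance of that reference hash.

```shell
#!/bin/sh
# Added example (not from the thread): dump an MTD partition and compare it
# with a known-good SHA-256. Needs root to read /dev/mtdN on the router.
# Uses only busybox-compatible tools: grep, cut, head, dd, sha256sum.

# Resolve a partition name (e.g. "u-boot") to its /dev/mtdN device by
# parsing a /proc/mtd-style table. The table path defaults to /proc/mtd;
# a second argument lets you point it at a saved copy.
mtd_device_for() {
    name="$1"; table="${2:-/proc/mtd}"
    dev=$(grep "\"$name\"\$" "$table" | head -n1 | cut -d: -f1)
    [ -n "$dev" ] || return 1
    echo "/dev/$dev"
}

# Print only the hex digest of a file's SHA-256.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Raw read-only dump of a partition (or any file) to an output image.
dump_partition() {
    dd if="$1" of="$2" bs=64k 2>/dev/null
}

# Dump $1 to $3 (default /tmp/part.bin) and compare with reference hash $2.
# Returns 0 on match, 1 on mismatch, 2 if the dump itself failed.
verify_partition() {
    src="$1"; ref="$2"; out="${3:-/tmp/part.bin}"
    dump_partition "$src" "$out" || return 2
    actual=$(file_sha256 "$out")
    if [ "$actual" = "$ref" ]; then
        echo "OK       $src sha256=$actual"
        return 0
    fi
    echo "MISMATCH $src expected=$ref got=$actual"
    return 1
}

# Convenience wrapper: verify a partition by its /proc/mtd name.
verify_mtd() {
    dev=$(mtd_device_for "$1") || { echo "no partition named $1" >&2; return 2; }
    verify_partition "$dev" "$2" "/tmp/$1.bin"
}

# Usage on the router: sh check_boot.sh u-boot <reference-sha256>
# Nothing runs when the script is merely sourced or called without arguments.
if [ $# -ge 2 ]; then
    verify_mtd "$1" "$2"
fi
```

Keep the dumped image (`/tmp/<name>.bin`) if the hash does not match: it is the artifact you would diff against the vendor image with `cmp -l` or a hex dump, and it is the first thing a forensic look at the device would want. Do not write to the MTD device from this script; a read of the partition is harmless, a write with the wrong image is the JTAG recovery the earlier reply warns about.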
