Deleted old topic

really? forget about the money or jewelry, they are looking for routers ... :smiley:

if you are this worried about your router, I don't want to know how you secure your house, car and stuff like that.

Deleted old topic

so why do you worry about your router?

Deleted old topic

really, how can guests get access to your router, while you are away and you say your house is secure :smiley:

You could put in a USB stick and use LUKS (cryptsetup) and /overlay to have your /etc there.

You could also modify the LuCI download-config file to scramble it using XOR, base64 or gzip (without renaming .tar to .tar.gz), or install openssl and encrypt it using some key.

Easiest is to have a cron that checks if a URL exists and has some value on it; when you boot without that you remove the files, and if you detect link:down (someone unplugs) or you couldn't even reach the URL, you rm all /etc files...

I already did something similar to this some time ago and it worked just fine (the URL thing)... and another hidden device connected using ssh to reconfigure the box properly wirelessly.

If you are really paranoid you could do dd if=/dev/urandom of=/etc/fill_white_space; rm /etc/fill_white_space to fill the empty space on the flash chip with random data.
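As an added example in the spirit of the cron-and-URL idea above (my own sketch, not code from the poster), a POSIX sh dead-man check for OpenWrt: it combines the WAN link state with a canary URL and, on failure, closes the LUKS mapping behind /overlay so only ciphertext stays on flash, rather than deleting /etc. The canary URL, expected token, interface and mapping name are assumptions.

```shell
#!/bin/sh
# Dead-man check for a LUKS-backed /overlay (added example, not the poster's code).
# Assumed values; override them from the environment or edit them here.
CANARY_URL="${CANARY_URL:-https://canary.example.invalid/alive}"  # assumed URL
CANARY_TOKEN="${CANARY_TOKEN:-still-home}"                         # assumed body
WAN_IF="${WAN_IF:-eth0}"                                           # assumed WAN interface
LUKS_NAME="${LUKS_NAME:-overlaycrypt}"                             # assumed mapping name

# Kernel view of the link: prints "up", "down" or "unknown" (interface missing).
link_state() {
    cat "/sys/class/net/$1/operstate" 2>/dev/null || echo unknown
}

# Fetch the canary with a short timeout; "ok" only if the body is the exact token.
canary_state() {
    body=$(wget -q -O - -T 5 "$1" 2>/dev/null) || { echo fail; return; }
    [ "$body" = "$2" ] && echo ok || echo fail
}

# Pure decision: keep the volume open only when the link is up AND the canary
# answered correctly. Unplugged cable, no route or wrong body all mean "lock".
decide() {
    case "$1:$2" in
        up:ok) echo keep ;;
        *)     echo lock ;;
    esac
}

# Drop the decrypted view: unmount the overlay and close the LUKS mapping so the
# key material is gone from RAM and the USB stick holds only ciphertext.
lock_overlay() {
    umount /overlay 2>/dev/null
    cryptsetup luksClose "$LUKS_NAME"
}

# Entry point for cron, e.g.  * * * * * . /root/deadman.sh && main
main() {
    link=$(link_state "$WAN_IF")
    canary=$(canary_state "$CANARY_URL" "$CANARY_TOKEN")
    action=$(decide "$link" "$canary")
    logger -t deadman "link=$link canary=$canary action=$action"
    if [ "$action" = lock ]; then
        lock_overlay
    fi
}
```

The decision is kept in its own function so it can be checked offline; only `main` touches the network and the block device.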

Hey there.

I'd suggest putting a decent x86 router in a rack in the basement and keeping the door locked. If you need to do repairs or give it away for repairs, just keep your SSD or HDD at home.

All access points around the house are connected by RJ45 GBit VLAN trunk uplinks. Use a central switch in the basement near the x86 router to connect all APs around the house.

If you stick to wifi with RADIUS instead of a single common secret per SSID, you don't even have to store wifi credentials on your APs.

On your RADIUS server, keep pinging every AP and as soon as it becomes unresponsive for 30 seconds, revoke its unique RADIUS key and lock the managed switch port entirely.

Maybe go for 802.1X on wired connections.
Or treat the RJ45 wires as public and go VPN from AP to router. Then you don't need to shut down switch ports but only revoke VPN certs once your AP becomes unresponsive for a couple of seconds.

I think that's the best you can do.

Regards,
Stephan.

Deleted old topic

Deleted old topic

Deleted old topic

interesting, what do you do when you go to work? Take the router with you?

Deleted old topic

Why do you think that works on an embedded device?
Another thought: while you are away, someone could install, let's call it, a special program on your router, which will send the key.

Deleted old topic

I think there is a problem with the cold boot attack and desoldering. ... Or show me the consumer router with RAM modules that can be unplugged.

Dude, do you work for the NSA or something? ... You could have a portable router with a battery, like the MR3040, hidden in a false ceiling or something, have the files in there, share them using NFS or even better scp, and do a script to detect if the link is down (wireless link). If someone removes your main router they will have no access to the files; if they later find your hidden one it will be erased, and you can even put in a 3G dongle to send an SMS notifying yourself. Even without internet!
You could also put a diode to a paste of phosphorus and a little metal clip inside the router; if someone tries to disassemble it while it is turned on and working, to access the RAM data electronically, then the clip would short-circuit the diode to 12V and ignite the phosphorus (you could potentially also put some firework tape onto the RAM chip or something). IMO thermite is too much for a router.

like this: http://hackaday.com/2013/05/23/laptop-vs-thermite-slow-motion-destruction/

I have a big box with about three dozen TP-Link routers; you just made me want to do something like that to a poor router.

There are countries in the world where using a VPN is illegal, so I somehow understand your needs. Maybe you can use ARP to get the MAC address of your gateway (like a password) and if it is not the predefined value the encrypted overlay will not mount, so this way it can be used only at your home.
That is, if you can depend on the MAC address of your provider.


Deleted old topic

It is a very interesting approach, but this guy seems to be serious about their key not being discovered.

I think it is better to have a device hidden somewhere that is able to wirelessly discover if the protected box is near, connect using ssh and put the key in there in that secure manner (you just automate the same thing you could do using another box),
and secure the box physically (if someone tries to open it while it is working and running it will destroy itself, and if someone turns it off, disconnects it and steals it they will not have the keys, since they are in the hidden box). The hidden box must have battery backup (that's why I recommended the MR3040, for example) and it could have a 3G USB modem too to send SMS/notifications if needed... if the hidden box detects in some way that the main device was compromised it can erase itself automatically, or even on demand by querying some URL every minute or receiving an SMS message...

There are also other considerations, like how to detect if the remote box was compromised, like surveying for a specific SSID and BSSID on a specific known channel, or even connecting to it to query something on the network to make sure that it is not a rogue AP with a hacked wireless key.
The hidden device could be inside a Faraday cage, isolated, with some cable to another device with some sensor (the important one will not be found until the sensor-equipped one is found, because of the electrical isolation). You could put it in vent tubing or something similar to avoid FLIR cameras too.

Please let me know if you see some point of failure in this; so far I think it is really secure, I think it could be even better than any movie-like scenario ever imagined.

When PPPoE connects you should get this:
Tue Aug 8 19:22:19 2017 daemon.notice pppd[10486]: peer from calling number 00:xx:xx:xx:xx:xx authorized
and you can use that with a script, but of course you have the PPPoE user and password on the unencrypted filesystem, plus the mount script, and if they have the time they can figure out how you get the password and make another visit to your router's place to get the MAC address :slight_smile:

So without another external checkpoint it is not so safe, but it could stop the first wave...

edit: you can set a mount-success check inside the encrypted fs to query the PADO https://wiki.mikrotik.com/wiki/Manual:Interface/PPPoE and verify that it is the correct location and, if it is not, to erase everything;
that is, if it is mounted by hand in another location.
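Combining the ARP idea from the earlier post with the pppd log line quoted here, as an added example of my own rather than code from either poster: a POSIX sh location check that reads the gateway MAC from /proc/net/arp or from pppd's "peer from calling number" line and only reports ok when it matches the expected value, which a mount script can use as its gate. The expected MAC and the sample lines are constructed.

```shell
#!/bin/sh
# Gateway-identity check before mounting the encrypted overlay (added example).
# EXPECTED_MAC is an assumed, constructed value; set it to your real gateway/BRAS MAC.
EXPECTED_MAC="${EXPECTED_MAC:-00:11:22:33:44:55}"

# Normalise a MAC for comparison: lowercase hex, colon separated.
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':'
}

# Read /proc/net/arp text on stdin and print the HW address for IP $1.
# Incomplete entries (all-zero MAC) are skipped; nothing is printed if absent.
mac_from_arp() {
    awk -v ip="$1" '$1 == ip && $4 != "00:00:00:00:00:00" { print $4; exit }'
}

# Read pppd log text on stdin and print the last "calling number" (BRAS MAC).
mac_from_pppd_log() {
    sed -n 's/.*peer from calling number \([0-9A-Fa-f:]\{17\}\) authorized.*/\1/p' | tail -n 1
}

# "ok" when the observed MAC matches EXPECTED_MAC, otherwise "mismatch".
# An empty observation is a mismatch too: no evidence means do not mount.
location_check() {
    [ -n "$1" ] && [ "$(norm_mac "$1")" = "$(norm_mac "$EXPECTED_MAC")" ] \
        && echo ok || echo mismatch
}

# Live lookup (assumed paths/tools present on OpenWrt): try the ARP entry of
# the default gateway first, then fall back to the pppd line in logread.
observed_mac() {
    gw=$(ip route show default 2>/dev/null | awk '/default/ { print $3; exit }')
    mac=""
    [ -n "$gw" ] && mac=$(mac_from_arp "$gw" < /proc/net/arp)
    [ -n "$mac" ] || mac=$(logread 2>/dev/null | mac_from_pppd_log)
    printf '%s\n' "$mac"
}

# Gate for the mount script: exit 0 only when the box is where it should be.
at_home() {
    [ "$(location_check "$(observed_mac)")" = ok ]
}
```

Call `at_home && cryptsetup luksOpen ...` from the mount script; the parsing functions take their input on stdin so they can be tested with captured text.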