Used Router - Any advice for security/anti-malware best practices?

Hi guys :slight_smile:
recently I bought a used Netgear R7800 router and I performed a factory reset then successfully installed OpenWrt 23 on it
(I already have some experience using and configuring OpenWrt on another router).

Before I start using this used router on my network, are there any security/malware related checks I need to do on it?

For example, I'm aware that some malware can infect routers using firmware vulnerabilities. In case the old owner has been infected by one of them, is there any possibility the malware can survive an OpenWrt flash? (e.g. on a PC some malware can infect the BIOS and auto-install on the OS after a clean install)
Can I search for any malicious process in the logs or in the running processes?

Any help or suggestions are very welcome :smiley:

I think what you've done is all that can be done.

5 Likes

I would say the biggest risk is to connect this kind of unknown router to your computer before installing OpenWrt without knowing what it brings to the party.

It may work or it may result in an infected computer or ransomware?

Yeah, I know that's a risk; for this reason I factory reset it and used a Linux notebook to install OpenWrt to reduce risks (probably I should have used a live distro to reduce the risk even more but...). Btw the notebook seems ok, so I hope for the best.

About the router: is the hardware similar to a PC (e.g. a BIOS/firmware that starts the OS) so a malware can hide in it and then install itself on OpenWrt, or can flashing wipe out dangerous code? (if any, obviously)

There is a boot process in network equipment with for example u-boot.

I doubt the boot process could change the content of the ROM firmware image.

In theory it could mount something in runtime ram.

But why make the job so hard? If the earlier owner wanted to do something, they would simply build a bogus firmware and install it. Then it doesn’t matter what you did, since there is no factory reset to reset to.

Oh, I don't know about those firmwares, you scared me enough :rofl:
When I asked this question my idea was about malware/exploits from malicious websites/apps, not installed on purpose. I cannot be 100% sure but I don't think the previous owner was interested in selling a router with malware in it. On the seller page it looked more like an old product not used anymore... but obviously that is only my opinion.

I don't know what to do, maybe I'll try to leave it connected to the internet for a while (but with no other devices connected to it) and check the processes in OpenWrt using a live Linux distro :thinking:

Those kinds of bots are pretty much always running in RAM, which means they don’t survive a simple reboot. I mean a power off, wait 30 seconds and power on so the RAM gets drained.

They usually have a mother server somewhere in the world that keeps the record of where and what the bots do.

Usually after a reboot the mother server sends a new one the same way it came in to begin with, and that way is almost always some kind of known bug in the more or less old firmware.

The chance that OpenWrt and the old firmware have the same known bug is very slim.

1 Like
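The reply above says a RAM-resident bot vanishes after a power cycle and that the re-infection path is a firmware bug OpenWrt is unlikely to share. The original poster also asked how to look for a malicious process. The script below is an added example, not code from the thread or from the OpenWrt project: a busybox-sh audit helper that flags running programs and listening sockets whose program name is not in an allowlist of stock OpenWrt 23.05 daemons, and on a live box also lists init scripts no installed package owns. The allowlist, the `/tmp/.x` entries and the sample `ps`/`netstat -lntup` output are assumptions/constructed data, not captured from a real R7800.

```shell
#!/bin/sh
# Added example, not from the thread: a small audit helper for a freshly
# flashed OpenWrt box, written for busybox sh. It reports running programs
# and listening sockets whose program name is not in an allowlist of stock
# OpenWrt daemons. The allowlist and the sample "ps"/"netstat" output are
# assumptions/constructed data; adjust the list to the packages you installed.

# Assumed set of programs on a stock OpenWrt 23.05 image (add e.g. "sshd"
# if you installed openssh-server).
ALLOWLIST="init procd ubusd netifd logd rpcd urngd ntpd dnsmasq odhcpd odhcpc dropbear uhttpd hostapd wpa_supplicant crond ash sh busybox"

# allowed NAME: succeed if NAME is in ALLOWLIST.
allowed() {
    for p in $ALLOWLIST; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unknown_processes: read busybox "ps" output on stdin, print the basenames
# of processes that are neither kernel threads nor allowlisted, one per line.
# A script started through an interpreter ("ash /tmp/x.sh") is reported by
# the script name, so hiding behind the shell does not help.
unknown_processes() {
    awk 'NR > 1 && $5 !~ /^\[/ {
            n = $5; sub(/.*\//, "", n)
            if (n == "ash" || n == "sh" || n == "busybox") {
                for (i = 6; i <= NF; i++) if ($i !~ /^-/) { n = $i; break }
                sub(/.*\//, "", n)
            }
            print n
         }' |
    sort -u |
    while read -r name; do
        allowed "$name" || echo "$name"
    done
}

# unexpected_listeners: read "netstat -lntup" output on stdin, print
# "proto local-address program" for listening sockets whose owning program
# is not allowlisted (an unknown program bound to a port is a strong hint).
unexpected_listeners() {
    awk '/^(tcp|udp)/ { n = $NF; sub(/^[0-9]+\//, "", n); print $1, $4, n }' |
    while read -r proto addr prog; do
        allowed "$prog" || echo "$proto $addr $prog"
    done
}

# audit_live: run the checks against the running system (OpenWrt only).
audit_live() {
    echo "== processes not in the allowlist =="
    ps | unknown_processes
    echo "== listeners not owned by an allowlisted program =="
    netstat -lntup | unexpected_listeners
    echo "== init scripts not owned by any installed package =="
    for f in /etc/init.d/*; do
        [ -n "$(opkg search "$f" 2>/dev/null)" ] || echo "$f"
    done
    echo "== persistence files worth reading by hand =="
    ls -l /etc/rc.local /etc/crontabs/* /etc/hotplug.d/*/* 2>/dev/null
}

# Constructed sample output (not captured from a real R7800): a stock-looking
# process list plus two planted entries under /tmp/.x.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1464 S    /sbin/procd
    2 root         0 SW   [kthreadd]
  862 root      1156 S    /sbin/ubusd
  900 root      1520 S    /sbin/netifd
 1100 dnsmasq   1800 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c
 1300 root      1200 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22
 1400 root      1100 S    /usr/sbin/uhttpd -f -h /www -p 0.0.0.0:80
 1900 root       812 S    /tmp/.x/httpd -p 51234
 1950 root       600 S    ash /tmp/.x/upd.sh'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1300/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/uhttpd
tcp        0      0 0.0.0.0:51234           0.0.0.0:*               LISTEN      1900/httpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1100/dnsmasq'

# Dry run on the constructed samples; "--live" runs audit_live on the router.
if [ "$1" = "--live" ]; then
    audit_live
else
    printf '%s\n' "$SAMPLE_PS" | unknown_processes
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
fi
```

Run it once right after the power cycle and again after the router has been online for a day; anything that appears only in the second run, or anything living under `/tmp`, is what the reply above is talking about. The allowlist is the weak point of this approach: a bot that names itself `dnsmasq` passes, so treat the script as a quick first look, not as proof of a clean box.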

In cyber security there is the concept of “found memory”…

“Ohh, someone have left a USB flash drive here on the floor, wonder what it contains. Let’s put it in a computer and have a look”.

After that the Iranian nuclear centrifuges self destructed.

But the Iran example was only the most well-known case. This method has been used over and over again because human psychology is always the same. People are curious and want to be good and helpful.

Why do you think new HDDs, SSDs, flash drives etc. come in security-labeled cases?

1 Like

ok, so better to throw it in the bin then? :rofl:

If you start by giving us the answer you want, we can give you the right question after.

If it is possible to track the device ownership from factory to you, the trust issue is probably easier. If you find something cheap around the corner in the trash bin, well, “play around and find out”.

Sadly the Netgear R7800 is not in production anymore, nor can I find an online shop with any of them left in the warehouse. So I tried searching for a used one.
Before buying I was aware the previous owner cannot be trusted in any case, but I thought that even if the device has been infected (by the owner or by an online threat) it can be removed as you can do with a PC.

XR500 is the almost identical successor/replacement (that shares the device recipe in OpenWrt). But that is probably out of production by now too.

Easier might have been to use the OEM TFTP recovery flash routine. You would not have needed to launch the old OpenWrt or OEM firmware at all.

Neither OEM nor OpenWrt firmware installs touch the u-boot part, so it stays as original from Netgear.

The GLinet.MT6000 is a good replacement if it fits your budget.

@hnyman
Does using TFTP erase u-boot to clean previous data?
(so is it safer than flashing from the Netgear web UI?)

Thanks @darksky for the suggestion, that router seems very good. It's not cheap but it seems one of the best alternatives right now to have good performance.

To my knowledge, neither factory reset nor TFTP flash touches the u-boot variables. U-boot just loads the main firmware, which then has the settings in various files inside the normal filesystem.
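The last two replies make the same point: web UI, sysupgrade and TFTP recovery all leave the u-boot partition and its variables alone. That is something you can check rather than take on trust. The script below is an added example, not code from the thread or from the OpenWrt project: it hashes the bootloader partitions before and after a reflash so a diff shows whether they moved. The partition names (`0:APPSBL` for u-boot, `0:APPSBLENV` for its environment) and the sample `/proc/mtd` are assumptions modelled on an ipq806x NAND layout, not a dump from a real R7800; read your own `/proc/mtd` and adjust `PARTS`.

```shell
#!/bin/sh
# Added example, not from the thread: helpers to fingerprint the bootloader
# partitions on an OpenWrt device so you can check that a reflash (web UI,
# sysupgrade or TFTP) really left u-boot untouched. Partition names and the
# sample /proc/mtd below are assumptions modelled on an ipq806x NAND layout;
# read your own /proc/mtd and adjust PARTS.

# Assumed partition names holding u-boot and its environment on the R7800.
PARTS="0:APPSBL 0:APPSBLENV"

# mtd_device_for NAME: read /proc/mtd text on stdin, print /dev/mtdN for the
# partition called NAME (prints nothing if it does not exist).
mtd_device_for() {
    awk -v want="\"$1\"" '$NF == want { sub(/:$/, "", $1); print "/dev/" $1 }'
}

# hash_file PATH: print the SHA-256 of a file or of a raw mtd char device.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# snapshot_bootloader OUTFILE: write "hash name" lines for every partition in
# PARTS. Run once before and once after flashing, then compare the two files.
snapshot_bootloader() {
    : > "$1"
    for name in $PARTS; do
        dev=$(mtd_device_for "$name" < /proc/mtd)
        [ -n "$dev" ] || { echo "no partition named $name" >&2; continue; }
        # Reads the raw char device; a NAND bad block will abort the read.
        echo "$(hash_file "$dev") $name" >> "$1"
    done
}

# compare_snapshots BEFORE AFTER: succeed only if the two snapshots match.
compare_snapshots() {
    cmp -s "$1" "$2"
}

# Constructed sample /proc/mtd (not a dump from a real device).
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00140000 00020000 "0:MIBIB"
mtd2: 00140000 00020000 "0:SBL2"
mtd3: 00280000 00020000 "0:SBL3"
mtd4: 00120000 00020000 "0:DDRCONFIG"
mtd5: 00140000 00020000 "0:SSD"
mtd6: 00280000 00020000 "0:TZ"
mtd7: 00280000 00020000 "0:RPM"
mtd8: 00100000 00020000 "0:APPSBL"
mtd9: 00040000 00020000 "0:APPSBLENV"
mtd10: 00140000 00020000 "0:ART"'

# "--snapshot FILE" takes a real snapshot on the router; otherwise do a dry
# run that only resolves the partition names against the constructed sample.
if [ "$1" = "--snapshot" ] && [ -n "$2" ]; then
    snapshot_bootloader "$2"
else
    for name in $PARTS; do
        echo "$name -> $(printf '%s\n' "$SAMPLE_MTD" | mtd_device_for "$name")"
    done
fi
```

Usage on the router is `sh audit.sh --snapshot /tmp/before.txt`, flash, then `sh audit.sh --snapshot /tmp/after.txt` and `compare_snapshots`. Two caveats a practitioner should keep in mind. First, a matching hash only proves the reflash did not touch those partitions; it says nothing about whether the bootloader the previous owner left there is the one Netgear shipped, because there is no published reference hash to compare against. Second, the environment partition can change legitimately (anything that calls `fw_setenv` from the uboot-envtools package rewrites it), so a difference there is a prompt to read the variables, not evidence of tampering by itself.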