What are the chances there's a hardware backdoor/exploit in many of these routers?

With the recent news of a supposed 'god' mode in Intel chips, Chinese backdoors into servers, and even iPhone 'exploits', what do you suppose are the chances that there's a backdoor/exploit for typical consumer router hardware?

In China the government is even requiring hotels to use certain models of routers.

It's more likely they don't bother hiding spyware inside the hardware when they can include it in the firmware.
That way is more effective in development, production, support and update.

I thought OpenWrt handles the firmware/drivers?

Talking about embedded devices, it's common practice to refer to the operating system, with drivers and compiled software, as firmware.

1 Like

I understand that, but does OpenWrt use any closed-source/proprietary code? From my understanding everything is open source, so to exploit an OpenWrt/LEDE-flashed router they would have to find a bug in the code or backdoor the hardware.

Of course, nobody can prove anything to you.
However, you see, there are countries where the government has no need to hide total surveillance and censorship.
They push laws to make it legitimate and use higher-level instruments to control it instead of utilizing some low-level backdoor which might not even work correctly.

OpenWrt can/does include BLOBS.

"Open source" is always "to a point", as virtually nothing is built out of raw gates anymore. Whether it's visible blobs of firmware, burned into the device during production, mask programmed, or just in the design itself, there are parts of the system that are "firmware" that you just have to trust.

It wouldn't surprise me if there are more "backdoors" out there discovered, as generally complex systems need testing that can't be done "black box" and at least development versions are often laden with coprocessors and testing hooks. There's only so much that ASIC simulation can do -- especially when you're down at the scale of today's chips when physics starts getting strange.

1 Like
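The point above is that an "open" image still carries opaque vendor blobs you have to trust. What a practitioner can do about that is at least inventory them and pin their hashes, so that a blob that changes or appears between builds is noticed. The script below is an added example, not OpenWrt project code: it walks an extracted rootfs, hashes every file under the directories where OpenWrt keeps firmware blobs and kernel modules (the directory list and the allowlist are assumptions you would adapt to your own image), and reports blobs that are unknown, changed, or missing relative to a previously reviewed allowlist. The sample rootfs it builds is constructed for the example.

```python
"""Inventory firmware blobs in an extracted OpenWrt-style rootfs and compare
their SHA-256 hashes against a pinned allowlist from a previously reviewed build.
Added example; the sample rootfs, file names and allowlist are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: standard rootfs layout; these are where opaque vendor code lives.
BLOB_DIRS = ("lib/firmware", "lib/modules")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large blobs don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_blobs(rootfs: Path) -> dict:
    """Map each blob's path (relative to the rootfs) to its SHA-256."""
    found = {}
    for sub in BLOB_DIRS:
        base = rootfs / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                found[p.relative_to(rootfs).as_posix()] = sha256_of(p)
    return found


def diff_against_allowlist(inventory: dict, allowlist: dict) -> dict:
    """Classify blobs: unknown (not pinned), changed (hash differs), missing (pinned but gone)."""
    unknown = sorted(p for p in inventory if p not in allowlist)
    changed = sorted(p for p in inventory if p in allowlist and allowlist[p] != inventory[p])
    missing = sorted(p for p in allowlist if p not in inventory)
    return {"unknown": unknown, "changed": changed, "missing": missing}


# Constructed content of the one blob the allowlist already knows about.
KNOWN_BLOB = b"\x7fELF" + b"\x00" * 64


def build_sample_rootfs(root: Path) -> None:
    """Constructed sample rootfs: one pinned blob, one unexpected blob, one non-blob file."""
    (root / "lib/firmware/example-wifi").mkdir(parents=True)
    (root / "lib/firmware/example-wifi/fw.bin").write_bytes(KNOWN_BLOB)
    (root / "lib/firmware/extra.bin").write_bytes(bytes(range(32)))
    (root / "etc").mkdir()
    (root / "etc/config").write_text("not a blob\n")  # outside BLOB_DIRS, ignored


def demo() -> dict:
    """Build the sample rootfs, inventory it and diff against a constructed allowlist."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_rootfs(root)
        inv = inventory_blobs(root)
        # Allowlist as pinned from an earlier reviewed build (constructed): the known
        # blob's hash, plus a blob that the earlier build shipped and this one dropped.
        allow = {
            "lib/firmware/example-wifi/fw.bin": hashlib.sha256(KNOWN_BLOB).hexdigest(),
            "lib/firmware/old.bin": "0" * 64,
        }
        return diff_against_allowlist(inv, allow)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The diff output is the review trigger: an "unknown" or "changed" entry means a blob you have never looked at (or one that silently changed) is about to ship, and "missing" tells you a previously pinned blob vanished, which is worth understanding too. The allowlist itself should live in version control next to the build configuration so the pinned hashes are reviewed like any other change.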

That's not what I asked. We are not talking about the faceless FISA courts that rubber-stamp surveillance warrants on their citizens.

This is purely a technical speculative talk about the security of commoditized consumer routers.

OK, let's speculate.
There's neither hardware nor software without bugs, and some of them may lead to security vulnerabilities.
Whether it's intentional or unintentional, the cause doesn't really matter.
And even if there are no bugs today, it doesn't mean there won't be any tomorrow.
The power of OpenWrt as part of OSS is the higher possibility of finding and fixing those bugs faster.

1 Like

Well, there are always bugs in every piece of software, but do you think a 'god' mode exists for ARM processors within these routers? You guys work close to the metal, so I figured you would have some insight.

A responsible person wouldn't share such information in this way if they knew it anyway.

https://cve.mitre.org/

1 Like

Dunno, ask your friends at Huawei what's in their production silicon that isn't on the datasheet.

In my opinion, it's far too easy to break SOHO devices without any hardware exploits, so any intentional efforts would be pushed to the desktop and above, especially networking gear, and even more interestingly to that on the backbone.

Why doesn't OpenWrt/LEDE start designing and manufacturing hardware? I'd imagine a lot of people would be willing to shell out a premium for an open-source-designed hardware/software package. Plus there wouldn't be any more of those threads asking "what's the best router for LEDE/OpenWrt". It would help fund development and could even put several people full-time on development.

As far as hidden hardware backdoors from China, one would simply randomly select routers to be X-rayed on the production line. It's not impossible, just a matter of money and will.

I am not familiar with the LEDE/OpenWrt community and haven't done any firmware development myself, but the business opportunity is mouth-watering. Think of all those people with cryptocurrency, sensitive government documents, etc. It's a huge vacuum in the market.

You can't "X-ray" to find this kind of hardware flaw (intentional or otherwise). When they say, for example, that there is a coprocessor on the chip, you're talking about tens or hundreds of thousands of gates in among the hundreds of millions, or billions in the chip. The size of a gate is now around 10 nm -- a millionth of a millimeter.

Looking at a very powerful core, compared to what is needed to provide access to the inner workings of a modern SoC:

Arm processor with a total floorplan area of 0.007 mm² in a 40nm technology process

Something like a Z80 core is vanishingly small, and could easily "poke" a JTAG-like interface.

1 Like

I guess if you don't own a foundry then all points of security are moot... There must be a way.

Or, for that matter, get one with transistors you can see.

Been a couple of years since I sat in front of a PDP box with my hair blowing in the warm breeze, tru-blu ma bell *nix was special, the HW not so much. Maybe just dust off a 6502 dev box.

1 Like

There's a huge business opportunity here to have LEDE-endorsed hardware, even if you can't guarantee security.

That comes up from time to time, yet nobody has been able to put forward even a marginal business plan that I've seen for either how a small firm could profit from it, or why any major manufacturer would consider it. Should you have something interesting, there are many funding sources available.

2 Likes