Which is the best router from a security point of view?

I watched Mr Robot and now I'm wondering how secure our routers really are... At the end of the day you only need to manipulate or eavesdrop a few packets to compromise an entire infrastructure. The weakest link is always the one which gets exploited...
So the question is, what's a good router which has up-to-date chips which are secure from a security point of view?
I don't care about speed >10Mbps; I would like to have a device which is secure and has enough flash memory to run opkg update and openvpn.

Current up-to-date OpenWRT versions do not have known vulnerabilities that I know of. There is really no way to know how vulnerable we are to "secret" vulnerabilities that haven't been discovered yet (except by malware authors maybe). But I think you can say that the best security you will have for your router is to run a fairly default OpenWRT distribution on a modern piece of well-supported hardware. For example a WRT32x or an x86 machine or any of the "ideal for openwrt" routers in the table of hardware.

4 Likes

To add to that, the most common vulnerabilities seem to be the ones that the owners bring on themselves, like:

  • Poor passwords
  • Insecure access to the device
  • Web access to the device
  • Running application software on the device
  • Failure to promptly update when patches become available
  • Trusting someone else's firewall rules
  • Using firewall rules that "make things easy"
  • Enabling UPnP

(The list goes on...)

2 Likes
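The list above is a configuration checklist, so here is an added example (my own, not code from the thread or from the OpenWrt project) that audits a directory of OpenWrt-style UCI config files for several of those self-inflicted weaknesses: a firewall default input policy of ACCEPT, a rule that accepts WAN traffic to the router itself, the web UI bound to all addresses over plain HTTP, SSH password logins, and UPnP enabled. File and option names follow OpenWrt's /etc/config/* layout; the two sets of sample configs are constructed for the demo, with the "weak" set beside the corrected one.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): audit a directory of
# OpenWrt-style UCI config files for the self-inflicted weaknesses listed above.
# File names and option names follow OpenWrt's /etc/config/* layout; the sample
# configs written by the helper functions below are constructed for the demo.

# Success when some "config <type>" section of FILE has a line matching REGEX.
uci_section_matches() {
    awk -v type="$2" -v re="$3" '
        /^config[ \t]/ { in_sec = ($2 == type); next }
        in_sec && $0 ~ re { found = 1 }
        END { exit !found }' "$1"
}

# Success when a firewall "config rule" accepts traffic from wan and has no
# dest zone, i.e. the traffic terminates on the router itself.
wan_input_accept_rule() {
    awk '
        function flush() { if (in_rule && src_wan && accept && !has_dest) found = 1 }
        /^config[ \t]/ { flush(); in_rule = ($2 == "rule"); src_wan = accept = has_dest = 0; next }
        in_rule && $1 == "option" && $2 == "src"    && $3 ~ /wan/    { src_wan = 1 }
        in_rule && $1 == "option" && $2 == "target" && $3 ~ /ACCEPT/ { accept = 1 }
        in_rule && $1 == "option" && $2 == "dest"                    { has_dest = 1 }
        END { flush(); exit !found }' "$1"
}

report() { echo "FINDING: $1"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }

# Scan DIR: prints one FINDING line per weak setting, leaves the count in AUDIT_FINDINGS.
audit_openwrt_config() {
    d="$1"; AUDIT_FINDINGS=0
    [ -f "$d/firewall" ] && uci_section_matches "$d/firewall" defaults "input[ \t]+.ACCEPT" \
        && report "firewall default input policy is ACCEPT"
    [ -f "$d/firewall" ] && wan_input_accept_rule "$d/firewall" \
        && report "a firewall rule accepts WAN traffic addressed to the router"
    [ -f "$d/uhttpd" ] && uci_section_matches "$d/uhttpd" uhttpd "listen_http[ \t]+.0[.]0[.]0[.]0" \
        && report "web UI listens on all addresses over plain HTTP"
    [ -f "$d/dropbear" ] && uci_section_matches "$d/dropbear" dropbear "option[ \t]+PasswordAuth[ \t]+.on" \
        && report "SSH accepts password logins"
    [ -f "$d/upnpd" ] && uci_section_matches "$d/upnpd" upnpd "enabled[ \t]+.1" \
        && report "UPnP is enabled"
    return 0
}

# Constructed "make things easy" configuration: one weak setting per check above.
write_weak_configs() {
    d="$1"
    printf '%s\n' "config defaults" "    option input 'ACCEPT'" "" \
        "config rule" "    option name 'Allow-Web-WAN'" "    option src 'wan'" \
        "    option dest_port '80'" "    option target 'ACCEPT'" > "$d/firewall"
    printf '%s\n' "config uhttpd 'main'" "    list listen_http '0.0.0.0:80'" > "$d/uhttpd"
    printf '%s\n' "config dropbear" "    option PasswordAuth 'on'" "    option Port '22'" > "$d/dropbear"
    printf '%s\n' "config upnpd 'config'" "    option enabled '1'" > "$d/upnpd"
}

# The same files corrected: reject unsolicited input, admin access from LAN only,
# web UI bound to the LAN address over HTTPS, key-only SSH on the LAN, UPnP off.
write_hardened_configs() {
    d="$1"
    printf '%s\n' "config defaults" "    option input 'REJECT'" "" \
        "config rule" "    option name 'Allow-Web-LAN'" "    option src 'lan'" \
        "    option dest_port '443'" "    option target 'ACCEPT'" > "$d/firewall"
    printf '%s\n' "config uhttpd 'main'" "    list listen_https '192.168.1.1:443'" > "$d/uhttpd"
    printf '%s\n' "config dropbear" "    option PasswordAuth 'off'" "    option Interface 'lan'" > "$d/dropbear"
    printf '%s\n' "config upnpd 'config'" "    option enabled '0'" > "$d/upnpd"
}

# Demo: audit both constructed directories.
demo_dir=$(mktemp -d)
write_weak_configs "$demo_dir"; audit_openwrt_config "$demo_dir"
echo "weak config: $AUDIT_FINDINGS finding(s)"
write_hardened_configs "$demo_dir"; audit_openwrt_config "$demo_dir"
echo "hardened config: $AUDIT_FINDINGS finding(s)"
rm -rf "$demo_dir"
```

On a real device the same function can be pointed at /etc/config; the checks are deliberately section-aware (a `config rule` with a `dest` zone is a forward, not input to the router), which is why a plain grep for `'wan'` would not do.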

Once you install OpenWrt on them, all routers are pretty much equally secure.

1 Like

x86 (despite its flaws) is most likely the most "secure" platform at the end of the day simply because it gets by far the most attention from upstream. In general I think you can/should expect that 64-bit is more "safe" regardless of whether it's x86/ARM or whatever, and is the way to go if you want longevity, at least by looking at the trends upstream and in open source (and closed) products/software.

2 Likes

Something with mainstream OpenWRT with mainstream uBoot most likely. Assuming the code is clean all that could be vulnerable is something in the hardware itself (quite unlikely but still possible).

In reality your risk of being hacked is a function of how easy you are to hack and how valuable a target you are. If you have a reasonably secure setup (mainstream OpenWRT on a mainstream router) you’ll be a tough mark and opportunistic hackers will move on to the next target. Unless you have state secrets or millions in bitcoin you’re probably not that valuable either.

@diizzy

Incorrect, Intel x86 is the most vulnerable to spectre/meltdown so I'd say ARM is definitely more secure.

Spectre and meltdown require something running on your router; as soon as a third party has the ability to run stuff on your router you have already lost, well before they use Spectre or meltdown.

2 Likes

All software vulnerabilities require running something on your computer. This can for example be triggered by remote execution through vulnerabilities in programs running on your router.

1 Like

Right, so a router with zero remote execution vulnerabilities is immune to problems regardless of its Spectre or meltdown status. But if your router does have a remote execution vulnerability it is hackable, regardless of Spectre or meltdown. In other words, Spectre and meltdown don't really make a difference for a router.

1 Like

Is armv8 the most secure architecture? Is there any router running this?

Keep an eye on the patches and updates; it will at least keep you safe from the attackers that usually keep scanning for the vulnerabilities in the news, i.e. fresh vulnerabilities or zero-day ones.

On the other hand, you can hardly do anything about attacks on the wireless level; you don't even get to know that you are compromised. A guy just passing by you can endanger your privacy.

Any of the architectures are likely to be more secure than any of software running on them. The hardware, at least in my opinion (as long as not from Huawei, ZTE, or the likes), is a minor, nearly trivial concern compared to software and its configuration.

3 Likes

@escalade
Did you miss https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability? @dlakelan and @jeff pretty much sum it up in general.

1 Like

@diizzy

Miss what? Your article confirms what I'm saying: "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism"

Most current cores (used in routers etc.) are more or less; the only exception is the A53 to my knowledge.

1 Like

Yeah, while all x86 CPUs are vulnerable to the point of not being possible to fix. New ways to exploit them are being found all the time.

EDIT: Thought you said aren't, most ARM routers aren't AFAIK. Have anything to support this claim?

1 Like

That probably falls into the "less interest" category for now, I'm sure we will see new ones on either platform so I'd be very careful claiming that X is better than Y. I still think that the software running and configuration is more of a concern as others mentioned earlier.

Did you even look at that list? A7/A9 etc. are used in most ARM-based routers for consumers.

Could we stop the somewhat OT sub-thread about which architecture is more vulnerable, please? From the OP's perspective (as far as I understood) neither ARM nor x86 gives the kind of guarantees that he/she seems to desire.
IMHO security is a perpetual whack-a-mole game, with complacently relying on the superiority of a specific architecture being a problematic attitude...
Tracking known vulnerabilities and updating timely as well as not relying on the router being a strong security barrier should get you far (modulo nation-state attacks, but let's face it even a secure router will not help much then, as indicated already above).

Well from a security perspective it's not OT. Anyone who wants good security must consider everything that is exploitable...