Off topic? It's specifically what he is asking for in the OP. Spectre/Meltdown is pretty huge, so if you're buying a new router just pick one with a CPU that's not vulnerable to it and you're better off than with any x86. Obviously you won't be fort knox.
it was said that x64 is probably better... do you agree?
Not at all, absolutely every x86/x86_64 chip is vulnerable.
Unless you're going for legacy hardware it's all going to be 64-bit on x86, the majority of ARM hardware is still 32-bit (routers etc) but you can find 64-bit if you can live with barebone solutions such as the Espressobin board and Turris MOX. That said, depending on what size your tinfoil hat is there are few things to consider and also things like longetivity.
Without going too much off topic I'd say that the wireless part is the only reason why I still look at MIPS/ARM for networking.
Well, but then the only secure router is no router... Really the whole point is a trade-off as there is no absolute security. As I wrote "not relying on the router being a strong security barrier " gets you much further than looking at hardware exploits, especially as long as software exploits are going to be much more prevalent. Even hackers go for the low hanging fruit first....
As a first approximation everything is exploitable and nothing is absolutely secure, the question IMHO should not be "is it possible" but rather "is it likely"...
Yes, IMHO the OP posed a question about router security and not intricate details of hardware exploits on different CPU families, so I consider this subthread comparing x86 (both Intel and AMD exploitable) with ARM (mostly exploitable as well) not really helpful.
Well, this is not how I a) understand the question and b) I do not think this is a reasonable line of discission, as witnessed by the esoteric discussion which is more exploitable x86 or arm.
That said, personally I do find this sub-thread rather interesting but I seriously doubt this will help the OP understanding the issue properly. Then again this is my personal opinion, so just as valid as yours
Well, Meltdown is huge in that it only seems to affect Intel and this seems rather less subtle than the other spectre-subtypes. But then AMD seems impervious to meltdown, so not even this is observation is a clear recommendation against x86 and for arm (if at all all of this points to sticking to MIPS as they only list a total of two cores being affected by spectre), no?
Well the list of affected ARM cores also indicates that this is going to be tricky. Especially since us endusers typically can't pick and choose (I'll have A53 with a side of 1Gbps switch and 802.11ac wifi please), but have to rely on what the market offers.
BUT, I bet that for most router's out there spectre/meltdown kind of exploits are not the most iportant security threat, so i believe one should only look at these details after dealing with the more likely security breaches first.
+1 I have a hunch that mostly people in this discussion agree and we are violently fighting about the small details...
So, how about you a) try to get a reasonable secure router installed, and then b) treat it as if it would be compromised? Say, leave the router at doing its routing/NAT job, but more the VPN endpoint to a somewhat better secured endpoint within your local network?
The less services your router runs the smaller its exploitable attack surface....
He specifically said "which has up-to-date chips which are secure", which I interpret as hardware and then obviously spectre/meltdown comes to mind. As he is looking to buy a new one, he can choose one which is not exploitable so it certainly is helpful.
Qualcomm Krait 300's aren't affected AFAIK. They are used in IPQ8064/IPQ806 SoC's. What you "bet" on being most important security wise is irrelevant, as he is specifically looking to purchase a router that's as secure as possible then he should pick one that's not vulnerable how hard is that to understand?
Nobody is saying that it would be absolutely secure and that he should not look at other security breaches. I completely agree that running less services on the router would be best.
Once more: Spectre and meltdown are not remotely exploitable attacks, your router has to be compromised already before they become relevant. It's like asking which bullet proof chest plate will keep a bullet from exiting the front of your chest after being shot in the back... Too late for that to really matter
And more to the point, with all the attention x86 gets its drivers and etc which DO have remote exploits will be fixed faster, thereby making it a better bet overall even if Spectre or meltdown aren't fixable. Overall it's by far the better choice for routers.
The very important issue for Spectre and meltdown is when you have multiple virtual machines or containers, and one of them is remotely exploited say through unpatched ssh vulnerability or similar, and the Spectre or meltdown techniques can then allow the exploiter to expand the exploit to other virtual guests or the host.
I got hung up on:
Which to me indicated a rather broad inquiry by an open mind with not necessarily much prior exposure to the security topic. And in that context, I think it more helpful to show the full picture than just focus on small details. But you are right the question was explicitly about hardware.
The complete lack of public information from qualcomm regarding this makes me suspect that they are actually affected. At least in a security sensitive context as this thread I would not recommend using those...
I note that https://spectreattack.com/spectre.pdf contains the following "Finally, we have also successfully mounted Spectre attacks on several ARM-based Samsung and Qualcomm processors found in popular mobile phones." as well as https://www.theregister.co.uk/2018/01/06/qualcomm_processor_security_vulnerabilities/ which states " Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable."
While this does not directly implicate krait 300 as being affected it clearly shows that qualcomm is not a vendor for the security conscious.
Well, a "bet" is an probability estimate that I am willing to back up with real money...
Well, the problem is that all of us lack the information to do so, I just happen to be more open about this than others here. The point is any decently performing out-of-order speculative CPU is very likely to contain at least on of the family of exploits/side-channels that have been first introduced as spectre, I find it very optimistic that one CPU architecture that offers modern performance levels should be not affected by it. Hence my advice to explicitly treat the router as compromised... That should, to use your words, not be hard to understand either? But hey I really do not want to get into a fight here, so peace. I believe we are much closer in our positions than this discussions seems to indicate.
Everything is a probability... My question was about security which includes both the hardware and the software
Short of disconnecting from the Internet or so severely restricting access to services as to make the use of the Internet nearly impossible, you can reduce the probability of compromise with, for example:
- Two border firewalls, running entirely different OSes (meaning, for example, BSD and Linux)
- Inter-zone firewalls
- No services at all running on any of your firewalls or routers, not even DNS and especially not DHCPv4 (which runs the interface in promiscuous mode)
- Two different IDS systems with automated notification and shutdown of connections
- Two, secure, authenticated, centralized logging systems
- Two log-analysis tools
- Isolation of various "trust levels" on their own networks
- Appropriate end-point security
- Continuous monitoring and updating of all security-related software
As pointed out repeatedly above, most of the hardware-related issues have to do with breakdowns in interprocess isolation on the same host, not "outside" attacks.
Typically software is the easier Target, and hardware flaws only enhance the ability of a compromise to be escalated. I think there have been some "magic packet" type remote execution flaws that are hardware related but not many, and they aren't relevant to the Spectre etc flaws they're more like exploitable driver bugs for certain NICs or certain BIOS features like wake on lan or whatever.
The first question is what is the priority, for example if you need to route and shape a gigabit or more then only x86 machines will do it, so it's pointless to discuss 400Mhz MIPS machines unless security is so important that you are willing to choke your gigabit down to 70Mbps or whatnot.
Everything is a trade-off. If I had high security requirements I would run x86 as a main router using debian stable with security updates, booting off a physically write locked SD card and hand build the firewall etc. I would then take my highest value targets and put them behind a transparent firewall bridge: a device that has no IP addresses but filters packets passing through it. This can be done with bridge netfilter and iptables. I would also have this device mirror all the packets passing through it to a second machine running Snort or similar again with promiscuous interface that has no IP address. Each of the high value targets behind the transparent bridge filter would have its own firewall, and all these devices would be backed up to off-site disconnected media on a randomly generated schedule by rolling a physical 12 sided die to determine the next day to swap the media.
Updates would proceed by going to a third party public location such as a library, and downloading a new Debian image, updating it there and then write protecting the SD card and returning to swap it out and reboot the router.
How high value are the targets? If all that sounds expensive and time consuming then the targets aren't high value enough to bother. If instead you run an active hedge fund then you might want to replicate this across 3 separate geographically diverse locations in at least two different countries that don't have extradition treaties with each other... Etc
As an example, Verisign runs both Linux and FreeBSD =)
threat modelling should be the first step, indeed
With two, independently developed security models, it is less likely that both will be breached in a single-vector attack.
Though somewhat off-topic of a Linux-based discussion, FreeBSD and other BSD-based systems offer much stronger protection of the file system, raw devices, and firewall than is typically available on Linux-based systems. Interested readers can consult https://www.freebsd.org/cgi/man.cgi?query=security&sektion=7 and, for example, compare the protections of
kern.securelevel with those provided by
chattr and the like.
I'd be more concerned over those aforementioned misconfigured firewalls. I personally can't seem to figure out how they work or what some of the bridge settings might do (esp. in LuCi, since there's no help icons where really needed, the names differ subtly vs. commandline, and I have no idea what the security implications of any of that is in the first place). I mention that because I have a router repeating a WiFi signal from STA to AP, and I have no idea if there's a config interface open to the Internet now. Also, nice try, but it's not on right now, for those of you who wanted to test.
Still, hardware is a very valid concern still. Short of building your own (and how can you tell if the imagebuilder / compiler on your machine didn't subtly break something anyway?) there could be backdoors added in, and a lot of hardware (Intel ME, anyone? But AMD is worse, should anyone hack theirs!) has questionable features. And, of course, Broadcom is known to have had a lot of issues before.