Would installing OpenWRT on a device close potential back doors from OEMs?

I have been considering TP-Link devices as recommendations for friends and family over the years but always find myself hesitant to use them due to back doors that have been found in their previous products. This has me wondering if installing OpenWRT closes those back doors? Is it possible for devices to still have them while running OpenWRT?

If the “backdoor” is at the silicon level, then running OpenWRT will not prevent this. Just like using a BSD or Linux will not prevent the Intel ME or AMD PSP from doing whatever secrets are baked into them.

If, however, the “backdoor” is on a software level, then changing that software, in this case to OpenWRT, will close that hole. Assuming there are no “backdoors” in OpenWRT. :stuck_out_tongue_closed_eyes: It’s all a game of trust and how far down the chain you trust.

3 Likes

In the vast majority of cases, the backdoors are a function of fully running firmware (i.e. above the silicon and after the bootloader), so yes, OpenWrt would close those.

If you have details about the specific backdoors that you are worried about, please post those (including links about the discovery and analysis, ideally), and then we can advise more specifically.

3 Likes

This is the most recent example that has me concerned, but further research shows TP-Link having a history of backdooring their devices going back years.

3 Likes

Well, the Archer C7 v5 is powered by a Qualcomm SoC, so I guess any concerns about silicon-level backdoors would be a question of trusting Qualcomm, right?

Correct. Essentially the supply chain could be compromised anywhere. In theory, if you could compromise the compiler or even a library used to build OpenWRT, the software could be backdoored without the devs even having knowledge of it…

It’s a bit paranoid but easily doable by nation-state actors if they truly wanted to. Also, I wasn’t and am not implying there are backdoors in OpenWRT :sweat_smile: Just highlighting that you have to trust the vendors of both software and hardware all the way down the chain. It just depends how paranoid you are or want to be.

1 Like

I'm not overly paranoid, just saw that article come up in my tech feeds and thought I would ask about it, as it seems pretty substantial. Got me wondering if it would affect OpenWRT.

You’ll be fine using OpenWRT :+1: I’ve got several TP-Link devices and have found no nefarious traffic on my network whilst using OpenWRT on them. I also didn’t see any whilst on stock firmware either.

1 Like

I'm still curious what any devs might think about this. I can't seem to find any clear information on what level that attack is based on. The articles just say "firmware injection". Is OpenWRT considered firmware?

Yes, OpenWrt is firmware.

The details of the attack are missing from the article, but it can be reasonably inferred that the vulnerability is based on the full stack firmware, rather than the bootloader or very low level implementations like something in the silicon. Based on what is in that article, I feel quite confident in saying that if you replace the vendor firmware with OpenWrt, you would close said backdoor (unless it turns out that this is a vulnerability that exists in the software supply chain, but this seems somewhat unlikely given the verbiage of the article).

1 Like

The article you linked stated it was discovered by Check Point. All the info you could ever need on it is right there.

1 Like

Thank you for the link; it has a lot of good information. I didn't see that when I googled it.

Some interesting points in that article.

The implanted components were discovered in modified TP-Link firmware images. However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors. While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors.

It seems that this backdoor is not actually specific to TP-Link and is instead device-agnostic (can work on any device). Would that mean that it could potentially be installed into an OpenWRT router if it had poor enough security (default / no password)?

Upon inspection, we discovered that the kernel and the uBoot of both firmware versions were identical, indicating that they had not been tampered with by the attackers.

It also seems that this particular backdoor is not at the SoC level, as discussed already.

We are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication.

Another reminder for everyone to maintain strong passwords for their admin access.
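Since the thread keeps coming back to trusting the firmware you flash, and the quoted analysis hinged on checking whether the kernel and U-Boot had been tampered with, here is an added example (not code from the original post, Check Point or the OpenWrt project) of the most basic defensive check: verifying a downloaded image against an OpenWrt-style `sha256sums` file before flashing, and hashing two images so that a silently modified copy shows up. The image bytes and the `sha256sums` text below are constructed inline for the demo; in real use the `sha256sums` file comes from the OpenWrt download directory alongside the image.

```python
import hashlib
import hmac

# Constructed sample "images": a good one and a copy with a single byte flipped.
GOOD_IMAGE = b"OPENWRT-DEMO-IMAGE\x00" + bytes(range(256)) * 4
TAMPERED_IMAGE = bytearray(GOOD_IMAGE)
TAMPERED_IMAGE[100] ^= 0x01  # simulate a one-byte modification
TAMPERED_IMAGE = bytes(TAMPERED_IMAGE)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex (the format sha256sums uses)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sha256sums text in the same layout as OpenWrt's file:
# '<64 hex chars> *<filename>' per line, '*' marking binary mode.
SHA256SUMS_TEXT = (
    f"{sha256_hex(GOOD_IMAGE)} *openwrt-demo-sysupgrade.bin\n"
    "# comment lines and blank lines are ignored by the parser\n"
)


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sums text into {filename: digest}; reject malformed lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # strip the binary-mode marker
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest line: {raw!r}")
        if not name:
            raise ValueError(f"missing filename: {raw!r}")
        expected[name] = digest
    return expected


def verify_image(name: str, data: bytes, expected: dict) -> str:
    """Return 'ok', 'MISMATCH' or 'unlisted' for an image against the parsed sums."""
    if name not in expected:
        return "unlisted"
    # compare_digest avoids leaking match position through timing; harmless
    # here, but the right habit whenever comparing digests.
    if hmac.compare_digest(sha256_hex(data), expected[name]):
        return "ok"
    return "MISMATCH"


def images_identical(a: bytes, b: bytes) -> bool:
    """Hash-based equality check, the same idea as comparing two firmware components."""
    return hmac.compare_digest(sha256_hex(a), sha256_hex(b))


if __name__ == "__main__":
    sums = parse_sha256sums(SHA256SUMS_TEXT)
    print("good image:", verify_image("openwrt-demo-sysupgrade.bin", GOOD_IMAGE, sums))
    print("tampered image:", verify_image("openwrt-demo-sysupgrade.bin", TAMPERED_IMAGE, sums))
    print("unknown file:", verify_image("something-else.bin", GOOD_IMAGE, sums))
    print("identical:", images_identical(GOOD_IMAGE, TAMPERED_IMAGE))
```

A hash check only proves the file you have matches the file the publisher listed; if the download server itself is the thing you distrust, the sums file needs an independent signature check on top, which is the "how far down the chain you trust" point made earlier in the thread.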

There simply isn't enough information to know if this attack could apply to OpenWrt. My guess is that OpenWrt is not vulnerable out of the box, but without details about the exploits and the specific vectors and interfaces, it's impossible to say (for example, is this based on an attack originating from a computer on the LAN of a given router, or is it remotely exploitable from the WAN/internet? What services did they leverage to gain access to the device? And what specific injections did they make? Keep in mind that binaries would need to be compiled for specific platforms/targets, so they're not 'universal', but shell script code could potentially be leveraged across a variety of devices).
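The point above about binaries being tied to a target while shell scripts are portable is easy to check when triaging a suspect file pulled off a device. The following is an added example (not code from the original post or from OpenWrt) that reads the ELF identification bytes and `e_machine` field to report which CPU family and endianness a binary was built for, and flags shebang scripts as the portable case. The sample headers are constructed inline; the machine-ID table covers only the architectures common in consumer routers and PCs.

```python
import struct

# Subset of ELF e_machine values (from the ELF specification).
ELF_MACHINES = {
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}


def classify_payload(blob: bytes) -> dict:
    """Classify a file as an ELF binary (target-specific) or a script (portable).

    Returns a dict with 'kind' and, for ELF, 'bits', 'endian' and 'machine'.
    """
    if blob.startswith(b"#!"):
        first_line = blob.split(b"\n", 1)[0]
        interpreter = first_line[2:].strip().decode("ascii", "replace")
        # A script runs wherever its interpreter exists, so it is not tied
        # to one SoC the way a compiled implant is.
        return {"kind": "script", "interpreter": interpreter, "portable": True}

    if len(blob) >= 20 and blob.startswith(b"\x7fELF"):
        ei_class = blob[4]  # 1 = ELF32, 2 = ELF64
        ei_data = blob[5]   # 1 = little-endian, 2 = big-endian
        if ei_class not in (1, 2) or ei_data not in (1, 2):
            return {"kind": "elf", "error": "unknown class/data encoding", "portable": False}
        endian_fmt = "<" if ei_data == 1 else ">"
        # e_type is at offset 16 and e_machine at offset 18 for both ELF32 and ELF64.
        (e_machine,) = struct.unpack_from(endian_fmt + "H", blob, 18)
        return {
            "kind": "elf",
            "bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
            "portable": False,
        }

    return {"kind": "unknown", "portable": False}


def build_elf_header(bits: int, big_endian: bool, e_machine: int) -> bytes:
    """Construct a minimal 20-byte ELF header for testing (not a runnable binary)."""
    e_ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    fmt = (">" if big_endian else "<") + "HH"
    return e_ident + struct.pack(fmt, 2, e_machine)  # e_type=2 (ET_EXEC)


# Constructed samples: a MIPS32 big-endian binary, an ARM64 little-endian
# binary, and a busybox shell script.
SAMPLE_MIPS_BE = build_elf_header(32, True, 0x08)
SAMPLE_AARCH64 = build_elf_header(64, False, 0xB7)
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, blob in [("mips", SAMPLE_MIPS_BE), ("aarch64", SAMPLE_AARCH64), ("script", SAMPLE_SCRIPT)]:
        print(name, classify_payload(blob))
```

The first step when something unexpected turns up on a router is to see whether it even matches the device's SoC; a binary built for the wrong target tells you the sample was not tailored for that hardware, while a shebang script is the kind of component that could move between vendors' firmware unchanged.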

OpenWRT is a really terrible candidate for an attacker because when you are fishing you cast your net as wide as you can. Most of these attacks are known to originate from the Chinese military, which has a very active cyber warfare unit. They keep a close eye on the market and specifically target the most popular devices. They know, for example, that it is highly unlikely that some government worker in a work-from-home situation who is working at some sensitive area in the US government dealing with classified data is going to be paid minimum wage - they are going to be paid pretty well, and have a pretty dang fast Internet connection. They likely are going to be using some ISP-supplied router or, if they are running their own gear, it will be some Netgear device that's within 4 years of age running factory-supplied firmware. They also know that Broadcom has closed-sourced its SDK, so they are going to target those devices first because if they find a hole and exploit it, then if Broadcom does not discover it that hole could exist for many years without being closed.

And they also know that the entire Open Source Software industry is full of people who have a strong need to prove to the world that they are programmers' programmers and take a personal affront to anyone else one-upping them, and so take it as a personal insult if an exploit is discovered. For example, the Big 3 - DD-WRT, FreshTomato, and OpenWRT - all rushed KRACK patches into play the moment the vulnerability was discovered, yet, today, you can still download vulnerable firmware from manufacturers' websites for their older model routers they are no longer selling.

But ultimately it is a numbers game: for every router running OpenWRT there are 10,000 of them running manufacturer's firmware, so your best chance of stumbling over anything interesting is to target the manufacturer's firmware. If you find a vulnerability that just so happens to also affect one of the Big 3 - well then that's icing on the cake, but it's hardly likely the target US government worker being paid 6 figures and working from home is going to be running OpenWRT.

This is why I laughed my ass off when Microsoft was trumpeting how secure NT4 was and implying it was better than Unix. That was only true when nobody used it. Once a lot of people did, the security holes poured out of Windows Server like water through a colander and Microsoft looked like the world's biggest fools.

4 Likes

Boy, am I glad I sent back my TP-Link AX73 after finding it sent constant requests to their website. Broadcom, of course. Now happy on Xiaomi AX3200 with OpenWrt.
