OpenWrt Forum Archive

Topic: secure hardware with firmware upgrade protection

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
My home router has been hacked and backdoored; it is a very simple router without any password to configure.
So I want to build a good and secure router with OpenWrt installed. But I would like to buy a router with firmware upgrade protection. That means some kind of manual button or jumper to enable/disable firmware upgrades.
Is there one?

You won't need that kind of protection with OpenWrt properly configured. ANY router that OpenWrt supports will give you sufficient protection from people remotely changing your firmware/hacking into it.

With OpenWRT, you need the username and password, or physical access to the router, to modify/upgrade the firmware.

You can even add firewall rules, to disallow people from accessing it from the WAN.

However, physical protection is impossible: there are no devices in existence that can stop someone with physical access from modding, given time and patience.

If you're looking for a good router that supports OpenWrt, go through the list of supported devices. http://wiki.openwrt.org/toh/start

A good overall router would be the D-Link DIR-835; but without information on what you're using the router for, it's kind of hard to recommend one.

V/r,
Conjur
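Conjur's advice above amounts to three checks: the WAN zone must reject unsolicited inbound traffic, SSH must be bound to the LAN side (and ideally keys only), and the web interface must be HTTPS only. The following shell script is an added example, not code from the thread or from the OpenWrt project. It audits a `uci show` dump for those three settings and emits the `uci batch` commands that correct them. The option names are the stock OpenWrt ones (firewall zone `input`, dropbear `Interface`/`PasswordAuth`, uhttpd `redirect_https`); the two sample dumps are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the forum thread or OpenWrt itself).
# Audits a `uci show` dump for management services reachable from the WAN
# and emits the `uci batch` commands that close them.
# Usage on a router:  uci show | sh thisfile.sh --demo   (or source it and
# run `uci show | audit_admin_exposure`, then `harden_cmds 1 | uci batch`).

# Read a `uci show` style dump on stdin, print findings, return 1 if exposed.
audit_admin_exposure() {
    dump=$(cat)
    bad=0
    # 1. The zone named "wan" must REJECT or DROP unsolicited inbound traffic,
    #    otherwise LuCI/SSH are reachable from the Internet.
    wan_idx=$(printf '%s\n' "$dump" |
        sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='wan'$/\1/p")
    if [ -z "$wan_idx" ]; then
        echo "FAIL: no firewall zone named wan"; bad=1
    elif ! printf '%s\n' "$dump" |
            grep -Eq "^firewall\.@zone\[$wan_idx]\.input='(REJECT|DROP)'$"; then
        echo "FAIL: wan zone input is not REJECT/DROP"; bad=1
    fi
    # 2. dropbear (SSH) should listen on the LAN interface only ...
    if ! printf '%s\n' "$dump" | grep -q "^dropbear\.@dropbear\[0]\.Interface='lan'$"; then
        echo "FAIL: dropbear is not bound to the lan interface"; bad=1
    fi
    # ... and accept keys only (PasswordAuth defaults to on when absent).
    if ! printf '%s\n' "$dump" | grep -q "^dropbear\.@dropbear\[0]\.PasswordAuth='off'$"; then
        echo "WARN: dropbear password login is enabled"; bad=1
    fi
    # 3. The web UI must redirect plain HTTP to HTTPS so the admin password
    #    never crosses the LAN in clear text.
    if ! printf '%s\n' "$dump" | grep -q "^uhttpd\.main\.redirect_https='1'$"; then
        echo "FAIL: uhttpd does not redirect HTTP to HTTPS"; bad=1
    fi
    return $bad
}

# Emit uci batch commands fixing all three findings; $1 is the wan zone index
# (1 in a stock config, as reported by audit_admin_exposure's sed line).
harden_cmds() {
    wan_idx="${1:-1}"
    cat <<EOF
set firewall.@zone[$wan_idx].input='REJECT'
set dropbear.@dropbear[0].Interface='lan'
set dropbear.@dropbear[0].PasswordAuth='off'
set uhttpd.main.redirect_https='1'
commit
EOF
}

# Constructed sample dumps (not taken from a real router).
weak_dump() {
    cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Port='22'
uhttpd.main=uhttpd
uhttpd.main.redirect_https='0'
EOF
}

hardened_dump() {
    cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].Interface='lan'
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].Port='22'
uhttpd.main=uhttpd
uhttpd.main.redirect_https='1'
EOF
}

if [ "${1:-}" = "--demo" ]; then
    echo "== constructed weak config =="
    weak_dump | audit_admin_exposure || { echo "-> fix with 'harden_cmds 1 | uci batch':"; harden_cmds 1; }
    echo "== constructed hardened config =="
    hardened_dump | audit_admin_exposure && echo "OK: nothing exposed"
fi
```

After `uci batch` on a real router, restart the affected services (`/etc/init.d/firewall restart`, `dropbear`, `uhttpd`) and put an SSH public key in `/etc/dropbear/authorized_keys` before turning password login off, or you lock yourself out. Note that a stock OpenWrt firewall already sets the wan zone to REJECT; the audit exists to catch the case where someone opened it.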

Hi,
My last router had no access from the WAN, only from the LAN. I don't think a complicated password is enough protection to stop a hacker from flashing the firmware, because browsers and operating systems have lots of 0-days and it's pretty simple to sniff the password. Also the Linux kernel suffers from some bugs that can give access to the device.
I don't want something that blocks physical access to the device, but something that blocks unauthorized firmware flashing without human intervention.
A physical switch that allows firmware flashing.

I suppose you could develop and recompile OpenWrt to require pressing one of the buttons on the router before it would complete a firmware upgrade, but otherwise, as Conjur said, there aren't devices out there that natively provide that security. Even Cisco can have its firmware wiped remotely if someone has the username/password to get in (although I think they have a mode where such management can only be done via the serial console).
As for someone sniffing the password, configure your router to only allow connections to its configuration interface via SSL (for web access) and SSH (secure telnet). These protocols provide network encryption (and security) in the same way that online banking/commerce does. Also be sure you have a really good password using all of upper case, lower case, numeric and symbol characters. One's pet's name would not be a good candidate.
For additional security, you can also change the admin user account on many routers.

Hacking the firmware itself, though, is a less likely situation than getting into the router configuration utility and making changes there.

Come to think of it, depending on the hardware platform, OpenWrt often can't install firmware through its web interface, but rather you have to install it through the bootloader. Getting access to the bootloader interface, particularly through Telnet, would require pressing buttons at the appropriate time upon powerup.
But that wouldn't secure you from someone hacking the router configuration, which as I said is probably more of a danger and probability than installing new code.

(Last edited by danman32 on 31 Jul 2013, 11:39)
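danman32's suggestion of requiring a button press before an upgrade completes, which is also what the original poster asked for, does not need a rebuild: OpenWrt runs scripts in `/etc/hotplug.d/button/` on physical button events with `$BUTTON` and `$ACTION` set, and `sysupgrade` is a shell script that can be wrapped. The block below is an added example, not code from the thread or from OpenWrt. A button press arms a flag file for a short window; a wrapper refuses to run the real `sysupgrade` unless the flag is fresh, and clears it afterwards. The flag path, window length, the `--demo` switch and the function names are my own choices, and `SYSUPGRADE` is a hypothetical override so the wrapper can be exercised without flashing anything.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): a software stand-in for the
# "flash enable switch" the original poster wanted.
#   /etc/hotplug.d/button/50-arm-flash  ->  . /usr/lib/flashgate.sh; on_button_event
#   /sbin/sysupgrade (renamed wrapper)   ->  . /usr/lib/flashgate.sh; gated_sysupgrade "$@"
# Both file locations are assumptions; procd really does export BUTTON/ACTION.

ARM_FILE="${ARM_FILE:-/tmp/flash_armed}"   # flag file written on a press
ARM_WINDOW="${ARM_WINDOW:-120}"            # seconds a press keeps flashing enabled
SYSUPGRADE="${SYSUPGRADE:-/sbin/sysupgrade.real}"  # hypothetical: renamed stock binary

# Record the time of a physical press; called from the button hotplug script.
arm_flash() {
    date +%s > "$ARM_FILE"
    command -v logger >/dev/null 2>&1 &&
        logger -t flashgate "flashing armed for ${ARM_WINDOW}s by button press"
    return 0
}

# Hotplug entry point: only the WPS button, only on the "pressed" edge.
# (Reset is left alone so the stock failsafe/reset handler keeps working.)
on_button_event() {
    if [ "${BUTTON:-}" = "wps" ] && [ "${ACTION:-}" = "pressed" ]; then
        arm_flash
    fi
    return 0
}

# Succeed only if the button was pressed less than ARM_WINDOW seconds ago.
# Rejects a missing, empty, non-numeric or stale flag.
flash_allowed() {
    [ -r "$ARM_FILE" ] || return 1
    armed_at=$(cat "$ARM_FILE" 2>/dev/null)
    case "$armed_at" in ''|*[!0-9]*) return 1 ;; esac
    now=$(date +%s)
    [ $((now - armed_at)) -le "$ARM_WINDOW" ]
}

# Wrapper that replaces the stock sysupgrade: refuse outside the window,
# consume the flag so one press allows exactly one flash, then hand over.
gated_sysupgrade() {
    if ! flash_allowed; then
        echo "sysupgrade refused: press the WPS button first (window ${ARM_WINDOW}s)" >&2
        return 1
    fi
    rm -f "$ARM_FILE"
    "$SYSUPGRADE" "$@"
}

if [ "${1:-}" = "--demo" ]; then
    # Dry run with a stub so nothing is flashed.
    ARM_FILE=$(mktemp); rm -f "$ARM_FILE"; SYSUPGRADE=true
    gated_sysupgrade /tmp/firmware.bin || echo "(refused, as expected)"
    BUTTON=wps ACTION=pressed on_button_event
    gated_sysupgrade /tmp/firmware.bin && echo "flashed once within the window"
    gated_sysupgrade /tmp/firmware.bin || echo "(second attempt refused: flag consumed)"
fi
```

The caveat both replies in the thread already give still applies: this is a speed bump, not an interlock. Anyone who already has root on the router can write the flag file themselves or skip the wrapper and write the flash partitions directly, so the gate only stops an attacker who has the admin password but not a shell, and it only covers LuCI's flash page if `/sbin/sysupgrade` itself is the wrapper. A real version of the poster's jumper has to sit in the bootloader or in hardware write protection on the flash chip, which is why nobody in the thread could name a consumer router that has it.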
