← Back to context

Comment by pbasista

9 hours ago

> The associated username is not validated, so any provided username will succeed when paired with the backdoor password.

Great. I am really wondering why should the customers trust these manufacturers.

At this point I would not use any router with vendor-provided black box firmware. Full stop.

I would always install OpenWRT or something similar on it before using it.

And if that is not possible for whatever reason, I would not even think about buying such a device.

Last time when I looked OpenWRT was unable to support MIMO and beamforming capabilities of many of the devices it was running on.

This capabilities are crucial to have decent coverage, signal strength and throughput where I live (i.e.: crowded/congested wireless networks in an apartment complex).

Did OpenWRT team managed to work around them, or did the manufacturers started to play nicer with open drivers with loadable firmware?

  • Some routers specifically allow openWRT.. example, Routers like the GL.iNet GL-MT6000 (Flint 2) and TP-Link Archer AX6000 come with OpenWrt pre-installed and are designed for easy OpenWrt use.

    • ...usually because they have a fork of the codebase, and it's not vanilla base OpenWRT.

Hm, do you ever go over 1gbit? If my understanding is correct, good affordable routers like Mikrotik's CCR2004 are fully closed, so the only option is to build your own shitty box which will be much less energy efficient than their specialized switch chips.

  • Pfsense or OPNsense can handle ~5 gbps routing/firewall on a low power AMD or Intel embedded chip. My now old Pfsense box I got off Aliexpress can comfortably handle 2.5 gbps on an ancient Celeron J4125 running around 10W total. 10+ gbps is feasible on a reasonable power budget with higher end hardware, though it starts to get more expensive.

  • Because of lax security in commercial routers, this backdoor being a prime example of what I'm concerned about, I'd have my own shitty box as a firewall between them and my other kit anyway, so there isn't an efficiency saving either way. It is just a choice of where the walls are, and therefor where my shitty box(es) is/are, not whether my shitty box exists or not.

    Currently my primary shitty box router does everything wrt external connectivity and a bought AP/router sits inside offering WiFi. I'd like to remove that AP completely with a WiFi adaptor controlled by my shitty box, but I've not got around to that as it would mean learning to configure a mesh (and so at least one more of my own shitty boxes!) to get good coverage everywhere (I only have a small place, but there are still a couple of blind-ish spots depending on where I put the primary AP). Not trusting a bought router/AP to not have back doors like this raises the question: if they are going to add backdoors for direct outside connections, what is to stop the firmware instead/also trying to tunnel out and letting unwanted connections in that way? (other than this having less “plausible deniability” once discovered)

  • > do you ever go over 1gbit

    No. None of the local ISPs offer speeds above 1 Gbps.

    However, I use FriendlyElec NanoPi R5C as the main entrypoint router. It has two 2.5G ethernet ports. It costs less than 100 euros. And it runs OpenWRT.

    It is not a multiport, multi-gigabit device though. And I have not tested it above 1 Gbps so I am unsure about its real world performance.

good approach, but your security should not depend on your router anyway, you should be immune to attacks from it

  • Not exposing your management interface to internet and running a guest network which doesn't have access to said management interfaces can block 95%+ of the attacks, I believe.