Slashdot Mirror


Ask Slashdot: Can Commercial Hardware Routers Be Trusted?

First time accepted submitter monkaru writes "Given reports that various vendors and encryption algorithms have been compromised, is it still possible to trust any commercial hardware routers, or is 'roll your own' the only reasonable path going forward?" What do you do nowadays, if anything, to maintain your online privacy upstream of your own computer?

30 of 213 comments

  1. No. by deconfliction · · Score: 5, Interesting

    'nuff said.

    1. Re:No. by deconfliction · · Score: 5, Interesting

      actually the obvious answer is that trust is not a binary thing. Evaluate your threat models. If you want to be safe from the NSA, and you are protecting information they want to know, then yes, I would say that eschewing any technology from corporations that are easily coerced by the NSA would be a good idea. Of course, that is practically impossible. But you do what you can. And wanting a device with all source available, in a form that is easy to (perhaps modify and) compile to a verifiable equivalent of the stock firmware and operating system would be the first obvious step.

    2. Re:No. by sabri · · Score: 5, Insightful

      actually the obvious answer is that trust is not a binary thing.

      Actually, the obvious answer is that you don't have a choice. No matter how much effort you put into it, you will always be depending on third party hard- or software that you simply have to trust. So, you want to solder your own PCB? Sure, go ahead, but your Ralink SoC is still manufactured somewhere in China. Don't trust Cisco's IOS? Sure, write your own, and let me know how you designed and manufactured your own ASICs. And then we're not even discussing the fact that as soon as the packet leaves your router, it will enter one that you don't even own. Yes, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.

      --
      I'm not a complete idiot... Some parts are missing.
    3. Re:No. by erroneus · · Score: 4, Insightful

      I was going to say that.

      RSA compromised with money. Cisco compromised already documented. Juniper? I don't know but I wouldn't doubt it.

      NSA, you've turned the world against the US and all its businesses. Happy yet?

    4. Re:No. by D-Fly · · Score: 4, Informative

      Public key cryptography using open source tools that have been tested and retested by lots of other coders still works pretty well. The RSA backdoor you are referring to is certainly discouraging news. But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool. This week's news is merely confirmation. That's why PGP and its ilk, open source and made by activists, might be a better option than commercial tools by companies with a strict profit motive.

      If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised.

    5. Re:No. by deconfliction · · Score: 3, Interesting

      Yes, there is a lot that you can do and I think the closest real answer to the poster's question is to just get an OpenWRT capable router and compile from scratch, but to not trust anyone is simply not an option.

      I agree with you, though would optimistically add to your thoughts: "to not trust anyone is simply not an option... yet". Maybe there will come a day when a truly open source and hardware replicator will become possible. Before dismissing me completely, I imagine there would be some years where it looks like an Apple-II 3d printing another Apple-II, but it's seeming more and more possible. And then it's a bootstrapping issue from there to catch back up to modern specs. But I'd have a lot of fun with an Apple-II that I had a lot more trust in of not being infiltrated by the NSA (regardless of whether the original already was).

    6. Re:No. by couchslug · · Score: 4, Interesting

      "certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised."

      You can also boot an .iso image from a USB or other flash as well as CD and load it entirely to RAM with no persistent home.

      Knoppix (nicely polished distro) has had the "toram" option for many years as do other distros it inspired.

      http://en.wikibooks.org/wiki/Knowing_Knoppix/Advanced_startup_options#Transferring_to_RAM

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    7. Re:No. by toejam13 · · Score: 3, Insightful

      If you are really concerned about security, you might very well want to roll your own machine, and certainly should run a fresh, clean linux install off a CD every time you start up, to reduce the chances your machine is compromised.

      The next question is, what motherboard and network card firmwares can you trust? Running trusted code at the OS level and higher does reduce your risks, but until you can audit the code running your hardware, there is still a threat.

      Obviously, one can ask if most companies are a big enough fish to worry about this. Firmware hacks are fairly sophisticated, which makes me believe that they'd mostly be used to spearfish data from specific companies. So unless there is a hidden backdoor in every network card manufactured by Popular Company X, should we be worried?

    8. Re:No. by Jane+Q.+Public · · Score: 5, Informative

      " But on the other hand, the fact that RSA had backdoored itself was sort of understood by the community at large as far back as 2006, shortly after they issued the compromised tool."

      "Backdoored itself" is a singularly apt way to put it. But apparently they were engaged in trying to "backdoor" other people, too, which is not a victimless crime.

      Personally, after their "SecureID" debacle and now this, I'm not inclined to "trust" RSA at all. Fool me once, and all that.

      And the same can be said about DropBox. They promised end-to-end encryption, but instead they were "de-duping" files to save storage, which means that entirely contrary to what they told their customers, they actually had direct access to your raw files. Sure, they fixed that (so they say), and said "Sorry, we won't do it again." But how much can you trust them, considering that they blatantly lied to you before?

    9. Re:No. by Anonymous Coward · · Score: 5, Informative

      Firmware attacks can be sophisticated indeed: http://spritesmods.com/?art=hddhack&page=1

    10. Re:No. by erroneus · · Score: 4, Insightful

      It has been demonstrated that the intelligence agencies (plural) in the US government are the tail that wags the dog. This is historically true and more than likely true today as well. When you've got the dirt on many people, how tempting would it be to leverage that into getting your way? It's a temptation many could not avoid exploiting.

    11. Re:No. by tibman · · Score: 4, Interesting

      You could always just build a cpu from scratch? http://www.homebrewcpu.com/

      --
      http://soylentnews.org/~tibman
    12. Re:No. by AmiMoJo · · Score: 3, Interesting

      If you use commodity hardware you could have two CPUs from different manufacturers and compare outputs. Back in the 80s that sort of thing was popular in critical systems. Buy a 68000 CPU from two different sources, preferably from different continents and with each being a unique design. Run the same code on both, and if their outputs don't match for some reason one is faulty. This of course assumes that both don't have identical back-doors.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:No. by furbyhater · · Score: 3, Insightful

      We aren't forced to use a 14nm process just because the industry giants are doing it.

  2. Still have to rely on the NICs by ModernGeek · · Score: 4, Insightful

    You still have to rely on the trustworthiness of the NICs. Anything connected to the Internet can not be trusted.

    --
    Sig: I stole this sig.
  3. For VPNs, or for routing? by dgatwood · · Score: 5, Informative

    The answer depends on what you mean. As far as I'm concerned, a hardware router can probably be trusted to be a basic firewall/router. It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

    Now if you're passing unencrypted data across that router, you might have a problem, but then again, passing unencrypted data across any router outside your own intranet is a bad idea, so nothing new there. And if you're expecting the commercial router to provide a VPN, then the answer to whether it is trustworthy becomes "no", because its crypto implementation cannot readily be audited and verified to be trustworthy.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:For VPNs, or for routing? by FlyHelicopters · · Score: 4, Insightful

      I am pretty sure if they are interested enough they will get the data one way or another.

      This...

      Or has no one ever heard of rubber-hose cryptography?

      If all else fails, they can break in at night and steal the information locally, or simply put a gun to your head.

      When it comes to computer nerds, that last option probably has a 99.99% success rate.

    2. Re:For VPNs, or for routing? by RR · · Score: 3, Insightful

      As far as I'm concerned, a hardware router...

      There is no such thing. A device that moves data from one location to another, using some policies to examine and transform it, is not just a "hardware" device. It's also software. And if it interfaces with software, then it can be compromised. Or haven't you noticed the news about D-Link routers? A lot of these routers have 2MB or less of flash, which makes it difficult to find a useful exploit, but "difficult" doesn't mean "impossible."

      It's pretty unlikely that anyone will come up with a useful attack on a device that's just doing port blocking, NAT, and basic routing. At worst, somebody might DOS it or turn it into a well-connected zombie to aid in DDOSing somebody's server, but neither of those is compromising your data.

      With just a little paranoia, I can imagine someone finding a way to get those routers to copy your traffic, or at least the headers, to some hostile entity. It doesn't take full knowledge of your traffic to destroy your privacy.

      A router is a type of computer. It's subject to all the same concerns about trustworthiness as any debate about proprietary and free software.

      --
      Have a nice time.
  4. The Wrong Question by agwadude · · Score: 4, Insightful

    You shouldn't have to trust your upstream routers. Instead you should assume they're compromised and use end-to-end encryption. HTTPS and SSH, for example, specifically protect against active attackers such as malicious routers.

  5. Re:It can be a good thing too by SB9876 · · Score: 4, Insightful

    Like RSA or Microsoft?

  6. Re:It can be a good thing too by PopeRatzo · · Score: 5, Interesting

    Remember that "commercial" can sometimes also be a guarantee that you do not get fucked: screw with your customers and that kind of company will soon be out of business.

    See, that's the theory, but it can not work in practice the way things are today.

    Today, you will notice that an increasing number of business models reject the notion of "I'm the seller and you're the buyer". Most of the corporations with whom you do business don't really see you as the customer any more. For example: if you use Google, are you the customer, or are the advertisers? If your data is compromised, that doesn't change anything about the relationship between the seller and the buyer. Same goes for banks, and for Microsoft, Apple, and most of the big tech corporations. While they may sell products to you, they have significant income streams that are deals with the government. In the next six years, Apple computers could have almost a trillion dollars in cash-on-hand. Are they a tech company or a bank? The money they make from their intellectual property doesn't come from you. The money they make from their "strategic partnerships" doesn't come from you.

    You're going to buy their products regardless, so it's a lot more important to Apple that they have a good relationship with the government than with you. Because their beneficial sweetheart tax deals could bring in as much as the profit from selling consumer electronics.

    Same goes for the telecommunications industry. When you've got telecoms involved in creating content, you're no longer the customer. You're not the consumer, you are the consumable.

    This new relationship circumvents every aspect of the notion of "free market", at least any "free market" that involves you. And make no mistake: this new relationship where there is a third party that inserts itself between you and the company from whom you purchase an item is the model of the future. Video gaming, food, intellectual property (of course), transportation, right on down the line. You are being cut out of the equation. There is more profit in making the government happy than there is in making you happy.

    --
    You are welcome on my lawn.
  7. Re:It can be a good thing too by PopeRatzo · · Score: 5, Interesting

    Bottom line is this: there is no longer a division between the corporate world and government. They are one and the same. They rely on each other and have no reason to take you into consideration.

    This makes dealing with the problem as citizens ten times harder. Because if you attack one of the heads of this snake, the head at the other end comes around to bite you. And the current setup is sweet for both corporations and government so they've got no reason to want to change it.

    --
    You are welcome on my lawn.
  8. Would that the IETF knew by mbone · · Score: 3, Interesting

    This is a big (and, I personally fear, unfixable) problem for the IETF and associated Internet bodies. Of course, router security is only a tiny piece of it. Given that RSA has been revealed as taking money from the NSA to weaken security protocols, who knows how deep the rot goes.

    One big fight right now is over the removal of the NSA-employed Chair of the Crypto Forum Research Group. There will be more.

  9. Trust for what purpose? by vadim_t · · Score: 3, Interesting

    For ensuring the safety of your outgoing traffic, it doesn't matter at all whether you can trust your router or not. It's just one step away from a router at your ISP, which you can't trust, and which can be assumed to be malicious.

    It's a bit different for ensuring the safety of your internal network, though. If you think there might be any reason why the NSA, government or whoever might want to reach inside your personal network, then you certainly should avoid any closed solutions and keep it under as much control as possible. That router might well hiddenly allow people that know how to access your network without permission.

    Router manufacturers also have been caught rewriting pages to insert ads. Here is one example of such a thing.

  10. Not trusting vendors = you give up a lot by davidwr · · Score: 3, Interesting

    One solution is to simply not communicate outside of a domain you trust. Go offline. In the extreme, use pen and paper to store information you don't want others to see, and if you need to share that information with others, memorize it and tell it to them in person. As a compromise, use a trusted courier. But even that requires trusting someone.

    Basically, adopt the same "off the communications grid" techniques that Osama bin Laden was thought to use.

    As I said, you give up a lot, and for 99+% of us, that's not going to be the best option out there. But for a few, it is.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Not trusting vendors = you give up a lot by Anonymous Coward · · Score: 3, Funny

      He died non-violently in December 2001 of kidney failure.

  11. Re:X-Files by davidwr · · Score: 3, Insightful

    Trust No One!

    And I should believe you why?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. You're doing it wrong. by BitZtream · · Score: 3, Insightful

    If you're worried about a router and if you can trust it, you've already done it wrong.

    Your data should have been encrypted before it left the original application if it's something you care about.

    It shouldn't MATTER if you can trust the router, if it does, you've already failed.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  13. And they ARE compromised. by Ungrounded+Lightning · · Score: 5, Interesting

    Modern laptops and desktops come with remote administration tools built into the chips on the board. (The vendors tout this as a feature, simplifying administration of a large company's workstations. It's easier and cheaper to build it into everything than to be selective, so it's in the machines sold to individuals, too.)

    One example: Intel Active Management Technology (AMT) and its standard Intelligent Platform Management Interface (IPMI), the latter standardized in 1998 and supported by "over 200 hardware vendors". This is built into the northbridge (or, in early models, the Ethernet) chip.

    Just TRY to get a "modern laptop" (or desktop), using an Intel chipset, without this feature. (I suspect the old Thinkpad is how far back they had to go to avoid it.)

    You can't disable it: Dumping the credentials or reverting to factory settings just makes it think it hasn't been configured yet and accept the first connection (ethernet or WiFi, whether powered up or down) claiming to be the new owner's sysadmins.

    If the NSA doesn't know how to use this to spy on, or take over, a target computer, they aren't doing their jobs.

    Some of the things this can do (from the Wikipedia articles - see them for the footnotes):

    Hardware-based AMT features include:

    Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
    Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
    Remote power up / power down / power cycle through encrypted WOL.
    Remote boot, via integrated device electronics redirect (IDE-R).
    Console redirection, via serial over LAN (SOL).
    Keyboard, video, mouse (KVM) over network.
    Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
    Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
    Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.
    OOB alerting.
    Persistent event log, stored in protected memory (not on the hard drive).
    Access (preboot) the PC's universal unique identifier (UUID).
    Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
    Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to store version information, .DAT files, and other information.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. Alternatives to being spied on? by unixisc · · Score: 4, Interesting

    If you wish to skirt the NSA, get your router from Huawei, and let the Chinese spy on you instead. If you don't want the Chinese to spy, get something from the usual NSA contributors. Or see if there's anything made in Russia or any country that's totally independent of the US.

    How easy is it to get a standard router from Cisco or Juniper, and replace IOS or JunOS w/ something like pFsense, m0n0wall or OpenWRT?

    While at it, switch to IPv6, and within a group of people, share a /64 subnet so that even if the NSA spies, they'll find it impossible to identify the original source/destination, particularly if dynamic IPs are used.
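The /64-sharing idea above, worked through as an added example (not code from the post or from any project it mentions): hosts draw random interface identifiers inside a shared /64, and an observer grouping the addresses it sees can only collapse them back to that prefix. The prefix 2001:db8:1234:5678::/64 is the documentation range and is a constructed assumption, as are the sample log addresses.

```python
import ipaddress
import secrets

# Constructed prefix from the RFC 3849 documentation range, not a real allocation.
SHARED_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def random_address_in(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Pick a uniformly random host address inside prefix.

    With a /64 this mirrors an RFC 4941 temporary address: a random 64-bit
    interface identifier under the shared prefix, so the address a host uses
    changes from session to session.
    """
    host_bits = prefix.max_prefixlen - prefix.prefixlen
    return prefix.network_address + secrets.randbits(host_bits)


def prefix_of(addr, prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Collapse an address to its enclosing /prefixlen network.

    This is what an observer on the path can still attribute: the group's
    prefix, not the individual host behind a random interface identifier.
    """
    return ipaddress.IPv6Network((ipaddress.IPv6Address(addr), prefixlen), strict=False)


def attribute(observed_addrs, prefixlen: int = 64) -> dict:
    """Group observed source addresses by prefix: {network: count}."""
    counts = {}
    for a in observed_addrs:
        net = prefix_of(a, prefixlen)
        counts[net] = counts.get(net, 0) + 1
    return counts


def host_space(prefix: ipaddress.IPv6Network) -> int:
    """Number of distinct addresses a host can draw from inside the prefix."""
    return prefix.num_addresses


if __name__ == "__main__":
    # Constructed sample: five sessions from the shared /64 plus one outsider.
    sessions = [str(random_address_in(SHARED_PREFIX)) for _ in range(5)]
    sessions.append("2001:db8:ffff::1")  # constructed address outside the group
    for net, n in attribute(sessions).items():
        print(f"{net}: {n} address(es) seen")
    print(f"addresses available per /64: {host_space(SHARED_PREFIX)}")
```

Run it and the five random addresses, all different, land in a single bucket for the shared /64 while the outsider gets its own; the per-host identity inside the group is lost to the observer, but the group's prefix remains visible in every packet header.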