Ryan Lackey, Marc Rogers Reveal Inexpensive Tor Router Project At Def Con

An anonymous reader writes Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from Github and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to standby because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.)

Re:Can't trust the hardware.

[causality]

All you need a ethernet firmware that speaks to the CPU over DMA and reads out memory allowing the NSA to attack any OS running on top of that router.
Buy a non-router based piece of hardware and use that. You seriously cannot trust what you'll find inside a Linksys router people. The bug is below the software level so your fancy firmware does *nothing*.

There certainly are countermeasures you can (and should) take, but generally, applying technical solutions to political and social problems doesn't work long-term.

Re:Can't trust the hardware.

[bobbied]

Don't trust the hardware itself.

No just stop it right now, stop with this craziness. Exploits of *hardware* over the network, or building in some monitoring directly in the hardware are extremely rare, not to mention difficult (read expensive) to do. Unless you are a high value target, you needn't worry about such theories over possible attack vectors. The hardware is going to be cheap but it's not going to be compromising your data.

Manufacturers of Consumer level devices are concerned about one thing, making a profit. That means they want CHEAP hardware and they want to sell a lot of it. Same with the chip vendors, they want to make a profit, that means they want high yields using the cheapest process and selling as many units as they can. Nobody has time to engineer in all the stuff that would be required for your proposed attack vectors to work. It's too hard, to expensive and flies in the face of their #1 priority, profit. So please stop with this "You gota worry about the hardware ratting you out!" theory, it's not true for consumer devices. It's also not true with commercial stuff for the most part, although exploits at this level have been demonstrated for less than main stream vendors, but all of these involve software, at least the one's I've heard about.

What IS true and what DOES fit is getting crappy firmware/software from consumer product vendors. Worry about that because it's a LOT more likely to be compromised with back doors, security holes and known vulnerabilities. So buying of the shelf hardware and loading your own software on it makes perfect sense security wise. You needn't worry about the hardware.