TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

50% Positive

Analyzed from 484 words in the discussion.

Trending Topics

#openwrt#update#routers#giant#devices#story#space#device#secure#based

Discussion (10 Comments)Read Original on HackerNews

briansmithabout 4 hours ago
> We have been assessing our existing processes (for OpenWrt, and especially the OpenWrt One) against NIST IR 8425A, and are now accelerating those efforts to ensure we can show that routers using OpenWrt are indeed safe and secure, as determined by independent bodies.

It would be awesome to have somebody show that OpenWrt-based routers are safe and secure. I looked into this problem about 10 years ago and my concluding was that stock OpenWrt was really questionable. Like, there is no auto-update story, but at the same time it is a giant (relative to what it should be, IMO) Linux distro full of vulnerability-laden components. This space is in dire need of a minimal security-first-from-the-ground-up alternative with a real trustworthy update story.

yjftsjthsd-habout 4 hours ago
> Like, there is no auto-update story, but at the same time it is a giant (relative to what it should be, IMO) Linux distro full of vulnerability-laden components. This space is in dire need of a minimal security-from-the-ground-up alternative with a real trustworthy update story.

I admit I'm not super deeply familiar, but I would have guessed the opposite - that openwrt had no extra software included, not least because it's targeting devices where total disk and RAM are measured in megabytes. What components would you remove/replace that make it "giant"?

wtallisabout 3 hours ago
The only thing that can reasonably be called "giant" about OpenWRT is the package repository: it has a decent package manager like you'd expect to find on a desktop Linux distro, and it can be used to add functionality to your router, including a fair bit if stuff that goes well beyond what is typically used on routers. But the default install set is not giant, and is typical of what you'd expect for a wireless router.
aragilarabout 2 hours ago
My impression was that autoupdate was not the default because the devices it runs on only have so many resources, and there's a non-trivial chance of bricking the device (given how many devices are supported)? It's not like other vendors are doing any better in this space (and I've seen enough things in the "IoT/embedded" space brick themselves with updates to be a bit wary of autoupdates).
wtallisabout 1 hour ago
Auto-update is also a bad idea unless you can make it really secure, which is hard to do on devices so constrained they don't even have a clock to keep track of what day it is to judge whether a certificate is still valid.

Minimizing the chance of bricking the device with an automatic update requires at a minimum having two copies of the OS, so that the running copy isn't trying to modify itself and can remain as a fallback in case of a broken update. That's not too challenging these days now that most routers are using NAND flash, but for a long time it was common to use very small NOR flash modules with the absolute minimum capacity.

charcircuitabout 4 hours ago
Is there a way to prove that a device claiming to run OpenWrt is actually running it and not a modified, compromised version of it?
briansmithabout 4 hours ago
Pretty much all the routers that are targeted by the ban would be OpenWrt derivatives, AFAICT. It’s basically the Android of routers, except without the Google resources.

Google Wifi Is one of the main lines that aren’t based on OpenWrt.

I don’t operate any OpenWrt-based devices.

essephabout 2 hours ago
Ubiquiti built a multi-billion dollar company on modified OpenWRT.
rurbanabout 3 hours ago
April 2. Was this an April 1 joke?
charcircuitabout 4 hours ago
>see the Librem 5 (USA) for example

I always assumed it was priced outrageously to have a big enough margin to start fulfilling the preorders and refund requests from the original kickstarter. The device does not sell very many units so it won't benefit from bulk pricing.