Trending Articles

Blog Post


OpenWRT Security: Why Built-in Protection Is Not Enough, and How to Improve It

OpenWRT Security: Why Built-in Protection Is Not Enough, and How to Improve It

An open-source firmware originally created to replace stock firmware in wireless routers, OpenWRT is now one of the leading operating systems for embedded devices. It is used in various devices including residential gateways, pocket computers, smartphones, and CPE routers. It is also used in some PCs.

OpenWRT has been gaining popularity because of the increased functionality and customization options it provides. Also, it supposedly provides good security features. It is not some run-of-the-mill firmware that cuts corners and settles with compromises, especially when it comes to security.

The question, however, is whether or not OpenWRT is secure enough. It can be recalled that a few years ago, a code execution bug was discovered in OpenWRT. This security issue made devices running on OpenWRT vulnerable to remote code execution attacks.

OpenWRT built-in security features

OpenWRT comes with a number of security functions. For one, it has a firewall to regulate incoming and outgoing traffic. This firewall can be configured to work with VPNs and port-forwarding solutions. This embedded operating system also comes with an access management system that includes password protection for the device’s web interface as well as the ability to set up multiple user accounts with different access levels.

Additionally, OpenWRT includes secure shell (SSH) support to enable the secure remote management of a device and the configuration of its security settings. It also provides Network Address Translation (NAT) support to allow devices to translate IP addresses and ports when there is communication between the local network and the internet. NAT secures local networks by concealing their IP addresses.

With proper configuration and regular updating, these features can provide some degree of protection. However, they are not enough. They cannot adequately secure individual devices, let alone protect the enterprise network and the other devices connected to it.

Why basic OpenWRT security is not enough

The stock security features of OpenWRT are inadequate to address more aggressive and sophisticated threats. Proper OpenWRT security, in view of the evolving threat landscape, calls for more advanced functions. Basic OpenWRT security features do not include protection against DDoS attacks. Also, there are no built-in defenses against code injection.

For example, some OpenWRT routers allow threat actors to exploit the ping command, wherein an attacker injects an arbitrary system command with the addition of a “;” (semicolon). This semicolon has the effect of ending the previous command (ping in this example) and executing the command that follows the semicolon.

Simply put, the standard security features of OpenWRT are not enough to align with the overall security posture management strategy of an organization that has multiple OpenWRT devices in its network. Every OpenWRT device that connects to the enterprise network is a potential vulnerability or point of attack, and it is impractical to secure them individually by configuring, updating, and maintaining each device through a command line interface.

The good news is that there are ways to bolster OpenWRT’s security through third-party solutions. It is even possible to get this security enhancement for free with last year’s announcement of the first security and observability platform for OpenWRT IoT devices. This free solution provides a way to secure IoT devices with embedded self-protection and runtime protection directly applied to the code. It also offers cloud-based analytics to deliver real-time security visibility.

In other words, there is a light security solution for OpenWRT devices that are typically resource-limited. IoT devices, routers, and other small connected gadgets usually have minimal memory and processing capacities, so it is not possible to install full-fledged cybersecurity systems in them. It is necessary to develop a security solution that matches their low-resource nature.

Improving OpenWRT security

It would be inexpedient to look at OpenWRT security individually or on a device-by-device level. Doing so is not only exhausting and time-consuming. It also prevents organizations from resolving security issues in a timely manner, which can provide threat actors with opportunities to spot and exploit vulnerabilities.

Many OpenWRT devices tend to be part of shadow IT, one of the biggest challenges in cybersecurity.  Because of the number of these devices being added, removed, or added again to the network, it is difficult to keep track of all of them. It is challenging to maintain visibility over these numerous small devices.

It helps to have a solution that resolves this visibility problem, something that makes it possible to keep track of locations, use patterns, and malfunctions. With these details pooled in, organizations can account for all potential attack surfaces and set up the appropriate defense mechanisms. These may appear as trivial and harmless parts of a network, but they can become a nightmare for an enterprise if cyber criminals manage to gain access to them and use them to conduct a sophisticated attack.

Another way to improve OpenWRT security is to automate the process of updating and configuring the security functions of devices. Many OpenWRT devices, especially those used in the Internet of Things, operate autonomously or as distributed devices. They are not governed by a unified system, so monitoring and updating them is a hassle. Again, some of them may not even be known to the IT department because they were introduced to the network unsanctioned.

A system that can automate security patch installation and other software updates would make OpenWRT more secure. It ensures that there are no devices missed in implementing security upgrades and that security patches are installed as soon as possible to deprive threat actors of any opportunity to exploit vulnerabilities.

Lastly, a defense mechanism comparable to runtime application self-protection (RASP) or the core features of the first OpenWRT security and observability platform mentioned earlier makes OpenWRT significantly more secure. The ability to integrate with a device’s firmware seamlessly and run embedded self-defense and data extraction for low-resource devices make for an excellent alternative to a full-fledged security system to protect individual devices.

Compulsory security enhancement

In summary, to reliably secure OpenWRT devices, it is crucial to properly configure their built-in security features and add security solutions to enhance visibility. IoT and other devices that run OpenWRT are prone to becoming unmonitored and un-updated, which makes them vulnerable in a network. It is advisable to use supplemental solutions to ensure visibility and prevent software supply chain risks. Device security patching and firmware updating should be automated as much as possible. Also, enabling the ability to self-protect and perform runtime security tests is important to make sure that IoT and other similar low-resource devices do not become a shortcoming in an organization’s security posture management.

Related posts