EFF gets into the CPE router software business.

So the EFF is pushing development of an open CPE router

https://www.eff.org/deeplinks/2014/07/building-open-wireless-router
https://openwireless.org/

It's currently targeting WNDR3800s and based on the CeroWRT software
(which works pretty well in my own experience).

What will possibly be interesting in this forum is that it's explicitly
targeting having open guest wireless access (unlike the stuff being pushed
by some ISPs, where you can roam but only to other customers of the same
ISP).

Agree - CeroWRT works well. We at Comcast worked with Dave Taht on CeroWRT
to explore and understand approaches to resolving Buffer Bloat. So it's
nice to see that it is seeing other applications like this. I also like
the secure method for software updates in this release.

Jason

The Free Network Foundation (which I co-founded and am CTO of) has been helping several groups in the USA do this for ~1 year now. EFF is simply rebranding/respinning community networking, but they are pretty new to the USA Free Networks party overall. They just have a bigger budget/brand recognition (though FreedomTower has become a pretty resilient brand, based on the e-mails we get on a daily basis). Also, I'm not sure of the level of support/hand-holding/documentation etc. EFF will provide for folks wanting to build a network off this setup (I'm guessing not much). Also, most incumbent carriers prevent sharing, whereas FNF-supported/assisted/collaborative/affiliated US-based efforts back-haul (over high-capacity wifi or VPN over incumbent circuits) to wholesale colocation facility POPs and do things like monitor abuse@ contacts etc. (Ya know, actually responsibly run an ISP.)

I'd rather have seen them partner with FNF (or, much more preferably, upstream wrt projects like QMP) and not spin YET ANOTHER FIRMWARE.

I'm glad they picked CeroWRT though.

Any idea how well CeroWRT stands up to nation-state level intrusion efforts?

George William Herbert

Interesting question.

It uses OpenWRT as a base. IPTables for the firewall. So that's a pretty big code base right there (though certainly a bit less than a comparable x86 Linux box). Most people use it with LUCI (web UI). So that adds more code.

Is this attack from the WAN side? Or from a comped browser on the LAN side?

Interesting discussion for a Friday! :)

If they are as determined as FBI v Scarfo (the FBI pulled a black bag job
to install a keystroke logger in a mobster's PC to capture his PGP passphrase),
it's pretty much "game over". Isn't much the average router-class hardware
can do to protect itself at that point.

The second big challenge is that to the best of my knowledge, there exist
no router-class hardware that includes a TPM chip, which means that you're
not going to be able to implement a trusted boot environment. This means that
we're stuck with trusting at least part of the boot process (though we can
probably trust the first stage boot loader on a 3800, as that appears to be
in an actual ROM, and we'll have to trust the bootstrap code on the flash,
but if we use a signed kernel, everything after that can have some trust
attached.)

There's a number of attack surfaces left on CeroWRT, starting with the usual
"find a 0-day and point it" - good targets there are the Linux network stack,
the IPtables code, dropbear (which is nice, but almost certainly not audited
as heavily as OpenSSH), and Luci. And yes, reflecting an attack off a browser
behind the router is *very* much in scope - *most* of the pwned router attacks
we see come from javascript or other executables pointed at the usually
well-known router address from a PC behind the router.

All the way to pulling a MITM on downloads from Dave Taht's repositories. The
combination of DNSSEC, trusted crypto signatures on the download package, and
OpenWireless's plans to use Tor to do the software download should make it a
*lot* harder to attack via that route.

And the rabbit hole goes *much* deeper - see Ken Thompson's "On Trusting Trust",
which itself got the idea from Karger and Schell's analysis of Multics security.

http://cm.bell-labs.com/who/ken/trust.html

Actually, Karger and Schell is a good read if you haven't done so - that *was*
a nation-state funded intrusion effort. :)

http://www.acsac.org/2002/papers/classic-multics-orig.pdf

They were nice enough to go back 30 years later and tell us what we had
learned in the meantime. tl;dr: Not much.

https://www.acsac.org/2002/papers/classic-multics.pdf

Hope that 15-minute analysis helps....
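The signed-download check described above, as an added example written for this thread (not OpenWireless's or CeroWRT's code): a publisher signs a small manifest binding the image's SHA-256 and a version number, and the router verifies it against a key pinned in the installed firmware, refusing tampered images and replayed older releases. The manifest format and the use of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Publisher side: hash the image and sign a constructed one-line manifest,
// "version=<n> sha256=<hex>". Only the manifest is signed; the image is bound
// to it through its SHA-256 digest, so the signing step is cheap.
func BuildSignedManifest(priv ed25519.PrivateKey, version uint64, image []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(image)
	manifest = []byte(fmt.Sprintf("version=%d sha256=%s", version, hex.EncodeToString(sum[:])))
	return manifest, ed25519.Sign(priv, manifest)
}

// Router side: pub is pinned in the running firmware, not fetched with the
// update. Checks, in order: signature, digest binding, and no downgrade to an
// older (still validly signed) release that an on-path attacker could replay.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, image []byte, installed uint64) (uint64, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return 0, errors.New("manifest signature invalid")
	}
	version, want := uint64(0), ""
	if n, err := fmt.Sscanf(string(manifest), "version=%d sha256=%s", &version, &want); err != nil || n != 2 {
		return 0, errors.New("malformed manifest")
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != want {
		return 0, errors.New("image digest does not match signed manifest")
	}
	if version <= installed {
		return 0, fmt.Errorf("downgrade refused: manifest %d, installed %d", version, installed)
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	image := []byte("constructed firmware image bytes")
	manifest, sig := BuildSignedManifest(priv, 2, image)
	fmt.Println(VerifyUpdate(pub, manifest, sig, image, 1))              // accepted, version 2
	fmt.Println(VerifyUpdate(pub, manifest, sig, append(image, 'x'), 1)) // digest mismatch
	fmt.Println(VerifyUpdate(pub, manifest, sig, image, 2))              // downgrade refused
}
```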

Any idea how well CeroWRT stands up to nation-state level intrusion efforts?

If they are as determined as FBI v Scarfo (the FBI pulled a black bag job
to install a keystroke logger in a mobster's PC to capture his PGP passphrase),
it's pretty much "game over". Isn't much the average router-class hardware
can do to protect itself at that point.

Of course. Physical access is root access. We know this.

The second big challenge is that to the best of my knowledge, there exist
no router-class hardware that includes a TPM chip,

OpenWRT x86? Run it on a decently specced laptop a couple gens old (like a Dell Latitude 6500 or so). That's got TPM, plenty of RAM.
Of course you can run on a server board (Dell Poweredge or something). I prefer pfsense myself for full blown kit.

which means that you're
not going to be able to implement a trusted boot environment. This means that
we're stuck with trusting at least part of the boot process (though we can
probably trust the first stage boot loader on a 3800, as that appears to be
in an actual ROM, and we'll have to trust the bootstrap code on the flash,
but if we use a signed kernel, everything after that can have some trust
attached.)

Right.

There's a number of attack surfaces left on CeroWRT, starting with the usual
"find a 0-day and point it" - good targets there are the Linux network stack,
the IPtables code, dropbear (which is nice, but almost certainly not audited
as heavily as OpenSSH), and Luci. And yes, reflecting an attack off a browser
behind the router is *very* much in scope - *most* of the pwned router attacks
we see come from javascript or other executables pointed at the usually
well-known router address from a PC behind the router.

Agree 100%

All the way to pulling a MITM on downloads from Dave Taht's repositories. The
combination of DNSSEC, trusted crypto signatures on the download package, and
OpenWireless's plans to use Tor to do the software download should make it a
*lot* harder to attack via that route.

Oooo. I'll have to clone that methodology for the FNF downloads.

Yeah, but it's hard to justify a PowerEdge for a Joe Sixpack consumer CPE
(admittedly, I managed to leave that phrase out of 'router-class', mea culpa).

Well yes. :)

Plenty of relatively inexpensive x86-based kit out there. Maybe with TPM? Never looked. Atom can push a good amount of packets.

I am in the process of building an HCL for the various bits of the FreedomStack (CPE/distribution/core etc.). My family is a very heavy internet user, both directions. An Atom pfsense router and a Netgear 3800 have done the trick. Now to package them up with a slick / simplified / turnkey configuration and not have people balk at the price.

I hadn't taken much security/TPM-wise into account. Would be a good way to help folks deal with the increased expense. NSA proof, Snowden endorsed! :)