DD-WRT routers with best kernel and driver security

DD-WRT Forum Index -> General Questions
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Mon Feb 05, 2024 18:45    Post subject: DD-WRT routers with best kernel and driver security
Assuming that the attacker is a hardware engineer focusing on exploiting kernel and device drivers as the primary means of gaining network access, which DD-WRT routers would you suggest? Does DD-WRT use the latest drivers from manufacturers or some generic ones? Which router models have the strongest support when it comes to kernel and driver security? Some routers receive a ton of updates and new features from their makers all the time (Ubiquiti), but build them on top of ancient kernels and drivers. If a kernel-based and/or driver-based exploit is discovered and used by an attacker, software updates may not be able to mitigate such threats.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Mon Feb 05, 2024 19:25    Post subject:
Current top performance routers supported: Netgear R9000 / or XR700 (reboxed version of R9000)
Lower class R7800 / XR500
Lower than that, all the rest; check supported devices in the DDWRT database

Top Performance x86 / x64 DDWRT on a micro PC with AES-NI support

R9000 is on kernel 4.9xx
R7800 and most of the others (Marvell) moved to kernel 6.1xx
R7000 still on k4.4x

DDWRT is a read-only OS, so not much can happen...if you are not root or have GUI access...even in some cases the GUI is the only way to configure and keep changes after reboot..(firewall)

The main developer, BrainSlayer, keeps all binaries up to date; whenever an update comes up, it is added/patched at DDWRT as soon as possible..

As far as hacking, you have to be concerned about layer 7 hacking more likely than router level..but yep..anything is possible...everywhere...anytime...anyhow... Razz

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Tue Feb 06, 2024 10:25; edited 1 time in total
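The post above lists which kernel branch each supported router runs (4.4, 4.9, 6.1). Whether that branch is still maintained upstream is the security-relevant question, so here is an added example (not from this thread or from the DD-WRT project) that classifies the branch reported by `uname -r` against LTS status. The status table and the final patch levels of the closed branches are a snapshot as of February 2024 and are an assumption to maintain from kernel.org; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: classify the kernel branch a router is
# running (as reported by `uname -r`) against upstream LTS status. The table
# below is a snapshot as of February 2024 and is an assumption to maintain
# from kernel.org/category/releases.html.

# kernel_branch "4.9.337-std #1 SMP" -> "4.9"
kernel_branch() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# kernel_sublevel "4.9.337-std" -> "337" (empty when there is no third field)
kernel_sublevel() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*\.[0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p'
}

# kernel_status VERSION -> eol | supported | unknown
kernel_status() {
    branch=$(kernel_branch "$1")
    [ -n "$branch" ] || { echo unknown; return 0; }
    case "$branch" in
        2.*|3.*)                     echo eol ;;        # no 2.x/3.x branch is maintained upstream
        4.4|4.9|4.14)                echo eol ;;        # LTS closed Feb 2022 / Jan 2023 / Jan 2024
        4.19|5.4|5.10|5.15|6.1|6.6)  echo supported ;;  # LTS branches still open in Feb 2024
        *)                           echo unknown ;;    # non-LTS: check kernel.org yourself
    esac
}

# last_sublevel BRANCH -> final upstream release of a closed LTS branch, so a
# vendor kernel's patch level can be compared with what upstream shipped.
last_sublevel() {
    case "$1" in
        4.4)  echo 302 ;;
        4.9)  echo 337 ;;
        4.14) echo 336 ;;
        *)    echo "" ;;
    esac
}

# report_kernel VERSION -> one human-readable line
report_kernel() {
    v=$1; b=$(kernel_branch "$v"); s=$(kernel_status "$v")
    printf '%s: branch %s is %s' "$v" "${b:-?}" "$s"
    last=$(last_sublevel "$b"); sub=$(kernel_sublevel "$v")
    if [ -n "$last" ] && [ -n "$sub" ] && [ "$sub" -lt "$last" ]; then
        printf ' (patch level %s; upstream reached %s before closing the branch)' "$sub" "$last"
    fi
    printf '\n'
}

# Run on the router itself (busybox sh) or against a sample string:
report_kernel "$(uname -r)"
report_kernel "4.9.11-std"
```

A branch being "supported" upstream only means fixes exist; it says nothing about whether the vendor tree on the router has merged them, which is why the patch-level comparison is included for the closed branches.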
mikesal57
DD-WRT User


Joined: 27 Aug 2007
Posts: 228

PostPosted: Mon Feb 05, 2024 21:29    Post subject:
Has anything changed in the last 2 years?

The same routers are recommended over and over....

there has to come that these have died out completely

right?
UnicornStallion
DD-WRT User


Joined: 31 Dec 2023
Posts: 59
Location: Iowa, US

PostPosted: Mon Feb 05, 2024 22:18    Post subject:
Not much has changed. The Netgear r7800 is a really great router when combined with non-factory firmware.

However, for now, I would suggest staying away from dd-wrt builds that are based on kernel 6 as I and numerous others have had a lot of problems with them. The kernel 6 builds just aren't stable on the r7800 right now.

Most seem to agree that dd-wrt 53562 is the latest stable build to use on these routers.

_________________
- Netgear R7800 -- OpenWRT 23.05.2
- Cellular modem with CGNAT
- SMB NAS with multiple users and private directories.
- USB hard disk plugged into router as NAS drive.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Mon Feb 05, 2024 22:41    Post subject:
UnicornStallion wrote:
Not much has changed. The Netgear r7800 is a really great router when combined with non-factory firmware.

However, for now, I would suggest staying away from dd-wrt builds that are based on kernel 6 as I and numerous others have had a lot of problems with them. The kernel 6 builds just aren't stable on the r7800 right now.

Most seem to agree that dd-wrt 53562 is the latest stable build to use on these routers.


well I'm ok with k6.1 builds for R7800...but, as I always say, "stable build" may vary, depending on its use... Razz

As far as the routers / clients world, not much progress in the last 5-6 years and yes, those 2 recommended above are still at the top of the N/AC band and 1 Gigabit performance (R9000 on k4.9x); new AX router support is coming soon...and then there will be new suggestions... Smile

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Wed Feb 07, 2024 4:20    Post subject:
What about drivers? I doubt Netgear updates their R7800 models with firmware that includes the latest drivers for internal components.

Does DD-WRT use manufacturer drivers or some open-source drivers? Which manufacturer models receive the latest drivers frequently?
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1080
Location: WV, USA

PostPosted: Wed Feb 07, 2024 5:24    Post subject:
DDWRT does not use the manufacturers' drivers. They would not be compatible with the newer kernels, as drivers have to be compiled against the running kernel. Atheros has OSS driver source code which I am pretty sure this firmware uses. Or this project has signed an NDA to use the source. I am pretty sure it's the former and not the latter, but this is a secret project so we don't know for sure Very Happy .
_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate
Wireless 5ghz only

Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r55779
Features in use: multiple VLANs over single trunk port

Linksys EA8500 WDS Station x2 - DD-WRT r55799

Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port. DD-WRT r55779

OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.

Forum member #248
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Wed Feb 07, 2024 7:19    Post subject:
UnicornStallion wrote:
Not much has changed. The Netgear r7800 is a really great router when combined with non-factory firmware.

However, for now, I would suggest staying away from dd-wrt builds that are based on kernel 6 as I and numerous others have had a lot of problems with them. The kernel 6 builds just aren't stable on the r7800 right now.

Most seem to agree that dd-wrt 53562 is the latest stable build to use on these routers.


I agree with that for the time being.

Drivers are more or less open source and come from the manufacturer (Qualcomm in this case).
But more important than the kernel or drivers are the vulnerabilities in packages or libs (recent SSH vulnerabilities, OpenVPN vulnerabilities, glibc etc.); DDWRT is one of the first to patch these.
So regarding DDWRT on a R7800, the most important vulnerability is the user (yes, there are still users who open their WAN side for remote administration with a password).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
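The post above names the configuration mistake that matters most in practice: management services opened on the WAN side, with password login. As an added example (not from this thread, egc, or the DD-WRT project), here is a small audit that reads a DD-WRT `nvram` dump and flags that exposure. The variable names it looks at (remote_management, http_wanport, remote_mgt_ssh, sshd_passwd_auth, remote_mgt_telnet) are assumed from memory of DD-WRT builds and should be confirmed on your own build with `nvram show`; the two sample dumps are constructed, not captured from a router.

```shell
#!/bin/sh
# Added example, not from the thread: audit a DD-WRT nvram dump for
# management services exposed on the WAN side. The nvram variable names are
# assumed from memory of DD-WRT builds; confirm them with `nvram show`.

# nv DUMP KEY -> value of KEY in a "key=value" dump (empty if absent)
nv() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# audit_remote_mgmt DUMP -> prints one RISK/WARN line per finding, nothing if clean
audit_remote_mgmt() {
    dump=$1
    if [ "$(nv "$dump" remote_management)" = "1" ]; then
        echo "RISK: web GUI reachable from WAN (port $(nv "$dump" http_wanport))"
    fi
    if [ "$(nv "$dump" remote_mgt_ssh)" = "1" ]; then
        if [ "$(nv "$dump" sshd_passwd_auth)" = "1" ]; then
            echo "RISK: SSH reachable from WAN with password authentication"
        else
            echo "WARN: SSH reachable from WAN (key-only, but still an exposed service)"
        fi
    fi
    if [ "$(nv "$dump" remote_mgt_telnet)" = "1" ]; then
        echo "RISK: telnet reachable from WAN (cleartext)"
    fi
}

# risk_count DUMP -> number of RISK lines. grep -c exits 1 on zero matches,
# so '|| true' keeps a clean result from aborting a script run under 'set -e'.
risk_count() {
    audit_remote_mgmt "$1" | grep -c '^RISK' || true
}

# Constructed sample dumps (not real router output)
EXPOSED_DUMP='remote_management=1
http_wanport=8080
remote_mgt_ssh=1
sshd_passwd_auth=1
remote_mgt_telnet=0'

HARDENED_DUMP='remote_management=0
remote_mgt_ssh=0
remote_mgt_telnet=0
sshd_passwd_auth=0'

# On a live router: audit_remote_mgmt "$(nvram show 2>/dev/null)"
echo "exposed sample: $(risk_count "$EXPOSED_DUMP") risk(s)"
audit_remote_mgmt "$EXPOSED_DUMP"
echo "hardened sample: $(risk_count "$HARDENED_DUMP") risk(s)"
```

The hardened dump is what the post recommends: nothing listening on the WAN side, and password authentication for SSH disabled even on the LAN side.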
UnicornStallion
DD-WRT User


Joined: 31 Dec 2023
Posts: 59
Location: Iowa, US

PostPosted: Wed Feb 07, 2024 19:04    Post subject:
OpenSource Ghost wrote:
What about drivers? I doubt Netgear updates their R7800 models with firmware that includes the latest drivers for internal components.


Netgear rarely updates their firmware at all, which is why I gave the caveat that the R7800 is a really great router as long as you combine it with third party firmware. The last official Netgear firmware release for the R7800 is 1.0.2.92, which came out in November of 2022. Also, I believe (but could be wrong) that that firmware is based on a 3.x version of the Linux kernel, which is no longer supported with maintenance or security updates. So yeah, even the latest versions of the official Netgear firmware might have kernel security vulnerabilities.

dd-wrt or OpenWRT are your best bets for these routers if you are concerned about security. For now, I'm running the latest stable release of OpenWRT on mine, but I may switch back to dd-wrt when the kernel 6.1 builds become stable on it.

_________________
- Netgear R7800 -- OpenWRT 23.05.2
- Cellular modem with CGNAT
- SMB NAS with multiple users and private directories.
- USB hard disk plugged into router as NAS drive.
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1858
Location: Hung Hom, Hong Kong

PostPosted: Thu Feb 08, 2024 15:02    Post subject: Re: DD-WRT routers with best kernel and driver security
OpenSource Ghost wrote:
Assuming that the attacker is a hardware engineer focusing on exploiting kernel and device drivers as the primary means of gaining network access, which DD-WRT routers would you suggest? Does DD-WRT use the latest drivers from manufacturers or some generic ones? Which router models have the strongest support when it comes to kernel and driver security? Some routers receive a ton of updates and new features from their makers all the time (Ubiquiti), but build them on top of ancient kernels and drivers. If a kernel-based and/or driver-based exploit is discovered and used by an attacker, software updates may not be able to mitigate such threats.

Do not just focus on kernel security. You should also consider the security features of individual processes/applications. Sometimes, a user-land application might choose NOT to trust the kernel at all. Smile

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1858
Location: Hung Hom, Hong Kong

PostPosted: Thu Feb 08, 2024 16:02    Post subject:
UnicornStallion wrote:

Netgear rarely updates their firmware at all, which is why I gave the caveat that the R7800 is a really great router as long as you combine it with third party firmware. The last official Netgear firmware release for the R7800 is 1.0.2.92, which came out in November of 2022. Also, I believe (but could be wrong) that that firmware is based on a 3.x version of the Linux kernel, which is no longer supported with maintenance or security updates. So yeah, even the latest versions of the official Netgear firmware might have kernel security vulnerabilities.

If the Linux kernel had a backdoor deliberately planted by Mr. Torvalds, kernel version could NEVER mean security. Do NOT forget that he's from the military. His job in the kernel team is possibly guarding that backdoor. The same applies to the Internet aka ARPAnet. Smile

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
UnicornStallion
DD-WRT User


Joined: 31 Dec 2023
Posts: 59
Location: Iowa, US

PostPosted: Sat Feb 10, 2024 22:53    Post subject:
mwchang wrote:
If the Linux kernel had a backdoor deliberately planted by Mr. Torvalds, kernel version could NEVER mean security.


I sort of assume you are joking, yes? There are hundreds of developers who work on the Linux kernel, it is open source so everyone can see the code, and Linux distros build it from that open source code that everyone can see. If the Linux kernel had deliberate backdoors in it, we'd know.

_________________
- Netgear R7800 -- OpenWRT 23.05.2
- Cellular modem with CGNAT
- SMB NAS with multiple users and private directories.
- USB hard disk plugged into router as NAS drive.
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Sun Feb 18, 2024 19:47    Post subject:
lexridge wrote:
DDWRT does not use the manufacturers' drivers. They would not be compatible with the newer kernels, as drivers have to be compiled against the running kernel. Atheros has OSS driver source code which I am pretty sure this firmware uses. Or this project has signed an NDA to use the source. I am pretty sure it's the former and not the latter, but this is a secret project so we don't know for sure Very Happy .


Where do the latest drivers come from for DD-WRT routers such as the R7800, which hasn't been updated by Netgear since 2022? Wi-Fi, CPU, and other drivers that can leak information are the ones I'd like updated.

Just to clarify, my threat model involves those with access to communication equipment hardware schematics and a strong belief that software mitigations cannot compensate for hardware and kernel vulnerabilities. That belief comes from working as engineers for communications equipment and/or communications equipment component manufacturers. As such, they see hardware-based and kernel exploits as the main attack surface.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 3005
Location: Germany

PostPosted: Sun Feb 18, 2024 21:07    Post subject:
These are opensource drivers so where do you think they come from?

From chip manufacturers and developers from all over the world.

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
UnicornStallion
DD-WRT User


Joined: 31 Dec 2023
Posts: 59
Location: Iowa, US

PostPosted: Mon Feb 19, 2024 19:20    Post subject:
OpenSource Ghost wrote:
Where do the latest drivers come from for DD-WRT routers such as the R7800, which hasn't been updated by Netgear since 2022? Wi-Fi, CPU, and other drivers that can leak information are the ones I'd like updated.


The Netgear R7800 is based on the Atheros chipset. The vast majority of companies that make wifi chipsets release their drivers as open source or at least make the hardware specs open so that anyone can write a driver for them since it is in their best interest to have their chipsets work correctly on as many operating systems as possible. So yes, for the most part, the open source driver code comes directly from the manufacturer itself. There are a few exceptions, of course, where the manufacturer does not open source their drivers and does not release the specs for their hardware, and those drivers are created by the community based on reverse engineering the official drivers. But most manufacturers of the actual chipsets open source their drivers or at least provide open hardware specs so that the community can write their own drivers.

To put it another way, most of the hardware in the Netgear R7800 is not made by Netgear itself in the same way that Dell doesn't make their own CPUs. And most of the official Netgear firmware is actually open source software with the exception of a few proprietary parts (such as the web based UI.) In fact, the official Netgear firmware actually borrows a lot of open source code from OpenWRT. It's just that Netgear doesn't update their official firmware very often. Hence why you are better off with dd-wrt or OpenWRT.

_________________
- Netgear R7800 -- OpenWRT 23.05.2
- Cellular modem with CGNAT
- SMB NAS with multiple users and private directories.
- USB hard disk plugged into router as NAS drive.