Open Wireless Router firmware aims for better router security, network performance

The new custom router firmware will allow users to share their wireless networks, but could also improve their router's security

Advocacy group the Electronic Frontier Foundation wants to address the poor security track record of home routers with a new firmware project that will encourage users to share their Internet connection publicly by setting up guest Wi-Fi networks.

The first experimental version of the firmware, called the Open Wireless Router was released Sunday and is mainly aimed at developers and hackers who can assist with finding bugs and improving the software overall.

The project's main goals are focused on allowing router owners to securely set up public Wi-Fi networks for passers-by to use, which the EFF and other organizations argue helps conserve radio spectrum, benefits business and economic development and can spark innovation. However, some of the firmware's other planned features could also improve the overall security of routers that run it, even if their owners don't decide to share their Internet bandwidth with strangers.

"Most or all existing router software is full of XSS [cross-site scripting] and CSRF [cross-site request forgery] vulnerabilities, and we want to change that," the EFF said Sunday in a blog post.

While this is generally true, the XSS and CSRF flaws, which allow attackers to hijack authenticated sessions, are actually among the least critical flaws commonly found in routers.

Over the years security researchers found vulnerabilities in routers that would have given attackers full control over many devices from a large number of manufacturers. The issues found included backdoor-like features and hard-coded credentials, traditional buffer overflows and command injection vulnerabilities in the Web-based administrative interfaces or even implementation errors in third-party components like UPnP libraries.

The overall consensus among security researchers is that from a security perspective the code maturity in the home router world is very poor. Adding to that problem is the fact that few router vendors publish detailed security advisories and that updating the firmware is usually a process that requires manual intervention and technical knowledge from users.

The Open Wireless Router firmware will have an automatic update mechanism that will work over HTTPS and will use digital signatures to prevent upstream tampering with the updates, the EFF said. "Firmware signatures and metadata are fetched via Tor to make targeted update attacks very difficult."

Security researchers also pointed out in the past that many vendors don't have dedicated security programs in place for properly handling the security vulnerabilities reported to them. Giving the EFF's history of working with and supporting security researchers it's likely the organization already knows how to deal with such reports.

Aside from security, the Open Wireless Router firmware promises improved network stability and performance. The firmware "will provide state-of-the-art network queuing, so most users can expect an improved Internet experience -- especially with latency-sensitive applications -- compared to what commonly available consumer grade routers are delivering today," the EFF said.

So far the firmware's "hacker alpha release," as the EFF calls it, can only be installed on one router model -- the Netgear WNDR3800. However, the firmware is based on a custom router software called CeroWrt, which is itself based on OpenWrt, one of the most popular community built router firmware project that supports a wide range of router models from many manufactures.

CeroWrt is also focused on network performance and security. Some of its goals includes proper support for IPv6 (Internet Protocol version 6) and better integration with DNSSEC (Domain Name System Security Extensions).

The EFF will be sponsoring a router hacking contest at the upcoming Defcon 22 security conference in Las Vegas next month together with security consultancy firm Independent Security Evaluators. The contest will reward security researchers for finding and exploiting vulnerabilities in home routers from different manufacturers, including in the Open Wireless Router firmware.

Join the CSO newsletter!

Error: Please check your email address.

Tags networking hardwareonline safetyNetworkingsecurityroutersExploits / vulnerabilitiesIndependent Security EvaluatorsElectronic Frontier Foundation

More about EFFElectronic Frontier FoundationNetgear Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place