Today I was working on a prototype board for testing the GoodFET which I have built during last weekend, but then I’ve noticed a box on my desk… The Router box… And decided to read, what does manufacturer say about security.
So, they claim that there were some security experts, taking a look… And those experts have apparently made code reviews, penetration tests, etc. And came to the conclusion that it is relatively secure device, that will keep bad guys away from your home (or professional … well, yes, it is a pro-grade router) network.
Not that I have too much time and desire to dig into it, but since it is a Linux box, offers SSH access and claims to run latest and greatest firmware… let’s take a quick look… It is greeting us with lovely ASCII graphics, which is great & old school. Awesome!
Busybox v1.30.1… hmm … release date: 14 February 2019 … Well… 1 year old.
Quoting: https://teltonika-networks.com/product/rut955/ : Professional rugged Dual-SIM 4G/LTE & WiFi cellular router. This highly secure and reliable industrial device…. blablablablabla …
Highly secure and reliable! Running 1 year old Busybox … Rrrrright!
1.30.1 is 2 versions behind from current “latest and greatest”. With a change log few screens long… Including pointer initialization issues, memory leaks, dynamic variable handling fuckups, etc… But, remember, highly secure and reliable…
CVEs… Well, I will just leave this here… https://www.cvedetails.com/vulnerability-list/vendor_id-4282/Busybox.html
But, back to the ssh … Simple PS command proves “highly secure and reliable” again and again … Everything is running under “root” account and “least privilege required to complete the task” principle is followed nicely! Except it is not… But, remember, highly secure and reliable…
Few more … File permissions across the system … (remember, this highly secure and reliable system can be running stuff like FTP)…
Well, I’m sure that giving write permissions to cacert is a matter of taste … but … well … The same goes across the filesystem. Way too many 777 to my liking…
I know it doesn’t prove anything and is manly bashing for basic principles … But, it took about 15 minutes to get root access to the box, using simple techniques… But, that is a topic for another blog … here we are talking hardware, right? 😛
I’ve come across your post and would really like to contact you as it is really important for us to listen for the clients opinions.
Yes, busybox version is indeed one years old, but the security fixes in the latest version does not really affect the router security until you get the direct access to the console (login to the router).
Version will be updated in the future.
If you got any suggestions feel free to contact your sales manager or me, these will be analyzed by our RND department.
Thanks for your blog and have a nice weekend.
LikeLiked by 1 person
Well, I haven’t really done much to RUT955. Just some basic scan to see how it really feels inside. And some quick pen test to see how long will it last before giving me root. As for recommendations, I believe we can start with least privilege principle (you don’t really need to run everything under root account, do you?), going through filesystem, removing unnecessary access rights is a good idea. This 2 simple things alone can save you from many issues. If you add regular update of 3rd party software it would be even better. After this you can see about filesystem encryption or even encrypting flash memory all together and utilizing things like secure boot… Or are you already doing that? I haven’t checked, actually…
Provided that you want more extensive pen testing, we can discuss the details in private conversation.
I might or might not dedicate some of my free time to it later, but I do not commit to working for free. 😉
Would you mind writing me an E-mail ? I assume you do see it :).