Security of AsusWRT/Merlin vs OpenWRT/LEDE

fantom

Occasional Visitor
Hi, there are lots of articles out there selling the idea of the stock firmware being insecure and promoting OSes like OpenWRT, Tomato, etc. Feature set and performance aside, is there really such a significant security benefit to truly non-stock firmwares? Asking because Asuswrt-Merlin is effectively as secure as the stock firmware.

I have experience with both and I like OpenWRT-Merlin for its simplicity, speed, and support for modern devices. At the same time, supporting an OpenWRT router is more time consuming than I would like. Also, OpenWRT gets good enough support for devices that are nearing their end of life and most of the time does not support any hardware acceleration.

If one puts forward security as the only differentiator, are OpenWRT and others really so far ahead?
 
I think that comes from a couple of general ideas. One, that device makers have a tendency at times to release a product and then never touch the software/firmware, and Two, that even among those who do, they eventually stop supporting old devices.

That’s not terribly uncommon as the idea is that once the device has sold, you’ve made the money so there’s nothing further to gain monetarily speaking by sinking time and money into improving an already sold product. Whether that’s right or wrong is an entirely separate discussion.

I can’t speak about most stock firmware for routers because I haven’t used them in ages - but Asus certainly seems to be on top of most security issues for current and even older products.

The third party/open source community is thought of as more secure because an entire community works on fixing the issues. There’s nothing inherently more secure about these kinds of projects, it’s just that they tend to maintain them better (and for longer) than corporations do, for financial reasons.
 
One of the reasons why OpenWRT/DD-WRT might be more secure than many OEM firmware is the fact they don't devote as much time developing exotic/proprietary features that are highly likely to contain coding errors. They generally rely on features provided by already established software projects (Chillispot, Samba, etc...).

One thing in favor of OEM firmware however (at least in Asus's case) is their release cycle. If a security issue is discovered in DD-WRT, good luck finding out about it, or figuring out which firmware version you need to flash to secure your router. With Asus, you get formal releases, with clear changelogs. The same applies to my firmware.

I can't really comment on OpenWRT's efficiency at resolving security issues as I'm not familiar enough with their typical release cycle.

I'd say each has its own issues. OEM is more likely to have security flaws, but (in Asus's case) it's generally easier to know about them, and to get a fixed release promptly.

Note that third party firmwares are still susceptible to security flaws in their bundled components (OpenSSL, Samba, etc...), so the lack of exotic features doesn't rule out the risk of new security flaws appearing in these. It's all about how quickly they address them, and whether they make it easy for end users to be notified, and to take action to secure their routers.
 
OpenWRT does an excellent job at security within their own code, and they do a good job of tracking upstream development. If one is building from source, I've found that they're very proactive on their git for checking in and reviewing patches.

For OEM firmware in general - the biggest challenge to keep up with security issues is available resources for development and QA, as the next product is always coming up.

Asus does a decent job, and of course, RMerlin is proactive in his approach with development, which is a win for the community there.
 
That is all true. OpenWRT does a great job in that area, no question. Maybe ASUS too, but it is harder to know for sure. I am of the opinion that a router must be just that: for routing, DNS resolution, network segregation, ad blocking, and VPN. Maybe one or two other networking things, but that is it. I would never open a WAN port and would lock down the admin interface, never use Samba, etc. I know how to do that and would generally be comfortable maintaining my router and staying on top of things.
The problem that will eventually arise for many of us (or might already be there) is the kids moving out. So I know how to set up and maintain a secure router and home network, but a non-tech-savvy kid doesn't and has no interest in doing so. I will be facing this issue in some years ahead.
I would want to help my kid do an initial setup and show them the ropes, but I would expect them to maintain their router on their own going forward. I can teach and hold their hands for a bit, but am not willing to make that my second job. I never thought about this until now and not having a good answer does not make me feel warm.
I cannot generally expect my kids to learn command line Linux and the advanced networking that are needed to use OpenWRT. Nor can I recommend them to use the cheapest off-the-shelf router that will stop being supported in 6 to 12 months in the best case. And there are better things in life than building their own firmware, so I am hoping there is a way to find a balance.
I am not trying to say that AsusWRT and/or OpenWRT are worse than the other guy. I am facing a real life problem and hoping that there is a middle ground: a secure router that is not too difficult or time consuming to maintain. The problem is that "security" is not easily quantifiable or even detectable until after the fact.
There is a lot of fear on the subject on the Internet, and fear does sell. Maybe it is overblown. Or maybe the same rules cannot be applied to all manufacturers without exceptions.
 
One of the arguments that is being used is that the stock firmware is on older and unsupported versions of the kernel and that is by definition bad (unpatched vulnerabilities and stuff). Is that a real thing?

Update: this question is specifically about AsusWRT. Not in general.
 
Erm, not really - there are a lot of kernels that are LTS, and security fixes can be, and often are, backported...

Just because a kernel is 2.6 doesn't mean it's "old" - it can still be current with regards to security.

Most distros have moved forward, that being said...
 
Most distros have moved forward, that being said...

And I'll couch that statement - with external dependencies, including the SoC board support package, it's sometimes non-trivial to take things forward.

OpenWRT is good about that aspect - the challenge there is not Linux or routing, but wireless driver support for routers/APs - there have been major foundation items from the driver perspective, and that's a chipset/vendor issue.
 
Does OpenWRT offer IPS/IDS (Asus/Merlin firmware does)?
I thought that Linksys could have been a highly popular choice over here by offering/advertising support for open source firmware like OpenWRT. I thought it was a win-win, but I think people still prefer Asus and I wonder why.
Thanks!
 
Linksys only supports open source firmware on their WRT line of routers, which are rather expensive. On their other routers like the Max-Stream and similar, the process of flashing Tomato/DD-WRT/OpenWrt is locked.
 
^^^ There's no easy answer. 90-95% of the people out there are not techies and sadly NEVER update their routers. It's a lot to ask most people to do that as part of their "monthly computer hygiene". Just consider Windows Update or Apple's updates... they push them from the vendor but you have to eyeball it. Maybe eventually we will get a more sophisticated update model for routers... but wait, we did have someone dip their toes in that pool only to lose them.

Don't forget about Norton's experiment with the now sunset "Core". Part of their goal and allure for me was to NOT be in the router maintenance business for relatives, by providing security updates by downloading and automatically flashing the router. So I bought her a Norton Core a year+ ago even though it's not a "great performing" router that most of us here would never own. My goal was improved security for her 99.99% web surfing, email etc., not screaming performance for her iPad. That model seemed to work well but maybe not financially well enough, since Norton announced they were terminating the Core program earlier this year. They gave everyone 1 year's notice and after that... well, no more updates.

I have no easy answer - maybe for $2 / month / router you can start a private 2nd job updating routers for relatives, then neighbors, then you wake up one day and boom, your primary job is now router maintenance SERVICE from home!
 
Because a lot of people don't know how to update their routers,
don't know what firmware is, and most people have ISP routers where their ISP does it for them.
 
....where their ISP does it for them
Or, more likely, doesn't?

I can understand why an ISP wouldn't be keen to regularly update their routers remotely. And one of the many reasons I moved to custom firmware on my own router is that I don't like the thought of anyone other than me having access. I'd be uncomfortable if the ISP had the ability to update the firmware, and I'd be similarly uncomfortable if the firmware wasn't being updated!
(I suppose some would say: but you're happy to let Microsoft update your Windows OS.)
 
I suppose some would say: but you’re happy to let Microsoft update your Windows OS.

Are you? I'm not. Can't tell you how many times I've gotten up in the morning only to find my PC rebooted and lost open files. Also, I usually have multiple virtual desktops finely configured, and all that gets blown away too. And the worst? When I go on vacation or a business trip, I have to make sure to disable my boot manager, because if Windows installs a new version while I'm on the road, it changes the partition ID, then on the reboot, my boot manager (BootIt Bare Metal) refuses to proceed! It sits there with the message that the partition ID has changed and requests confirmation before it will reboot the OS. Ugg. First time I ran into this problem, I didn't even know what had happened. I suddenly just couldn't remotely access my PC. Only realized what had happened once I got home.

That's the problem w/ automatic updates. There are times when if things go wrong, you're not necessarily there to fix them. The idea seems simple, even desirable, at least in the abstract, but in the real world, it can cause problems, often ones that those pushing the updates don't appreciate.
 
That's the problem w/ automatic updates. There are times when if things go wrong, you're not necessarily there to fix them

On two occasions, I was doing firmware development from my laptop in the living room. My dev VM is on my desktop, so I was working remotely through SSH. Well, Windows decided to reboot to install updates while I was working. Both times my git filesystem got corrupted, and I had to restore a backup, losing a few hours of work.

I can live with automated updates... But let the user disable it if they want to. I hate their stupid "Oh, we'll let you delay it by a few hours." "Oh, we'll let you delay it by a few days." Stop dancing around, Microsoft, give us a complete, unconditional OFF SWITCH to the automated updates. Some of us aren't just sitting behind a PC from 9 to 5 to run Word.

Microsoft engineers are completely out of touch with reality. Quite a few of my customers are confused as to why their Start Menu keeps changing layout every 6 months, or why one morning they get to the office to begin working, only to be told that Windows has to install updates, and it will take "1 to 2 hours" because it's a new Windows 10 release that decided to install itself that day.
 
Microsoft should just make updates streamlined like Linux, with no interruptions. I did see a presentation on some new Windows OS that is going to have a no-reboot update feature. I'm hoping that it will make it to the next Windows 10 build, which will solve the issue of updates.
 
My ISP does remote updates on their unit. The problem is that it's straight up garbage: I had to MAC clone it to get VoIP working, and I had to decrypt the config file to get my VoIP username and password to be able to get my ATA to work.

But the other thing that bugs me is that even though it automatically updates, it's insecure and there is no changelog as to what has been modified, and worst of all it's pretty easy to break into admin or technician menus that can really break the settings; it's done via an IP and page name.

@RMerlin I was able to get the ATA to work on UPnP now with the full cone setting and by having it reboot an hour or 30 mins after the router. I think it has an option for symmetric NAT routers to work around them also.
In regards to a previous conversation about keep-alive vs UPnP.
 
Sorry: I could have said it better. I was anticipating (and therefore forestalling) someone saying and assuming: but you're happy to let MS do an automatic update, so why not your ISP with your router. I'm not at all happy about MS or any other program automatically updating, for exactly the very reasons you, Vexira and Merlin stated. So I disable automatic updates on software and on my version of Windows 10. I update manually at my convenience and when I've checked to see if others encountered problems. And I've read that, because of all the complaints and cock-ups, Windows 10 Home users are soon going to have this option with the ability to delay up to 6 weeks or so?
(As an aside, I use Open Shell Menu on my Windows OS to show the Windows 10 start menu in classic Windows 7 style. Open Shell Menu replaced the similar Classic Shell.)
 