[OpenWrt-Devel] Did they check security of OpenWrt?

Alberto Bursi bobafetthotmail at gmail.com
Tue Aug 20 12:11:45 EDT 2019

On 20/08/19 17:34, Rich Brown wrote:
> Hi Vincent,
> I don't know whether the article, or its underlying report from Cyber Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that any firmware using 18-year old kernels is on its face a security joke.)
> My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
> - Stack Guards
> - ASLR
> - Fortify SRC
> - Non-Exec Stack
> And are there other security practices that we enforce that would make an OpenWrt system more secure?
> If OpenWrt compares favorably, it occurs to me that we could invite CITL to review OpenWrt builds (on hundreds of routers) and update their report...
> Thanks.
> Rich
(up-to-date) OpenWrt compares very favorably to most stock firmware 
regardless of any such features, (you could look up in the source to see if

those features are enabled or not by default in OpenWrt), as it is 
simply using modern Linux kernel and userspace vs

decade old stuff that was also hacked to work with their own 
low-code-quality proprietary drivers, running a web interface that 
allows easy

code injection.

There is no point in inviting CITL to review OpenWrt per-se as it's a 
third party firmware, most people don't even know what a firmware is,

much less installing it on a supported device.

It could make sense to have them review devices from manufacturers that 
employ modern OpenWrt as stock firmware.

Afaik that's GL.Inet mostly, maybe others.


openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list