OpenWrt Security: How to Achieve Proactive Defense for Embedded Systems

Proactive Defense
Written by prodigitalweb

Embedded devices are more ubiquitous than most people think. They are present in offices, factories, industrial facilities, public establishments, homes, and even vehicles. The global embedded systems market is projected to be worth $162.3 billion by 2030, almost twice its value of $89.1 billion in 2023.

While embedded devices are often overlooked, they serve important roles in everyday life. The problem is that, sometimes, even IT departments do not pay that much attention to them, especially when it comes to cybersecurity. Many of them are not maintained and updated in response to emerging threats.

Many of these devices run on OpenWrt, an open-source Linux operating system known for providing a writable filesystem with package management rather than the usual static firmware. As well-maintained open-source software, OpenWrt is generally reliable and secure. However, it is not invulnerable to cyber-attacks. The growing number of OpenWrt devices expands the attack surface and can overburden security posture management.

The need for proactive OpenWrt security

Again, OpenWrt is built to be secure. It comes with some features that enable embedded device security. These include regular security updates, flexible firewall configuration, intrusion detection and prevention, and virtual private network support.

OpenWrt security has the advantage of having a big global community of developers maintaining it. These developers actively detect and profile vulnerabilities and provide security patches and other updates to ensure the optimum performance of the OS.

When it comes to securing network traffic, OpenWrt provides granular traffic control that allows device administrators to define and adjust rules and filters, as needed, to address malicious activities and other threats.

Additionally, OpenWrt is designed to be compatible with intrusion detection and prevention systems (IDS/IPS). Reliable IDS/IPS tools like Suricata and Snort can be added to OpenWrt to efficiently monitor network traffic and spot potential threats. These tools help enable real-time protection against external attacks.

OpenWrt can also work with VPNs to secure communication channels and the transmission of data through embedded devices. VPNs are particularly useful in making sure that sensitive data exchanged with embedded devices is protected from sniffing, since they encrypt the traffic so that threat actors cannot read intercepted data.

However, these security features are not enough to fully secure embedded systems. Some devices can have exploitable vulnerabilities due to misconfiguration or configuration weaknesses, faulty software components, and other defects that may allow threat actors to gain unauthorized access and execute arbitrary code. Brute force attacks targeting weak passwords can also defeat existing OpenWrt security controls. Additionally, OpenWrt devices do not have infallible protection against command injection, cross-site scripting, distributed denial-of-service, and social engineering attacks.

Hence, building a free OpenWrt security solution means that device administrators must supplement the OS's built-in features with other security controls. Instead of fixing or adding security controls after an attack takes place (reactive), device administrators can put in place systems, tools, and practices that make it difficult for attacks to succeed in the first place (proactive).

OpenWrt security best practices

There is no one-click deploy-and-forget solution that can effectively secure OpenWrt devices. Ensuring adequate security entails several steps and a proactive approach, including the following best practices.

  1. Always keep OpenWrt up-to-date. OpenWrt has a big and active global community of developers and users who regularly provide updates for the OS, especially when new threats or attacks are affecting the system. Software updates should be promptly applied as soon as they become available.
  2. Replace default passwords with strong, unique passwords. One of the biggest mistakes of organizations that use embedded and IoT devices is the failure to replace the default passwords on their devices. Since a multitude of these devices are being deployed, some administrators no longer take the time to change passwords. If they do, they settle for simple passwords that are easy to guess or to break with brute-force attacks.
  3. Configure the firewall properly and use IDS/IPS. Ensure that intruders are kept at bay by taking full advantage of OpenWrt’s firewall system and using IDS/IPS to continuously keep track of network traffic and spot possible anomalies or suspicious activities.
  4. Use a VPN. OpenWrt devices can be secured with a VPN, but this can only be done with a router running both OpenWrt firmware and an enabled VPN client. Setting up a VPN is not that difficult, but it is important to verify that the configuration is correct.
  5. Enable SSH. For OpenWrt devices that use remote access, it is important to activate SSH or Secure Shell to secure remote connections. Doing this is advisable to stop devices from using less secure protocols like Telnet.
  6. Implement network segmentation. For organizations that use numerous embedded and IoT devices, it is advisable to segment the network to make it easy to isolate devices and services. It is impossible even for the most protected networks to be completely secure. As such, it is important to have a mechanism to isolate the affected devices and prevent and control the impact of a breach.
  7. Avoid enabling web interfaces. Many devices can be conveniently accessed through web interfaces. This convenience, however, can serve the adversarial intentions of threat actors. That’s why it is better not to enable them unless they are crucial for efficient device management.
  8. Enable logging and monitoring. Lastly, it helps to configure OpenWrt to continuously maintain logs of security events and to perform constant monitoring. Logs and monitoring tools are useful in identifying suspicious activities. They can also support debugging later on and facilitate effective troubleshooting by readily presenting important metrics and other data.
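The checks behind practices 2, 3, 5, 7 and 8 can be expressed as an audit of a device's UCI configuration. The following POSIX sh script is an added example, not code from the original post: it reads a `uci show` dump and flags password-based SSH, an exposed web interface, a WAN zone that accepts inbound traffic, and a disabled log buffer. The option names are real OpenWrt UCI options; both dumps are constructed sample data.

```shell
#!/bin/sh
# Added example: audit a `uci show` dump for the weak settings the
# best-practices list warns about. Both dumps below are constructed.

# Constructed dump resembling a device left on factory-style settings.
weak_dump() {
cat <<'EOF'
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
system.@system[0].log_size='0'
EOF
}

# Constructed dump after hardening: key-only SSH, no web UI, WAN rejected,
# local log buffer kept and logs shipped to a collector (log_ip).
hardened_dump() {
cat <<'EOF'
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
system.@system[0].log_size='64'
system.@system[0].log_ip='192.0.2.10'
EOF
}

# Reads a dump on stdin, prints one WARN per finding to stderr and the
# finding count to stdout so the result can be checked by a caller.
audit_uci() {
    n=0; wan=''
    warn() { echo "WARN: $1" >&2; n=$((n + 1)); }
    while IFS= read -r line; do
        case "$line" in
            dropbear.*.PasswordAuth=\'on\'|dropbear.*.RootPasswordAuth=\'on\')
                warn "SSH accepts passwords ($line); use keys only (practices 2, 5)" ;;
            uhttpd.*.listen_http=*)
                warn "web UI is listening ($line); disable unless required (practice 7)" ;;
            firewall.@zone\[*\].name=\'wan\')
                wan="${line%.name=*}" ;;            # remember the WAN zone section
            firewall.@zone\[*\].input=\'ACCEPT\')
                [ "${line%.input=*}" = "$wan" ] &&
                    warn "WAN zone accepts inbound traffic ($line) (practice 3)" ;;
            system.*.log_size=\'0\')
                warn "log buffer disabled ($line); enable logging (practice 8)" ;;
        esac
    done
    echo "$n"
}

weak_dump | audit_uci       # prints 5 findings, then 5
hardened_dump | audit_uci   # prints 0
```

On a real device, replace the constructed dumps with `uci show dropbear uhttpd firewall system | audit_uci`.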

The role of device manufacturers

The best practices listed above are things device administrators or users can do to secure their embedded systems. It is worth noting, though, that device manufacturers can also help build proactive security by making sure that their devices are secure out of the box. They can also undertake post-market monitoring to ensure that security issues are addressed if they emerge in the course of using the devices.

Device manufacturers can take advantage of deterministic in-device observability and security solutions like the free-license OpenWrt security solution mentioned earlier. It simplifies the process of securing embedded and IoT devices and, at the same time, helps address zero-day and supply chain attacks.

Proactive, not reactive

Even though OpenWrt is packed with security features, the reality is that these features are only as good as their configuration and implementation. It is important to emphasize the need to proactively secure embedded devices, especially given the growing aggressiveness and sophistication of new cyber threats. OpenWrt security does not only mean using its inherent security features. It is also about taking the necessary steps to optimize security and getting device manufacturers involved to advance cybersecurity.
