[OpenWrt-Devel] Building OpenWRT static kernels

Jean-Michel Pouré - GOOZE jmpoure at gooze.eu
Mon Mar 23 13:55:16 EDT 2015

> you would be horrified to look under the covers of most linux based
> appliances, 
> a lot of them are running a stock redhat/centos install with very
> little 
> customization outside of the userspace app that they run. Gaping
> security holes 
> in such appliances are common.

Yes, I agree with you. 

For example, DLink DGS-1210 products revision A1 are running a very old
2.6 Linux kernel and it could be very easy to penetrate, especially
because no update is done on the firmware. All source code is available,
so it is a matter of days before you understand how to break in. You
probably only need to look at OpenSSL vulnerability list ...

On the converse, we may discuss attack surface : a static kernel can
have a very low attack surface. When it includes GrSec, it can become
very difficult to penetrate. Hopefully  ... DLink appliances are using

With current OpenWRT configuration, the attack would be Luci => Kernel
module. I wonder if specialized companies offer "on the shelf"
penetration tools for OpenWRT, but it would not be surprising.

IMHO, with current penetration tools, not using GrSec or a static kernel
or both is simply too low.

Kind regards,
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list