
In working with a number of non-profit organizations, devices such as routers that may have been used by other businesses are often acquired. Equally, devices are often inherited through other channels, e.g. donations.

What are the methods if any in determining if devices such as routers have been tampered with both from a hardware and software perspective?

The threat model includes the following scenarios:

  1. Compromised operating system
  2. Modifications to firmware e.g. modding
  3. Malware infections e.g. VPNFilter

Does resetting the device overcome 1 and 3?

Can monitoring traffic on the device help identify malicious traffic that may be an indication of a tampered device?

Motivated

1 Answer

Monitoring may or may not uncover malicious traffic.

What you will want to do is to reflash the firmware with a known good version, either from the manufacturer or an after-market one (e.g. DD-WRT, or Tomato). This takes care of the OS, any modifications, and likely the infections.

The after-market option might be something to consider so that all your devices are running the same OS and the same configurations.

schroeder
  • Thanks schroeder. Do you have recommendations for flashing the firmware before plugging it into the network? For example, should the router be connected to an isolated laptop to reflash the firmware? Would reflashing overcome infections and/or modifications if the device has malicious hardware embedded? You mention that monitoring may uncover malicious traffic. In what scenarios is this possible? – Motivated Oct 13 '18 at 21:42
  • I certainly wouldn't connect the donated router to the internet, but I imagine that the risks of connecting it to your network are going to be low, especially if you end up re-flashing it. Flashing should overcome malware embedded after the device was sold (but not malware installed by the manufacturer). Monitoring might uncover "call home" behaviour. But most router backdoors receive connections, they don't broadcast out. – schroeder Oct 13 '18 at 21:46
  • Is there a risk of the router infecting the device it's connected to? The reason I ask is if I should consider using a LiveCD to reflash the router. On the topic of incoming requests, can these be easily identified? If so, what tools can I consider using? Is Wireshark sufficient? – Motivated Oct 13 '18 at 22:42
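The two behaviours discussed in the answer and comments, the router "calling home" on its own initiative and the router accepting inbound connections on a port a backdoor listens on, can both be picked out of a plain tcpdump capture taken from an isolated machine sitting upstream of the router. The script below is an added example, not code from the original question or answer. It assumes a lab layout that is not described on the page: the router's WAN port is cabled directly to a laptop that acts as its upstream (laptop 10.0.0.1, router WAN 10.0.0.2), and the laptop runs `tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0'` so that every SYN and SYN-ACK is logged. The expected-destination allowlist and the sample capture lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed lab layout (not from the original post): router WAN = 10.0.0.2,
# isolated upstream laptop = 10.0.0.1 running
#   tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0'
ROUTER_IP = "10.0.0.2"

# Destinations the router is expected to contact on its own: the lab resolver
# on 53 and a vendor update host on 443. Both are assumptions for the example.
EXPECTED_OUTBOUND = {("10.0.0.1", 53), ("203.0.113.10", 443)}

# Ports the router is expected to answer on from the WAN side. Empty is the
# right value for a consumer router with remote administration switched off.
EXPECTED_LISTENING = set()

# Matches the start of a tcpdump TCP line, e.g.
#   12:00:01.000001 IP 10.0.0.2.41000 > 10.0.0.1.53: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def analyse(lines, router_ip=ROUTER_IP,
            expected_outbound=EXPECTED_OUTBOUND,
            expected_listening=EXPECTED_LISTENING):
    """Return (call_home, open_ports).

    call_home:  (dst, dport, count) for SYNs the router sent to destinations
                not in the allowlist, i.e. connections it initiated itself.
    open_ports: (port, count) for SYN-ACKs the router sent, i.e. ports on which
                it accepted an inbound connection and which are not expected.

    Inbound SYNs that receive no SYN-ACK are deliberately ignored: on a real WAN
    link they are background scanning and say nothing about the router.
    """
    outbound = defaultdict(int)
    accepted = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, sport, dst, dport, flags = rec
        if src != router_ip:
            continue
        if flags == "S":        # bare SYN: the router opened the connection
            outbound[(dst, dport)] += 1
        elif flags == "S.":     # SYN-ACK: the router accepted a connection on sport
            accepted[sport] += 1
    call_home = sorted((d, p, n) for (d, p), n in outbound.items()
                       if (d, p) not in expected_outbound)
    open_ports = sorted((p, n) for p, n in accepted.items()
                        if p not in expected_listening)
    return call_home, open_ports


# Constructed sample capture: DNS and an update check (expected), two SYNs to an
# IRC-style port (unexpected call-home), and a probe from the laptop that the
# router answers on 4444 (unexpected listener) but not on 22 or 80.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.2.41000 > 10.0.0.1.53: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 10.0.0.1.53 > 10.0.0.2.41000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000001 IP 10.0.0.2.41001 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 IP 10.0.0.2.41002 > 198.51.100.77.6667: Flags [S], seq 4, win 64240, length 0
12:00:33.000001 IP 10.0.0.2.41003 > 198.51.100.77.6667: Flags [S], seq 5, win 64240, length 0
12:00:40.000001 IP 10.0.0.1.50000 > 10.0.0.2.22: Flags [S], seq 6, win 64240, length 0
12:00:41.000001 IP 10.0.0.1.50001 > 10.0.0.2.4444: Flags [S], seq 8, win 64240, length 0
12:00:41.000400 IP 10.0.0.2.4444 > 10.0.0.1.50001: Flags [S.], seq 9, ack 9, win 65160, length 0
12:00:42.000001 IP 10.0.0.1.50002 > 10.0.0.2.80: Flags [S], seq 10, win 64240, length 0
"""

if __name__ == "__main__":
    call_home, open_ports = analyse(SAMPLE_CAPTURE.splitlines())
    for dst, port, n in call_home:
        print(f"router initiated {n} connection(s) to {dst}:{port} (not in allowlist)")
    for port, n in open_ports:
        print(f"router accepted {n} connection(s) on WAN port {port} (unexpected listener)")
```

To populate the second list in practice you have to probe the router yourself from the laptop (for example with nmap against 10.0.0.2) while the capture runs, since a listening backdoor never announces itself. The check has the limits schroeder's comment implies: a call-home that waits longer than the capture window, or one that only happens after the device reaches the real internet, produces nothing here, so a clean report is not evidence of a clean device and does not replace reflashing.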