Is our Tomato Firmware "pretty" secure?

Discussion in 'Tomato Firmware' started by ratchet, Feb 15, 2014.

  1. ratchet

    ratchet Addicted to LI Member

    I was just reading about the Moon virus that the Linksys E routers are susceptible to and other routers and viruses. Any particular setting to harden Tomato? Access Restriction perhaps? Thank you!
  2. koitsu

    koitsu Network Guru Member

    Easiest approach: make sure the HTTP interface to your router is not accessible by the outside world, i.e. that you aren't using HTTP or HTTPS Remote Access -- or if you are, use iptables firewall rules to limit the source IPs to networks or IP addresses that you trust.

    Note: I say all of this without having looked at any of the built-in HTTP webserver code to see if it's exploitable in this way. For all I know it isn't. I simply have not checked.

    Edit: looks like someone has already checked. This problem is specific to VxWorks-based routers, i.e. those running stock VxWorks-based firmwares, not Linux-based firmwares. DD-WRT and Tomato are therefore not susceptible. Reference:

    My comments about not using Remote Access at all (instead use SSH + SSH tunnel to access the GUI remotely), or if you must, then use iptables to filter source addresses, still apply as a general security measure.

    Edit #2: another Slashdot user pointed out that this doesn't necessarily have to be something accomplished via remote means. All it would take is someone posting a malicious URL on a web page somewhere that pointed to the IP address of your router + malicious URL params, and for you to click it (or possibly done automatically through some JavaScript or other garbage) for it to work. Reference:

    But regardless, the first URL I linked shows clearly that Tomato and DD-WRT are not susceptible to this, and it appears VxWorks-specific.
    Last edited: Feb 15, 2014
    Elbart likes this.
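    The two mitigations described above (source-IP filtering of the remote admin port, or no Remote Access at all plus an SSH tunnel to the GUI), as an added example that is not code from this thread or from the Tomato project. It prints the iptables commands for review rather than running them; the chain name "wanadmin", admin port 8443, LAN IP 192.168.1.1, SSH user "root" and the 203.0.113.0/24 network are assumed or constructed values.

```shell
#!/bin/sh
# Added example, not from the thread or Tomato. gen_remote_admin_rules prints
# iptables commands that can be pasted into Tomato's Administration > Scripts >
# Firewall box; ssh_tunnel_cmd prints the client-side tunnel alternative.
# Assumptions: chain name "wanadmin" (hypothetical), remote admin on TCP 8443,
# router LAN IP 192.168.1.1, SSH user root, trusted net 203.0.113.0/24.

# gen_remote_admin_rules PORT TRUSTED_SRC... -> prints iptables commands.
# A dedicated chain keeps the allow/deny order independent of whatever rules
# Tomato already has in INPUT: trusted sources ACCEPT, everything else DROPs.
gen_remote_admin_rules() {
    port="$1"; shift
    # Refuse to emit a rule set with no trusted sources (misconfiguration guard)
    [ -n "$port" ] && [ $# -gt 0 ] || return 2
    # Create the chain, or flush it if the script is re-run
    printf 'iptables -N wanadmin 2>/dev/null || iptables -F wanadmin\n'
    for src in "$@"; do
        printf 'iptables -A wanadmin -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A wanadmin -j DROP\n'
    # Hook the chain at the top of INPUT, for the admin port only
    printf 'iptables -I INPUT -p tcp --dport %s -j wanadmin\n' "$port"
}

# ssh_tunnel_cmd ROUTER_WAN_HOST LAN_IP LOCAL_PORT -> prints the command for
# the "SSH + SSH tunnel" approach: keep Remote Access disabled, run this on
# the client, then open http://localhost:LOCAL_PORT to reach the LAN-side GUI.
ssh_tunnel_cmd() {
    printf 'ssh -N -L %s:%s:80 root@%s\n' "$3" "$2" "$1"
}

# Sample run with the constructed values
gen_remote_admin_rules 8443 203.0.113.0/24
ssh_tunnel_cmd router.example 192.168.1.1 8080
```

The SSH tunnel variant only works if SSH itself is reachable from the WAN, so the same source-IP filtering applies to the SSH port (and key-only authentication should be used).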
  3. ratchet

    ratchet Addicted to LI Member

    Thank you for this good work!
  4. idimitro

    idimitro Reformed Router Member

    Actually this was a question I have been asking myself for some time (actually since we got a security audit in my company and I was amazed at how many holes a "finished", "enterprise" SW can have). Also recently I have been reading articles that routers are getting more and more targeted for attacks.
    Considering that Tomato is still using a kernel from 2+ years ago, and there have been multiple libs and tools added to it and the developers are updating them when they have free time, I am wondering how many holes are there? Is there such a thing as a vulnerability report for Tomato?
    Don't get me wrong, I appreciate the work from the community. I am also aware that I can do more damage to my security by misconfiguration. Just curiosity :).
  5. koitsu

    koitsu Network Guru Member

    The Tomato project is a volunteer project. If you want to do a security audit and look for CVEs for all the included software as well as the kernel, you're welcome to do so. No one would stop you.

    There have been "pseudo-audits" done within the past year and posted about on popular news sites (ex. Slashdot) with regards to things like UPnP vulnerabilities and so on. Even semi-recent TomatoUSB versions were not exploitable, however many other stock firmwares in other router models and brands were. Here's the thread where you can read my comments:

    Regarding the kernel: upgrading it cannot be done due to reliance on binary blob drivers (the Ethernet switching driver and the wireless drivers, both by Broadcom) which are tied directly to kernel version. There is no ABI compatibility shim. I repeat: nothing can be done about this. You're welcome to redirect frustrations and concerns at both a) hardware vendors (ex. Asus, Linksys, others) for using such chipsets, and b) Broadcom themselves.

    I'm looking forward to seeing what becomes of the extremely new ARM-based routers running Linux, as they may offer a better upgrade path (ex. Linux 3.0) in addition to easier cross-platform toolchains and easier maintenance, and (hopefully/crossing fingers) no reliance on binary blob drivers. But that's speculative and wishful thinking on my part.
    Last edited: Feb 16, 2014
  6. RMerlin

    RMerlin Network Guru Member

    The Northstar platform (Broadcom's ARM routers) is based on

    Security fixes can still be backported to those older kernels (a lot of things were backported to the one currently used on MIPS devices), but it requires technical skill and time.

    One thing in Tomato/Asuswrt's favor: we don't use the minefield that is Broadcom's uPNP code (which is the most common target of security exploits). Miniupnpd is pretty secure, and very actively maintained by its author. Both Tomato and Asuswrt-Merlin tend to keep up with the latest or near-latest versions.

    One thing that might be in need of checking security-wise is Tomato's Samba implementation. I know Asus fixes issues related to that on occasion, no idea if any of these would also apply to Tomato.