[sf-lug] Hacking embedded devices..

[Rick Moen]

Bobbie, no offence taken, but normally I post on mailing lists
in order to (try to) benefit the public forum, and not just specific
individuals.  So, I am redirecting back from private mail, into which
you just departed, to the ongoing mailing list thread.

Naturally, if you ever want a private discussion, please just say so
(and why, if it's not obvious).



Quoting Bobbie Sellers (bliss at sfo.com):

>     Can you give a pointer to a reference that OpenWRT is proof against
> this SSL exploit?

Um, not exactly.

The thing is, OpenWRT is a real Linux distribution.  Real Linux
distributions don't have hard-coded SSL (or SSH) keys.  You have to
create them when you configure the WAP/router.

Moreover, OpenWRT doesn't default to permitting administration from 
the public interface, to begin with.

The best way to verify all this is to just play with OpenWRT.  I got 
a pair of WRT54Gv2 boxes for free as cast-offs, but they and similar
gear are really cheap at any time.

The real challenge is to find a _good_ set of WAP/router hardware that
has a desirable chipset (like Atheros), a decent amount of RAM and
firmware, and (preferable) at least one high-speed USB port.  The
WRT54Gv2 has none of those things -- but is damned good for free
hardware.  Best information source about good current makes/models is...
OpenWRT's discussion forums.