Security: AMNESIA:33 - sec-holes in open source TCP/IP stacks

Don’t know whether that affects typical Linux-based implementations that might be relevant for Librems (perhaps somebody can shed a bit of light on this in that regard), but one can expect those vulnerabilities found to have quite a bit of an overall impact on internet security.

Overview

Technical in-depth

1 Like

these are IoT stacks, and IoT stacks (for real IoT - microcontroller based) will likely always be vulnerable to some attacks merely by the fact they cannot implement the full stack :slight_smile: And this is the reason normal companies (and noble houses) are always keeping IoTs quarantined from the rest of the network.

2 Likes

Yes, not likely to occur in devices containing a current, mainstream Linux kernel incorporating IP stack. More likely to occur in embedded and dedicated devices.

DNS seems to be the most vulnerable component among those particular 33 bugs - so always good to run your own local DNS server and have all local devices, no matter how big or small, go through that DNS server, making sure of course that the DNS server validates everything to within an inch of its life and has no such vulnerabilities. (Corollary: Don’t use the DNS server that may be built in to your router.)

That could be difficult for a phone, since it may frequently be operating in an environment where it is using an untrusted DNS server(!).
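Added example (not code from the post above, nor from any resolver it mentions): a bounds-checked parser for the question section of a DNS message in Python, showing what "validates everything to within an inch of its life" amounts to for the name encoding, which is the part of the wire format where bugs in small stacks tend to live: every label and pointer is checked against the message length, compression pointers must point backwards (which rules out self-references and loops in one check), the number of pointer hops is capped, and the 255-octet name limit is enforced. The sample packets are constructed, not captured traffic, and the hop limit is a value chosen for this example.

```python
"""Bounds-checked parser for the question section of a DNS message.

Added example, not from the forum thread. The checks follow the wire
format in RFC 1035 section 4.1: label length byte, compression pointers
(top two bits set, 14-bit offset), terminating root label.
"""
import struct

HEADER_LEN = 12
MAX_NAME = 255          # RFC 1035 limit on the encoded name, root label included
MAX_POINTER_HOPS = 16   # chosen for this example; any small bound works


class DNSFormatError(ValueError):
    """Raised for any packet that violates the wire format."""


def parse_name(msg: bytes, offset: int):
    """Decode a possibly compressed name at `offset`.

    Returns (name, resume) where `resume` is the offset just after the
    name as it appears in the stream (i.e. after the first pointer, if any).
    """
    labels, total, hops, pos, resume = [], 0, 0, offset, None
    while True:
        if pos >= len(msg):
            raise DNSFormatError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise DNSFormatError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                # Only earlier offsets are legal; this also forbids loops.
                raise DNSFormatError("pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DNSFormatError("too many compression pointers")
            if resume is None:
                resume = pos + 2
            pos = target
            continue
        if length & 0xC0:
            raise DNSFormatError("reserved label type")
        pos += 1
        total += 1                                     # the length octet
        if length == 0:                                # root label ends the name
            break
        if pos + length > len(msg):
            raise DNSFormatError("label runs past end of message")
        total += length
        if total + 1 > MAX_NAME:                       # +1 reserves the root octet
            raise DNSFormatError("name longer than 255 octets")
        raw = msg[pos:pos + length]
        if not raw.isascii():                          # strict choice for this example
            raise DNSFormatError("non-ASCII label")
        labels.append(raw.decode("ascii"))
        pos += length
    name = ".".join(labels) + "." if labels else "."
    return name, (resume if resume is not None else pos)


def parse_question(msg: bytes):
    """Parse the header and the single question of a DNS query."""
    if len(msg) < HEADER_LEN:
        raise DNSFormatError("message shorter than the 12-octet header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:HEADER_LEN])
    if qdcount != 1:
        raise DNSFormatError("expected exactly one question, got %d" % qdcount)
    name, pos = parse_name(msg, HEADER_LEN)
    if pos + 4 > len(msg):
        raise DNSFormatError("question truncated after the name")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": ident, "flags": flags, "name": name,
            "qtype": qtype, "qclass": qclass, "end": pos + 4}


def validate(msg: bytes) -> str:
    """Return 'ok: <name>' for a well-formed query, 'reject: <reason>' otherwise."""
    try:
        return "ok: " + parse_question(msg)["name"]
    except DNSFormatError as exc:
        return "reject: " + str(exc)


# Constructed sample packets (not captured traffic).
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id 0x1234, 1 question
GOOD_QUERY = HEADER + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
SELF_POINTER = HEADER + b"\xc0\x0c" + b"\x00\x01\x00\x01"       # name points at itself
TRUNCATED = HEADER + b"\x07exa"                                  # label longer than packet
COMPRESSED = GOOD_QUERY[:29] + b"\x04mail\xc0\x10"               # "mail" + pointer to offset 16

if __name__ == "__main__":
    for label, pkt in [("good", GOOD_QUERY), ("self-pointer", SELF_POINTER),
                       ("truncated", TRUNCATED)]:
        print(f"{label:12s} {validate(pkt)}")
    print(parse_name(COMPRESSED, 29))
```

The backward-only pointer rule is the interesting design choice: it is a single comparison, yet it removes the whole class of pointer loops that otherwise needs a visited-set or a hop counter alone, and the hop counter then only bounds the work on deeply chained but legal names.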

Shouldn’t be, unbound or kres are quite flexible and mature (secure) DNS stacks which can run as a local recursive resolver on a phone without reliance on foreign resolvers. But it may not always work, as when someone does tricks with DNS on the local net they usually block external resolution on the firewall.
Anyway I’m always doing it on my laptops and in my experience only once I was forced to set a local forwarder (that is, to rely on a foreign resolver) to make DNS work (and it was a corporate guest network).

1 Like

That’s a point where a local “Pi-Hole” combined with “unbound” DNS resolver can come in handy, providing

a) ad-blocking
b) hiding your dns-requests from third-parties
c) providing sort of your own DNS server (that doesn’t fetch its information from just one instance, but from a full chain of different instances)

https://docs.pi-hole.net/guides/unbound/

1 Like

That can be difficult because when my phone is at home, I want it to use my local DNS server and not to perform its own DNS resolving by directly querying authoritative DNS servers. (As you say, a more fascist sysadmin might even block direct use of DNS using the firewall, although I am not currently doing that.)

So it would need careful configuration to respect the DHCP-supplied, or otherwise supplied, DNS server IP address only for selected SSIDs - and to use a local resolver by default and for all other SSIDs. Is that achievable?

The bottom line: DNS is a fairly large specification with an unusual packet structure that is just asking for coding errors or corners to be cut - so the smaller the device, the less you should trust the DNS client (approximately speaking).

Mmm. Don’t know whether I want to run all that on my phone. (My) pihole has upwards of 80,000 domains listed. Time will tell …
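Added example for the question above about respecting the DHCP-supplied DNS server only on selected SSIDs and using a local resolver everywhere else. It is not code from the thread or from NetworkManager; it assumes a NetworkManager system with `nmcli`, and a local recursive resolver (unbound or kres) listening on 127.0.0.1 and ::1 port 53 (pi-hole's unbound guide uses port 5335 instead, which a profile's DNS setting cannot express, so the port here is an assumption). The script walks the saved Wi-Fi profiles, keeps DHCP DNS on the trusted SSIDs and sets `ipv4.ignore-auto-dns`/`ipv6.ignore-auto-dns` with the local resolver on all others; the SSID list is constructed.

```python
#!/usr/bin/env python3
"""Set a per-SSID DNS policy on saved NetworkManager Wi-Fi profiles.

Added example, not from the forum thread. Assumes `nmcli` is available and
a local recursive resolver listens on 127.0.0.1 / ::1 port 53.
"""
import subprocess
import sys

TRUSTED_SSIDS = {"HomeNet"}            # constructed; networks whose DNS server you run
LOCAL_RESOLVER_V4 = "127.0.0.1"
LOCAL_RESOLVER_V6 = "::1"
WIFI_TYPES = {"802-11-wireless", "wifi"}  # terse nmcli prints the setting name


def resolver_settings(ssid, trusted=TRUSTED_SSIDS):
    """nmcli property values a profile for `ssid` should carry."""
    if ssid in trusted:
        # Trusted network: take the DHCP-supplied servers, no static ones.
        return {"ipv4.ignore-auto-dns": "no", "ipv4.dns": "",
                "ipv6.ignore-auto-dns": "no", "ipv6.dns": ""}
    # Anywhere else: drop the DHCP servers and use the local resolver.
    return {"ipv4.ignore-auto-dns": "yes", "ipv4.dns": LOCAL_RESOLVER_V4,
            "ipv6.ignore-auto-dns": "yes", "ipv6.dns": LOCAL_RESOLVER_V6}


def parse_profiles(listing):
    """Turn `nmcli -g TYPE,NAME connection show` output into (type, name) pairs.

    Terse output separates fields with ':' and escapes a ':' inside a value
    as '\\:'; TYPE never contains ':' so one split is enough.
    """
    pairs = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        ctype, _, name = line.partition(":")
        pairs.append((ctype, name.replace("\\:", ":")))
    return pairs


def modify_command(profile, settings):
    """argv for one `nmcli connection modify` call."""
    cmd = ["nmcli", "connection", "modify", profile]
    for key, value in settings.items():
        cmd += [key, value]
    return cmd


def nmcli(*args):
    return subprocess.run(["nmcli", *args], check=True,
                          capture_output=True, text=True).stdout


def apply_policy(dry_run=False):
    """Rewrite the DNS settings of every saved Wi-Fi profile."""
    for ctype, profile in parse_profiles(nmcli("-g", "TYPE,NAME", "connection", "show")):
        if ctype not in WIFI_TYPES:
            continue
        ssid = nmcli("-g", "802-11-wireless.ssid", "connection", "show", profile).strip()
        cmd = modify_command(profile, resolver_settings(ssid))
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    apply_policy(dry_run="--dry-run" in sys.argv[1:])
```

Run it with `--dry-run` first to see the `nmcli connection modify` calls it would make. The settings live in the profiles, so they take effect the next time a profile is activated, and a network joined after the script ran gets the NetworkManager default (DHCP DNS) until the script is run again; `ignore-auto-dns yes` also discards DHCP search domains, which is usually what you want on an untrusted network. The trusted-network branch leaves a captive portal's DNS reachable when you need it, and the untrusted branch assumes the network does not block port 53 to the outside, which is the case the reply above warns about.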

Forum users had already mentioned a bunch of suggestions for what could possibly become a new project for Purism, when Purism is ready (which I don’t expect to be anytime soon). As those vulnerable IP stacks seem to be most often used in embedded systems like routers, this is just another reason why I would like to see a free router by Purism or some other organization. A free router with free software and maybe an exchangeable WLAN interface. This could give such a device a long life. And give users freedom, privacy, security and more possibilities for technical features compared to all those closed router systems.

1 Like

In that case I wouldn’t run pi-hole and unbound on the phone, but create a VPN connection that tunnels me home into a part of my network where pi-hole and unbound are active. Sounds like a lot of effort, but would be the cleanest solution and can be done completely without external influence with open-source software.

2 Likes

Going rather OT here but where possible you should get your WAP (and switch) out of your router. I would be happy for a router that is … just a router. No switch. No WAP. (It might still have firewall functionality as part of the routing.) That though would make it more expensive if part of a complete solution. However since many potential customers would already have a router (all-in-one type device), the existing router can be redeployed as a switch and WAP i.e. just stop using the routing functionality of the existing router.

However since you specifically said “exchangeable”, if I can order it without a WLAN card, leaving an unused M.2 slot, then that could work for me. Even better, I can order with a cellular modem card in the M.2 slot instead and have a dual-WAN router e.g. cellular as backup.

and separate HKs for WAP/WAN or at least ONE for both :wink:

What are HKs?

Hardware Killswitch

Continuing the digression … would you want a hardware kill switch on a secure, private router developed by Purism?

What is the use case for it and what are the alternatives if you don’t have it?

If I want to isolate my router at the moment, I physically unplug it on the WAN side or the LAN side, as applicable.

If it’s a single WAN router, it may also be appropriate just to unplug the router from its power supply. It is one thing to want to use a Librem 5 offline and hence HK the cellular modem and WiFi. It is another thing to want to use a router ‘offline’.

I meant it more as in line with how, if the L5 already has HKS built into the existing PCB, then it should be relatively easy to incorporate in case they decide to repurpose/remarket the L5 concept into a no-screen-L5/ROUTER …

or I could do it as you just wrote :slight_smile:

1 Like