Use ddWRT or OpenWRT for increased security?

Circumnavigate

Limp Gawd
Joined
Dec 26, 2009
Messages
218
Will be starting a new job, remote work with a Chinese company that requires the use of WeChat and in the contract it literally says they spy on you.

I'm using an Asus router and looking to increase security.

Do you guys think flashing to either ddWRT or OpenWRT would be a good move to protect the router from viruses and vulnerabilities?

Thanks.
 

BlueLineSwinger

[H]ard|Gawd
Joined
Dec 1, 2011
Messages
1,181
Maybe?

If the Asus is reasonably recent, it's probably still being updated and may be just as up-to-date as the dd/OpenWRT or other open-source/3rd-party options, such as OPNsense. Still, using one of the WRT distros does help guarantee against things like backdoors and continued development past what most manufacturers will provide.

I think the main advantage to the 3rd-party options here may be the networking/security options they give you. For instance, you could set up a separate network segment/VLAN just for this one work system, completely isolating it from your personal systems. I don't expect the stock Asus firmware has such options (outside of maybe a guest network setup).

Possible issue is compatibility. The WRT distros may not support your router in full or even in part. Often, wireless performance can be hit hard with the open-source options. Be sure to thoroughly research any possible issues.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,212
Holy MF--I would get a separate Internet account on a separate physical lan with a hardened kiosk or ram based os (like the TENS live cd) running on a thin client.

You're basically are opening pandora's box on a whole bunch of levels (what do they do with your ssn? Your bank info for payroll deposits? You can't trust those MF for anything--I have a good friend that works on Apple's iphone batteries and knows china pretty well and all the shady AF stuff there--even companies on their stock market regularly get busted for faking their accounting records as if it is normal to just try to cheat your way to the top and getting busted is normal. F that lifestyle--I'd rather be homeless and keep my integrity living on some street in the western world.)
 

Circumnavigate

Limp Gawd
Joined
Dec 26, 2009
Messages
218
So you think getting a burner phone for WeChat won't be enough?

Their paying an extra 100k per year over my previous gig.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,212
So you think getting a burner phone for WeChat won't be enough?

Their paying an extra 100k per year over my previous gig.
I don't think so. It's like asking the manufacturer of handcuffs to themselves wear them as a restraint. I think the safest way would be some sort of office that you rent that comes with Internet that you go to that's separate from your home so there's not nexus into your personal affairs or life. A lot of times the way you break into any 'system' is through a weak link and then move laterally--and it can be the same in social engineering or flat out cheating.

And this right here is suspect to me. If you can find a competing opportunity at that salary level here for that much, then I'd lean towards it being legit. But if they're literally $100k more than everyone else, what is it that they're getting from you that's worth $100k more? Not that you may not have some sort of super-duper skill that fits their niche as that does happen, but you should also think about ulterior motives all the time when dealing with that part of the world as nothing is as it seems on the surface. The west may be passive-aggressive, but the east will tend to be flat out lying to your face and you have to watch for that. And these guys have taken that one step further stating that they WILL be spying on you--I would interpret that as we will also be hacking at you 24x7...but for what ultimate cause?
 

x509

2[H]4U
Joined
Sep 20, 2009
Messages
2,630
I don't think so. It's like asking the manufacturer of handcuffs to themselves wear them as a restraint. I think the safest way would be some sort of office that you rent that comes with Internet that you go to that's separate from your home so there's not nexus into your personal affairs or life. A lot of times the way you break into any 'system' is through a weak link and then move laterally--and it can be the same in social engineering or flat out cheating.

And this right here is suspect to me. If you can find a competing opportunity at that salary level here for that much, then I'd lean towards it being legit. But if they're literally $100k more than everyone else, what is it that they're getting from you that's worth $100k more? Not that you may not have some sort of super-duper skill that fits their niche as that does happen, but you should also think about ulterior motives all the time when dealing with that part of the world as nothing is as it seems on the surface. The west may be passive-aggressive, but the east will tend to be flat out lying to your face and you have to watch for that. And these guys have taken that one step further stating that they WILL be spying on you--I would interpret that as we will also be hacking at you 24x7...but for what ultimate cause?
Yeah, I'm with SamirD here. You could have G-d as one of your direct reports, and you still might not be worth $100K more than you got paid at your last job.

EDIT: I added "not"
 
Last edited:

chithanh

Gawd
Joined
Oct 18, 2010
Messages
941
Simply flashing OpenWrt (not "OpenWRT") or DD-WRT on your router will not increase security per se against someone spying on you.

It is true that wifi broadband routers stop receiving firmware security updates after a while. Once that happens, if you flash OpenWrt etc. and make the effort to keep it up to date then the router itself will be less susceptible to attack.

In your case however, just create a Guest Network and put all the devices that you use for interacting with the Chinese company/WeChat there. Do not perform any activity, nor store any data, nor use any credentials on these devices that you want to keep private.

If you want to take it one step further, you can do that with OpenWrt and additionally route the Guest Network traffic through a VPN service to make it harder for WeChat to track your other Internet activity based on your IP address. Or don't use your private internet connection at all, instead get e.g. a separate mobile data plan for WeChat.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,212
And I was just thinking even more about this as I read the posts--what if they're using him for something completely illegal that will get him in trouble--a 'mule' of sorts? Something he's not even aware of but that they know they can do through him? His entire life will be ruined if feds sweep in and put him behind bars. :eek: I know it's a bit far fetched, but it's not something I wouldn't dismiss. These are very scary times we live in because of all the online nonsense that comes with the weaponization of the Internet.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,212
Simply flashing OpenWrt (not "OpenWRT") or DD-WRT on your router will not increase security per se against someone spying on you.

It is true that wifi broadband routers stop receiving firmware security updates after a while. Once that happens, if you flash OpenWrt etc. and make the effort to keep it up to date then the router itself will be less susceptible to attack.

In your case however, just create a Guest Network and put all the devices that you use for interacting with WeChat there. Do not perform any activity, nor store any data, nor use any credentials on these devices that you want to keep private.

If you want to take it one step further, you can do that with OpenWrt and additionally route the Guest Network traffic through a VPN service to make it harder for WeChat to track your other Internet activity based on your IP address. Or don't use your private internet connection at all, instead get e.g. a separate mobile data plan for WeChat.
Ordinarily, I would probably say this is enough, but the OP will basically be subject to nation-state level hacking attempts 24x7 with some of the best coders in the world probably hitting his stuff. For this war, you either have to move the target (get an office and separate Internet), or step up to enterprise level security and threat monitoring (think palo alto routers with continuous deep packet inspection), and I would opt for the first versus the latter.

(And perhaps the hacking/monitoring is the whole point? Develop a better way to hack the individual american citizen or validate existing tools to see how they work 'in the real world'?)
 

toast0

[H]ard|Gawd
Joined
Jan 26, 2010
Messages
1,758
If you're going to rent an office and get a burner phone, you should also get a burner desktop for the office to do your work. If you have to, take the burner phone home, but don't use it on your home wifi. If you need a work laptop, and you have to work from home, tether to your work phone.

There's also plenty of US based companies with iffy reputations that pay a bunch you could work for. I worked for FB, and never feared they'd hack my home network; although actually some stuff I did for work would crash my CenturyLink modem, but that's cause the CenturyLink modem was dumb as rocks, long story.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,212
If you're going to rent an office and get a burner phone, you should also get a burner desktop for the office to do your work. If you have to, take the burner phone home, but don't use it on your home wifi. If you need a work laptop, and you have to work from home, tether to your work phone.
Yep, won't hurt to leave everything in the office too. I'd even go so far as recommending a thin client if they don't need anything running client-side (I doubt it--they probably want as much from this side feeding them as they can). I'd also make sure you have something to block/disable the camera and audio recording on every device as they will probably be on 24x7.
 
Top