DIY Router & Intel ME Security

TL;DR

Building your own router with open-source software like OpenWrt significantly reduces the risk associated with Intel’s Management Engine (ME) because you have control over the firmware and can disable unnecessary features. It requires some technical skill, but offers a much more secure solution than off-the-shelf routers.

Understanding the Risk

Intel ME is a separate processor embedded in many motherboards and network devices. It has its own operating system and firmware that run independently of your main OS. Attackers can exploit it even if your primary operating system is secure. A self-built router allows you to avoid this potential vulnerability.

Step-by-Step Guide: Building a Secure Router

  1. Choose Compatible Hardware
    • Select a router that supports OpenWrt or similar open-source firmware. Check the OpenWrt Table of Hardware for compatibility.
    • Look for routers with powerful processors and sufficient RAM (at least 128MB is recommended).
    • Consider a router without an Intel chipset if ME security is your primary concern. Broadcom, MediaTek, or Qualcomm-based routers are good alternatives.
  2. Flash OpenWrt Firmware
    • Download the correct firmware image for your specific router model from the OpenWrt website.
    • Follow the instructions provided on the OpenWrt wiki for flashing the firmware. This usually involves the web interface or command-line tools (scp to copy the image to the router, then sysupgrade to flash it):
      sysupgrade -v /path/to/firmware.bin
    • Important: Incorrectly flashing firmware can brick your router. Follow the instructions carefully!
  3. Configure OpenWrt
    • Access the OpenWrt web interface (LuCI) via a web browser, typically at 192.168.1.1.
    • Set a strong password for the root user.
    • Configure your network settings (WAN, LAN, DHCP).
  4. Disable Unnecessary Services
    • OpenWrt comes with many services enabled by default. Disable any you don’t need to reduce the attack surface.
    • Use LuCI or SSH to access the router’s configuration files.
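    • For example, disable UPnP if you don’t need automatic port forwarding. UPnP is provided by the optional miniupnpd package, so this applies only if that package is installed:
      uci set upnpd.config.enabled='0'; uci commit upnpd
      /etc/init.d/miniupnpd stop; /etc/init.d/miniupnpd disable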
  5. Firewall Configuration
    • Configure the OpenWrt firewall to block unwanted traffic.
    • Use LuCI or edit the /etc/config/firewall file directly.
    • Implement rules to allow only necessary incoming connections.
    • Consider using a default-deny policy, blocking all incoming traffic except what you explicitly allow.
  6. Regular Updates
    • Keep OpenWrt updated with the latest security patches.
    • Use LuCI or SSH to update the system:
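      opkg update; opkg list-upgradable   # refresh package lists, show pending updates
      opkg upgrade <package>              # opkg upgrade takes package names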
    • Subscribe to security mailing lists for OpenWrt to stay informed about vulnerabilities.
  7. Consider Additional Security Measures
    • Enable intrusion detection/prevention systems (IDS/IPS) like Snort or Suricata if you have the resources.
    • Use a VPN to encrypt your internet traffic.
    • Monitor router logs for suspicious activity.
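
The default-deny check from step 5, as an added example that is not part of the original guide: a shell function that reads a file in /etc/config/firewall syntax, flags a wan zone that accepts by default, and lists every rule that opens the router itself to wan. It assumes the WAN zone is named 'wan' (the OpenWrt default); the function names and the sample config are constructed for illustration.

```shell
# Constructed sample in /etc/config/firewall syntax (not from a real router).
sample_firewall_config() {
cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'REJECT'
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
EOF
}
# Reads a firewall config on stdin. Prints WEAK when the wan zone accepts by
# default and ALLOW for each rule that opens the router itself to wan.
audit_firewall() {
  awk -v q="'" '
    function report() {
      if (sect == "zone" && o["name"] == "wan") {
        if (o["input"] == "ACCEPT")   print "WEAK zone wan input=ACCEPT"
        if (o["forward"] == "ACCEPT") print "WEAK zone wan forward=ACCEPT"
      }
      # A rule with src wan and no dest applies to the router itself (input).
      if (sect == "rule" && o["src"] == "wan" && o["dest"] == "" && o["target"] == "ACCEPT")
        print "ALLOW rule " o["name"] " " o["proto"] "/" o["dest_port"]
      split("", o)            # clear options before the next section
    }
    $1 == "config" { report(); sect = $2; next }
    $1 == "option" {
      v = $0
      sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # keep the value only
      gsub(q, "", v)                                     # strip single quotes
      o[$2] = v
    }
    END { report() }
  '
}
sample_firewall_config | audit_firewall
```

On the router, run it against the live file with `audit_firewall < /etc/config/firewall`; every ALLOW line should be a connection you intended to permit.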

Benefits of a Self-Build Router

  • Control: You control the firmware and can disable unnecessary features like Intel ME.
  • Security: Reduced attack surface compared to off-the-shelf routers with closed-source firmware.
  • Privacy: Greater control over your data and network traffic.
  • Customization: Tailor the router’s functionality to your specific needs.