I don’t know if this was already discussed here, but let’s try.
I’ll explain a problem that I’m having and I think MikroTik’s developers can solve it.
There are some people going to my towers and other places where I have MikroTik devices; they open our boxes and reset a RouterBoard manually.
Afterwards, they can access the reset RB and get the “backup-before-reset”.
With this, they go to this website: http://mikrotikpasswordrecovery.com/default.aspx (I tested and it works with all versions).
and can get ALL MY RB PASSWORDS for future access or to try to learn the others.
Even if Mikrotik used a hashing algorithm instead of the encoding they have now, brute force attacks could be used.
If they removed the backup-before-reset feature, then the attackers would just PXE boot into a Linux distro and mount the flash directly
(See http://manio.skyboo.net/mikrotik/)
If people are breaking into your safe to steal the gold, there are only 2 real solutions:
Make the safe bigger:
Better locks / security, tamper tags, detection and response when the device goes offline. Either record or catch them in the act and have them prosecuted.
Take the gold out of the safe:
I know it makes management more difficult, but the real problem you have is that if you get one password, you get all of them. Stop reusing local passwords. Set the local admin password to something random and unique to the site, then enable centralized password management (RADIUS) for the rest of the user accounts.
This isn’t an issue Mikrotik can really solve. All routers have similar problems and vulnerabilities, some are just more widely known than others. Start with the migration to RADIUS and you should see great improvement (plus it makes logging and managing user account access a great deal easier). Good Luck.
I did everything you said, the problems were “solved”, but I think this is a big vulnerability that is so visible (there is a website to do it!!!).
The question is how easy it is to do: they do this in just 3 minutes, and we think it was just a reboot problem and it’s ok.
I think MikroTik could do something to make this kind of security higher. Removing the backup-before-reset is where this problem starts; maybe remove passwords from the backup, or allow the reset only from serial (it’s a little bit hard).
As CCDKP has noted, if they have physical access to your boxes there’s next to nothing that’s going to stop them accessing files on the device.
If you aren’t able to lock up your devices...
a) use different passwords on each device (so it doesn’t matter if they get access to one).
b) use RADIUS authentication for access to your MikroTiks
If you wanted to give yourself backup access (in the event you’re onsite and the box has no internet access) you could set up a backup RADIUS client pointing to a local address which you assign to your computer and run something like http://www.tcpdata.com/ras.html to act as a mini RADIUS server to get access.
That said, this is a silly amount of work to go to when a better secured router would solve the problem
1 - big, hard and different passwords on each device.
2 - RADIUS authentication (but MK needs a full user in its user database)
3 - lock the device boxes (now I’m improving it)
4 - a different port for Winbox access, and access only from certain IPs (and for the other services too).
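The four measures listed above, together with the per-site passwords and RADIUS advice from CCDKP and the remote “account” logging suggested further down, can be scripted so that no site ever shares a local password with another. The following Python is an added example written for this thread, not code from the forum or from MikroTik: it generates an independent random admin password per site, checks the inventory for reuse (the “one password, you get all of them” problem), and emits the RouterOS CLI lines that apply the hardening. The site list, the RADIUS/syslog addresses and the Winbox port are constructed placeholders.

```python
import secrets

# Constructed site inventory (placeholder data, not from the thread).
SITES = {
    "tower-north": {"mgmt_net": "10.10.0.0/24"},
    "tower-south": {"mgmt_net": "10.20.0.0/24"},
    "pop-downtown": {"mgmt_net": "10.30.0.0/24"},
}

RADIUS_SERVER = "10.0.0.5"   # assumed central RADIUS host
SYSLOG_SERVER = "10.0.0.6"   # assumed central syslog host
WINBOX_PORT = 18291          # assumed non-default Winbox port


def unique_password(nbytes: int = 24) -> str:
    """Random URL-safe password; 24 random bytes is ~192 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def build_vault(sites):
    """One independent local-admin password per site; keep this in your
    password manager, not in a router backup."""
    return {name: unique_password() for name in sites}


def reused_passwords(vault):
    """Return the set of passwords that appear on more than one device."""
    seen, duplicates = set(), set()
    for password in vault.values():
        if password in seen:
            duplicates.add(password)
        seen.add(password)
    return duplicates


def routeros_hardening(site, cfg, local_pw, radius_secret):
    """RouterOS CLI lines implementing the thread's recommendations:
    unique local admin, RADIUS for the other logins, Winbox/SSH on a
    non-default port restricted to the management network, unused
    services off, and system/account events shipped to a remote host."""
    return [
        f"/user set admin password={local_pw}",
        f"/radius add service=login address={RADIUS_SERVER} secret={radius_secret}",
        "/user aaa set use-radius=yes",
        f"/ip service set winbox port={WINBOX_PORT} address={cfg['mgmt_net']}",
        f"/ip service set ssh address={cfg['mgmt_net']}",
        "/ip service disable telnet,ftp,www,api",
        f"/system logging action add name=central target=remote remote={SYSLOG_SERVER}",
        "/system logging add topics=system,info action=central",
        "/system logging add topics=account action=central",
        f"/system identity set name={site}",
    ]


if __name__ == "__main__":
    vault = build_vault(SITES)
    assert not reused_passwords(vault), "password reused across sites"
    for site, cfg in SITES.items():
        # One RADIUS shared secret per device as well, for the same reason.
        print(f"# --- {site} ---")
        print("\n".join(routeros_hardening(site, cfg, vault[site], unique_password(16))))
```

The generated lines are meant to be pasted into each router's terminal (or pushed over SSH) once, after which day-to-day logins go through RADIUS and the local admin password is only a per-site break-glass credential.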
Yes, but the device is still prone to PXE booting a “hostile” image and manually retrieving the password file. Disabling the Reset jumper makes it significantly more difficult, but still not impossible.
Perhaps consider adding tamper seals to your boxes? (something like: http://www.americancasting.com/info-padlock-seals-01-TOC.asp).
While they don’t prevent entry, they do let you know if someone has gotten into the box so you can take action accordingly (change local password, etc).
Additionally, what about adding logging of “system info account” to a centralized remote server? While again it won’t stop the intrusion, it gives you notice that something occurred and an accurate timeline.
If the user/admin passwords WERE 1-way hashed when stored within the router, they could only be brute cracked if they were short or easy passwords. I think this would be the answer. Sure, physical access is bad. They could do malicious things, maybe they could reset the password even, but with the 1-way hash of a GOOD password, they won’t retrieve it…
Unless password retrieval is needed (like PPP secrets), then a 1-way hash is always good security practice. Even the third-party Linksys-style router firmwares do password encryption within the config. You can change it, but you can never retrieve the old one.
The Cisco 5 MD5 hash is used for the enable password. It does provide better security since it’s a one-way hash, but with how cheap GPU power is getting, md5 doesn’t stand up terribly long anymore.
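The difference the two posts above are arguing about is between a reversible encoding (anyone holding the backup recovers every password) and a salted, iterated one-way hash (the backup only lets the router check a guess, and a good password stays out of reach). The Python below is an added illustration, not code from the thread and not a model of what RouterOS or Cisco actually store: Base64 stands in for “an encoding”, PBKDF2-HMAC-SHA256 for a modern one-way hash, and unsalted MD5 for the Cisco type 5 style. The small wordlist is constructed so you can see that a weak password falls to a dictionary regardless of the hash, which is the “short or easy” caveat made above.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# --- reversible encoding: whoever reads the stored value has the secret ---
def encode_reversible(password: str) -> str:
    return base64.b64encode(password.encode()).decode()

def decode_reversible(stored: str) -> str:
    return base64.b64decode(stored).decode()

# --- one-way, salted, iterated: the stored value only verifies a guess ---
ITERATIONS = 100_000  # deliberately slow; raise as hardware gets faster

def hash_one_way(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2$sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_one_way(password: str, stored: str) -> bool:
    _, algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

# --- unsalted fast hash, in the style of Cisco's type 5 (MD5) ---
def hash_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def verify_md5(password: str, stored: str) -> bool:
    return hmac.compare_digest(hash_md5(password), stored)

# Constructed wordlist standing in for "short or easy" passwords.
WEAK_WORDS = ["admin", "password", "123456", "mikrotik", "router"]

def dictionary_audit(stored: str, verify: Callable[[str, str], bool],
                     words=WEAK_WORDS) -> Optional[str]:
    """Audit your own stored credential: return the weak word that matches,
    or None. With a one-way hash this is the only attack left, and each
    guess costs a full ITERATIONS round of PBKDF2."""
    for word in words:
        if verify(word, stored):
            return word
    return None

if __name__ == "__main__":
    good = "Kq7#vL2pX!m9Rz"          # constructed strong password
    print("encoded  :", decode_reversible(encode_reversible(good)))  # recovered outright
    record = hash_one_way(good)
    print("hashed   :", record)      # password not present in the record
    print("verifies :", verify_one_way(good, record))
    print("weak md5 :", dictionary_audit(hash_md5("admin"), verify_md5))
    print("good hash:", dictionary_audit(record, verify_one_way))
```

The point for an operator is the last two lines: a backup that holds one-way hashes still exposes any account whose password is in a wordlist, so hashing is only a real gain on top of long, unique per-site passwords, never instead of them.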
But I still think something in RouterOS could be done to make it harder to get passwords.
I tested the command to stop resetting from the jumper and it seems to work.
Thank you fe4r for letting us know that MikroTik passwords are not so strong any more.
It is important to know security problems, although someone would argue that this is more a physical access security issue.
What if someone puts his hands on your regular backup files? He doesn’t need to climb a tower to have that backup file; he may simply have access to your backup files.
I know some ISPs (small or big) create a second account for the customer so that he can configure the router at his own request. This would give them access to the other account, the ISP’s own.
Metarouter is a feature implemented recently. There were a lot of routers out there before Metarouter was released.
Also, you have to deal with the real facts of life: not everyone is using it; it is an option.
Now people have to be aware of this security issue so that they can act accordingly, and what’s more, MikroTik can take their own steps on their side too.
What I pointed out was that thanks to fe4r’s topic I became aware of this problem.