Protected RouterBOOT

kmailz · February 22, 2015, 8:44pm

Hi all,
I found new protected-routerboot setting in Wiki. Sounds too good to be true so I’ve installed update package for backup RouterBOOT. Do everything as written in Wiki.. And result? Nothing, still was able to boot into netinstall mode.
It takes me two days of fun to found that my RB is not supported.
rb_log.jpg
RB 750
ROS 6.27
RB FW: 3.22

There’s coming question: will be 750 supported?

And please specify supported models in Wiki.

Thanks

normis · February 23, 2015, 10:35am

older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported

kmailz · February 23, 2015, 7:47pm

Okay thanks.

from wiki:

Newer devices will have this new backup loader already installed in factory

Will be this applied to older devices like RB750?

Caci99 · February 25, 2015, 9:24pm

This is a good feature but not as I would have expected it to act yet. It is a good first step to protect the routerboards which are installed into the open.

My main concern is about SXT Lite. What actually happens, is that a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT. Keep in mind that SXT is generally offered free of charge to the customer, so there is one lost. Time after time this is a considerable loss. I have even asked support long time ago if there was anyway to stop others from steeling routerboards installed at open by resetting or netinstall-ing them. But there was no way to protect a routerboard from netinstall.

This new method is a good step at protecting the routerboards, but still one can netinstall by holding the reset button for the given time. I just tested it on a SXT, and the SXT even flashes after the time is reached, indicating that the button can be released and it enters into netistall.

My suggestion would be, is it possible to add a password to protect the routerboard from netinstall? A password which will prompt at the netinstall window? This is a better way to protect it.
I am glad that this issue has been addressed since it is a serious one, but I think it needs to be better than as it is now at this stage.

marrold · February 25, 2015, 9:57pm

a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT

This is a ‘contract’ issue, not a software / hardware problem. I can’t think of many/any devices that can’t be forced to factory reset in some way.

Caci99 · February 25, 2015, 10:13pm

Oh well, so nothing to do about it, right? What about routerboards on towers and masts out in the open? Are you going to pay guards who’s salary exceeds the value of the devices? And it depends on the country where you live. Here where I am, half of the customers don’t want contracts, if you talk about contracts they look at you as if you are talking alien. I am talking things that do happen in real life not about hypothetical situations.
As I said, it is a good thing MikroTik introduced this feature, it only needs to be better.

marrold · February 26, 2015, 7:51am

Like I said, I cant think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.

In the ideal world, how would Protected RouterBOOT work for you?

normis · February 26, 2015, 10:06am

How does password differ from Protected RouterBOOT setting?

The only difference is ability to format the device for reset, but this is for the situation where you forget the password. Otherwise you would just brick it without recovery.

There is no way to protect against reset. If somebody really wants, they could even remove the NAND.

Caci99 · February 26, 2015, 5:36pm

And I can’t think of single bank which can’t be stolen, coincidentally one was stolen two weeks ago in my town . This doesn’t mean that measures has to be taken.

The password I mentioned was about the neinstall, but you don’t have to follow my idea, you surely can come up with a better one. For example, a pattern pressing the button, like a port knocking. Like 20s keeping it pressed, then 5s pause, then 10s pressed and so on.
I may have understood it wrong, but i think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people and as it stands now, unauthorized people can still access the routerboard by netinstall. All they need to do is a 5min read of the wiki and 5min test like I did.

jandafields · March 27, 2015, 5:05pm

I’ve been trying to figure out the actual purpose of protected-bootloader is, and I cannot yet figure it out.

First, without the admin password, I don’t know of anyway to steal someone’s configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won’t get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.

Second, you can netinstall and reinstall mikrotik regardless of the protected-bootloader setting, without knowing the admin password, and without knowing the seconds setting. Simply hold the button until it flashes, and then netinstall. Easy. So, the purpose of protected-bootloader is not to stop netinstall from working.

So … what is the purpose of protected-bootloader???

andriys · March 27, 2015, 5:45pm

Yes, you understood it wrong. Protected RouterBOOT is for protecting configuration of your device (including all the sensitive data it may contain) from access by unauthorized persons, but not to protect the device itself.

andriys · March 27, 2015, 5:48pm

You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents that.

jandafields · March 27, 2015, 6:03pm

Ah, ok. Thank you.

normis · March 28, 2015, 7:43am

Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

jandafields · March 28, 2015, 5:39pm

Actually, based on the other posts here, I think that people DO want a device that would have to be discarded if the password is lost.

I think it would be better for a device to be thrown away, rather than a competitor to end up using it. Theft deterrent.

jandafields · March 28, 2015, 5:43pm

Wrong. There ARE devices that are useless without a password. iPhones and iPads have a locking feature where ONLY the owner can unlock it. If someone else gets a hold of the device, other than the owner, it is impossible to use (unless the owner unlocks it first).

It’s called “Activation Lock” or “Find My iPad”. There is currently no known way to bypass this lock. There are many stories of buying these devices on eBay when the originally did not unlock it (or it was stolen and resold), where the purchaser had no way to use it.

So, not an exact comparision, but yes there are tech devices that can be completely locked down.

freemannnn · March 28, 2015, 5:59pm

where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.

jandafields · March 28, 2015, 6:14pm

You have to do it from the command line:
http://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader

freemannnn · March 28, 2015, 6:18pm

i already read the wiki. but i cant find it even in terminal. can u give me the command?

jandafields · March 28, 2015, 6:33pm

Did you follow the instructions in the wiki, INCLUDING downloading and installing the required package?

http://www.mikrotik.com/download/share/protected_routerboot_v3_22_enable_6_27.dpk