>Advisory helps organizations protect against PRC-linked actors hiding in router firmware
The most popular router brand is TP-Link, which is a Chinese brand. Both Eero and Nest, from Amazon and Google, aren't available worldwide. Netgear and Linksys have poor firmware update frequency. That pretty much leaves ASUS, with which I have a decade-old unfixed bug with my ISP that randomly fails to get a new IP.
I only wish Apple would come back with a new AirPort Extreme.
For select small/home plastic routers, there's always OpenWrt.
OpenWrt is generally more trustworthy than the stock firmware, but I wouldn't expect any of these solutions to keep out a state actor, nor even a script kiddie with a lot of time on their hands. Trust level is more like not having a known stock firmware botnet motel, and maybe keeping some cruddy US IoT products on their own VLAN.
If a SoC has a co-processor with proprietary firmware (potentially for things like security, remote management, bringing up the main CPU, etc.), peripherals with proprietary firmware (potentially with DMA access), or firmware operating at ring -2/-3, they can sidestep OpenWrt and you wouldn't even know it from the OpenWrt side of things.
But... how do you know that's not backdoored as well? I would just assume that everything is backdoored or has a zero day until proven otherwise. And yes, how do you prove a negative? I refer you back to my first point.
Everyone's throwing out suggestions, so I'll say what I've found to work well after years of sampling the options.
pfSense box + Ruckus WAP
I went with a Netgate SG-1100 and am happy with it for 200/100 WAN. I have a Ruckus R610 (used on eBay for $100) that gets regular Unleashed firmware updates and is far and away the best WAP I have ever owned.
We have photographic evidence of the NSA intercepting Cisco routers. I'm not sure the country of origin matters if you have a red spot painted on your back.
What's being proposed here - as an alternative solution to mass-produced Chinese equipment of unknown trustworthiness - is to purchase different mass-produced Chinese equipment of unknown trustworthiness.
Your example of highly-targeted physical interception by state-level actors is irrelevant here.
You are really bringing your own OS here. The NanoPi can run mainline Linux and U-Boot [0]. If you suspect an Intel ME-style component with ring -3 access, it should show up in the initialization sequence; there are no blobs here. Features like these are not cheap to implement, especially when Chinese vendors are so keen on cutting costs.
Essentially, this means that there is zero risk, unless you are a target, at which point any unintentional hardware bug caused by the aforementioned corner-cutting will become a concern.
How do you guarantee there isn't some logic flashed onto the chip that overrides the bootloader sequence?
BTW, I asked about this 5 months ago [0] and got some interesting replies. I ended up purchasing a PC Engines board (just before they went out of business).
From what I've seen, networking peripherals you can attach to a Pi via USB, or whatever, can't really compete with networking peripherals in routers that are integrated on SoCs/SoMs.
I figure people are using them for router things, like using it as a wireless AP and switch, and the hardware available for those use cases usually falls short of what's available on router SoCs.
I'm scratching my head as to why I don't hear about more people running Raspberry Pis as APs off the built-in WiFi for smaller (in terms of number of clients) networks.
I chucked up hostapd on Debian at one point and was surprised to see how good coverage it got. Outperformed devices in higher price-range without even attaching an antenna.
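The hostapd-on-Debian setup the commenter above describes, written out as an added example that is not the commenter's own configuration. It assumes (constructed for this example) a radio called wlan0 bridged into br0, 2.4 GHz channel 6, and a WPA2-PSK-only network; the helper refuses passphrases outside the 8 to 63 character range WPA2 requires and a second helper checks that the written file never enables TKIP or WPA1.

```shell
#!/bin/sh
# Added example: generate and sanity-check a minimal hostapd config for a
# Debian-based Pi access point. Interface names, channel and SSID are
# constructed assumptions, not values from the thread.

write_hostapd_conf() {
    # $1: destination file, $2: SSID, $3: WPA2 passphrase (8..63 characters)
    dest="$1"; ssid="$2"; psk="$3"
    len=${#psk}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2
        return 1
    fi
    cat > "$dest" <<EOF
interface=wlan0
bridge=br0
driver=nl80211
ssid=$ssid
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
# WPA2 only (wpa=2), CCMP only; no WPA1 and no legacy TKIP pairwise cipher
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$psk
# Require 802.11w management frame protection (set to 1 if old clients fail)
ieee80211w=2
# Stop associated clients from reaching each other through the AP
ap_isolate=1
# A hidden SSID adds no security, so keep broadcasting it
ignore_broadcast_ssid=0
EOF
    # The file contains the passphrase, so keep it readable by root only
    chmod 600 "$dest"
}

# Returns 0 when the config enforces WPA2/CCMP and never lists TKIP as a cipher.
check_hostapd_conf() {
    conf="$1"
    grep -qx 'wpa=2' "$conf" || return 1
    grep -qx 'rsn_pairwise=CCMP' "$conf" || return 1
    grep -q '^rsn_pairwise=.*TKIP' "$conf" && return 1
    grep -q '^wpa_pairwise=.*TKIP' "$conf" && return 1
    return 0
}

# Usage on the AP itself (hypothetical paths; WIFI_PSK supplied by the operator):
#   write_hostapd_conf /etc/hostapd/hostapd.conf "home-ap" "$WIFI_PSK" \
#     && check_hostapd_conf /etc/hostapd/hostapd.conf \
#     && systemctl restart hostapd
```

The bridge line hands the wireless clients to br0, so DHCP and firewalling stay wherever the wired LAN already has them; `ap_isolate=1` is the cheap client-to-client isolation that a separate VLAN would otherwise provide for untrusted devices.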
Same here. Unifi isn't perfect, but I still prefer the single-pane-of-glass view with Unifi and Protect. My biggest gripes are silly defaults that cause massive issues with 2.4 GHz devices, and subpar outdoor cameras and doorbells that fail after 1-2 years.
If you are like me and don't want to keep messing with the router, then Firewalla Gold 1Gb [1] or Gold Plus 2.5Gb [2] should be good for a home router.
Docker can also be used.
Don't get the SE or other cheaper versions, they use ARM chips. Gold/Gold Plus use x86.
They have a default configuration applied when they are first powered on after a reset, which includes WAN, LAN and NAT setup. Possibly some basic firewall setup too, though I can't recall.
The UDM SE has a bug where if you max out 1 Gbps for a bit, at some point the WAN interface is going to crash and you have to either 1) restart, 2) unplug and replug the cable, or 3) restart the interface the WAN port was on.
This bug has existed for over a year, with no fix in sight.
Unifi's quality is dropping day by day. I'm convinced they don't use their own networking tools.