undefined | Better HN

0 pointsprotocolture7mo ago0 comments

My biggest issue is threat surface. You can design around it, but Mikrotik WAP's do everything a Mikrotik router can do. If they get compromised they can run scripts, create blind proxies etc, and mikrotik has a habit of resurfacing CVEs from memory.

My experience is very binary. I had some Mikrotik RF installs that Just Worked, and never needed attention. And some that were just problem children constantly demanding reboots.

Mikrotik code isnt the most stable beast in the world, but if you keep it at a certain point in time you are usually safe. But then that brings you back around to the security issues again.

0 comments

3 comments · 1 top-level

simoncion7mo ago· 2 in thread

> If they get compromised they can run scripts, create blind proxies etc...

How's that different from a Unifi AP? Unless they changed something in the past five, eight years, the software running on the AP is pretty much OpenWRT with the serial numbers hastily filed off. [0] Get a shell, and you get to download whatever to do whatever you need.

[0] Me coming to this realization is what lead me to switch over to OpenWRT. I didn't need any of the fleet management stuff provided by UniFi, and was constantly frustrated that the APs had to totally reboot whenever you changed nearly any setting on them. (I heard that they eventually fixed that particular shortcoming. Good for them, I guess.)

protocoltureOP7mo ago

Mikrotik will let you do a lot of this without downloading new code, but you are correct. In my experience people find a simple vuln, log in, enable the blind proxy feature, and then use your network to evade netflix region blocking until you realise.

Cambiums shell from memory is much further locked down. IIRC you need a possibly predictable password form cambo to do get full root shell on a lot of devices.

simoncion7mo ago

> IIRC you need a possibly predictable password form cambo to do get full root shell on a lot of devices.

If we're ignoring access-control-violating logic errors, then Mikrotik's shells are quite locked down. As you'd expect, you can provision multiple users with a variety of privs... and even make a user that has no configuration modification privs at all.

You can also very easily deny remote access to any credentials other than a username and SSH key. Good luck predicting an SSH key.

But if we're not ignoring coding errors that bypass access control, then I expect that Cambium is no less vulnerable than anything else out there. They're certainly using either BSD or Linux with some proprietary goop layered on top to make it look super sexy.

j / k navigate · click thread line to collapse