It would be awesome to have somebody show that OpenWrt-based routers are safe and secure. I looked into this problem about 10 years ago and my conclusion was that stock OpenWrt was really questionable. Like, there is no auto-update story, but at the same time it is a giant (relative to what it should be, IMO) Linux distro full of vulnerability-laden components. This space is in dire need of a minimal security-first-from-the-ground-up alternative with a real trustworthy update story.
I admit I'm not super deeply familiar, but I would have guessed the opposite - that OpenWrt had no extra software included, not least because it's targeting devices where total disk and RAM are measured in megabytes. What components would you remove/replace that make it "giant"?
Almost as important is the fact that updates do not overwrite the original packages, because those are in a read-only partition. Updates are written to an overlay file system, so every updated package uses twice as much flash space. Installing updates weekly would quickly fill the flash.
But as far as vulnerabilities go, what’s the actual exposure? From the outside there are no ports open, and on the inside only a few for device management, and basic services like DHCP, etc. Those have been around for decades and are pretty well hardened by now.
Minimizing the chance of bricking the device with an automatic update requires at a minimum having two copies of the OS, so that the running copy isn't trying to modify itself and can remain as a fallback in case of a broken update. That's not too challenging these days now that most routers are using NAND flash, but for a long time it was common to use very small NOR flash modules with the absolute minimum capacity.
It would still be nice to have an official automatic update feature that is opt-in for stock systems.
They have the tools and infrastructure for assembling custom firmware images on-demand, and have recently added it to the default images, so they must feel like their infrastructure is ready for significantly increased demand.
Google Wifi is one of the main lines that aren’t based on OpenWrt.
I don’t operate any OpenWrt-based devices.
So yes, this comment is correct, but it threw me since I wasn’t following the company back then and I hadn’t heard of that history before.
I always assumed it was priced outrageously to have a big enough margin to start fulfilling the preorders and refund requests from the original Kickstarter. The device does not sell very many units so it won't benefit from bulk pricing.