OpenWrt Forum Archive

Topic: Redboot vulnerability - is openwrt as secure as we think?

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Is an openwrt router really secure?  I don't have answers, only questions which I hope others can answer.

You can connect to redboot on the Internet port if you know the redboot IP address to talk to and the redboot port number.
These settings come from the procedures that are provided, so most openwrt routers would have the same settings.

What prevents a hacker/worm from attacking your router and accessing your redboot?  Is there some protection against packets having come through a switch or router?  Would your router be safe against attacks from another router on the same ISP LAN segment?

My own tests show:

Redboot is only accessible if you catch it during boot, but routers are often rebooted while connected to the ISP (e.g. after power failure) so scanning for redboot is a reasonable thing for a hacker/worm to do.

If, in fact, redboot could be accessed from the Internet then we should consider some protection.  Perhaps a simple approach is to recommend users to make up their own redboot IP address and redboot port number so that our routers are not configured consistently.

Comments?

redboot doesn't have a default gw by default, thus you can only connect from an adjacent host on the same network, i.e. your local network. During the redboot phase no internet connectivity is established (in the case of adsl modems) and only the ethernet interface is initialised.

Many devices are not adsl modem/router combos and so perhaps they could still be vulnerable to attack on the ISP LAN/MAN?

Example:

The suggested procedure for flashing the DIR-300
http://oldwiki.openwrt.org/OpenWrtDocs( … d)300.html
suggests the following fconfig settings.

Use BOOTP for network configuration: false
Gateway IP address: 192.168.1.1
Local IP address: 192.168.1.10
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.228
Console baud rate: 9600
GDB connection port: 9000

This seems to set a gateway address - I am guessing that this would make the redboot accessible through a router (although using a private IP means that routers in the wider Internet will not transmit traffic to the IP).

I conclude that it would be better for each user to use an individual local IP address for their redboot and perhaps also to change the port number from 9000 to something else.

lenhamey wrote:

Many devices are not adsl modem/router combos and so perhaps they could still be vulnerable to attack on the ISP LAN/MAN?

In case you are on a broadcast multi-access network (like plain ethernet) with the box directly connected to the external cloud (i.e. gateway to home network) then theoretically someone on the same broadcast domain could exploit it. So, it might make sense %)

ruff wrote:
lenhamey wrote:

Many devices are not adsl modem/router combos and so perhaps they could still be vulnerable to attack on the ISP LAN/MAN?

In case you are on a broadcast multi-access network (like plain ethernet) with the box directly connected to the external cloud (i.e. gateway to home network) then theoretically someone on the same broadcast domain could exploit it. So, it might make sense %)

But even if somebody exploited this tiny security hole, it would not be just to blame it all on OpenWRT since by the time the exploit runs it is the bootloader that is in charge. I think that the question 'is openwrt as secure as we think?' is unfair in this context.

neutron wrote:

I think that the question 'is openwrt as secure as we think?' is unfair in this context.

Sure, it has nothing in common with openwrt, so it is just a speculative question. %) And it should be addressed on the redboot mailing list.

Firstly, let me thank those who have contributed to this discussion.  I was wondering whether I had missed a security feature for redboot, but now I believe that I will follow my own advice and randomise the redboot IP address.

Blaming openwrt is not the issue.  Helping to protect users of openwrt from security vulnerability is.

The proposed solution of randomising the redboot IP address is something that should be documented in the installation guides for end users and not hidden in the redboot development group somewhere.
