Serial console password

By default, the OpenWrt serial console is not protected by a password. As a principle, networking hardware should never be openly accessible and should be locked down to avoid attacks.

See also: Forum thread, Support ticket, How to build a single package

After the first boot of OpenWrt, the user defines a password to protect SSH and LuCI HTTP(S) access. However, the serial console remains accessible without a password. Very few OpenWrt users are aware that their hardware is wide open; you should be aware of this and find solutions.

uci set system.@system[0].ttylogin="1"
uci commit system
service system restart

You will need to recompile busybox, because the default .config does not include the line CONFIG_BUSYBOX_CONFIG_LOGIN. Run make menuconfig and enable “Base system → busybox → Login/Password Management Utilities → login”. Save, exit and verify that .config contains CONFIG_BUSYBOX_CONFIG_LOGIN=y.


make package/busybox/compile
make package/busybox/install

Get the busybox package: <build_dir>/bin/<arch>/packages/base/busybox_<version>.ipk.
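The settings above can be checked with a small script. This is an added example, not part of the original wiki page or of OpenWrt itself. The function names are hypothetical. It assumes the UCI setting is stored as an "option ttylogin" line in the system config file, and that an empty root password field in the shadow file lets login proceed without asking for a password.

```shell
#!/bin/sh
# Added example: audit the files involved in serial-console login.
# File paths are arguments so the checks also work on offline copies.

# Succeeds if the UCI system config sets ttylogin to 1.
ttylogin_enabled() {
    grep -Eq "^[[:space:]]*option[[:space:]]+ttylogin[[:space:]]+['\"]?1['\"]?[[:space:]]*$" "$1"
}

# Succeeds if the build .config selects the busybox login applet.
busybox_login_selected() {
    grep -qx 'CONFIG_BUSYBOX_CONFIG_LOGIN=y' "$1"
}

# Prints the state of root's password field in a shadow file:
# empty (assumed: login asks for nothing), locked, set, or missing.
root_password_state() {
    awk -F: '$1 == "root" {
        found = 1
        if ($2 == "") print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else print "set"
        exit
    }
    END { if (!found) print "missing" }' "$1"
}

# audit_console SYSTEM_CFG SHADOW: returns 0 only if ttylogin is on
# and root has a real password hash.
audit_console() {
    rc=0
    ttylogin_enabled "$1" || { echo "FAIL: ttylogin is not 1 in $1"; rc=1; }
    state=$(root_password_state "$2")
    [ "$state" = set ] || { echo "FAIL: root password is $state in $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: serial console requires the root password"
    return "$rc"
}

# Demo on constructed sample files (not taken from a real device):
# ttylogin is enabled, but root has no password yet.
demo=$(mktemp -d)
printf "config system\n\toption hostname 'OpenWrt'\n\toption ttylogin '1'\n" > "$demo/system"
printf 'root::0:0:99999:7:::\n' > "$demo/shadow"
audit_console "$demo/system" "$demo/shadow" || echo "console is still open"
rm -rf "$demo"
```

On a router, call audit_console /etc/config/system /etc/shadow; in the build tree, call busybox_login_selected .config before compiling the package.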

Single user mode is available through GRUB and allows booting without a password. An attacker is then able to change the root password and reboot.

A solution would be to lock down the OpenWrt bootloader process, to make sure that booting into Linux single user mode is impossible. This has to be discussed and is not yet documented.

You should know that hardware attacks on serial console pins are always possible. However, they require time and skill.

  • Last modified: 2019/09/10 21:03
  • by tmomas