An open source router built for security
Light and Shadow
During a test in an inner-city office in Berlin, we regularly reached wireless data rates of over 800Mbps with the Turris Omnia. That is roughly what remains of the theoretical gross rate of 1.3Gbps that 802.11ac allows once protocol overhead is subtracted, so it is close to the practical maximum for the standard. No other 802.11ac router we set up for comparison achieved higher throughput; in terms of wireless performance, the router is therefore in the absolute top group.
The Turris Omnia also has its downsides, including its price/performance ratio. At a purchase price of EUR289/329, the router is in the upper mid-price range, although it lacks interfaces for analog or ISDN phones. You can, however, retrofit telephony features if you have some background knowledge.
Conclusions
The Turris Omnia is an excellent piece of hardware. Both the workmanship and the underlying open concept leave no room for criticism, which makes the missing telephony features all the more apparent. The update function makes a good impression, and given the organization behind the Turris Omnia project, users can expect long-term support. The distributed firewall still has to demonstrate its capabilities in a long-term test.
If you do not feel comfortable with the thought of a third party analyzing your data, you can leave this option disabled (it is off by default) and rely on the local firewall alone. The firewall supports highly granular configuration, given the appropriate knowledge, but the Turris Omnia would benefit from a clearer and more user-friendly configuration interface for non-Linux experts.
Interview: Turris Omnia Development Head Bedrich Kosata
The Turris Omnia is not the first hardware project by CZ.NIC. We caught up with Bedrich Kosata, Head of Development for the Turris Omnia, at the OpenWrt summit in Berlin, Germany, and asked about the objectives behind the development of this security-focused router.
Linux Magazine: The domain registrar, CZ.NIC manages the top-level domain in the Czech Republic. What prompted the company to also develop network equipment for end users?
Bedrich Kosata: We are a non-profit company and seek to use profits from the CZ domain for the good of the public. This is why we focus on open source and IT security. So we figured that it would be instructive to see what kind of traffic flows between the Internet and home networks – who attempts access to home networks and in what way. The idea evolved into the Turris project: We gave people special routers, just to monitor this traffic and to see whether we could identify anomalies, malicious software, or the like.
LM: When was the Turris project founded?
BK: We had the idea at the end of 2012, and we started the project in 2013. Initially, we did not want to make our own hardware, but we failed to find any products that met our standards. We thus had to develop the hardware ourselves from scratch, whether we wanted to or not. In 2014, we delivered the first two router models free of charge, in exchange for data from users. Anyone who wanted to take part just had to sign a contract for three years. In return, we maintained the boxes and provided updates but also collected data for analysis.
LM: Now the Turris Omnia is ready – the third router by CZ.NIC and the first financed by crowd funding. How did you manage to make the device completely open source?
BK: We open-sourced all the chips so that the mainline kernel would support them; all the drivers were required to be open source. The only exception is the WiFi driver: You will not find a completely free driver; there is always binary firmware that is not disclosed.
LM: What makes this router secure?
BK: It all starts with the basic setup. It is well known that default passwords are some of the biggest security problems on the Internet. That's why we force the user to define their own, sufficiently strong passwords during the setup. This makes our router secure from the outset, in addition to regular updates and advanced features such as the distributed firewall.
LM: The distributed firewall – what is that exactly?
BK: The firewall collects data from various sources – the routers themselves, but also from our company or externally from the Internet. From this we create an IP graylist and watch the conspicuous addresses in particular. If a router connects to one of these addresses and we discover suspicious or malicious activity, we warn our users.
LM: This is not something that everyone will want – isn't this an invasion of privacy?
BK: By default, the distributed firewall is not active; the user has to enable it explicitly. We are not interested in the private data but only in the local firewall logs: This information lets us see who is attempting to log onto the router from the outside, and which services are especially subject to attack. To discover what is happening on their own routers, users can use a special portal that also shows the volumes of data exchanged between the router and the Internet.
We collect only the information that we really need, in particular metadata – who is talking to whom. We are not interested in the content at all. Our analysts see only anonymized data sets; also, we destroy all the individual data after ten days and then only keep the aggregated traffic data. This is also part of our privacy policy, which the user has to agree with.
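The collection pipeline described in the two answers above, as an added illustration that is not CZ.NIC's code: a Python sketch that reads firewall log lines (constructed sample lines in a netfilter-like format, not real Turris data), keeps only connection metadata, pseudonymizes the home-network side with a keyed hash so analysts never see raw addresses, builds a graylist from repeated inbound attempts plus an externally supplied feed, flags outbound connections to graylisted addresses, aggregates which services attract attacks, and discards per-connection records after ten days. The line format, the hypothetical `wan-drop`/`fwd-new` rule tags, the demo key and the graylist threshold are all assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real Turris data): an ISO timestamp, a
# hypothetical rule tag, then fields in netfilter LOG style. wan-drop = blocked
# inbound attempt on the WAN side, fwd-new = new outbound connection from the LAN.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2016-03-01T02:11:05Z wan-drop: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=23
2016-03-01T02:11:09Z wan-drop: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51235 DPT=23
2016-03-10T04:30:00Z wan-drop: IN=eth1 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=22
2016-03-14T08:00:00Z fwd-new: IN=br-lan OUT=eth1 SRC=192.168.1.23 DST=203.0.113.200 PROTO=TCP SPT=50001 DPT=443
2016-03-14T08:00:03Z fwd-new: IN=br-lan OUT=eth1 SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=50002 DPT=6667
2016-03-14T09:15:00Z wan-drop: IN=eth1 OUT= SRC=203.0.113.50 DST=198.51.100.20 PROTO=UDP SPT=5060 DPT=5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<tag>wan-drop|fwd-new): .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_ts(s):
    """ISO-8601 UTC timestamp as used in the sample lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Extract connection metadata only (addresses, protocol, ports). No payload
    is ever parsed, so content cannot be collected even by accident."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def pseudonymize(ip, key):
    """Keyed hash of a home-side address: analysts can still correlate records of
    the same router but cannot recover the address without the key. An HMAC rather
    than a bare hash, because the IPv4 space is small enough to brute-force an
    unkeyed hash of every address."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def collect(log_text, key):
    """Turn raw lines into records with the home side pseudonymized and the
    external peer kept in the clear (that is the address worth watching)."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tag"] == "wan-drop":     # inbound: peer is SRC, our router is DST
            rec["peer"], rec["home"] = rec["src"], pseudonymize(rec["dst"], key)
        else:                            # outbound: peer is DST, LAN host is SRC
            rec["peer"], rec["home"] = rec["dst"], pseudonymize(rec["src"], key)
        del rec["src"], rec["dst"]       # raw addresses never leave this function
        records.append(rec)
    return records


def build_graylist(records, external_feed, threshold=2):
    """Graylist = peers seen in at least `threshold` blocked inbound attempts,
    plus addresses supplied from outside (own research, third-party feeds)."""
    hits = Counter(r["peer"] for r in records if r["tag"] == "wan-drop")
    return {ip for ip, n in hits.items() if n >= threshold} | set(external_feed)


def graylist_hits(records, graylist):
    """Outbound connections to a graylisted peer: the event that triggers a
    warning to the user whose router made the connection."""
    return [r for r in records if r["tag"] == "fwd-new" and r["peer"] in graylist]


def attacked_services(records):
    """Which (protocol, port) pairs attract the most blocked inbound attempts."""
    return Counter((r["proto"], r["dpt"]) for r in records if r["tag"] == "wan-drop")


def expire(records, now, days=10):
    """Retention: drop per-connection records older than `days`; the caller keeps
    only aggregates such as attacked_services() beyond that point."""
    cutoff = now - timedelta(days=days)
    return [r for r in records if r["ts"] >= cutoff]


if __name__ == "__main__":
    recs = collect(SAMPLE_LOG, key=b"constructed-demo-key")
    gray = build_graylist(recs, external_feed={"203.0.113.77"})
    for hit in graylist_hits(recs, gray):
        print("warn router", hit["home"], "connected to graylisted", hit["peer"], "port", hit["dpt"])
    print("most attacked:", attacked_services(recs).most_common(3))
    print("kept after retention:", len(expire(recs, parse_ts("2016-03-15T00:00:00Z"))))
```

The key used by `pseudonymize` has to live with the collector, not with the analysts; if it is rotated, correlation across the rotation boundary is lost, which is a privacy feature rather than a bug. Note that the external peer's address is deliberately not pseudonymized, since a graylist is only useful when it can be matched against the real addresses other routers see.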
LM: Are there more security measures in addition to the distributed firewall and local hardening of the router?
BK: We have also set up honeypots in the form of virtual routers and servers to determine how attackers attempt to intrude. In the case of Telnet access, we only present a login where the attacker can continually enter their username and password, until it gets on their nerves and they give up. But this provides us with interesting data about botnets in particular. The SSH honeypot shows the attacker a system that they can supposedly infiltrate. We thus learn what kind of malware the attackers are trying to install and can analyze the results. The honeypot is isolated from the user routers so that real routers will not be compromised.
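The Telnet honeypot behaviour described above, as an added example that is not CZ.NIC's honeypot code: a small Python login state machine that only ever shows login and password prompts, never a shell, records every credential pair, and closes the session after a cap on attempts, plus an asyncio server that puts it on a TCP port. The prompts, the attempt cap, the idle timeout and the port are assumptions.

```python
import asyncio
from collections import Counter


class TelnetLoginHoneypot:
    """State machine for a fake Telnet login. It only ever shows prompts, never a
    shell; every credential pair is recorded. Transport is kept out of the class
    so the logic can be exercised offline."""

    LOGIN_PROMPT = b"\r\nlogin: "
    PASSWORD_PROMPT = b"Password: "
    FAILURE = b"\r\nLogin incorrect"
    CLOSED = b"\r\nConnection closed by foreign host.\r\n"

    def __init__(self, max_attempts=50):
        self.max_attempts = max_attempts   # cap so one bot cannot hold a socket forever
        self.attempts = []                 # (username, password) pairs seen
        self.pending_user = None
        self.closed = False

    def start(self):
        return self.LOGIN_PROMPT

    def feed(self, line):
        """Consume one line from the attacker, return the bytes to send back."""
        if self.closed:
            return b""
        line = line.rstrip(b"\r\n")
        if self.pending_user is None:
            self.pending_user = line
            return self.PASSWORD_PROMPT
        self.attempts.append((self.pending_user, line))
        self.pending_user = None
        if len(self.attempts) >= self.max_attempts:
            self.closed = True
            return self.FAILURE + self.CLOSED
        return self.FAILURE + self.LOGIN_PROMPT


def top_credentials(sessions, n=5):
    """Aggregate credential pairs over many sessions: botnets reuse small
    dictionaries of default logins, and those show up at the top immediately."""
    return Counter(pair for s in sessions for pair in s.attempts).most_common(n)


async def serve(host="127.0.0.1", port=2323, idle_timeout=120):
    """Run the honeypot on a TCP port. Bind it on an isolated host or network
    namespace, never on a production router, and use an unprivileged port so the
    process needs no root (redirect port 23 to it with a NAT rule if wanted)."""
    sessions = []

    async def handle(reader, writer):
        hp = TelnetLoginHoneypot()
        sessions.append(hp)
        writer.write(hp.start())
        await writer.drain()
        while not hp.closed:
            try:
                line = await asyncio.wait_for(reader.readline(), timeout=idle_timeout)
            except asyncio.TimeoutError:
                break                      # silent peer: free the slot
            if not line:
                break
            # Telnet option negotiation (IAC sequences) is not stripped here; most
            # bots never send it, and it only pollutes the first recorded username.
            writer.write(hp.feed(line))
            await writer.drain()
        writer.close()
        await writer.wait_closed()
        print("session ended:", hp.attempts, "top so far:", top_credentials(sessions))

    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Because `feed()` never changes state in a way that grants access, there is nothing for an attacker to break out of; the only resource at risk is the honeypot host's sockets, which is why the attempt cap and idle timeout are there. The recorded pairs are exactly the data the interview mentions as interesting about botnets.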
LM: For some time, open source routers have had a problem with official approval: The US FCC, in particular, but also the EU, require some kind of lockdown of the wireless interface. How do you handle this?
BK: That is a real problem. We are in the process of pursuing FCC approval, which is seriously slowing us down. We want to make the router as open as possible, and now we need to lock down part of the hardware. Currently, we are collaborating with the manufacturer of the WiFi cards to find a good solution for all parties. Ultimately, we will probably need to offer a separate version with a lockdown for the US market in order to achieve FCC certification.
Infos
- Turris Omnia: https://omnia.turris.cz/en/
- OpenWrt: https://openwrt.org