
James Harper wrote:
2. There's a substantial risk of bricking them when you replace the vendor-supplied firmware with OpenWRT or upgrade to the latest openwrt.
Wrong. Sane models will attempt to boot off TFTP for a few seconds every boot. Even if you brick it, you can install a new image via TFTP. This is how I do *all* installs, because it's less aggravating than dealing with some "upload new firmware" page of the vendor OS.
You need to be very careful where you deploy such a router. Setting this up with a tftp-enabled port (often all Ethernet ports) exposed to a school network would be madness.
Typically only from port 0. I'm not disagreeing with you, but... The attacker (malicious student) in your scenario has direct access to a switch port, and (unless it's at the other end of a patch panel) direct access to the WRT as well. So if he can trigger a reboot of the WRT, he can reflash it with an arbitrary firmware. This process takes about ten minutes. (0)

But he could also
1. unplug the power cable, cut the power cable, or fill ports with epoxy (DOS);
2. unless you hard-code the neighbours table, he can ARP poison (MITM);
3. if you use DHCP, he can be a rogue DHCP server, and anything which receives his DHCP response before yours will see his view of the world (MITM).

That's just off the top of my head. If I was stuck in class all day for a year staring at a comms cabinet, I daresay I could come up with a few more. Also off the top of my head, I think (3) would be easier to implement, and harder to detect, than (0). And unlike (0), (3) does not require the ability to reboot a router, which would probably require physical access to the WRT, or access to the building mains and some vocational elec eng knowledge.

Bottom line: when they have physical access, GAME OVER.
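Point (3) above is the one the poster calls hardest to detect, so here is a small detector for it, added as an example and not part of the thread: it takes DHCP OFFER records as a sniffer on the LAN might summarise them (the record fields, the sample offers and the `AUTHORISED_*` sets are all constructed for this example) and flags any offer whose sender, server identifier, gateway or DNS is not the one server that is supposed to exist on that segment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpOffer:
    src_mac: str     # Ethernet source of the OFFER frame
    server_id: str   # DHCP option 54 (server identifier)
    offered_ip: str  # yiaddr handed to the client
    router: str      # option 3 (default gateway handed to the client)
    dns: str         # option 6 (first DNS server handed to the client)


# Constructed sample offers, as a sniffer on the LAN might summarise them.
# The second one comes from a rogue server pointing clients at itself.
SAMPLE_OFFERS = [
    DhcpOffer("00:11:22:33:44:55", "10.0.0.1", "10.0.0.50", "10.0.0.1", "10.0.0.1"),
    DhcpOffer("de:ad:be:ef:00:01", "10.0.0.99", "10.0.0.51", "10.0.0.99", "10.0.0.99"),
    DhcpOffer("00:11:22:33:44:55", "10.0.0.1", "10.0.0.52", "10.0.0.1", "10.0.0.1"),
]

# The only DHCP server, gateway and DNS that should exist on this LAN
# (hypothetical values; an operator would fill these from their own config).
AUTHORISED_SERVERS = {("00:11:22:33:44:55", "10.0.0.1")}  # (src MAC, option 54)
AUTHORISED_GATEWAYS = {"10.0.0.1"}
AUTHORISED_DNS = {"10.0.0.1"}


def find_rogue_offers(offers, servers=AUTHORISED_SERVERS,
                      gateways=AUTHORISED_GATEWAYS, dns=AUTHORISED_DNS):
    """Return [(offer, [reasons])] for every offer that should not be trusted.

    An offer is suspicious if its source MAC / server identifier pair is not
    the known server, or if it hands clients a gateway or DNS server that is
    not ours (redirecting those is how a rogue server ends up in the middle)."""
    rogues = []
    for o in offers:
        reasons = []
        if (o.src_mac.lower(), o.server_id) not in servers:
            reasons.append(f"unknown server {o.src_mac}/{o.server_id}")
        if o.router not in gateways:
            reasons.append(f"foreign gateway {o.router}")
        if o.dns not in dns:
            reasons.append(f"foreign DNS {o.dns}")
        if reasons:
            rogues.append((o, reasons))
    return rogues


if __name__ == "__main__":
    for offer, reasons in find_rogue_offers(SAMPLE_OFFERS):
        print(f"ROGUE offer to {offer.offered_ip}: " + "; ".join(reasons))
```

Run against a live feed, each flagged offer gives you the MAC of the rogue's port to hunt down on the switch, which is the detection the poster says is otherwise hard to get.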