MT-3000 AX: Disable USB port permanently for security reasons

Hi there,

Is there a possibility to disable the USB port of the MT-3000 AX permanently? I’m primarily using the router for traveling and this could be a possible security issue as the router can be accessed by the cleaning staff, and so on. I could already disable the LAN ports by removing eth0 and eth1 from the /etc/config/network file.

Now I’m also searching for an option to disable the USB port. Currently I’m using this cronjob: * * * * * (echo 0 > /sys/class/gpio/usb_power/value) >/dev/null 2>&1. That is working pretty well, but the USB port is active for maybe half a minute after boot, until the cronjob has run. So is there a better solution?

Thanks in advance!

Why do you think that disabling LAN and USB ports would be useful? Unless you are concerned about a government agency or some other organisation with significant resources, I don’t see any security issues.

For most people, some hidden cameras and door/window sensors that alert when the door/window is opened should be enough… Also, it is important not to tell anyone what kind of security you use.

I am concerned that my travel router opens access to my home network via VPN. And when I’m not in my room, anyone could connect to my router via cable and access my home network. Maybe it’s a theoretical problem, but I’m just feeling much better having that physical access blocked. The wifi access is secured with a password, so that’s not an issue. I hope that’s quite understandable…

You said that the wifi access is secured with a password, which means that you use the wifi for other reasons than as a backup for the internet connection.

Why would someone who is disabling LAN and USB ports for security purposes use Wi-Fi? Wi-Fi is very weak when it comes to security…

Anyway, if it is a theoretical problem, then of course it is understandable.

Personally, I'm never this concerned, but if someone has the ability and will to breach your devices at home through the USB port, it probably doesn't matter whether that USB port is powered or not, because that can be so easily bypassed with an externally-powered USB hub or cable.

If you're really that concerned, you should physically destroy the USB and TTL pins on the SoC. But even after doing so, your keys stored in the unencrypted flash would still be vulnerable.

In my opinion, it'd be better to consider some additional security like granting access only when your device is connected by you. Additional security inside the network would also be needed.

Me? I've configured both ethernet ports as different WANs. I don't care about the USB port, and there are no additional security measures. Do I feel safe? Well, even if someone were to breach my network, there would be almost nothing to do without very detailed information and exact credentials.