MT-3000 AX: Disable USB port permanently for security reasons

smart5538 · 2023-09-06T19:08:57.391Z

Hi there,

is there a possibility to disable the USB port of the MT-3000 AX permanently? I’m primarily using the router for traveling and this could be a possible security issue as the router can be accessed by the cleaning staff, and so on. I already could disable the LAN ports by removing the eth0 and eth1 from the /etc/config/network file.

Now I’m also searching for an option to disable the USB port. Currently I’m using this cronjob (* * * * * (echo 0 > /sys/class/gpio/usb_power/value) >/dev/null 2>&1, that is working pretty well, but the USB port is active for maybe a half minute after boot, until the cronjob has run. So is there a better solution?

Thanks in advance!

silkweb · 2023-09-06T19:37:45.566Z

Why do you think that disabling LAN and USB ports would be useful? Unless you are concerned about a government agency or some other organisation with significant resources, I don’t see any security issues

For most people some hidden cameras and a door/window sensor(s), that alerts when the door/window is opened, should be enough… Also is important to not tell anyone what kind of security you use

smart5538 · 2023-09-06T19:56:12.851Z

I am concerned about that my travel router opens access to my home network via vpn. And when I’m not in my room, anyone could connect to my router via cable and access my home network. Maybe it’s a theoretical problem, but I’m just feeling much better having that physical access blocked. The wifi access is secured with password, so that’s not a issue. I hope that’s quite understandable…

silkweb · 2023-09-06T20:23:53.361Z

You said that the wifi access is secured with a password which means that you use the wifi for other reasons than a backup for internet connection.

Why someone who is disabling LAN and USB ports for security purposes would use Wi-Fi? Wi-Fi is very weak when it comes to security…

Anyway if it is a theoretical problem then of course that it is understandable

Quidn · 2025-03-10T10:36:54.476Z

Personally I never concern this much, but if someone has the ability and will to breach your devices in home through the USB port, probably it doesn't matter whether that USB port is powered or not. Because that can be so easily bypassed with a externally-powered USB hub or cable.

If you're really that concerned, you should physically destroy the USB and TTL pins on the SoC. But even after doing so, your keys stored in the unencrypted flash would still vulnerable.

In my opinion, it'd be better to consider some additional security like granting access only when your device is connected by you. Additional security inside the network would also be needed.

Me? I've configured both ethernet ports as different WAN. I don't care about the USB port, and there's no additional security measures. Do I feel safe? Well, even if someone were breach my network, there would be almost nothing to do without very detailed information and exact credential.