At Home Playing With OpenWRT? Time For An Update!
Unencrypted Updates Are Always A Bad Idea
OpenWRT has been discussed on the PC Perspective Podcast a number of times. It is an impressively powerful piece of open source firmware that you can install on routers and a variety of other devices to give yourself more control over security, traffic and almost any other setting you want to dig into. Unfortunately the project has been a bit lax with its own software: it turns out the updates you have been grabbing are delivered unencrypted, and the security researcher that Ars Technica quotes describes defeating the digital-signature checks as a trivial task.
You don’t have to panic just because you have been using and updating OpenWRT for years. In order to feed you a poisoned update, an attacker would have had to modify your DNS so as to redirect you to a site of their choice instead of the legitimate one, or already be on your network and in a position to conduct a man-in-the-middle attack.
For the nonce, downloading version 18.06.7 or 19.07.1 is recommended, as these include a temporary workaround that forces the hash check to be enforced properly. It is not a permanent solution, however: an attacker with a redirect in place could still point you at an older repository with older hashes, which even the new versions would accept as valid.
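To make the two points above concrete, here is an added example (not OpenWRT or opkg code) that models a package-list hash check alongside the freshness check the workaround lacks. The `serial` field, the package names and the archive bytes are all constructed for the example; a real client would also need the index to arrive over an authenticated channel with a working signature check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class PackageIndex:
    """A package list as seen after its signature check. 'serial' is a hypothetical
    monotonic release counter (not an opkg field) standing in for a freshness marker."""
    serial: int
    hashes: dict = field(default_factory=dict)  # archive filename -> SHA-256 hex

def verify_package(index: PackageIndex, filename: str, data: bytes) -> bool:
    """The hash check the workaround enforces: the downloaded archive must match the
    digest the index lists for it; unlisted or altered archives are rejected."""
    expected = index.hashes.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

class UpdateClient:
    """Adds the check the article says is still missing: never accept an index older
    than the newest one this device has already trusted."""
    def __init__(self, last_serial: int = 0):
        self.last_serial = last_serial

    def accept_index(self, index: PackageIndex) -> bool:
        if index.serial < self.last_serial:
            return False  # stale repository: its hashes match, but they are outdated
        self.last_serial = index.serial
        return True

# Constructed sample data: a current build, a copy altered in transit, and an older
# build that a stale index still lists with a matching (so "valid") hash.
GENUINE_PKG = b"example-tool 2.1 (constructed archive bytes)"
TAMPERED_PKG = b"example-tool 2.1 (constructed archive bytes, altered in transit)"
OLD_PKG = b"example-tool 1.0 (constructed archive bytes, superseded release)"
CURRENT_INDEX = PackageIndex(20200401, {"example-tool_2.1.ipk": hashlib.sha256(GENUINE_PKG).hexdigest()})
STALE_INDEX = PackageIndex(20190101, {"example-tool_1.0.ipk": hashlib.sha256(OLD_PKG).hexdigest()})

def run_scenarios() -> dict:
    client = UpdateClient()
    client.accept_index(CURRENT_INDEX)  # the device has already trusted the current index
    return {
        "genuine_passes_hash": verify_package(CURRENT_INDEX, "example-tool_2.1.ipk", GENUINE_PKG),
        "tampered_fails_hash": verify_package(CURRENT_INDEX, "example-tool_2.1.ipk", TAMPERED_PKG),
        # the hash check alone is satisfied by a stale index: the rollback the article warns about
        "stale_passes_hash_only": verify_package(STALE_INDEX, "example-tool_1.0.ipk", OLD_PKG),
        # the freshness check is what closes that gap
        "stale_index_accepted": client.accept_index(STALE_INDEX),
    }
```

Running `run_scenarios()` shows the hash check alone accepting the stale repository while the freshness check rejects it.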
For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.
More Tech News From Around The Web
- Samsung calls it a day on liquid-crystal display, says quantum dot is really hot @ The Register
- 2020 Moto G goes up for pre-order today, $250 for a 5000mAh battery @ Ars Technica
- Astrophysicist Gets Magnets Stuck Up Nose While Inventing Coronavirus Device @ Slashdot
- Outage hits some Google Cloud services, error rate curve flattens and they’re coming back @ The Register
- How SNES emulators got a few pixels from complete perfection @ Ars Technica
- Marriott Discloses New Data Breach Impacting 5.2 Million Guests @ Slashdot
- Cloudflare is over the moon because its pro-privacy 18.104.22.168 DNS service got a clean bill of health from everyone’s favorite auditor – KPMG @ The Register