Unencrypted Updates Are Always A Bad Idea
OpenWRT has been discussed on the PC Perspective Podcast a number of times, it is an impressively powerful piece of open source firmware you can install on routers and a variety of other devices to give yourself more control over security, traffic and almost any other setting you want to dig into. Unfortunately they’ve been a bit lax on their own software as it turns out the updates you have been grabbing are unencrypted and the security researcher that Ars Technica quotes describes defeating the digital-signature checks as a trivial task.
You don’t have to panic because you have been using and updating OpenWRT for years. In order to successfully feed you a poisoned update an attacker would have had to have modified your DNS to be able to redirect you to a site of their choice as opposed to the legitimate one or to already be on your network and in a position to conduct a man-in-the-middle attack.
For the nonce, downloading version 18.06.7 or 19.07.1 is recommended as these include a temporary workaround solution which forces the hash check to work effectively, but it is not a permanent solution as attackers with a redirect in place could still point you at an older repository with older hashes which even the new versions would accept as valid.
For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.