25

I went to download the latest firmware for my router and noticed the download link is not HTTPS, so I sent the following email to the manufacturer:

I went to look for new firmware for my Archer C7 router, but I saw that the download link is over unencrypted HTTP, not secure HTTPS. I would never download software or firmware over an insecure connection. Please upgrade your site to HTTPS.

This was their reply:

The device will verify the integrity and correctness of the bin file; if it is tampered with, it won't be able to upgrade successfully. Don't worry, you can download it.

Ignoring the fact that they have no excuse for not using HTTPS, my question is: Is it even possible for the router to confirm that a new firmware file hasn't been tampered with? How would that work?

Ian Phillips
  • 361
  • 3
  • 5
  • 21
    The accepted answer establishes that it is *possible in principle* for the router to securely validate a firmware image downloaded over HTTP. Of course, that doesn't mean *your* router actually does this. Another (sadly plausible) explanation for the response you've received is that the router has "integrity and correctness" checks that simply validate that the file is a well-formed firmware image, without checking any signatures, and that the tech support employee who answered your query doesn't understand the difference between validating a file format and validating a signature. – Mark Amery Jan 12 '17 at 21:49
  • Agreed - the question asked if it was possible, which it is, not whether it was done in this particular case. I've never come across an Archer C7 router, so can't comment on that point. – Matthew Jan 12 '17 at 22:19
  • 8
    The implication that HTTPS somehow makes a downloaded firmware image safe is kind of silly. Either you're super-paranoid (in which case you require extended validation, not just SSL), or you're not (in which case HTTPS doesn't give you any real benefit here). – Sneftel Jan 12 '17 at 23:10
  • @Sneftel I wouldn't say that. EV doesn't really offer a benefit if you already know that the website you are going to is the right one. For example, if the URL is written on the bottom of the router, then you have a reasonable level of certainty that the website at that domain (and thus the SSL certificate) are owned by the company that made the router. – 0942v8653 Jan 12 '17 at 23:55
  • 1
    There are some ways to help verify this if you don't mind risking losing the router. Just change a random byte in the middle of the file and try flashing the firmware. If it succeeds, then you know it's not verifying anything. If it doesn't succeed, then maybe it's doing a checksum of some sort. So maybe guess the checksum algorithm (e.g. CRC32) and try to see if you can make it accept an invalid file with a similar checksum. If you never succeed, then maybe there's some truth to what they're saying (but you can never be sure). – user541686 Jan 13 '17 at 00:40
  • 7
    Also, it baffles me how much people worry about HTTP security. For this to be unsafe someone has to be *actively tampering* with your connection *right now*. Are you really *that* valuable of a target? Have you been annoying a government somewhere or something? If you really think everybody's out to get you, just download from different locations and verify the hashes are equal, and that you get plausible results when you Google that hash. If you think someone's compromised the *company*'s side of the connection, then realize it's unlikely it'll stay that way for long before they notice... – user541686 Jan 13 '17 at 00:47
  • @Mehrdad So better not change anything at will; instead, try to identify whether there is UI text anywhere. Changing that doesn't harm functionality, if flashing works at all. – glglgl Jan 13 '17 at 14:28
  • 1
    @Machavity: Plenty of ISPs actively MITM all HTTP traffic, at least for caching and ad injection. It's not far-fetched to believe they might also replace router firmware, e.g. to make your router do additional ad injection or tracking that earns them kickbacks. – R.. GitHub STOP HELPING ICE Jan 13 '17 at 17:45
  • 2
    @Machavity Not necessarily, Stack Exchange allows posting questions (and viewing the rest of the site) using HTTPS, but it doesn't require it. – Kevin Brown-Silva Jan 14 '17 at 01:04
  • 4
    @oldmud0: There's a huge difference in executing potentially-tampered-with code and reading a potentially-tampered-with question on SO. Making fun of people's legitimate concerns about obtaining and running code from unsafe channels is not appropriate for this site. The really sad thing is that, if OP were asking about how they got infected with a virus, people like you would probably be insulting them for downloading and running exes from sketchy sites. They can't win. – R.. GitHub STOP HELPING ICE Jan 14 '17 at 03:34
  • @Sneftel How does HTTPS without EV provide no benefit? Even the most basic certificates would eliminate any possible MITM or DNS poisoning attacks. Maybe you can't prove that linksys.com is attached to some specific company, but if you trust the DNS domain then regular HTTPS/certificates prove that you are securely connected to it. – trognanders Oct 12 '18 at 22:28

4 Answers

56

Sure - it could be a signed image. If the router has a built-in public key, and the image was signed by the corresponding private key, it would be perfectly safe.

Unless someone had got the private key, and uploaded a malicious version to the server, in which case, HTTPS wouldn't help either.

Matthew
  • 27,233
  • 7
  • 87
  • 101
  • Well, if the old firmware has a known vulnerability, couldn't someone possibly detect and interfere with the transfer and then attack, knowing your system is un-updated? –  Jan 12 '17 at 19:58
  • That's why I specified that the public key had to be built in (and the key validation not flawed). However, you need that whether the download is over http or https, or any other method. – Matthew Jan 12 '17 at 20:03
  • Yes, but over https they can't see that it's firmware you are getting. My hypothetical attacker isn't trying to change your firmware; they DoS your attempt to update, and since you tried to update it is reasonable to assume you have old firmware, so they attack using some vulnerability of the old firmware. –  Jan 12 '17 at 20:13
  • 2
    Why bother? Most attackers will just try all possible attacks, regardless of whether they are likely to work - and an attacker who was specifically targeting a given user doesn't need to wait until they try to download a firmware update. – Matthew Jan 12 '17 at 20:25
  • 2
    "and uploaded a malicious version to the server" - not necessarily - it is sufficient for an attacker to perform MITM via, for example, DNS/DHCP/ARP spoofing. – Maciej Piechotka Jan 12 '17 at 22:13
  • 2
    Not if it's a signed image - if they don't have the correct private key, any data they change would make the firmware signature incorrect. They could tamper with the download, but it wouldn't install, assuming a working signature validation method. – Matthew Jan 12 '17 at 22:17
  • 2
    Although "technically correct", the image is not verified by public key on the router; that, or the private key has been leaked. There exists an OpenWRT image that uses this mechanism to install itself on the Archer C7. https://wiki.openwrt.org/toh/tp-link/tl-wdr7500 – Aron Jan 13 '17 at 02:07
  • @Aron Not necessarily. Manual firmware upgrade may be allowed to bypass some of the checks mandatory for automated upgrade. – Dmitry Grigoryev Jan 13 '17 at 09:41
  • "Could be". OP should verify the verification mechanism, by replying to technical support. – Lightness Races in Orbit Jan 13 '17 at 18:11
23

It is probably safe.

But downloading over https should be preferred if possible.

Without https:

  • If there is a flaw in the signature mechanism, it can be exploited (example: https://github.com/QubesOS/qubes-issues/issues/2520 )

  • An attacker can know which firmware/version you install (so if there are known flaws in that firmware/version, they could be exploited)

  • If the downloaded file is not just the bin file of the firmware but an executable, a modified version couldn't install a rogue firmware, but could still harm the computer

  • If the downloaded file is not just the bin file of the firmware but contains additional information for the update program (like a pre-update script to execute), it could harm the computer

  • If the update program has flaws (like a buffer overflow on an invalid bin firmware file), even if the firmware couldn't be installed, it could harm the computer.

  • If the firmware encryption keys are stolen, https adds significant protection.

  • An attacker can replace your download with an older official firmware with known flaws: it will pass the signature check, but you will be vulnerable.

Tom
  • 2,063
  • 12
  • 19
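As an added example (not code from the question, any answer, or the router vendor), here is the mechanism Matthew's answer describes, with the version check that closes the downgrade case in Tom's last bullet. It uses Go's standard-library Ed25519; the image layout (4-byte version, payload, trailing signature) is constructed for this example, and the key pair is generated at run time where a real device would have the public key burned in at the factory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout: 4-byte big-endian version, payload, then a 64-byte Ed25519 signature.
var ErrBadSignature, ErrRollback = errors.New("firmware: bad signature"), errors.New("firmware: downgrade refused")

// buildImage is the vendor side: sign version+payload with the private key.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(img, version)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// verifyImage is the router side: baked-in public key, signature must verify, no downgrades.
func verifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, error) {
	n := len(img) - ed25519.SignatureSize // n < 4 short-circuits before any slicing
	if n < 4 || !ed25519.Verify(pub, img[:n], img[n:]) {
		return 0, ErrBadSignature
	}
	v := binary.BigEndian.Uint32(img)
	if v < installed {
		return v, ErrRollback
	}
	return v, nil
}

// demo: router at version 2 sees a genuine update, a byte flipped in transit, and an older genuine image.
func demo() (genuine, tampered, downgrade error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the factory key pair
	good := buildImage(priv, 3, []byte("constructed firmware payload"))
	_, genuine = verifyImage(pub, 2, good)
	bad := append([]byte(nil), good...)
	bad[10] ^= 0x01
	_, tampered = verifyImage(pub, 2, bad)
	_, downgrade = verifyImage(pub, 2, buildImage(priv, 1, []byte("older official firmware")))
	return
}

func main() {
	g, t, d := demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| downgrade:", d)
}
```

Note that nothing here depends on how the image was transported: a modified byte fails the signature whether it came over HTTP or HTTPS, while the version check is what stops a genuine-but-old image from being swapped in.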
6

Probably there's a digital signature on the firmware and a key on the router. If the update file is tampered with somehow, the signature verification will fail and the router will reject the update.

It works, but employing SSL would be better.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • 2
    It is likely going to be easier to find a vulnerability in SSL or any trusted CA to perform the attack that way than it is to forge a valid signature to be verified with a public key already known to the router. – kasperd Jan 13 '17 at 08:06
  • @kasperd You're giving awful router vendors a lot of credit, that their signature verification code can't be trivially tricked due to bugs. – Matt Nordhoff Jan 14 '17 at 04:39
  • @MattNordhoff Verification of a signature is a lot easier to get correct than SSL. – kasperd Jan 14 '17 at 09:29
  • @kasperd Your faith in consumer router vendors is seriously misplaced. – trognanders Oct 12 '18 at 22:30
  • @BaileyS What makes you think I have any faith in them? All I have really said is that I don't trust them to get SSL right. – kasperd Oct 13 '18 at 08:10
-3

If the site has an MD5 checksum, I'd use it to verify that what I downloaded has not been altered. At least I have a basis that the file I will use is safe.

Toto
  • 1
  • 10
    Doesn't really help if you're using HTTP - if you can tamper with the file, you can tamper with the checksum too. – Matthew Jan 13 '17 at 16:10