Kong's builds cryptographically signed?

acs
DD-WRT Novice


Joined: 08 Aug 2019
Posts: 5

Posted: Thu Aug 08, 2019 12:51    Post subject: Kong's builds cryptographically signed?
One of the differences between BrainSlayer's builds and Kong's builds is that Kong's builds are cryptographically signed, so you can check that the version you are flashing is authentic and has not been maliciously modified by third parties. This is what this readme file says.

This is quite important, even more so when you download over plain HTTP or FTP, considering how easy it is to maliciously modify a DD-WRT firmware.

The problem is that I can't find the signature for R6400v2 builds.

I am looking here:

http://www.desipro.de/ddwrt/K3-AC-Arm/

Am I looking in the wrong place, or does Kong just not care about signing for the Netgear R6400?

Many thanks.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6975
Location: Texas, USA

Posted: Thu Aug 08, 2019 15:03    Post subject:
http://www.desipro.de/ddwrt/K3-AC-Arm/Supported%20Models <-- if you read this, you would know which file to flash, and which signatures applied.

dd-wrt.v24-K3_AC_ARM_STD_128K.bin

http://www.desipro.de/ddwrt/K3-AC-Arm/dd-wrt.v24-K3_AC_ARM_STD_128K.bin.md5
http://www.desipro.de/ddwrt/K3-AC-Arm/dd-wrt.v24-K3_AC_ARM_STD_128K.bin.sig
acs
DD-WRT Novice


Joined: 08 Aug 2019
Posts: 5

Posted: Thu Aug 08, 2019 15:31    Post subject:
Thank you for the suggestion. I actually read that file and I saw that the .bin files are signed.

But, as I pointed out in my previous post (to which you had the courtesy to reply as well), I am looking for a build for the first flash. I'm not updating, so I need a .chk file. And I do not find any signature for that.

I think you would agree that, from a security perspective, flashing an unsigned build and then updating it with a signed .bin is meaningless.

Thanks.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1377

Posted: Thu Aug 08, 2019 15:36    Post subject:
You will see here that almost none of the first flash builds have a signature:
http://www.desipro.de/ddwrt/K3-AC-Arm/
http://www.desipro.de/ddwrt/K3-AC-IPQ806X/

Has nothing to do with being a 6400.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6975
Location: Texas, USA

Posted: Thu Aug 08, 2019 16:52    Post subject:
I'd go deeper, but I'm not gonna bother. If <Kong> chooses to chime in, I'll let him explain it.
acs
DD-WRT Novice


Joined: 08 Aug 2019
Posts: 5

Posted: Thu Aug 08, 2019 20:06    Post subject:
From a security perspective, as I said, it is meaningless, whatever the update process is. It doesn't matter that
Quote:
the flashing process overwrites the entire flash area.


Nor is it a matter of nvram. If you flash "my" maliciously modified build, when you then update it I can make you download whatever I want and even display a message in bright green that says:

"Build verified. Update completed successfully".

This happens every day; there are thousands of compromised routers feeding large or very large botnets. The infrastructure is always untrusted; this is why most browsers flag as insecure very respectable websites that serve you content (not to mention executable code) over HTTP or FTP. Today there is no respectable operating system, driver or firmware that is distributed unsigned.

Unless this firmware is a toy project never meant to replace the official home/office router, this is a serious concern, and I'm surprised that somebody is downplaying it.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6975
Location: Texas, USA

Posted: Thu Aug 08, 2019 22:59    Post subject:
Do an md5 checksum on the .chk files and get creative. Seriously, though, the code repository would then definitely have to be broken apart by chipset and manufacturer to sign firmware files like the factory firmware files are signed. If you're paranoid and don't wish to flash BS or <Kong> firmware builds or anyone else's DD-WRT builds, I am sure you can find the door, just don't let it crack your tailbone on the way out.

P.S. there are plenty of custom and non-custom firmwares out there that are not signed. Are you pissing in their punch bowls, too?
acs
DD-WRT Novice


Joined: 08 Aug 2019
Posts: 5

Posted: Fri Aug 09, 2019 8:41    Post subject:
First of all I really do not understand what you mean by:

Quote:
Do an md5 checksum on the .chk files and get creative.


With MD5 you can certainly get very creative finding collisions! This protocol was broken in 1996 and today if you want to hash something you will use SHA-1, if you are lazy, or SHA-256 and beyond if you are security conscious.

Secondly, you really do not understand what asking for .chk file signature means. It is an act of trust towards the developer. It means: "I trust you, I trust that when you develop your code and use third party modules you are responsible and security aware and that the final binaries you release are reasonably secure."

I am certainly not asking that you provide a signature for each third party code you embed in the project. I rely on your own judgment, trusting that you will check the signatures of what you download and I am happy to verify the signature of the final .chk package you release.

Third, it's not a matter of being paranoid. 25 years ago I too was downloading over HTTP and FTP, logging on to remote servers using Telnet and installing unsigned stuff. But it was 1995 and that was a different world. At that time strong cryptography like 3DES was considered a weapon! And it could not be exported to Europe, where I live. There were no botnets with half a million compromised routers, nor APT groups.

Quote:
there are plenty of custom and non-custom firmwares out there that are not signed


I am not saying that there are no unsigned executables, drivers or firmwares. I know there are plenty. What I am saying is that today all serious and respectable projects provide signed packages. Period. All Linux distributions are signed, the Linux kernel itself is signed, all Windows, Mac and Linux packages are signed, OpenWRT is signed. And I could go on forever.

But there is one important thing that I have learnt from this conversation: this very relaxed and naive attitude towards security is an indicator that maybe the trust I place in this project is misplaced.

This is why I will certainly move to different hardware (not Broadcom based) and flash a different firmware.

Thanks anyway.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 6975
Location: Texas, USA

Posted: Fri Aug 09, 2019 9:35    Post subject:
If you weren't following the bouncing ball, then I don't know what to tell you. Also, if not md5 hash, then check the .sig files. Obviously, you're not thinking very far outside the box. I kinda regret saying anything (here's your one finger salute).

ANYWAY... how's about YOU figure out how to insert proper cryptographic signature methods into the build system and development environment of DD-WRT and make the suggestion to the lead developer. Good luck.
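
An added example, not part of any post in this thread and not DD-WRT or Kong code, of the point the thread argues over: a `.md5` file fetched from the same HTTP/FTP location as the image catches transfer errors, but it still matches when both files are replaced together, while a value obtained independently of the download path does not. The firmware bytes are constructed sample data, and the pinned SHA-256 digest is an assumption standing in for something obtained out of band; verifying a `.sig` against the developer's public key plays the same role, but the thread does not state the signature format, so it is not shown.

```python
import hashlib
import hmac

FIRMWARE_NAME = "dd-wrt.v24-K3_AC_ARM_STD_128K.bin"  # file name quoted in the thread


def make_sidecar(blob: bytes, name: str) -> str:
    """md5sum-style line, as anyone who can write to the mirror can produce."""
    return f"{hashlib.md5(blob).hexdigest()}  {name}\n"


def sidecar_ok(blob: bytes, name: str, sidecar_text: str) -> bool:
    """Check the image against a .md5 file fetched from the same place."""
    fields = sidecar_text.split()
    if len(fields) != 2 or fields[1].lstrip("*") != name:
        return False
    return hmac.compare_digest(hashlib.md5(blob).hexdigest(), fields[0].lower())


def pinned_ok(blob: bytes, pinned_sha256: str) -> bool:
    """Check the image against a digest obtained out of band (assumption)."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), pinned_sha256.lower())


def evaluate(blob: bytes, sidecar_text: str, pinned_sha256: str) -> dict:
    return {"sidecar_md5": sidecar_ok(blob, FIRMWARE_NAME, sidecar_text),
            "pinned_sha256": pinned_ok(blob, pinned_sha256)}


# Constructed sample data: not a real firmware image.
GENUINE = b"HDR0" + bytes(range(256)) * 4
PINNED = hashlib.sha256(GENUINE).hexdigest()  # stands in for a trusted-channel value


def scenarios() -> dict:
    genuine_sidecar = make_sidecar(GENUINE, FIRMWARE_NAME)
    # Transfer error: one byte flipped, sidecar untouched.
    corrupted = GENUINE[:100] + bytes([GENUINE[100] ^ 0xFF]) + GENUINE[101:]
    # Image and sidecar replaced together on the download path.
    replaced = GENUINE + b"-modified"
    return {
        "honest": evaluate(GENUINE, genuine_sidecar, PINNED),
        "corrupted": evaluate(corrupted, genuine_sidecar, PINNED),
        "replaced": evaluate(replaced, make_sidecar(replaced, FIRMWARE_NAME), PINNED),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:10} {result}")
```
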