750-3.100-1217, unsecure firmware validation check

I am not a security expert so I don’t know all the details, and I think GL.inet routers are some of the best in the world right now, but I think it’s not a very big investment to improve the security from average or maybe OK to excellent.

Just like the firmware and hardware are much better than most of the normal routers, GL.inet should also make their security (and privacy) much better than the other companies.

It only takes one incident where firmware was changed or hacked, and the whole reputation can be spoiled for a long time. The risk of bad security is bad for business!

It looks to me as if the GL firmware auto-update process is secured neither by the current SHA256 nor by MD5, which has been broken for many years.

GL secured its webpage a little bit some days ago. This can only be a first step. If I remember right:

  • The insecure TLS 1.1 and older are now deactivated. Thanks.
  • The current TLS standard, TLS 1.3, is still not supported.
  • A long list of weak cipher suites is still used (the list of weak cipher suites in use is much shorter than one or two weeks ago).

Thanks for your feedback.
I will try to improve the security again; once done, I will reply in this thread.

1 Like

Hi, how about this now: SSL Server Test: dl.gl-inet.com (Powered by Qualys SSL Labs)
TLS 1.3 is supported, no weak ciphers.
Thanks for your suggestions!

2 Likes

Very nice Leo :partying_face: :partying_face: :partying_face:

1 Like

Thanks a lot, Leo.
Can you please also take a look at www.goodcloud.xyz if you can. There the general situation is already quite good. There the choice of the cipher suites can possibly be improved a bit.

Done.
Thanks again, Henry, for your advice. :smiley:

1 Like

Thanks a lot, Leo. That now looks excellent to me.

Another point for possible improvement is the validation check for firmware by MD5 that GL currently uses.

It is possible to optimize the security on this point a little bit too, from good to excellent, by replacing MD5 with SHA256.

VBR

I have given this advice to the firmware development team, they will improve the side.

For some customers, improving safety from Good to Excellent is an important argument for their purchase decision.

Thank you, Leo.

Addendum:
Is there already an approximate timetable?
THX

Addendum:
Push up from the Easter Bunny

1 Like

Push up from end of April.
Thank you, Leo.
Is there already an approximate timetable?
THX

I have urged relevant colleagues today, and there is no timetable yet. Thank you for your patience.

Today I discovered by chance a little how-to about the differences in the technical implementation of an integrity check by e.g. MD5 and SHA256, which is probably at least a partial solution for.

Just in case someone is interested in this for e.g. own projects. Experienced programmers will surely know even more uncomplicated ways of implementation.

1 Like
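An added example, not part of any post in this thread and not GL.iNet's code: one way a SHA-256 integrity check can gate a firmware image before it is flashed, refusing an MD5-length value instead of accepting it. The function name `verify_firmware`, the file names and the `sha256sum`-style checksum file layout are assumptions, and the checksum file is assumed to arrive over a trusted channel.

```shell
#!/bin/sh
# Added example (assumed names and file layout, not the vendor's updater).
# Checksum file format assumed: "<hex digest>  <file name>" per line,
# as written by sha256sum. File names containing spaces are not handled.

# verify_firmware IMAGE SUMS_FILE
#   returns 0 = SHA-256 matches
#           1 = digest mismatch (image corrupted or modified)
#           2 = no usable SHA-256 entry for this image
verify_firmware() {
    image=$1
    sums=$2
    [ -r "$image" ] && [ -r "$sums" ] || return 2
    name=$(basename "$image")

    # Find the entry for this image; accept "digest  name" and "digest *name".
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")

    # Reject an empty or non-hex value.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    # A SHA-256 digest is exactly 64 hex characters. A 32-character MD5
    # value in the list is refused here rather than silently accepted.
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}
```

A caller would flash only when `verify_firmware` returns 0 and treat 1 and 2 alike as "do not install".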

Is there good news on Father's Day about more secure firmware update handling?

A small partly how to:

1 Like

Now we have the half-year jubilee of "unsecure-firmware-validation-check" reporting on the GL forum. That's time for a party. Let's open champagne. :heart_eyes:

OK, the bug report can be much older. It's not possible to check the bug reports from weeks of testing GL products, because the bug tracker was deleted:
GL.iNet - Connecting The World To Secure Wi-Fi :grimacing:

However, today is time for a party.
Looking forward.

Is there any news on fixing this security issue?

THX

We conducted internal exchanges and discussions, and only optimized subsequent new products. (E.g. GL-X300B etc.)

Now, as a reminder, the small partial how-to for fixing this ooooooolllllllllllllld and easy-to-fix security issue:

The shareholder and the customer will love the improvement of the products.

THX

Small reminder of the unsecure firmware validation check security issue…

The full list of 3.104 test results can be found at:

It looks like the firmware team has been working on it since the GL-MT1300;
check the link below:
https://dl.gl-inet.com/firmware/mt1300/testing/