Firmware Upgrade/Update Security

Hello

Is there a difference in security between Online Upgrade and Local Upgrade?

For local upgrade I would just download from GL.iNet download center… Are those MD5s in the list.txt files that I could check?

Does Online Upgrade do exactly the same or something more or different?

Also, in case there is ever a problem, does the reset button on the router revert only settings to factory state, or does it reset absolutely everything including firmware?

Thank you

P.S. Please add SHA256 and signatures.

@alzhao or anyone else, any information about this? Thank you.

MD5 only checks whether the firmware was downloaded correctly. It cannot help to secure the firmware. The security is based on the website's SSL.

To be more secure, the firmware needs to be signed. And only signed firmware can be flashed to the router. In that case, users cannot make their own firmware and flash it to the router.
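The distinction drawn in the reply above, as an added example that is not GL.iNet's update code: a checksum list served next to the image passes for whatever image sits beside it, while a signature checked against a public key already held by the device does not. The names `firmware.bin`, `firmware.sig` and `pinned.pub`, the RSA key pair and the use of `openssl dgst` are assumptions made for this demo; only `list.txt` comes from the thread.

```bash
#!/usr/bin/env bash
# Added example: every path, key and image below is constructed for the demo.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Passes when firmware.bin matches the MD5 in the list.txt fetched alongside it.
checksum_ok() {   # checksum_ok <dir>
    (cd "$1" && md5sum -c list.txt >/dev/null 2>&1)
}

# Passes only when firmware.sig verifies under the public key pinned on the device.
signature_ok() {  # signature_ok <dir> <pinned-pubkey>
    openssl dgst -sha256 -verify "$2" -signature "$1/firmware.sig" \
        "$1/firmware.bin" >/dev/null 2>&1
}

# What a download server holds: the image plus a checksum list derived from it.
publish() {       # publish <dir> <image-contents>
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/firmware.bin"
    (cd "$1" && md5sum firmware.bin > list.txt)
}

report() {        # report <dir>  ->  "md5=<ok|FAIL> sig=<ok|FAIL>"
    r_md5=FAIL; r_sig=FAIL
    checksum_ok "$1" && r_md5=ok
    signature_ok "$1" "$work/pinned.pub" && r_sig=ok
    echo "md5=$r_md5 sig=$r_sig"
}

# Vendor build host: the private key stays here, only the public half ships.
openssl genrsa -out "$work/vendor.key" 2048 2>/dev/null
openssl rsa -in "$work/vendor.key" -pubout -out "$work/pinned.pub" 2>/dev/null

# Genuine release, signed with the vendor key.
publish "$work/genuine" "constructed firmware image 1.0"
openssl dgst -sha256 -sign "$work/vendor.key" \
    -out "$work/genuine/firmware.sig" "$work/genuine/firmware.bin"

# Same location after the image was swapped by whoever controls the download:
# list.txt can be regenerated to match, a valid signature cannot.
publish "$work/replaced" "constructed firmware image 1.0 (modified)"
cp "$work/genuine/firmware.sig" "$work/replaced/firmware.sig"

echo "genuine:  $(report "$work/genuine")"    # md5=ok sig=ok
echo "replaced: $(report "$work/replaced")"   # md5=ok sig=FAIL
```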

Thank you for the reply but my question is the difference between the two options in the UI:

“Local Upgrade” - I download the firmware file from the website, check the MD5, and drag and drop into the router UI for a “Local Upgrade”.

“Online Upgrade” - does the router do exactly the same? Download from the same website and check MD5? Or does it do something more like check signatures? Is it more secure?

Thank you.

It looks to me at this time that GL:

  • doesn't check the auto firmware update by anything, not by SHA256 and not by MD5!!!
  • the GL website improved about a week ago after some comments from me, from class B SSL security to class A SSL security. But GL has to keep working on it. They still use a long list of weak cipher suites … This should be fixed. After all, this is not only a company website, but that of a company that sells IT products which are advertised as improving IT security for its customers.

You can find part of this discussion at the following link:

I agree with you.

GL.iNet makes good hardware, and it’s very good that the software is based on open-source and trusted OpenWrt. But GL.iNet can really be the leading router company for users concerned about privacy and security if they do a few extra things, for example:

  1. secure their firmware with proper, up-to-date signatures and checksums

  2. update and improve their privacy policy (https://forum.gl-inet.com/t/privacy-policy-update)

  3. maybe open source their excellent UI (not sure of the status)

This is good for the confidence and trust of users but also makes good business sense. They would get even more recommendations and positive reviews from privacy and security people and organizations.


The customers buy the devices depending on security. That is what can speed up the success of GL.

I hope they never do this … it sets GL apart from the others. I’m sure GL contributes to the OpenWrt codebase, but the GUI is purely GL.

Sometimes being a purist is not the best way to go. As said above, if firmware is signed then users cannot write their own code, which is a great feature of GL.
