Automated updates

Hello

You say that the router’s OS will automatically download and install security updates.

What if you get hacked yourselves? Or what if you are evil in the end? I am not sure if that feature is making your router more secure in every case.

I kinda agree with this. But since it’s all open source… I guess that will have an option to disable automatic updates.

You agree with it but do you have a concept of preventing updates in case of security issues on your side?

Could you be more specific?

Btw, commonly used router brands like Thomson have automatic firmware updates provided by the ISP on a centralized management platform.

This was introduced after their routers were vulnerable to wifi keys generation. They started to replace old routers with newer versions capable of remote automatic updates. Later on, when the WPS key bruteforce method was found, ISPs just issued an update to the firmware that limits the amount of PINs tried per hour.

So this is not new, and seems to be working fine under normal equipment. You’re right, this kind of solution can be dangerous sometimes… but the only thing I know is that Turris should have an option to disable this feature if someone doesn’t like it for any reason.

There are lots of other software solutions that do automatic updates, like every single web server running cPanel on the Internet, WordPress, lots of VPS running Debian or Ubuntu are installed with the unattended-upgrades package so they are always up to date.

Also, we’re talking about CZ.NIC, a NIC. I guess there are much more interesting targets for hackers on their network than these routers. I’m sure they follow really strict security policies and at some level we can trust them.

As long as they use gpg on their software repositories we should be fine. But that’s a common security practice. Since they also brag that all their software is open-source, I’m really expecting they don’t force the routers to get all the software from their repositories either. Maybe they can retrieve basic packages directly from the trusted OpenWRT repository and the web UI etc from them… (still I’m not sure if this is possible since I’m not aware of the internals of their architecture).

Hello! First of all I would like to say we are really paying attention to the security of the whole chain involved in preparing and releasing updates. We use GPG signing of our commits, we have dedicated server hardware placed in a server room with limited access and so on. But still you’ll be able to turn off the automatic updates and run them manually.

2 Likes

I generally don’t like things to auto-update when I’m about to leave on a trip (e.g. vacation or conference) or on a Friday afternoon unless I really have time to stop whatever I’m doing and deal with anything that goes wrong during the upgrade.

Could you support updates in a semi-automatic mode, e.g. downloading the updates for manual approval and providing an alert using iCalendar task / to-do list?

1 Like

For “semi-automatic” updates check this thread: How Do You Setup Manual System Updates?