> And they log in every day and confirm the hash of the firmware you're running
If you can modify the firmware you can change it to respond to their query with the "correct" firmware signature, so this doesn't seem useful to me. Source?
Also, is the 802.11n radio connected to an antenna? If not, can't really do any surveys with it. Sounds like a fun box to play with for evil maid attacks, though!
You can only load Verizon/Actiontec signed firmware via the UI. I suppose you probably could reflash it directly if you connected leads to the SMT chip on the board, that is assuming it's not on the SOC and assuming the stage 1 loader doesn't verify the signature. It's mostly to prevent rollback attacks where a known vulnerable firmware is flashed to take advantage of a flaw.
(Technically it's implemented by an automatic process that Verizon runs that logs in via their TR069 carrier management port and then does various (unlogged) things, including enforcing that you're on approved firmware.)
Yeah, the box has two antennas, each one attached to one of the radios. Almost all of the other Actiontec customers use it as a 2nd channel to get 300mbit, but for whatever reason Verizon's is set to only use 1.
If their stage 1 is verifying the signature it's going to be pretty hard to hack the firmware (since you need to crack the key or find some other hole to get your firmware to run), so at that point they could care less about logging in to double-check the key wasn't cracked. In that case the integrity check is more likely just making sure the firmware isn't corrupt, or just checking the version to see if it needs an upgrade in general. If on the other hand they are just verifying which firmware is applied, the stage 1 probably isn't verifying the signature, so in that case we really could fake out the check.
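The two comments above turn on where the check happens: a loader that authenticates the image before running it (and refuses older versions) stops both tampering and rollback, while a self-reported hash or version string proves nothing. The sketch below is an added example, not code from the thread or from Verizon/Actiontec, of what a stage-1 style verifier does: parse a header, authenticate the whole image, then compare the version against a stored minimum. The header layout, the key, and the use of an HMAC in place of the asymmetric signature a real loader would verify against a public key in ROM are all assumptions made so the example runs with the standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed header layout: magic, version, payload length, SHA-256 of payload.
MAGIC = b"FWIM"
HEADER_FMT = ">4sII32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44 bytes
TAG_LEN = 32

# Stand-in for the vendor's signing key (assumption). A real stage-1 loader holds
# only a public key in ROM/OTP and verifies an asymmetric signature; a symmetric
# HMAC is used here purely so the example runs offline with the stdlib.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def build_image(version, payload, key=VENDOR_KEY):
    """Mimic the vendor build step: header || payload || tag over both."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload),
                         hashlib.sha256(payload).digest())
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, min_version, key=VENDOR_KEY):
    """Stage-1 style check. Returns (ok, reason) without ever 'running' the payload."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "truncated"
    header = image[:HEADER_LEN]
    magic, version, payload_len, digest = struct.unpack(HEADER_FMT, header)
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER_LEN + payload_len + TAG_LEN:
        return False, "length mismatch"
    payload = image[HEADER_LEN:HEADER_LEN + payload_len]
    tag = image[HEADER_LEN + payload_len:]

    # Authenticate before trusting any header field: until the tag checks out,
    # the version and hash fields are whatever the image's author wrote there.
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if hashlib.sha256(payload).digest() != digest:
        return False, "payload hash mismatch"

    # Anti-rollback: a correctly signed but older image is still refused, so a
    # known-vulnerable release cannot simply be flashed back.
    if version < min_version:
        return False, "rollback: version %d < %d" % (version, min_version)
    return True, "ok"


if __name__ == "__main__":
    current = build_image(7, b"constructed payload v7")
    print(verify_image(current, 7))
    print(verify_image(build_image(5, b"constructed payload v5"), 7))
    damaged = bytearray(current)
    damaged[HEADER_LEN] ^= 1
    print(verify_image(bytes(damaged), 7))
```

The point worth taking from it is the ordering: the signature is checked over header and payload together before the version field is believed, and the stored minimum version only ever moves up. A remote management check that asks the running firmware for its own hash or version string has none of these properties, which is why the thread concludes it is only useful for spotting corruption or pending upgrades.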
Flashing the chip directly is probably significantly easier than attacking the UI's signature verifying feature. Once you learn how it's pretty fun to examine random devices' firmware directly ^_^
Yeah, glancing at the specs it looks like you're almost surely correct, that it's just checking a version string that's returned.
I got a little carried away, but really my point wasn't that it's impossible to avoid the risks, just that undoubtedly 99%+ of their customer base could be subjected to this and I'm sure most don't realize it. I thought my concerns with it were pretty tin foil hat until reading this story about the exact company doing something very, very similar.