OpenWRT firmware vulnerability puts millions of routers and embedded devices at risk

The OpenWRT open-source operating system for routers and embedded devices is very popular. Router users can install a wide range of software packages to add whatever functions they need, which is why the system has grown in popularity in recent years.

However, researchers have recently discovered that the operating system has several security flaws, and attackers can use these flaws to take control of the affected devices.

Like most operating systems, OpenWRT verifies packages before installing them. In theory, only installation files that pass signature verification can be installed.

This signature verification is meant to ensure that only installation packages allowed or approved by the developers are installed, so that forged files produced by an attacker should, in theory, be rejected.

However, the researchers found that a bug has been present in the system since a 2017 update. This bug allows the signature verification to be bypassed easily, leaving the system unprotected.

Specifically, the problem lies in the function the system uses to check the hash value: an attacker can bypass the hash check simply by adding a space in front of the input string.

Because the vulnerability is so easy to exploit, an attacker can bypass the verification to install malware, which then has full control of the operating system.

At the same time, the OpenWRT project has so far not adopted HTTPS for transferring packages, which leaves room for man-in-the-middle attacks and similar interception.

By hijacking the domain names of the OpenWRT update and download servers, the files a user is about to install can be replaced with malicious ones.

Combined with the flaw in the hash check, the verification can be bypassed and the malicious file installed successfully. Once it is installed, the attacker can remotely control the infected router.
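To make the failure mode described above concrete, here is an added example (my own code, not opkg's implementation) that models a package-list checksum field handled by a checker that fails open when the value is not a well-formed hash, beside one that fails closed; the package-list entry, package bytes and function names are constructed for the illustration. A leading space in the SHA256sum value models a tampered package list delivered over the plaintext channel.

```python
import hashlib
import hmac
import re

# Constructed example: a package-list entry in the "Field: value" layout that
# opkg package lists use, plus the bytes of the package it describes. This is a
# simplified model, not the real opkg code.
PACKAGE_BYTES = b"constructed .ipk payload, not a real package"
PUBLISHED_HASH = hashlib.sha256(PACKAGE_BYTES).hexdigest()
TAMPERED_BYTES = PACKAGE_BYTES + b" (modified in transit)"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def make_entry(hash_text):
    # "Field: value" with exactly one separator space after the colon.
    return "Package: example\nVersion: 1.0\nSHA256sum: %s\n" % hash_text


def parse_entry(text):
    """Parse 'Field: value' lines; strip only the single separator space."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value  # any further leading whitespace is kept as-is
    return fields


def verify_fail_open(entry, data):
    """Model of the flawed check: a SHA256sum value that does not look like a
    hash is treated as 'no hash published' and the package is accepted."""
    expected = parse_entry(entry).get("SHA256sum")
    if expected is None or not SHA256_RE.match(expected):
        return True  # nothing to compare against, so the package is accepted
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def verify_fail_closed(entry, data):
    """Hardened check: a missing or malformed hash is a verification failure,
    and the digest comparison is constant-time."""
    expected = parse_entry(entry).get("SHA256sum")
    if expected is None or not SHA256_RE.match(expected):
        return False  # refuse to install rather than skip the check
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)
```

With a well-formed entry both checkers reject the tampered bytes; with a single leading space in the hash field the fail-open checker accepts them while the fail-closed checker still refuses.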

Not using HTTPS is a deliberate choice by the project team, because many older routers and embedded devices do not support HTTPS data transfer.

After the researchers reported the vulnerability, the project team confirmed and fixed it. Users need to upgrade to at least OpenWRT 18.06.7 or 19.07.1 to be protected.

These versions fully fix the hash verification vulnerability, but for now updates initiated from within the system still use the plaintext transfer protocol.

Users running a third-party customized build rather than the official OpenWRT release should contact their firmware maintainer promptly to confirm that the fix has been applied.

The project team is considering a new update method that lets users download and apply updates over HTTPS from within the browser, which would prevent man-in-the-middle attacks.

Via: arstechnica