Hacker News new | past | comments | ask | show | jobs | submit login

> How reasonable do you think it is to be this automatically suspicious of any computer coming from China? A generic low-cost barebones Intel PC certainly has plenty of space for compromised firmware to hide

The problem seems to be that this firmware doesn’t really get updated once the machine is sold.

That’s legitimate criticism for a security-critical network component.




It's not ideal, but it's not a deal-breaker for every use case. The kind of firmware you get on a barebones industrial-oriented miniPC style router from China doesn't have much potential for a remotely-exploitable vulnerability. Most of the NICs aren't even going to be touched by the boot firmware. The user-supplied OS can take care of applying CPU microcode updates. If the PC doesn't ship with a rootkit already present in the firmware, it's pretty hard for the firmware to be a security problem unless it's secondary to a security vulnerability in the OpenWRT or pfSense software.

Running an up-to-date OpenWRT or pfSense on a normal PC hardware platform with outdated UEFI firmware is still a big step up in security compared to running factory firmware+OS on a cheap consumer wireless router.


I would say that there is no special value to firmware updates when you have no visibility into or control over the authors of the updates.

We need adversarial competitive firmware that comes from different sources the same as we have for software.

I know why we don't have that. It doesn't change the fact that that is what we need.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: