cancel
Showing results for 
Search instead for 
Did you mean: 

Digital signature on BIOS download

semajy
Level 7
Greetings,

I want to update the BIOS to my motherboard but I'm concerned by several things with regards to trusting the source of the BIOS file:

1) The BIOS download from the Asus website is over http
2) The BIOS download file is not digitally signed


Due to the importance of the BIOS, it seems negligent to not have these two issues resolved. When can we expect these two issues to be fixed?
4,660 Views
11 REPLIES 11

R5Eandme
Level 12
I notice more and more these days that MD5 or SHA256 hashes are provided so you can verify that your downloaded file has not been tampered with. I assume that the tampering would occur on the source website? So I can see the usefulness of providing a signature so we can know we've downloaded an authentic file. Without us users manually verifying the authenticity of a downloaded BIOS file, I am not sure how that first trusted step in the boot process is protected. Maybe the downloaded file has a signature that is verified by the motherboard before it lets the system boot? Maybe an expert can chime in.

Your other comment about HTTP: without the encryption of HTTPS, a hacker can use packet sniffing of the BIOS files as they download. But anyone can go to the ASUS website and download the BIOS files for themselves. What extra protection is there from HTTPS in this case?

R5Eandme wrote:
I notice more and more these days that MD5 or SHA256 hashes are provided so you can verify that your downloaded file has not been tampered with. I assume that the tampering would occur on the source website? So I can see the usefulness of providing a signature so we can know we've downloaded an authentic file. Without us users manually verifying the authenticity of a downloaded BIOS file, I am not sure how that first trusted step in the boot process is protected. Maybe the downloaded file has a signature that is verified by the motherboard before it lets the system boot? Maybe an expert can chime in.

Your other comment about HTTP: without the encryption of HTTPS, a hacker can use packet sniffing of the BIOS files as they download. But anyone can go to the ASUS website and download the BIOS files for themselves. What extra protection is there from HTTPS in this case?


HTTPS stops man in the middle attacks. A digital signature will be better than just a SHA256 hash if the public key of the signer is reasonably trusted to be authentic as a provided SHA256 hash could theoretically be replaced (via hacking) with the SHA256 hash of the modified bios.

semajy wrote:
HTTPS stops man in the middle attacks. A digital signature will be better than just a SHA256 hash if the public key of the signer is reasonably trusted to be authentic as a provided SHA256 hash could theoretically be replaced (via hacking) with the SHA256 hash of the modified bios.

What you say about SHA-256 makes sense. I've even seen a hash for users to verify the hash for a file they downloaded! I guess a private key for a signature is safer. Maybe the ASUS BIOS file downloads contain a digital signature already, I don't know.

Concerning the man in the middle attack: How does that work? Would a hacker intercept an unencrypted (HTTP) BIOS download and replace it with a malicious version "on the fly", so you receive a bad BIOS file without knowing it? The hacker would have to somehow get set up ahead of time to intercept web traffic? I know that most websites have gone to HTTPS now, so that traffic is encrypted. Does that stop man in the middle attacks?

R5Eandme wrote:
I know that most websites have gone to HTTPS now, so that traffic is encrypted. Does that stop man in the middle attacks?


Yes, that is one of the main points of https, since traffic is encrypted, there is no easy and quick way to "attack it in the middle". So if the website is genuine (i.e. not hacked), you can be reasonably sure that the content is also genuine.

Sigtran wrote:
Yes, that is one of the main points of https, since traffic is encrypted, there is no easy and quick way to "attack it in the middle". So if the website is genuine (i.e. not hacked), you can be reasonably sure that the content is also genuine.


So unless ASUS BIOS downloads are already protected through a digital signature, their download pages should really be using HTTPS protocol like most websites these days. They should probably use HTTPS anyway.

VRBabe81
Level 7
What if the user is connected to a VPN? Would that stop it and could a man in the middle attack still happen?

Sent from my SM-G920F using Tapatalk
[SIGPIC][/SIGPIC]

VRBabe81 wrote:
What if the user is connected to a VPN? Would that stop it and could a man in the middle attack still happen?


VPN mainly help you from website blocking (if website has some limitation to your country or ISP), protects you from outside attacks (at least in some degree) and protects you from your ISP snooping (but transferring this "privilege" to your VPN provider). 🙂

VPN secures the path from your computer to VPN provider but not to website - simply put VPN is a secure tunnel from your computer to VPN provider who then act as a your proxy to Internet. This opens a question can you 100% trust VPN provider, since it is a new "man in the middle". And if website is not https, there is also same potential weakness for usual "man in the middle" attack on path between VPN provider and website, not to mention a possibility that website could be hacked without you noticing.

And even website is https and genuine, you are (yet only) reasonable safe - beside now having to trust your VPN provider (instead of your ISP before), there is for example a possibility you having some malware or virus on computer, that could also act as a kind of "man in the middle".

Conclusion: As in the real world, there is no 100% security&safety on Internet but https a reasonable measure to prevent some important issues that normal http is having. A don't forget to use some good internet security SW - antivirus/antimalware/firewall, even though they are new "man in the middle", but someone you have to decide to trust...

Thanks for this clear and informative description of VPN and security in general.

Sigtran wrote:
VPN mainly help you from website blocking (if website has some limitation to your country or ISP), protects you from outside attacks (at least in some degree) and protects you from your ISP snooping (but transferring this "privilege" to your VPN provider). 🙂

VPN secures the path from your computer to VPN provider but not to website - simply put VPN is a secure tunnel from your computer to VPN provider who then act as a your proxy to Internet. This opens a question can you 100% trust VPN provider, since it is a new "man in the middle". And if website is not https, there is also same potential weakness for usual "man in the middle" attack on path between VPN provider and website, not to mention a possibility that website could be hacked without you noticing.

And even website is https and genuine, you are (yet only) reasonable safe - beside now having to trust your VPN provider (instead of your ISP before), there is for example a possibility you having some malware or virus on computer, that could also act as a kind of "man in the middle".

Conclusion: As in the real world, there is no 100% security&safety on Internet but https a reasonable measure to prevent some important issues that normal http is having. A don't forget to use some good internet security SW - antivirus/antimalware/firewall, even though they are new "man in the middle", but someone you have to decide to trust...
Thanks for your advice Sigtran my VPN is nordvpn and they don't do any logging as they say but I don't trust anyone lol.

Sent from my SM-G920F using Tapatalk
[SIGPIC][/SIGPIC]