Thank you for releasing the source code for the client side.
However, you have not provided the firmware code. In another issue, that you closed, you said:
> There is no firmware code. For more information, please refer to [CH9329]
I do not quite understand this. Obviously there is firmware code on the device.
In addition, the link you provided is broken.
USB devices are still an attack vector; it is not good enough to say this is a simpler device that does not have an internet connection. It interfaces with the OS via the drivers, and can exploit flaws in the driver to access the OS networking capability.
Given your previous track record, I believe it is necessary to provide assurances that the device is secure. I understand that's extra steps for you, but you would sell many more devices. Releasing only the client source code and not the firmware is a strange decision. Half open-source is not open-source.
Could you please:
- Disclose what original microcontroller you used to create this device
- Open source the firmware. If you haven't changed it from the original, please provide the original firmware
- Give us the steps to check that the firmware code you provided is indeed the firmware that is on the device
Thank you