[MDC-506] simet-openwrt-feed: simet-openwrt-base: add http timesync OpenWRT typically depends on NTP to set the system time properly on devices that lack an RTC (such as most of the wifi routers, for example). It does have a sysfixtime init script that updates the clock to the date of the newest file it can find in /etc. Unfortunately, this strategy to update the system clock is not anywhere near enough if firmware is too old: the system time may be so out of sync that TLS certificate validation will stop working. Let's encrypt certificates, for example, requires the system clock to be within 90 days of the issuance date of the certificate. Eventually, volumetric DDoS attacks became trendy, ISPs got massive numbers of notifications about their misconfigured network equipment being used in NTP-based amplification attacks, and *of course* a fraction of them deployed improperly configured defenses that blocked subscriber access to NTP servers instead of fixing things properly. This, in turn, caused their subscriber's IoT devices that lacked an RTC to be widely out-of-date, enough that they could not reach TLS-protected firmware update servers(!!!!) or external APIs. OpenWRT on RTC-lacking devices being no exception. Add a hotplug script that attempts to set the system clock from a plain HTTP server. HTTPS/TLS *must not* be used for this, since certificate validation would have to be disabled: it would just increase the danger of a remote root exploit. The hotplug script uses a semasphore in /var/run to set the system clock once per boot (and it will do no harm if it runs several instances in parallel). Note that an attacker can easily MITM this and set the clock too much into the future, effectively keeping the device crippled as far as TLS goes. This is no worse than the clock being widely into the past, though.
↧
[MDC-506] simet-openwrt-feed: simet-openwrt-base: add http timesync
↧