This is actually correct. This isn't an internet connected device remember so our main concern is not with RCE (remote code execution) from an unpatched vulnerability. Rather, our biggest threat in an airgapped system is the firmware update itself lmao. So reserving that update to only critical patches (which are typically geared towards defending against physical attacks, but could also maybe one day include an anti-exfil mitigation) is actually the right answer here.
What most corporate signing devices do, is have the old firmware verify that the signature of the new firmware matches before it allows the new firmware to install. This could technically be done in DIY devices too, but I feel it would have its trade offs. Not all development teams are good at keeping their signing keys from leaking due to them getting hacked (This happened to Samsung).
Right. Companies can definitely screw up w.r.t. cryptography. Sony PS3 is another famous example that comes to mind: https://arstechnica.com/gaming/2010/12/ps3-hacked-through-poor-implementation-of-cryptography/
Even when the cryptography is correct, the signature is only as good as the person/group guarding the private key. So signed firmware significantly mitigate risks, but don't completely eliminate all issues. (This is why if you're super paranoid, multi-vendor multisig is still the most rational solution).
reply