[rao-v]

I'm a little frustrated with articles like this that scattershot their critique by conflating genuine failures with problems that even FAANGs struggle with.

In particular, I don't love it when an article attacks a best practice as a cheap gotcha:

"and this time it was super easy! After some basic reversing of the Tapo Android app, I found out that TP-Link have their entire firmware repository in an open S3 bucket. No authentication required. So, you can list and download every version of every firmware they’ve ever released for any device they ever produced"

That is a good thing - don't encourage security through obscurity! The impact of an article like this is as likely to get management to prescribe a ham-handed mandate to lock down firmware as it is to get them to properly upgrade their security practices.

[hdgvhicv]

> I found out that TP-Link have their entire firmware repository in an open S3 bucket.

Nobody tell them about Linux!

[locknitpicker]

> Nobody tell them about Linux!

The blogger will blow a gasket when they discover that the likes of GitHub provides access to both installers and software. A hacker's candy store!

[plugger]

This blogger is the author of bettercap, safe to say they're fairly across Github

[evilsocket]

Do you people realize that there's a big difference between open source and proprietary technologies right?

[tyami94]

Doesn't matter really, keeping blobs hidden doesn't actually do anything except make it slightly harder to analyze the software. Making all blobs easily and readily available is exactly what I want the vendor to do. Black boxes don't make things secure.

[evilsocket]

Agreed 100%, never said the opposite

[NathanielK]

This blog post is pretty readable, but it's still obviously written with the help of an LLM. A common trend is that LLMs lack the nuance and write everything with the same enthusiasm. So in a blogpost it'll infer things are novel or good/bad that are actually neutral.

Not a bad blogpost because of this, but you need to be careful reading. I've noticed most of the article on the HN front page are written with AI assistance.

[jorvi]

I always wonder if the people who let LLMs write (and think) for them realize they're steadily atrophying their brain.

[void-star]

I think maybe you’re reading this wrong. Reverse-engineering blog posts like this are just a fun and instructive way of telling the story of how someone did a thing. Having written and read a bunch of these in the past myself, I found this one to be a great read!

Edit: just want to add, the “how I got the firmware” part of this is also the least interesting part of this particular story.

[jabedude]

I didn't notice a negative tone at all when he talked about the firmwares being publicly hosted. You did?

[AceJohnny2]

Yes, heavily, because of the use of adjectives and repeating the points.

Here, I'll emphasize the words that elicit the tone:

> After some basic reversing of the Tapo Android app, I found out that TP-Link have their entire firmware repository in an open S3 bucket. No authentication required. So, you can list and download every version of every firmware they’ve ever released for any device they ever produced: [command elided] The entire output is here, for the curious. This provides access to the firmware image of every TP-Link device - routers, cameras, smart plugs, you name it. A reverse engineer’s candy store.

Highlighting (repeatedly) the ease and breadth of access is a basic writing technique to illustrate the weakness of a security system.

[sally_glance]

To me the phrasing seems objective. Making your binaries available to the public is good (though source would be better).

Replace [firmware] with [random popular GitHub repo] and nobody would blink. Replace [firmware] with [customer email address] and it would be a legal case. Differentiating here is important.

[opello]

I think it fails to be objective because of the repetition. It's an open S3 bucket. No need to state that no authentication was required, it's already open. It's not about economy of writing but the repetition emphasizes the point, elevating the perceived significance to the author or that the author wants the reader to take away.

Furthermore, the repeated use of every when discussing the breadth of access seems like it would easily fall into the "absolutes are absolutely wrong" way of thinking. At least without some careful auditing it seems like another narrative flourish to marvel at this treasure trove (candy store) of firmware images that has been left without adequate protection. But it seems like most here agree that such protection is without merit, so why does it warrant this emphasis? I'm only left with the possible thought that the author considered it significant.

[pacifika]

If someone DDOSes an open s3 bucket they’ll get a huge bill. If there is something in front of it, they might not.

[wkat4242]

An 'open S3 bucket' sounds really bad. If it were posted on an HTTPS site without authentication, like the firmware for most devices, it wouldn't sound so bad.

Sure an open bucket is bad, if it's stuff you weren't planning on sharing with the whole world anyway.

[necovek]

Since firmware is supposed to be accessible to users worldwide, making it easier to get it is good.

But how is an open, read-only S3 bucket worse than a read-only HTTPS site hosting exactly the same data?

The only thing I can see is that it is much easier to make it writeable by accident (for HTTPS web site or API, you need quite some implementation effort).

[locknitpicker]

> An 'open S3 bucket' sounds really bad.

Only to gullible, clueless types.

Full blown production SPAs are served straight from public access S3 buckets. The only hard requirement is that the S3 bucket enforces read-only access through HTTPS. That's it.

Let's flip it the other way around and make it a thought experiment: what requirement do you think you're fulfilling by enforcing any sort of access restriction?

When you feel compelled to shit on a design trait, the very least you should do is spend a couple of minutes thinking about what problem it solves and what are the constraints.

[jacquesm]

No, it clearly has a gloating tone to it. 'A reverse engineer's candy store' is clearly meant as a slur.

When in fact TP-Link is doing the right thing with keeping older versions available. So this risks some higher up there thinking 'fuck it, we can't win, might as well close it all off'.

[evilsocket]

I just meant that it was very convenient to have the firmware images there on S3, nothing else :D Many vendors make the process of even just obtaining a copy of the firmware much harder than that, so for once I was glad it has been much easier. Also being able to bindiff two adjacent versions of the same firmware is great ... all in all I was just expressing my happiness :D

[locknitpicker]

> Highlighting (repeatedly) the ease and breadth of access is a basic writing technique to illustrate the weakness of a security system.

It's a firmware distribution system. It's read-only access to a public storage account designed to provide open access to software deployment packages that the company wishes to broadcast to all products. Of course there is no auth requirement at all. The system is designed to allow everyone in the world to install updates. What compells anyone to believe the system would be designed to prevent public access?

[lmz]

Maybe listing shouldn't be enabled even if all the files are public.

[locknitpicker]

> Maybe listing shouldn't be enabled even if all the files are public.

I don't see why. Support for firmware upgrades literally involve querying available packages and downloading the latest ones (i.e., apply upgrades). Either you use something like the S3 interface, or you waste your time implementing a clone of what S3 already supports.

Sometimes simple is good, specially when critics can't even provide any concrete criticism.

[lmz]

It's not a necessary interface. Do the clients actually use S3 listing to determine what the latest firmware is? Personally I would put a service in the middle that takes in the model number, region, etc and then returned the most recent firmware URL. There's no reason to have historical versions be easily listable by curious people.

[dns_snek]

Why not? It's just an annoyance step that is predicated on obfuscating information that has already been made publicly available.

[LoganDark]

Or to illustrate the convenience to the point of the article, being reverse engineering; not necessarily to critique their security practices here. Being easy to reverse engineer is not necessarily a weakness of security (as the inverse would simply be obscurity).

[moron4hire]

Yeah, that writing definitely reeks of incredulity.

[tecleandor]

Yep, I think it should always be that way, firmwares should be always available.

[Angostura]

I didnt really interpret that as a particular criticism really

[theropost]

I think this kind of critique often leans too hard on “security through obscurity” as a cheap punchline, without acknowledging that real systems are layered, pragmatic, and operated by humans with varying skill levels. An open firmware repository, by itself, is not a failure. In many cases it is the opposite: transparency that allows scrutiny, reproducibility, and faster remediation. The real risk is not that attackers can see firmware, but that defenders assume secrecy is doing work that proper controls should be doing anyway.

What worries me more is security through herd mentality, where everyone copies the same patterns, tooling, and assumptions. When one breaks, they all break. Some obscurity, used deliberately, can raise the bar against casual incompetence and lazy attacks, which, frankly, account for far more incidents than sophisticated adversaries. We should absolutely design systems that are easy to operate safely, but there is a difference between “simple to use” and “safe to run critical infrastructure.” Not every button should be green, and not every role should be interchangeable. If an approach only works when no one understands it, that is bad security. But if it fails because operators cannot grasp basic layered defenses, that is a staffing and governance problem, not a philosophy one.

[void-star]

I’m beginning to think maybe I’m the only one that read this whole thing. The firmware storage isn’t the security through obscurity problem being talked about here. The hardcoded TLS private key definitely is though. And yes, it deserves shaming… terrible practice leads to terrible outcomes. Nobody is surprised that this is coming from tp-link at this point though.

[fn-mote]

> An open firmware repository, by itself, is not a failure

Isn’t the complaint that the location of the repo is not publicized?

Nobody would complain if it were linked directly from the company’s web page, I assume?