Supply Chain Attack Targets GitHub Repositories and Secrets

Is this (going to be) a problem? Has anyone knowledgeable looked into it?

Supply Chain Attack Targets GitHub Repositories and Secrets

Attackers subverted a widely used tool for software development environment GitHub, potentially giving them access to software development environment secrets from thousands of private code repositories.

WLED is public.

So, is it possible that code could be maliciously modified in the official main or beta branch? I really don’t understand how GitHub works with commits…

Very highly unlikely. They would need to modify every branch of every dev the same way without anyone noticing.

Thanks for the info!

It is the tools needed to build WLED that may get compromised (supply chain) not WLED itself.

Among the most abused are Python repositories (as well as NodeJS) as those get used most in projects like WLED.

What that means is that you, as a developer, need to take care not to install rogue tools or libraries.

WLED extensively uses NPM (the NodeJS package manager) for various tasks during the build process and relies on Python for PlatformIO.

If you want to be on the safe side, use npm ci when installing NPM packages and leave Python to PIO and its update process. Or, if you are diligent, take extreme care when installing packages and tools, and update them when vulnerabilities are discovered.
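As an added illustration (not code from the thread or from the WLED project): npm ci installs exactly the versions pinned in package-lock.json and checks every downloaded tarball against the lockfile's integrity hash, so the lockfile itself is worth auditing before you trust it. The script below audits a constructed lockfile for entries that lack an integrity hash or resolve to a host other than the public registry, and shows the same hash comparison npm performs; the sample lockfile, package names and allowed host list are assumptions.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

def sri_sha512(data):
    """Subresource Integrity string (sha512-<base64>) as used in package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()

# Constructed sample lockfile (lockfileVersion 3); package names are hypothetical.
GOOD_INTEGRITY = sri_sha512(b"good tarball bytes")
SAMPLE_LOCK = json.dumps({
    "name": "example", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example"},
        "node_modules/good": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/good/-/good-1.0.0.tgz",
            "integrity": GOOD_INTEGRITY,
        },
        "node_modules/nohash": {  # pinned version but no hash: nothing to verify against
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/nohash/-/nohash-2.0.0.tgz",
        },
        "node_modules/offsite": {  # hash present, but fetched from an unexpected host
            "version": "3.0.0",
            "resolved": "https://example.invalid/offsite-3.0.0.tgz",
            "integrity": "sha512-AAAA",
        },
    },
})

ALLOWED_HOSTS = {"registry.npmjs.org"}  # assumption: only the public registry is trusted

def audit_lockfile(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (package path, reason) pairs for entries npm ci cannot fully pin and verify."""
    findings = []
    for path, entry in json.loads(lock_text).get("packages", {}).items():
        if path == "":  # the root project entry has no tarball
            continue
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in allowed_hosts:
            findings.append((path, f"resolved from unexpected host {host}"))
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append((path, "missing or non-sha512 integrity hash"))
    return findings

def tarball_matches(tarball_bytes, integrity):
    """Recompute the SRI hash of a downloaded tarball and compare it to the lockfile entry."""
    return integrity.startswith("sha512-") and sri_sha512(tarball_bytes) == integrity
```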

Thanks for the insight. Compromised build tools are an issue, though they would only affect local builds, right?
In order to affect WLED official builds, the GitHub tools would need to be compromised. Is that a possible scenario?

It would affect your computer. Which is worse!

A supply chain attack is often the attack vector for an entity to gain a foothold in one's environment, such as gaining control of a developer's computer to then spread laterally (or vertically) inside an organisation.

Or propagating to a popular open source project…

So, is there a way to record audio on systems that have the Audio Reactive build? Perhaps gain access to the (ESP32) hardware and use UPnP to create port forwardings on the local router and send the public IP to a C&C server? I can think of many scenarios that a compromised IoT device could be used for… The compromised tools don’t even need to be on my computer; yours would do just fine if the build on my hardware came from your computer… Are MD5s published for the official files and builds?

Edit 1:

Even if there were MD5s published, it would likely be automated, so they would be correct…

For official builds to be affected, the source code needs to be changed. For that to happen, GitHub itself would need to be hacked to insert code without anyone noticing. In theory possible, but very unlikely. Also, there needs to be a good reason to hack it, as it involves a lot of effort; again, in theory someone could do it “for fun”, but that is even more unlikely.

Yes, of course. But that would be more appropriate to a PC/Mac or mobile project than to IoT (which WLED isn’t exactly) on a limited device. Still, the possibility exists.

There are 3 components that may feature such a vector: the core Espressif networking libraries, the AsyncTCP/UDP libraries and AsyncWebServer. Except for the Espressif library, the other 3 are under the WLED developer’s scrutiny, and 2 of them are used from the WLED developer’s forks.

If someone wanted to “record audio” and transmit it to an adversary, that would need to happen in the Audioreactive usermod, as no other components use audio recording capabilities. You are free to examine that code.

So, you believe that the likelihood is small that the core WLED could be maliciously altered without being noticed, and any type of data transfer would need to come from a user mod?

Core WLED (including the included usermods) cannot be modified unless approved (or modified) by one of 6 people eligible to do that.
There is a possibility of compromised accounts or a breached GitHub, though. But someone would notice that within a day.

You can always fork and use your fork for your own purposes. And pull only changes you are comfortable with.

Thank you.