dCS Products Apparently Use HTTP Rather Than HTTPS to Check For/Download Firmware Updates

Whether you think this is a danger or not is up to you and your network security posture; I just found it interesting:

dCS products apparently use the insecure HTTP protocol rather than HTTPS to check for and download firmware updates.

Is it a huge security risk?

No, but in general practice “HTTPS for everything” seems to be increasingly recommended.

2 Likes

Hi Bill,

There should be no security risk whatsoever with this - do you have a specific concern or is it simply that the query is via http: rather than https:?

The firmware update available query has no value in itself being sniffed and if someone were able to fake an “update available” response and intercept the firmware file download and replace it with another file then there are many other factors in play that prevent this being any kind of worthwhile attack vector.

I hope that helps…

BR

Phil

2 Likes

I don’t have a specific concern, and we know the downloaded firmware files have proper checksums embedded.

It was just a general concern as the “standard” for such transfers is moving to all HTTPS to avoid potential spoofing, even for such things as live audio streams from radio stations.

Hi Bill,

It’s more than that though, Bill: anything nefarious would need to be developed for such an obscure and incredibly specific platform (and the different subsystems would have to be written to work together to achieve whatever goal the “hacker” wanted because - for example - the Control Board has no access to the network, that’s done by the streaming board so the streaming board would need to be separately programmed as well) that it would essentially just be a non-starter for anyone to spend the time and effort doing and spoofing - there are no “dCS Streamer” IDEs - and of course we use FPGAs rather than CPUs which means that as a platform it’s just an absolute nightmare for anyone to even start to think of doing anything with - and we don’t support WiFi either so there’s very little that it could even do in the way of sniffing network traffic and as such would be pretty useless as an attack vector…

…so hopefully a decent example of the phrase “Security through obscurity”, especially when it’s far easier to get someone to willingly hand over their details by offering them the chance to see who’s “Unfriended” them or who’s viewed their profile on Facebook. 😉

Phil

4 Likes