Why upgrading the firmware of a router is dangerous and how to add WPA2 support to XP

My colleague John Howard recently added a post talking about upgrading the firmware on his wireless router to add support for WPA2 (Wireless Protected Access 2) - click here to read John's post . As John points out KB893357 provides the required update for Windows XP. It is also necessary to apply a fireware update on the wireless Access point and Network Interface Card for each client unless they already support WPA2.

I am quite happy adding the update to Windows XP as the code is signed - the signature is validated via authenticode before installation takes place. Unfortunately the firmware update to (every Access Point I've ever seen) IS NOT signed hence it's perfectly possible for a trojan or malware to be included in the update. Many people rely upon their Access Point(s) to act as a security boundary and hence such a compromise would have serious consequences.

You may argue that a humble Access Point wouldn't have the "horse power" to validate a digital signature - I don't believe this to be the case but even if it were the firmware update has to be downloaded to a PC before being applied to the Access Point and therefore the signature validation could take place there.

WPA2 is also known as 802.11i - it was recently certified by the IEEE. It brings AES cryptography to replace DES and has some denial of service protection.

WPA is more than enough for a home environment IMHO but if you have the option of WPA2 then it's a nice to have.