I'm new to Shelly products - quickly learning, testing the products and system for potential use. I'm a cyber sec guy and part of my testing is of this aspect. Hence also this question.
I've been looking at the various firmware packages downloadable via OTA and saw that they contain a digital signature component - this is critically important if you're doing OTA updates, all the more so since it seems that the Shelly OTA updates are being done via HTTP (and not HTTPS). I assume(...) that each device tests the sig against a vendor public key that is hardcoded in their existing f/w, and only if the signature matches, marks the incoming f/w package as valid and allows the update.
Now when I downloaded a 1.10.4 version firmware - e.g. latest SHPLG2-1.zip - and analyzed it, I could not find a trace of a digital signature. The zip file contains less files than in previous versions, basically just the manifest and bin files, and the manifest does not seem to contain such signature either. (It does contain SHA1/SHA256 hashes, but these do not validate authenticity - they can be used to assert integrity).
I'm sure I'm missing something - I don't find it conceivable that the vendor would remove such a critically important feature, and leave the OTA process open to trivial attacks.
Can anyone help me out here? Thanks for any insight.