Security #2583
Replies: 45 comments
-
Posted at 2016-12-19 by @gfwilliams Nothing - by default. Having said that you can:
So a whole bunch of options really. Eventually there'll also be the ability to whitelist and also do Bonding (ensuring an encrypted connection) - but that's not in the firmware yet
-
Posted at 2017-01-06 by BrunoBronosky Yes! Security please! I really appreciate how easy it was to give a puck.js to each of my daughters (8 & 9 years old) for Christmas and have them open them and go straight to hacking. Very simple. Very Awesome. I really appreciate how I was able to pass my puck around the office merely saying "Google this" and introduce "hardware hacking" to a dozen people who expressed an interest in microprocessors but were overwhelmed by where to start. But now I have a problem. It's become sport for people to send code to my pucks. I'm glad to hear that I can tell them to go buy their own pucks. However, they are hesitant to do so because they see how I am unable to secure my devices from their pranks. I think it's worth having an official write-up on how to prevent unauthorized pairing. I don't understand the consequences of the 4 different options Gordon has explained above, or how to implement them.
-
Posted at 2017-01-06 by @gfwilliams Argh. Yes, I can see how that would be a problem. Just writing Or you can do the following:
Tap in once, the light flashes green, and it's connectable via serial. Tap it again, it flashes red, and it's not. But yes, I'll add security to my list of tutorials to write :)
-
Posted at 2017-01-22 by Simon Hi, I've just got an ESP8266 and this was my first thought; my best attempt at the moment is below:
This works when the board boots, but after I log in once I have to remember to reset() or E.lockConsole(). Is there a better solution at the moment?
-
Posted at 2017-01-23 by CanyonCasa Perhaps you could add a timeout to autolock the console after a period of inactivity.
-
Posted at 2017-01-23 by @MaBecker Could the WebIDE send
-
Posted at 2017-01-23 by @gfwilliams It should automatically lock when the connection drops? I imagine it will work on Telnet (and it works on USB with normal Espruino boards, and on Bluetooth on Puck.js) - but I guess because serial is always connected it doesn't.
-
Posted at 2017-01-24 by Simon I have also found another security hole: is there a way of disabling the port 88 web server used for wifi flashing? Otherwise anyone on the same WiFi network could just flash the device and take control that way. Now I'm no hacker, but I've found these holes pretty easily, so there looks to be quite a bit of work to be done before I could use this in a commercial environment. I have come from using the Particle Photon, which is secure out of the box, but was looking for a device I could program in JavaScript.
-
Posted at 2017-01-24 by Ollie @simon Espruino on ESP8266 is a port. It works very well, but it's not an official board, so it's not a security hole in Espruino as such. Reflashing over wifi on that port would depend on many factors, but it wouldn't normally give up control of your device. Wifi settings and program memory persist post-flash. A failed flashing attempt reverts to the good binary stored on flash AFAIK. Whether your stuff works after someone in the know and with access to the board successfully flashes your ESP8266 is another matter. A successful flash 'could' leave saved code orphaned if the new Espruino version is different. Maybe of interest, and you reminded me - the ability to flash over Wifi is disabled on ESP8266-01 - it does not have enough space to keep the good copy should flashing fail. What I don't know is whether flashing the 01 bin to a 4Mb board like ESP8266-12 or NodeMCU (because you can) would give you pin availability but disable Wifi Flash. I have wondered myself, but never asked.
-
Posted at 2017-01-25 by @gfwilliams Thanks - the port 88 thing is interesting - I wasn't aware that it was on by default (it'd be good to be able to disable it on the ESP8266 port or at the very least have a very prominent note about its existence as it is quite a big hole). However it's only available to people with access to the WiFi network - and as there is no HTTPS/TLS on the ESP8266 port at the moment you're going to have security issues there as well.
You could look at http://www.espruino.com/WiFi - which doesn't have any ports open by default and has HTTPS and TLS support. You're comparing Particle Photon (which is sold for $20, and costs $80/year for commercial use) to the ESP8266, which is sold for about $3 (none of which pays for Espruino software development). The ESP8266 port has been created by some very impressive work from the Espruino community. The people working on the ESP8266 port are doing it for free - they have absolutely no responsibility to do anything if they don't want to. This is why I have the official devices that I sell, where I take a responsibility for making sure things 'just work' and spend a lot of time supporting users and trying to make sure that they're reliable, secure and well documented. So please don't assume that Espruino isn't secure just because you tried a totally unsupported version of it :)
-
Posted at 2017-02-27 by user73560 Hi Guys,
Expected behavior: No client can ever connect to the Puck and is always disconnected. Current firmware version is 1v91. How can I always disconnect clients, and particularly when an unknown address is found? (i.e. apply http://www.espruino.com/Puck.js+Security) Thank you.
-
Posted at 2017-02-27 by @gfwilliams Hi - thanks for letting me know. I'll look into this. I've filed an issue for it here: espruino/Espruino#1088 3 LEDs lit happens when the Puck itself reboots - so it looks like there might have been some internal error. If you
-
Posted at 2017-02-28 by @gfwilliams Just a note to say it's fixed now - it'll be in the 1v92 release
-
Posted at 2017-02-28 by user73560 Thank you Gordon.
-
Posted at 2017-04-26 by user73560 Hi @gfwilliams, Could you specify the format of "addr" on
It seems to be "xx:xx:xx:xx:xx:xx public"; this way some of the security examples will not work. Thank you.
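The address-format problem raised above, as an added example (not code from the thread or from the Espruino project): a connection guard that normalises the `"xx:xx:xx:xx:xx:xx public"` string Espruino hands to the `connect` event before comparing it with an allow-list, so a plain string compare against the bare MAC no longer silently fails. The `ble` parameter stands in for Espruino's global `NRF` object (`NRF.on('connect', ...)` and `NRF.disconnect()`), which is an assumption made so the same logic can be run under Node with a stub; the allow-list address is constructed.

```javascript
// Constructed sample allow-list of central (phone/PC) Bluetooth addresses.
var ALLOWED = ["AA:BB:CC:DD:EE:FF"];

// Espruino reports peers as "aa:bb:cc:dd:ee:ff public" (or "... random").
// Drop the address-type suffix and upper-case so comparisons are stable.
function normaliseAddr(addr) {
  return String(addr).split(" ")[0].toUpperCase();
}

// True if the (normalised) address is on the allow-list.
function isAllowed(addr, allowList) {
  var a = normaliseAddr(addr);
  for (var i = 0; i < allowList.length; i++) {
    if (normaliseAddr(allowList[i]) === a) return true;
  }
  return false;
}

// Register the guard on a BLE object with on()/disconnect() (NRF on Espruino).
// Returns a log of decisions so the behaviour can be inspected or tested.
function installGuard(ble, allowList) {
  var log = [];
  ble.on("connect", function (addr) {
    var ok = isAllowed(addr, allowList);
    log.push({ addr: addr, allowed: ok });
    if (!ok) ble.disconnect(); // unknown central: drop it immediately
  });
  return log;
}

// On a Puck.js this would be: installGuard(NRF, ALLOWED);
```

An address check only filters who may stay connected; a BLE address can be chosen by the central, so treat it as a convenience filter rather than authentication, and combine it with a console password or bonding as discussed later in the thread.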
-
Posted at 2017-05-03 by user73560 Hi @gfwilliams, The fix is working as expected. Thank you.
-
Posted at 2017-05-11 by user73560 Hi, Do you think that the following approaches are good for production:
All possible password combinations based on this https://math.stackexchange.com/questions/2103361/derive-an-algorithm-for-computing-the-number-of-restricted-passwords-for-the-gen#2103361
Thank you.
-
Posted at 2017-05-11 by @gfwilliams Do you absolutely need access to the UART on the device? If not I'd suggest turning it off completely for production (with You could then turn it on only if the button is pressed in a specific pattern? But if those don't work then yes, the first option would be fine (I don't think the second is a good idea). It would be possible (with a massive amount of difficulty) to solder debug wires onto the device, reverse engineer it, and get the password out - but even I'd struggle with that, and I made it :) It's almost certainly easier to reverse engineer the app! Another thing to note is that by default the transmissions over BLE are not encrypted, so could be spied on. To work around this, you could make your app request Bluetooth LE 'bonding' be performed (which starts encryption) and then only send the password after that has happened. But again, it's very unlikely that would ever be a problem depending on your device. By enabling the password you're already substantially more secure than the majority of Bluetooth LE devices.
-
Posted at 2017-05-12 by user73560 Hi @gfwilliams, Thank you for your advice!
Thank you!
-
Posted at 2017-05-12 by @gfwilliams That's fine - if you apply the battery with the button held down (normal firmware update process) you can totally update the firmware even with the password set - however you can't read the memory back that way, so it's still relatively safe with the password. You can request bonding with something like this (
Having said that, it seems to work but isn't properly tested yet
-
Posted at 2017-05-12 by user73560 Hi @gfwilliams, I think that a workable security scenario could be:
What do you think? Thank you.
-
Posted at 2017-05-13 by @gfwilliams I'm not quite sure I understand - by IP you mean the MAC address? But it sounds pretty secure to me. Also - nothing stops you from just issuing them a new firmware for their device that they can update with nRF connect/similar?
-
Posted at 2017-05-15 by user73560 Hi @gfwilliams, IP is the MAC address of the device that can connect to the Puck. Concerning the process of update through firmware, how secure is it? Once the package is with the party which is doing the update, could it be decoded and the source revealed? If we talk about the "bin" and "dat" file in the firmware I think not, but please confirm. If not, should I build from https://github.com/espruino/Espruino with my code added in it? Should I write the new firmware functions in "C", or can I pass my existing JavaScript code and Espruino translates it to C and includes it into the distribution package? Thank you.
-
Posted at 2017-05-15 by user73560 Hi @gfwilliams, Thank you for the bonding functionality, I tested it with the latest build and it seems to work! How can I execute https://www.espruino.com/Puck.js+BLE+UART with bonding? In general, accessing the primaryService and characteristics should happen after bonding, right? Do you have any docs for it? Thank you.
-
Posted at 2017-05-22 by @gfwilliams
Assuming you upload normally (and not with 'save on send') the JS code will be fragmented over the memory area, and then compressed. With a huge amount of difficulty, it could be decoded (but even I'd struggle). The best solution would be to turn on minification when you upload your code to Espruino, which would make the uploaded code almost unreadable even if it could be deciphered. At that point it's going to be much more difficult to work anything out from your code than it would be if someone disassembled compiled C code, so I really wouldn't worry about it. You could translate your JS code to C (or for simple functions you can use http://www.espruino.com/Compilation), but I wouldn't advise it. Personally I'd say the difficulty of reverse engineering minified JS after it's been encoded into datastructures and compressed with heatshrink makes it about as difficult as you're going to get.
-
Posted at 2017-05-22 by @gfwilliams For bonding, I believe that if you follow the steps to bond first, then disconnect, any subsequent connections will also be bonded - so just running the code posted above, and then the BLE UART code, would be fine.
-
Posted at 2018-03-05 by user73560 Hi @gfwilliams, Is there a way for the source code hex to be protected from reading? Why do I need this? Suppose you have a device whose code is protected from reading, but its hex is not; then a third party could use this hex to program new devices, which will work even though there is no understanding of why. Thank you!
-
Posted at 2018-03-06 by @gfwilliams You could add some code to your software that checks
-
Posted at 2018-06-06 by user73560 Hi @gfwilliams, Could you explain more about "DFU_PRIVATE_KEY=targets/nrf5x_dfu/dfu_private_key.pem" specified during the build? This file contains private and public key. My understanding is that the generated zip file used for DFU and initial firmware upload will be signed with the private key but will contain only the public key. When the device needs a DFU update, the uploaded zip file will be tried to be opened with the public key on the device. If the zip cannot be opened then it is signed with a different private key, thus we can be sure that only firmware signed with the appropriate private key can be uploaded to the device, right? Thank you!
-
Posted at 2018-06-06 by @gfwilliams Nordic has lots of resources on this - it's their bootloader. For instance https://devzone.nordicsemi.com/b/blog/posts/getting-started-with-nordics-secure-dfu-bootloader Espruino's private key is in the repository which means that anyone can create a signed over the air update for it - defeating the point somewhat. However in order to do an update you need physical access to the device, and if you have physical access you could just reflash it via the SWD pins. It's one reason I have resisted allowing you to enter DFU mode without pressing BTN during boot - because that really would be a security issue. If you're trying to understand this so that you can create secure update zip files for your own devices then I'm happy to do some consultancy work to help out. Also, you'd asked before about adding microphones. I recently got the MP34DB02 working with the nRF52 for the Nordic Thingy - it's a fully digital mic, so if you hadn't already got something sorted out it could be quite interesting as it's basically a single-chip solution.
-
Posted at 2016-12-16 by user71324
When I pair with my Puck.js in the Espruino Web IDE my Puck shows up in a list and I never have to enter a pairing code or authenticate in any other way. What keeps a third party from connecting to my puck in the same way and uploading their own instructions to it?