Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tessel Security Post #53

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Tessel Security Post #53

wants to merge 5 commits into from

Conversation

HipsterBrown
Copy link
Contributor

I got some initial thoughts down and would love help with the details.

Copy link
Member

@Frijol Frijol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good start– my only real critique is that it's missing context. It drops the reader right into a checklist– from the title and intro, I was expecting something different. I'm not sure what I expected..
I think the quickest fix would be a title change along the lines of "Tessel's security scorecard" or "Security checklist– is Tessel 2 safe?" though ideally less clickbaity than that suggestion.

Other than that, I like the style, and that it's short & sweet.

Separate note: I feel like this would get some play on HackerNews or Medium


How Tessel covers the [5 Easy Ways to Secure Your IoT Devices](https://www.sparkfun.com/news/2264) from the start.

1. Unplug It
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list needs more introduction. Is this Sparkfun's list? It doesn't have an obvious connection to how Tessel ships.
Part of the clarification needed is because you mention "from the start", as in built into the Tessel when it arrives, but this list is more of a set of user-maintenance tips.


## Power Cycle

> Another interesting aspect of some malware like Mirai is that it only lives in volatile memory (e.g., RAM). That means simply turning off the device and turning it back on again will rid it of the malware
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mirai needs introduction if you are going to mention it– e.g. I was out-of-country/offline at that time and missed the whole thing


> Seriously, if you do only one thing to secure your device, do this.

We did! Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical connection, like USB, to setup.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/setup/set up


> The biggest security flaw in UPnP is that programs inside your network can automatically request port forwarding from the router.

We ship Tessel without any support for UPnP, as evidence by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/evidence/evidenced


We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet.

Thanks to the folks at Sparkfun for sharing that awesome post. The Tessel team is always working on improving the out-of-the-box experience for anyone getting started with hardware and Internet-connected devices, so we're happy to say that when you get a Tessel you're secure from the start!
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a header of its own or it falls into the Disable Telnet section


> it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion

Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained projects with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Someone should probably do that...

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lol


> Mirai actually did its dirty work by trying to access a device through Telnet or SSH using default credentials.

We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be clear, OpenWrt only runs telnet on initial setup to let you set a root password. Tessel uses the USB connection through the coprocessor instead, so doesn't need telnetd for that.

@HipsterBrown
Copy link
Contributor Author

@Frijol @rwaldron I've updated the draft with a better introduction, including more context for Mirai. There is probably more to be said in the "Change the Default Password" section, so I'll still be working on that part a bit.

Copy link
Member

@Frijol Frijol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The most impactful improvement would be to make clearer connections between what features Tessel provides and how a user can take advantage of those features to best secure their own device. I have specific examples in-line. Excited for this post!

@@ -0,0 +1,52 @@
# Tessel's Security Scorecard

In late October of 2016, an estimated 100,000 Internet-connectied devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: connectied --> connected


In late October of 2016, an estimated 100,000 Internet-connectied devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Now that it is known how Mirai managed to infect all of these Internet-connected devices, Sparkfun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). The Tessel team has always been proud of the Tessel 2's out-of-the-box experience, so we wanted show off the board's security scorecard based on Sparkfun's list.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Now that it is known how" leaves me wondering: how? Is Sparkfun's list a comprehensive enumeration of the ways that Mirai got onto the devices?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From SparkFun's article:

Mirai scans for connected Internet of Things (IoT) devices running some form of embedded Linux, including routers. It then attempts to “log in” to the device using some 60 known factory default usernames and passwords. Once in, Mirai infects the machine, turning it into a “bot” for use by the attacker and continues scanning for other connected IoT devices. The source code for Mirai was released in October.

Without bringing in this whole summary, because I think folks should read the article as well, I will reference that Mirai has been open sourced. That allows us to know how it managed to infect those devices.


In late October of 2016, an estimated 100,000 Internet-connectied devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Now that it is known how Mirai managed to infect all of these Internet-connected devices, Sparkfun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). The Tessel team has always been proud of the Tessel 2's out-of-the-box experience, so we wanted show off the board's security scorecard based on Sparkfun's list.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The second sentence feels a little non sequitur– I see the "out of the box experience" as the unboxing-to-successful-project experience, which seems tangential to security. The proud phrasing (accurate though it is) also feels like a foregone conclusion: we are writing this to show you that it is good.

I would suggest phrasing like: "We checked the Tessel 2 against Sparkfun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack"

In late October of 2016, an estimated 100,000 Internet-connectied devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Now that it is known how Mirai managed to infect all of these Internet-connected devices, Sparkfun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). The Tessel team has always been proud of the Tessel 2's out-of-the-box experience, so we wanted show off the board's security scorecard based on Sparkfun's list.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Header: Sparkfun's list


> The best possible safeguard against hackers is to simply not have the device available for them.

You control where to power Tessel and even how to power it. Battery, wall socket, or personal computer, you can unplug Tessel anytime.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you make a more direct connection to how the ability to change T2's power source leads to better device security? It seems to me like Sparkfun is saying "a safe IoT device is a device that's not turned on", which I don't think is what we want from control over Tessel's power options.


> The biggest security flaw in UPnP is that programs inside your network can automatically request port forwarding from the router.

We ship Tessel without any support for UPnP, as evidenced by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have backstory to this? Was UPnP disincluded specifically for security purposes?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm adding a link to the OpenWRT recommendation to not enable UPnP and using it as our reason for not supporting it out-of-the-box.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The OpenWrt miniupnp package is an UPnP server, that is, the thing that listens to UPnP requests on the router and sets up port forwarding and firewall rules. Independent of any security implications of UPnP, the reason T2 doesn't include it is because Tessel isn't intended to be used as a router, so it makes no sense to include it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A Tessel's role in a UPnP system would likely be as a client, requesting that an upstream router map an external port to it, and well, that's something for the user writing the code for it to include or exclude.


> Mirai actually did its dirty work by trying to access a device through Telnet or SSH using default credentials.

We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/literally/currently (or remove)


> Mirai actually did its dirty work by trying to access a device through Telnet or SSH using default credentials.

We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth mentioning that we're against SSH with password, which is why we require the more secure key exchange


## Wrap Up

Thank you Sparkfun for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. Check out the [Johnny-Five Inventor's Kit](https://www.sparkfun.com/products/13847) to start creating your own IoT projects and experiment. Join the [Tessel community](https://tessel.io/community) to learn more about what other people are building and how to start contributing to the Tessel project.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be "Thank you, Sparkfun, ..."


## Wrap Up

Thank you Sparkfun for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. Check out the [Johnny-Five Inventor's Kit](https://www.sparkfun.com/products/13847) to start creating your own IoT projects and experiment. Join the [Tessel community](https://tessel.io/community) to learn more about what other people are building and how to start contributing to the Tessel project.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need a paragraph break before "Check out the Johnny..."


> Another interesting aspect of some malware like Mirai is that it only lives in volatile memory (e.g., RAM). That means simply turning off the device and turning it back on again will rid it of the malware

When you deploy your project to T2's Flash memory, consider including a periodic auto-reboot to clear anything that may have been introduced to RAM. This is easy with the Tessel [power management API](https://tessel.gitbooks.io/t2-docs/content/API/Hardware_API.html#board).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The link in this paragraph is dependent on a t2-docs PR to be merged first.

tessel/t2-docs#142

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand how this section applies to Tessel. T2 has a writable root filesystem overlay, so changes are persisted across reboots.

@HipsterBrown
Copy link
Contributor Author

@Frijol Thank you for the thorough review. The post is more clearly connected to Tessel's advantages as a board and project.

@HipsterBrown HipsterBrown changed the title [WIP] Tessel Security Post Tessel Security Post Jan 19, 2017
@@ -0,0 +1,57 @@
# Tessel's Security Scorecard

In late October of 2016, an estimated 100,000 Internet-connected devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an estimated 100,000 Internet-connected devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS

Can you find a concrete, credible source for this and link to it via footnote (or inline)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mirai

Link to it


In late October of 2016, an estimated 100,000 Internet-connected devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Since the attack, Mirai's source code has been released and revealed how it managed to infect all of these Internet-connected devices. With this knowledge, SparkFun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). We checked the Tessel 2 against SparkFun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mirai's source code has been released and revealed

Link to it


> The best possible safeguard against hackers is to simply not have the device available for them.

You may not need to directly unplug your Tessel in order to follow this tip. Instead, you can use Tessel's [network API](https://tessel.gitbooks.io/t2-docs/content/API/Network_API.html#wifi) and control when the board is connected to your network. It could be programmed to disconnect from the network during certain times of day or night, or through some type of hardware control, like a big red button shown in SparkFun's article.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and control

"to control"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be programmed

"The Tessel can be programmed"


> Another interesting aspect of some malware like Mirai is that it only lives in volatile memory (e.g., RAM). That means simply turning off the device and turning it back on again will rid it of the malware

When you deploy your project to T2's Flash memory, consider including a periodic auto-reboot to clear anything that may have been introduced to RAM. This is easy with the Tessel [power management API](https://tessel.gitbooks.io/t2-docs/content/API/Hardware_API.html#board).

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

T2

If you want to call it "T2", then you should define that earlier in the article, otherwise continue calling it "Tessel"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kevinmehall does this clarify:

  • Rebooting a Tessel 2 that has an application deployed to Flash memory, which is also writing to the filesystem in the Flash memory is persisted and will not clear those bits
  • Rebooting a Tessel 2 that has an application deployed to RAM, which is also writing to the filesystem in RAM, will reset those bits
  • Rebooting a Tessel 2 that has an application deployed to Flash memory, but which is writing to RAM (eg. /tmp/), will reset those bits located in RAM


> Seriously, if you do only one thing to secure your device, do this.

Tessel 2 doesn't come with a default password because of this specific security consideration. Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tessel 2

Pick one and use it throughout:

  • Tessel
  • Tessel 2
  • T2


### Update Firmware

> it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion

"... it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion."

  • adds elision ellipsis at start
  • adds period at end


> it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion

Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained projects with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed. Once these updates are released, the [Tessel CLI](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#how-do-i-know-if-i-need-to-update-my-t2) will automatically inform you when it's available.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

projects

"project"


Since the attack, Mirai's source code has been released and revealed how it managed to infect all of these Internet-connected devices. With this knowledge, SparkFun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). We checked the Tessel 2 against SparkFun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack.
Since the attack, [Mirai's source code has been released](https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/) and revealed how it managed to infect all of these Internet-connected devices. With this knowledge, SparkFun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). We checked the Tessel against SparkFun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Member

@Frijol Frijol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great! I have a couple of suggestions, but nothing blocking. Thanks for all your hard work on this :)


### Unplug It

> The best possible safeguard against hackers is to simply not have the device available for them.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a quote from Sparkfun's article? Make attribution clear if it is

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Every section contains a quote from the corresponding step in the SparkFun article. Do I add attribution below each of the quotes?


> Seriously, if you do only one thing to secure your device, do this.

Tessel doesn't come with a default password because of this specific security consideration. Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(it also uses RSA rather than password)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good note, will add.

### Update Firmware

> ... it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That section in the T2 CLI docs is really nice, I didn't know we had that! Though it doesn't mention in those docs that it will show up automatically

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made an issue on that tessel/t2-docs#146


> Mirai actually did its dirty work by trying to access a device through Telnet or SSH using default credentials.

We have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). The Tessel team is against `ssh` with passwords, which is why we require that shared key creation through `t2-cli` over a physical, USB connection, meaning no root access for rogue, third-party bots scavenging the Internet.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it important to point to the specific commit? It makes me think it's in a PR and not safe yet.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I like showing how earlier on this decision was made.

It makes me think it's in a PR and not safe yet.

I don't understand that assumption. I could point to the file itself instead.

@HipsterBrown
Copy link
Contributor Author

Thanks again for the review, @Frijol. I'm going to wait until this t2-docs PR is merged before prepping this to publish.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants