From 940ae96b25f6960159d646609612bfaacd174cfa Mon Sep 17 00:00:00 2001 From: HipsterBrown Date: Tue, 10 Jan 2017 22:14:52 -0500 Subject: [PATCH 1/5] initial draft --- 2017-01-11-Secure-Out-of-the-Box.md | 48 +++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 2017-01-11-Secure-Out-of-the-Box.md diff --git a/2017-01-11-Secure-Out-of-the-Box.md b/2017-01-11-Secure-Out-of-the-Box.md new file mode 100644 index 0000000..7c705e3 --- /dev/null +++ b/2017-01-11-Secure-Out-of-the-Box.md 
@@ -0,0 +1,48 @@ +# Secure Out-of-the-Box + +How Tessel covers the [5 Easy Ways to Secure Your IoT Devices](https://www.sparkfun.com/news/2264) from the start. + +1. Unplug It +2. Power Cycle +3. Change The Default Password +4. Update Firmware +5. Disable Universal Plug and Play (UPnP) +6. (Bonus) Disable Telnet and SSH + +## Unplug It + +> The best possible safeguard against hackers is to simply not have the device available for them. + +You control where to power Tessel and even how to power it. Battery, wall socket, or personal computer, you can unplug Tessel anytime. + +## Power Cycle + +> Another interesting aspect of some malware like Mirai is that it only lives in volatile memory (e.g., RAM). That means simply turning off the device and turning it back on again will rid it of the malware + + There is a handy `t2-cli` command for doing this: `t2 reboot` + +## Change the Default + +> Seriously, if you do only one thing to secure your device, do this. + +We did! Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical connection, like USB, to setup. + +## Update Firmware + +> it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion + +Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained projects with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed. + +## Disable UPnP + +> The biggest security flaw in UPnP is that programs inside your network can automatically request port forwarding from the router. + +We ship Tessel without any support for UPnP, as evidence by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). 
OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP. + +## (Bonus) Disable Telnet and SSH + +> Mirai actually did its dirty work by trying to access a device through Telnet or SSH using default credentials. + +We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet. + +Thanks to the folks at Sparkfun for sharing that awesome post. The Tessel team is always working on improving the out-of-the-box experience for anyone getting started with hardware and Internet-connected devices, so we're happy to say that when you get a Tessel you're secure from the start! From d0bff37552345bca3a24d73279053c0286017b67 Mon Sep 17 00:00:00 2001 From: HipsterBrown Date: Mon, 16 Jan 2017 16:07:00 -0500 Subject: [PATCH 2/5] updates after review feedback --- ...md => 2017-01-15-tessel-security-scorecard.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) rename 2017-01-11-Secure-Out-of-the-Box.md => 2017-01-15-tessel-security-scorecard.md (55%) diff --git a/2017-01-11-Secure-Out-of-the-Box.md b/2017-01-15-tessel-security-scorecard.md similarity index 55% rename from 2017-01-11-Secure-Out-of-the-Box.md rename to 2017-01-15-tessel-security-scorecard.md index 7c705e3..16273a1 100644 --- a/2017-01-11-Secure-Out-of-the-Box.md +++ b/2017-01-15-tessel-security-scorecard.md 
@@ -1,6 +1,8 @@ -# Secure Out-of-the-Box +# Tessel's Security Scorecard -How Tessel covers the [5 Easy Ways to Secure Your IoT Devices](https://www.sparkfun.com/news/2264) from the start. +In late October of 2016, an estimated 100,000 Internet-connectied devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times. + +Now that it is known how Mirai managed to infect all of these Internet-connected devices, Sparkfun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). The Tessel team has always been proud of the Tessel 2's out-of-the-box experience, so we wanted show off the board's security scorecard based on Sparkfun's list. 1. Unplug It 2. Power Cycle @@ -21,11 +23,11 @@ You control where to power Tessel and even how to power it. Battery, wall socket There is a handy `t2-cli` command for doing this: `t2 reboot` -## Change the Default +## Change the Default Password > Seriously, if you do only one thing to secure your device, do this. -We did! Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical connection, like USB, to setup. +We did! Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical connection, like USB, to set up. ## Update Firmware 
@@ -37,7 +39,7 @@ Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https:/ > The biggest security flaw in UPnP is that programs inside your network can automatically request port forwarding from the router. -We ship Tessel without any support for UPnP, as evidence by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP. +We ship Tessel without any support for UPnP, as evidenced by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP. ## (Bonus) Disable Telnet and SSH 
@@ -45,4 +47,6 @@ We ship Tessel without any support for UPnP, as evidence by the [config files in We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet. -Thanks to the folks at Sparkfun for sharing that awesome post. The Tessel team is always working on improving the out-of-the-box experience for anyone getting started with hardware and Internet-connected devices, so we're happy to say that when you get a Tessel you're secure from the start! +## Wrap Up + +Thank you Sparkfun for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. Check out the [Johnny-Five Inventor's Kit](https://www.sparkfun.com/products/13847) to start creating your own IoT projects and experiment. Join the [Tessel community](https://tessel.io/community) to learn more about what other people are building and how to start contributing to the Tessel project. From 98f0abd08302ec589c51c20033dd2b3ce9b1f39d Mon Sep 17 00:00:00 2001 From: HipsterBrown Date: Wed, 18 Jan 2017 23:25:24 -0500 Subject: [PATCH 3/5] updates with clear connection to Tessel tooling --- 2017-01-15-tessel-security-scorecard.md | 35 ++++++++++++++----------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/2017-01-15-tessel-security-scorecard.md b/2017-01-15-tessel-security-scorecard.md index 16273a1..9ee3735 100644 --- a/2017-01-15-tessel-security-scorecard.md +++ b/2017-01-15-tessel-security-scorecard.md 
@@ -1,8 +1,10 @@ # Tessel's Security Scorecard -In late October of 2016, an estimated 100,000 Internet-connectied devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times. +In late October of 2016, an estimated 100,000 Internet-connected devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times. -Now that it is known how Mirai managed to infect all of these Internet-connected devices, Sparkfun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). The Tessel team has always been proud of the Tessel 2's out-of-the-box experience, so we wanted show off the board's security scorecard based on Sparkfun's list. +Since the attack, Mirai's source code has been released and revealed how it managed to infect all of these Internet-connected devices. With this knowledge, SparkFun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). We checked the Tessel 2 against SparkFun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack. + +## Sparkfun's List 1. Unplug It 2. Power Cycle 
@@ -11,42 +13,45 @@ Now that it is known how Mirai managed to infect all of these Internet-connected 5. Disable Universal Plug and Play (UPnP) 6. (Bonus) Disable Telnet and SSH -## Unplug It + +### Unplug It > The best possible safeguard against hackers is to simply not have the device available for them. -You control where to power Tessel and even how to power it. Battery, wall socket, or personal computer, you can unplug Tessel anytime. +You may not need to directly unplug your Tessel in order to follow this tip. Instead, you can use Tessel's [network API](https://tessel.gitbooks.io/t2-docs/content/API/Network_API.html#wifi) and control when the board is connected to your network. It could be programmed to disconnect from the network during certain times of day or night, or through some type of hardware control, like a big red button shown in SparkFun's article. -## Power Cycle +### Power Cycle > Another interesting aspect of some malware like Mirai is that it only lives in volatile memory (e.g., RAM). That means simply turning off the device and turning it back on again will rid it of the malware - There is a handy `t2-cli` command for doing this: `t2 reboot` +When you deploy your project to T2's Flash memory, consider including a periodic auto-reboot to clear anything that may have been introduced to RAM. This is easy with the Tessel [power management API](https://tessel.gitbooks.io/t2-docs/content/API/Hardware_API.html#board). -## Change the Default Password +### Change the Default Password > Seriously, if you do only one thing to secure your device, do this. -We did! Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical connection, like USB, to set up. +Tessel 2 doesn't come with a default password because of this specific security consideration. 
Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up. -## Update Firmware +### Update Firmware > it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion -Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained projects with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed. +Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained projects with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed. Once these updates are released, the [Tessel CLI](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#how-do-i-know-if-i-need-to-update-my-t2) will automatically inform you when it's available. -## Disable UPnP +### Disable UPnP > The biggest security flaw in UPnP is that programs inside your network can automatically request port forwarding from the router. -We ship Tessel without any support for UPnP, as evidenced by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP. +Following the [recommendation in OpenWRT documentation](https://wiki.openwrt.org/doc/howto/upnp), Tessel ships without any support for UPnP, as evidenced by the [config files in our `openwrt-tessel` repo](https://github.com/tessel/openwrt-tessel/tree/master/files/etc/config). OpenWRT requires the [miniupnpd package and corresponding config file](https://wiki.openwrt.org/doc/howto/upnp) to enable UPnP. 
-## (Bonus) Disable Telnet and SSH +### (Bonus) Disable Telnet and SSH > Mirai actually did its dirty work by trying to access a device through Telnet or SSH using default credentials. -We literally have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). That process can only happen using `t2-cli` over a physical, USB connection, meaning no root access for rouge, third-party bots scavenging the Internet. +We have a commit to our `openwrt-tessel` repo to [disable telnet](https://github.com/tessel/openwrt-tessel/blob/master/files/etc/init.d/telnet). As mentioned before, `ssh` is not disabled but it is only allowed by devices [provisioned with a shared key](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan). The Tessel team is against `ssh` with passwords, which is why we require that shared key creation through `t2-cli` over a physical, USB connection, meaning no root access for rogue, third-party bots scavenging the Internet. ## Wrap Up -Thank you Sparkfun for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. Check out the [Johnny-Five Inventor's Kit](https://www.sparkfun.com/products/13847) to start creating your own IoT projects and experiment. Join the [Tessel community](https://tessel.io/community) to learn more about what other people are building and how to start contributing to the Tessel project. +Thank you, Sparkfun, for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. 
+ +Check out the [Johnny-Five Inventor's Kit](https://www.sparkfun.com/products/13847) to start creating your own IoT projects and experiment. Join the [Tessel community](https://tessel.io/community) to learn more about what other people are building and how to start contributing to the Tessel project. From 3d24eaa40c56de4a6e8f75064d15119593eafa82 Mon Sep 17 00:00:00 2001 From: HipsterBrown Date: Thu, 19 Jan 2017 11:32:13 -0500 Subject: [PATCH 4/5] adds links to relevant sources, consistent naming --- 2017-01-15-tessel-security-scorecard.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/2017-01-15-tessel-security-scorecard.md b/2017-01-15-tessel-security-scorecard.md index 9ee3735..f6c1512 100644 --- a/2017-01-15-tessel-security-scorecard.md +++ b/2017-01-15-tessel-security-scorecard.md 
@@ -1,10 +1,10 @@ # Tessel's Security Scorecard -In late October of 2016, an estimated 100,000 Internet-connected devices were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called Mirai, allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times. +In late October of 2016, an estimated [100,000 Internet-connected devices](http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/) were used by a group of hackers to attack DNS services as a distributed denial-of-service (DDoS). These devices, mostly routers, printers, and IP cameras, were infected with malware called [Mirai](https://en.wikipedia.org/wiki/Mirai_(malware)), allowing the hackers to take control of those devices and cause outages for major services, like Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times. -Since the attack, Mirai's source code has been released and revealed how it managed to infect all of these Internet-connected devices. With this knowledge, SparkFun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). We checked the Tessel 2 against SparkFun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack. +Since the attack, [Mirai's source code has been released](https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/) and revealed how it managed to infect all of these Internet-connected devices. With this knowledge, SparkFun wrote about ["5 Easy Ways to Secure Your IoT Devices"](https://www.sparkfun.com/news/2264). We checked the Tessel against SparkFun's security scorecard to see if an out-of-the-box Tessel is vulnerable to a Mirai-type attack. -## Sparkfun's List +## SparkFun's List 1. Unplug It 2. 
Power Cycle 
@@ -18,25 +18,25 @@ Since the attack, Mirai's source code has been released and revealed how it mana > The best possible safeguard against hackers is to simply not have the device available for them. -You may not need to directly unplug your Tessel in order to follow this tip. Instead, you can use Tessel's [network API](https://tessel.gitbooks.io/t2-docs/content/API/Network_API.html#wifi) and control when the board is connected to your network. It could be programmed to disconnect from the network during certain times of day or night, or through some type of hardware control, like a big red button shown in SparkFun's article. +You may not need to directly unplug your Tessel in order to follow this tip. Instead, you can use Tessel's [network API](https://tessel.gitbooks.io/t2-docs/content/API/Network_API.html#wifi) to control when the board is connected to your network. Tessel can be programmed to disconnect from the network during certain times of day or night, or through some type of hardware control, like a big red button shown in SparkFun's article. ### Power Cycle > Another interesting aspect of some malware like Mirai is that it only lives in volatile memory (e.g., RAM). That means simply turning off the device and turning it back on again will rid it of the malware -When you deploy your project to T2's Flash memory, consider including a periodic auto-reboot to clear anything that may have been introduced to RAM. This is easy with the Tessel [power management API](https://tessel.gitbooks.io/t2-docs/content/API/Hardware_API.html#board). +When you deploy your project to Tessel's Flash memory, consider including a periodic auto-reboot to clear anything that may have been introduced to RAM. This is easy with the Tessel [power management API](https://tessel.gitbooks.io/t2-docs/content/API/Hardware_API.html#board). ### Change the Default Password > Seriously, if you do only one thing to secure your device, do this. 
-Tessel 2 doesn't come with a default password because of this specific security consideration. Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up. +Tessel doesn't come with a default password because of this specific security consideration. Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up. ### Update Firmware -> it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion +> ... it won’t be long before we start seeing attacks that target IoT services and open ports as potential means for intrusion. -Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained projects with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed. Once these updates are released, the [Tessel CLI](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#how-do-i-know-if-i-need-to-update-my-t2) will automatically inform you when it's available. +Tessel runs an open-source, embedded Linux distribution called [OpenWRT](https://openwrt.org), an actively maintained project with frequent updates. We watch for security patches and keep our [version](https://github.com/tessel/openwrt-tessel) updated as needed. Once these updates are released, the [Tessel CLI](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#how-do-i-know-if-i-need-to-update-my-t2) will automatically inform you when it's available. ### Disable UPnP 
@@ -52,6 +52,6 @@ We have a commit to our `openwrt-tessel` repo to [disable telnet](https://github ## Wrap Up -Thank you, Sparkfun, for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. +Thank you, SparkFun, for sharing that awesome post. Be sure to review all your Internet-connected devices' security scorecard and rest assured that the Tessel project is focused on keeping our boards secure. Check out the [Johnny-Five Inventor's Kit](https://www.sparkfun.com/products/13847) to start creating your own IoT projects and experiment. Join the [Tessel community](https://tessel.io/community) to learn more about what other people are building and how to start contributing to the Tessel project. From bebda2aabbf0539b52f5cc04124e8b3f8ceb9d5d Mon Sep 17 00:00:00 2001 From: HipsterBrown Date: Thu, 26 Jan 2017 22:23:17 -0500 Subject: [PATCH 5/5] note RSA instead of password --- 2017-01-15-tessel-security-scorecard.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/2017-01-15-tessel-security-scorecard.md b/2017-01-15-tessel-security-scorecard.md index f6c1512..96d4fa0 100644 --- a/2017-01-15-tessel-security-scorecard.md +++ b/2017-01-15-tessel-security-scorecard.md @@ -13,7 +13,6 @@ Since the attack, [Mirai's source code has been released](https://krebsonsecurit 5. Disable Universal Plug and Play (UPnP) 6. (Bonus) Disable Telnet and SSH - ### Unplug It > The best possible safeguard against hackers is to simply not have the device available for them. 
@@ -30,7 +29,7 @@ When you deploy your project to Tessel's Flash memory, consider including a peri > Seriously, if you do only one thing to secure your device, do this. -Tessel doesn't come with a default password because of this specific security consideration. Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up. +Tessel doesn't come with a default password because of this specific security consideration. Our [provisioning system](https://tessel.gitbooks.io/t2-docs/content/API/CLI.html#lan) is the only way to access the root system of Tessel over a network and requires a physical, USB connection to set up. This system uses an [RSA key](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) instead of a password. ### Update Firmware
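Review bot: in patch 1/5, hunk @@ -0,0 +1,48 @@, the (Bonus) section says "As mentioned before, `ssh` is not disabled", but no earlier section names `ssh`; the "Change the Default" paragraph only says the provisioning system is the sole network path to root. Either state there that provisioning is what gates `ssh` logins, or drop "As mentioned before". Smaller points in the same hunk: "as evidence by" should be "as evidenced by", "rouge" should be "rogue", the heading "## Change the Default" should match list item 3 ("Change The Default Password"), and the "There is a handy `t2-cli` command" line carries a stray leading space.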
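Review bot: in patch 2/5, hunk @@ -1,6 +1,8 @@, the added intro has two slips: "Internet-connectied" should be "Internet-connected" and "we wanted show off" is missing "to". "used ... to attack DNS services as a distributed denial-of-service (DDoS)" reads better as "in a distributed denial-of-service (DDoS) attack against DNS services", and the "estimated 100,000" figure has no source in this revision; cite the write-up it comes from.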
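Review bot: in patch 2/5, hunk @@ -45,4 +47,6 @@, "rouge" in the unchanged first context line ("no root access for rouge, third-party bots") is still a typo for "rogue"; since this hunk already touches the section, fix it here. In the new Wrap Up, "devices' security scorecard" should be plural "scorecards" (this survives into the 4/5 revision), and "start creating your own IoT projects and experiment" should be "and experimenting" to keep the parallel.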
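Review bot: in patch 3/5, hunk @@ -1,8 +1,10 @@, the new heading "## Sparkfun's List" spells the name differently from "SparkFun" two lines above it in the same hunk; pick one spelling (the later patches in this series settle on "SparkFun"). The added claim that "Mirai's source code has been released and revealed how it managed to infect" is unsourced in this revision; link the release write-up.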
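Review bot: in patch 3/5, hunk @@ -11,42 +13,45 @@, the Power Cycle rewrite recommends "a periodic auto-reboot to clear anything that may have been introduced to RAM", but the quote it answers says only the malware lives in RAM: the entry vector (default credentials on Telnet/SSH, per the Bonus section) survives the reboot and the device can be reinfected the same way. Say that the reboot limits dwell time and that the credential and Telnet sections are what actually close the hole. The Unplug It rewrite has the same shape of problem: a scheduled disconnect via the network API is not equivalent to the quote's "not have the device available", since it depends on code running on the board; present it as a reduced exposure window. Smaller points in the added lines: "an actively maintained projects" should be singular; "will automatically inform you when it's available" should be "they're", and it is worth saying the CLI only notifies and the update step still has to be run; "T2's Flash memory" and "Tessel 2" versus "Tessel" naming is inconsistent; and the last sentence of the Bonus paragraph ("...which is why we require that shared key creation through `t2-cli` over a physical, USB connection, meaning no root access...") is a run-on that should be split in two.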
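Review bot: in patch 4/5, hunk @@ -1,10 +1,10 @@, the added link `[Mirai](https://en.wikipedia.org/wiki/Mirai_(malware))` has unescaped parentheses inside the link target; many Markdown renderers end the URL at the first `)` and leave a stray `)` in the text. Encode them as `Mirai_%28malware%29` or wrap the URL in angle brackets. The same applies to the `RSA_(cryptosystem)` link added in patch 5/5.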
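Review bot: in patch 5/5, hunk @@ -30,7 +29,7 @@, the added sentence "This system uses an RSA key instead of a password" conflicts in terminology with the Bonus section, which still says devices are "provisioned with a shared key". "Shared key" reads as a symmetric secret, whereas an RSA key implies an asymmetric key pair; use "SSH key pair" (or "public key") in both places. Since the Bonus quote attributes Mirai's spread to default credentials, this sentence is also the natural place to state plainly that password logins over `ssh` are not accepted, which the current text only implies with "The Tessel team is against `ssh` with passwords".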