Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel3

Security for embedded systems is a serious issue, albeit though often overlooked. This chapter gives an overview of common security risks that might occur during the deployment and lifespan of the product. We also give hints and tips on the implementation of some chosen security mechanisms. Since we are not able to cover every possible risks in the manual, users are strongly recommended to read on further topics regarding this these issues.

Note

For the following list of security risks, no claim of completeness can be made. There may arise other risks or - on the opposite - limitations in the design of your application by following the instructions provided in this chapter.

Services

...

SECO Northern Europe devices are initially shipped with a “developer friendly” state. That means, all services are available and already activated. This provides a helpful state on which customers can easily deploy further application. However, leaving those services unchecked can lead to potential security risks. Once the customers have finalized their deployment on the devices, we recommend a review of the services in-used and to disable all those that are not required for the applications. See chapter [Services] on how to disable.

Independent of the device’s application, following special cares need to be taken:

SSH

An SSH services is enabled by default on SECO Northern Europe devices with Yocto. In addition to the password and user suggestions from [User permissions concept], there are more hints on securing the ssh service in the chapter [SSH service]. It is possible to restrict users allowed using this service, lock SFTP access to a subfolder only and create custom crypto keys.

User permissions concept

...

Linux is designed as a multi-user system and provides a mechanism known as file permissions. Each file has an owner, a group and flags that grant write, read and/or execute permissions to the owner, the group or anybody. Additionally there is a super user, called root, who has access to all files. More information on this concept can be found here.

Customers should follow the principle of minimal privilege for user rights on the devices. Please note that SECO Northern Europe tools are usually assigned with access rights for all users since it is more developer friendly.

Root password

Since SECO Norther Northern Europe is an OEM manufacturer and we are delivering serial-produced devices to several customers, a default root password would lead to a form of pseudo security. Moreover a default password for all devices is highly vulnerable. For this purpose our devices usually have no root password set. It is essential that a password will be set by customers before the devices are deployed. This is the minimum security measure to be done.

...

Blocking root access. Linux offers the opportunity to disable the root-login for specific services like ssh, or the serial console. Since the root login is is always a popular target for attackers this easy mechanism will decrease the risk for those kinds of brute force attacks.

Expand
titleBlocking Block root access

This can be done by setting the root account’s shell to /sbin/nologin in the /etc/passwd file:

Code Block
root:x:0:0:root:/root:/sbin/nologin
...
Note

Ensure that another user account with the possibility to gain super user (su) rights is created before the root access is disabled. Otherwise, you might completely lose access to the device.

Non-root users

Normally a non-root user should be used for "everyday tasks" on the system.

Expand
titleCreating a non-root user

The tool adduser can be used to create a non-root user

Code Block
root@santaro:~# adduser <user name>
Changing password for <user name>
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:<enter your secure password>
Re-enter new password:<enter your secure password>
passwd: password changed.

This creates a new user <user name> with group <user name> and the home directory /home/<user name>/.

The new user can be used to login immediately. See the man page of adduser for more options.

...

Superuser privileges for non-root users

sudo allows non-root users to have access to single commands with root user privileges. If login for root user is disabled, this can be used by non-root user to do system tasks. To enable usages of this feature, the group sudo should be enabled in the sudoer file and the user needs to be added to this group.

Expand
titleEnabling sudo

Edit the file /etc/sudoers with the command:

Code Block
nano sudo

and uncomment the following line:

Code Block
%sudo ALL=(ALL) ALL

This enables the sudo privilege for users in the group "sudo". To add a user to this group, execute the following command:

Code Block
usermod -G sudo -a user

Now it is possible to execute commands with root previleges when logged in as <user name>:

Code Block
user@santaro:~$ cat /etc/sudoers
cat: can't open '/etc/sudoers': Permission denied
user@santaro:~$ sudo cat /etc/sudoers
Password:
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
...

Flash-N-Go System

...

Newer SECO Northern Europe devices are equipped with an Flash-N-Go System as backup OS. Within Flash-N-Go the user has full control of the device’s configuration and the partitions on the flash disk respectively eMMC without a password or further authentication.

As described in [Deploying the Linux system to the target] booting into Flash-N-Go System can be triggered by pressing the bootmode switch or with the bootselect tool from the yocto OS.

The bootselect tool can only change the bootmode when called with root privileges, so following password and user suggestions from [User permissions concept] should solve this issue.

...

Note

Updating the system normally without the backup OS Flash-N-Go System is impossible. Though it is possible to revert the change and re-enable Flash-N-Go System from the normal OS, if it is functional.

Networking

...

Firewall - netfilter/iptables

By default, all network communication is allowed. However, Linux can be configured to block certain IP packets depending on its header (e.g. by port or by protocol) using iptables, which is basically a firewall. As this mechanism is very powerful and complex, it is not documented here in detail. Please take a look at the following link for a basic introduction.

...

Expand
titleWorking with netfilter/iptables

Block all network traffic:

Code Block
root@santaro:~# iptables -F
root@santaro:~# iptables -A INPUT -j DROP

This is the first step and it is a mandatory preparation for the following steps.

Open SSH access only:

Code Block
root@santaro:~# iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -m state --state NEW, ESTABLISHED -j ACCEPT
root@santaro:~# iptables -I OUTPUT 1 -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Open network access on port 80 and DNS replies on port 53 from the device:

Code Block
root@santaro:~# iptables -I INPUT 1 -p udp --source-port 53 -j ACCEPT
root@santaro:~# iptables -I OUTPUT 1 -o eth0 -p tcp --dport 80 -m state --state NEW, ESTABLISHED -j ACCEPT
root@santaro:~# iptables -I INPUT 1 -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT

Save the firewall configuration as persistent:

Code Block
root@santaro:~# iptables-save > /etc/iptables.rules
root@santaro:~# echo "iptables-restore < /etc/iptables.rules" > /etc/network/if-pre-up.d/iptables
root@santaro:~# chmod +x /etc/network/if-pre-up.d/iptables

Disable the firewall:

Code Block
root@santaro:~# iptables -F

Using secure network protocols

Newer and more secure network protocols, e.g. HTTPS, FTPS and SSH, are strongly recommended over their outdated counterparts.

Further mechanisms regarding the security for network connected Linux systems are described here.

Restrict physical access

...

Each physical interface like USB, SD-Card or Ethernet socket can serve as possible entrance gates for attackers. Unessential ports should be physically disabled or restricted from easy outside access. This reduces the likelihood that an attacker can connect to the system and therefore lower the risk of a potential security issue.

Application security

...

Application security is seldom a high priority for embedded devices. But it is, of course, essential to take account of identifying risks in embedded applications. Since application development is a very complex subject and it is out of scope for SECO Northern Europe, we will refer to secondary lecture at this point.