On Wed, Mar 13, 2024 at 2:56 PM Peter wrote:
On 13/03/2024 18:25, Peter wrote:
If the camera was a client, uploading images or a video stream to a server (which has a properly secured user side) ...
It is a non-trivial task to secure a server. If it was easy there wouldn't be news articles like https://www.cnn.com/2024/03/08/tech/microsoft-russia-hack/index.html Russian state-backed hackers gained access to some of Microsoft's core software systems in a hack first disclosed in January,
Sure, but how relevant is this to MbedTLS?
... how could the camera be attacked? It will be behind NAT, for a start.
Ages ago I ran a TOR middle node on my home network. I noticed some strange traffic on my internal, **behind a NAT device**, network and found out that NAT wasn't the magical network protection device you seem to think it is. It turns out that loose source routing defeated NAT - see https://en.wikipedia.org/wiki/Loose_Source_Routing
Clearly some attack on NAT is possible if you control the server which the client is connecting to, by sending malformed packets to the client during the time the NAT channel is open (it closes 180 secs after cessation of data, normally).
But you also need to know the holes in the client, so you can set up a way to run code of your choice on it (by sending it malformed packets). With Windoze there must be 1000 ways but with the average embedded box? It won't be open source ;) Most don't even have a filesystem (unless running Linux or similar) which can store code to run. I can see ways to set this up, by obtaining a client device and disassembling it, etc. It's a helluva stretch... and I'd say on most boxes (other than Linux stuff) there won't be any attack surface even if you did disassemble it. (Yes I know STM32 readout protection etc can be penetrated by VCC or clock or /NRST glitching).
And yes, *nobody* should be routing RFC-1918 addresses across the Internet, but you know what they say about theory and practice...
Sure.
- Attack server.
The MbedTLS version is not connected with that, however.
This showed up in my inbox today: [SECURITY] [DSA 5639-1] chromium security update ... Security issues were discovered in Chromium, which could result in the execution of arbitrary code
Do you use a browser on the same machine that you upload photos to from your camera?
I transfer photos from my phone to my PC via the home wifi. The phone is behind "NAT" of the telco if on 4G. But maybe I am not understanding you. If you built a camera with MbedTLS, it should still be a client. Do you mean the PC should be considered compromised, and then it could penetrate the camera (the phone) and run arbitrary code on the phone?
If so, your camera is not behind a NAT and is directly connected to a possibly compromised server.
Does your browser have JavaScript enabled? Take a look at https://en.wikipedia.org/wiki/DNS_rebinding and play with https://lock.cmpxchg8b.com/rebinder.html
Sure...
- Use the server as a relay to attack clients that connect to it.
The MbedTLS version is not connected with that, either. Plus the clients will be behind NAT so how can that server attack them? It can do no more than a 3rd party attacking random IPs.
Your browser PC is behind the same NAT - right? And there's no firewall or NAT device between your PC and whatever it is that's using the MbedTLS code - right?
I don't understand the config in this case.
Or:
- Attack some network equipment.
The MbedTLS version is not connected with that, either.
"some network equipment" being the ISP supplied router/modem that connects your network to the Internet.
Sure; NAT could be buggy, especially in no-name Chinese consumer kit.
- Spoof the server.
The MbedTLS version is not connected with that, either.
I'd like to see your definition of "connected to." If the MbedTLS software doesn't connect to a server then why do you need TLS?
It is true that a lot of applications can be done with a fixed key and just using AES for session crypto. But TLS is a standard way to do this stuff nowadays. People feel happy :) The fact that 99.99999% of data in IOT applications is of no value whatsoever is not relevant.
- Use the spoofed server to attack clients that connect to it.
The MbedTLS version is not connected with that, either.
So I still don't see where tightening MbedTLS security helps.
If nothing else, it helps sales. Tell me what product you sell -- I'll make sure that I never buy it.
Rather more constructively, can you suggest how to do OTA on a typical IOT box, in a way which runs no risk of blowing up my company? :)
My box does have means of uploading new firmware but obviously it is not possible to just do it remotely.
The wider issue is that this stuff is now so complex that only people who have spent years working with MbedTLS know how to do it, and know how to incorporate the MbedTLS updates.
Peter
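The DNS rebinding point raised in the thread (a browser on the LAN being turned into a relay against a device behind the same NAT) has a well-known device-side mitigation: the device only answers HTTP requests whose Host header names the device itself, since a rebound request arrives carrying the attacker's hostname. The example below is added here and is not code from the thread or from MbedTLS; the hostname `camera.local`, the address `192.168.1.50`, and the port are constructed values standing in for whatever the device actually uses. It also shows the resolver-side variant of the same guard (refusing public names that resolve to private addresses), which is how home-router DNS forwarders typically implement rebind protection.

```python
"""DNS-rebinding guard for an embedded device's local HTTP API.

Added example, not code from the mailing-list thread. Assumes the device
serves plain HTTP on the LAN and knows the names/addresses it answers under
(the values below are constructed placeholders).
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: names and addresses under which this device legitimately answers.
ALLOWED_HOSTS = {"camera.local", "192.168.1.50"}


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this device.

    In a DNS-rebinding attack the browser reaches the device through the
    attacker's hostname (e.g. evil.example -> 192.168.1.50), so the Host
    header carries the attacker's name. Accepting only our own names defeats
    that, because the browser will not let the page rewrite the Host header.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip an optional port; bracketed IPv6 literals need separate handling.
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host in allowed


def resolver_answer_allowed(answer_ip):
    """Resolver-side rebinding guard for a LAN DNS forwarder.

    A name looked up from the public Internet must not resolve to a
    private, loopback, link-local or unspecified address (the same idea as
    dnsmasq's --stop-dns-rebind). Returns False for answers to drop.
    """
    try:
        ip = ipaddress.ip_address(answer_ip)
    except ValueError:
        return False  # malformed answer: drop it
    return not (ip.is_private or ip.is_loopback
                or ip.is_link_local or ip.is_unspecified)


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal device API that rejects requests with a foreign Host header."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            self.send_response(421)  # Misdirected Request
            self.end_headers()
            self.wfile.write(b"Host header not recognised\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"camera status: ok\n")


if __name__ == "__main__":
    # Constructed listening port; run and try `curl -H 'Host: evil.example' ...`
    HTTPServer(("0.0.0.0", 8080), GuardedHandler).serve_forever()
```

The Host check is the part that belongs on the device, because it works even when the user's router does no DNS filtering; the resolver check is a second layer that stops the rebind before the browser ever connects. Neither depends on the TLS library version, which is the point the thread circles around: these are application-layer controls, not crypto ones.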