On 13/03/2024 18:25, Peter wrote:
> If the camera was a client, uploading images or a video stream to a server (which has a properly secured user side) how could the camera be attacked? It will be behind NAT, for a start.

> - Attack server.

The MbedTLS version is not connected with that, however.

> - Use the server as a relay to attack clients that connect to it.

The MbedTLS version is not connected with that, either. Plus the clients will be behind NAT so how can that server attack them? It can do no more than a 3rd party attacking random IPs.

> Or:
> - Attack some network equipment.

The MbedTLS version is not connected with that, either.

> - Spoof the server.

The MbedTLS version is not connected with that, either.

> - Use the spoofed server to attack clients that connect to it.

The MbedTLS version is not connected with that, either.
So I still don't see where tightening MbedTLS security helps.
Upgrading MbedTLS implies endless upgrades - because a customer will find out that a later version is out. These are damn hard or impossible to deploy.
There is a commercial risk. Let me give you a real example. I sell a product which used to go out with a driver CD. (Now it doesn't because win7 and higher grabs it from the MS website). The customer found out that a particular driver (not previously needed) was not on the CD. We had to scrap a few k CDs (at GBP 0.40 each) and re-pack a few k units of finished stock with a new CD. I can't remember if the customer returned to us his entire warehouse stock for re-packing.
Now translate this to a firmware upgrade on an IoT device. *Obviously* (unless stupidly installed, e.g. on an open port) we cannot access it remotely. The customer has to do something. There are multiple ways, e.g. the device checks an update server periodically (OTA is dangerous; you could brick the entire installed base if something goes wrong -> the end of your company). My product has a USB port with a filesystem behind it so a physical visit is needed. It also had an HTTP server for LAN (or direct laptop) config, but this can't be on an open port for already discussed reasons; it is OK on a private LAN / remotely over a VPN (the HTTP server can be locked to a client IP, e.g. the VPN terminator IP).
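The "HTTP server locked to a client IP" idea at the end of the message is easy to get wrong on an embedded device if the check happens after the HTTP parser has already seen the request. The following is an added example, not Peter's code or any product's firmware: a default-deny allow-list of IPv4 ranges (the private LAN plus the VPN terminator's single address, both constructed values) applied immediately after `accept()`, before any request bytes are read. It assumes a BSD-style socket API (as LwIP's sockets layer provides) and plain C; the `ALLOWED_CIDRS` table, `peer_allowed` and `accept_or_drop` are names chosen here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allow-list for the device's config HTTP server:
   the private LAN subnet and the VPN terminator address (assumed values). */
static const char *const ALLOWED_CIDRS[] = {
    "192.168.1.0/24",
    "10.8.0.1/32",
};

/* Parse "a.b.c.d/n" (or a bare "a.b.c.d", treated as /32) into a host-order
   network address and mask. Returns false on malformed input. */
bool parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    if (strlen(cidr) >= sizeof buf) return false;
    strcpy(buf, cidr);

    int prefix = 32;
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        char *end;
        long p = strtol(slash + 1, &end, 10);
        if (*end != '\0' || p < 0 || p > 32) return false;
        prefix = (int)p;
    }

    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1) return false;

    /* Shifting a 32-bit value by 32 is undefined, so handle /0 explicitly. */
    *mask = (prefix == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
    *net  = ntohl(a.s_addr) & *mask;
    return true;
}

/* True only if the dotted-quad peer address falls inside an allowed range.
   Anything unparsable or unlisted is denied. */
bool peer_allowed(const char *peer_ip)
{
    struct in_addr p;
    if (inet_pton(AF_INET, peer_ip, &p) != 1) return false;
    uint32_t peer = ntohl(p.s_addr);

    for (size_t i = 0; i < sizeof ALLOWED_CIDRS / sizeof ALLOWED_CIDRS[0]; i++) {
        uint32_t net, mask;
        if (!parse_cidr(ALLOWED_CIDRS[i], &net, &mask)) continue; /* ignore bad entries */
        if ((peer & mask) == net) return true;
    }
    return false;
}

/* Gate to run on the sockaddr returned by accept(), before reading any
   request bytes. Returns true if the connection may be handed to the HTTP
   parser; the caller closes the socket on false. */
bool accept_or_drop(const struct sockaddr_in *peer_addr)
{
    char text[INET_ADDRSTRLEN];
    if (peer_addr->sin_family != AF_INET) return false;
    if (!inet_ntop(AF_INET, &peer_addr->sin_addr, text, sizeof text)) return false;
    return peer_allowed(text);
}

int main(void)
{
    const char *samples[] = { "192.168.1.77", "10.8.0.1", "10.8.0.2", "8.8.8.8" };
    for (size_t i = 0; i < 4; i++)
        printf("%-14s %s\n", samples[i], peer_allowed(samples[i]) ? "allow" : "drop");
    return 0;
}
```

The check lives between `accept()` and the first `recv()`, so a connection from outside the listed ranges never reaches the request parser; it is also cheap enough to run on every connection even on a small MCU. It is a complement to, not a replacement for, keeping the port off the public Internet: a source address can be spoofed on a network path the attacker controls, which is exactly why the VPN terminator is the only non-LAN address listed.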