On Wed, Mar 13, 2024 at 6:43 PM Peter wrote:
On Wed, Mar 13, 2024 at 2:56?PM Peter wrote:
On 13/03/2024 18:25, Peter wrote:
If the camera was a client, uploading images or a video stream to a server (which has a properly secured user side) ...
It is a non-trivial task to secure a server. If it was easy there wouldn't be news articles like https://www.cnn.com/2024/03/08/tech/microsoft-russia-hack/index.html Russian state-backed hackers gained access to some of Microsoft’s core software systems in a hack first disclosed in January,
Sure, but how relevant is this to MbedTLS?
I was taking issue with your "... server (which has a properly secured user side)" which makes it sound trivially easy to secure a server.
... how could the camera be attacked? It will be behind NAT, for a start.
Ages ago I ran a TOR middle node on my home network. I noticed some strange traffic on my internal, **behind a NAT device**, network and found out that NAT wasn't the magical network protection device you seem to think it is. It turns out that loose source routing defeated NAT - see https://en.wikipedia.org/wiki/Loose_Source_Routing
Clearly some attack on NAT is possible if you control the server which the client is connecting to, by sending malformed packets to the client during the time the NAT channel is open (it closes 180 secs after cessation of data, normally).
Take another look at loose source routing - it's not an "attack on NAT" but a bypass of NAT: Loose source routing uses a source routing option in IP to record the set of routers a packet must visit.
Anyone can send traffic with that option and the 'set of routers a packet must visit' being a single IP address - the "outside" IP address of your NAT device and the destination address being something on your internal network.
- Attack server.
The MbedTLS version is not connected with that, however.
This showed up in my inbox today: [SECURITY] [DSA 5639-1] chromium security update ... Security issues were discovered in Chromium, which could result in the execution of arbitrary code
Do you use a browser on the same machine that you upload photos to from your camera?
I transfer photos from my phone to my PC via the home wifi. The phone is behind "NAT" of the telco if on 4G. But maybe I am not understanding you. If you built a camera with MbedTLS, it should still be a client. Do you mean the PC should be considered compromised, and then it could penetrate the camera (the phone) and run arbitrary code on the phone?
Yes. You've been using the browser on your PC. How do you know your PC hasn't been compromised? When the camera is talking to the PC there is nothing protecting the camera from the PC .. or anything else on the "internal" network behind the NAT device.
By the same token, you've probably been browsing the Internet on your phone. How do you know your phone hasn't been compromised? What's protecting all the devices on your home network when your phone is connected to your home wifi?
- Use the server as a relay to attack clients that connect to it.
The MbedTLS version is not connected with that, either. Plus the clients will be behind NAT so how can that server attack them? It can do no more than a 3rd party attacking random IPs.
Your browser PC is behind the same NAT - right? And there's no firewall or NAT device between your PC and whatever it is that's using the MbedTLS code - right?
I don't understand the config in this case.
Take the situation you must mentioned - I transfer photos from my phone to my PC via the home wifi. What's protecting the phone from your PC? Or what's protecting your PC from the phone since I'm betting you use a browser on both phone & PC. There's no NAT involved on your home wifi is there?
Or:
- Attack some network equipment.
The MbedTLS version is not connected with that, either.
"some network equipment" being the ISP supplied router/modem that connects your network to the Internet.
Sure; NAT could be buggy, especially in no-name chinese consumer kit.
Wow, you sure have nat on the brain. I took "attack some network equipment" as total ownage of your Internet router. If I control your Internet router and can run whatever code on it I feel like, what could I do?
If you're having trouble answering that take a look at https://m.xkcd.com/341/ which is probably based on https://pete.ex-parrot.com/upside-down-ternet.html
- Spoof the server.
The MbedTLS version is not connected with that, either.
I'd like to see your definition of "connected to." If the MbedTLS software doesn't connect to a server then why do you need TLS?
It is true that a lot of applications can be done with a fixed key and just using AES for session crypto. But TLS is a standard way to do this stuff nowadays. People feel happy :) The fact that 99.99999% of data in IOT applications is of no value whatsoever is not relevant.
You kept repeating the MbedTLS version is not connected to that; it seems like the MbedTLS version isn't connecting to anything, so why run the MbedTLS software?
- Use the spoofed server to attack clients that connect to it.
The MbedTLS version is not connected with that, either.
So I still don't see where tightening MbedTLS security helps.
If nothing else, it helps sales. Tell me what product you sell -- I'll make sure that I never buy it.
Rather more constructively, can you suggest how to do OTA on a typical IOT box, in a way which runs no risk of blowing up my company? :)
I thought me avoiding insecure products was very constructive :)
My box does have means of uploading new firmware but obviously it is not possible to just do it remotely.
I have a ROKU box that manages to update itself without any interaction on my part, so clearly it _is_ possible. Maybe it's not possible for what you're selling, but that's why I would like to know what it is you're selling so I can avoid it.
The wider issue is that this stuff is now so complex that only people who have spent years working with MbedTLS know how to do it, and know how to incorporate the MbedTLS updates.
So hire a contractor that knows how to do it. It can't be all that hard to find somebody competent.
Regards Lee