Archive

Posts Tagged ‘security’

Fingbox Helps You Monitor & Manage Devices on Your Network with Your iOS/Android Smartphone

November 19th, 2017 6 comments

Fing network scanner mobile app available for iOS and Android that allows you to discover which devices are connected to your Wi-Fi network, map devices, detect intruders, assess network security risks, troubleshoot network problems, and optimize wireless network performance.

But in order to go beyond network monitoring, the developers have designed Ubuntu Core based Fingbox hardware to add features such as access control (e.g. parental control), analyze the usage of bandwidth for each clients, find Wi-Fi sweet spots/ avoid black spots, verify your Internet speed, monitor devices in your network, and protects it with a digital fence that works against threats.

From a hardware perspective Fingbox is a round shaped Ethernet node with the following specifications:

  • Processor – ARMv7 processor
  • System Memory – 1GB RAM
  • Connectivity – Gigabit Ethernet

The Linux (Ubuntu Core) device just needs to be connected to your network via an Ethernet cable, and powered by its adapter. You’d then run Fing app on Android or iOS, which will automatically detect the Fingbox, and allow you to easily monitor and control devices on your home network. The best way to clearly understand what the device brings to the table is to watch the demo embedded below.

Fingbox was launched through an Indiegogo campaign, that ended up very successfully with 20,000 backers, and over @1.6 millions raised, but now you can purchased it directly from Amazon for $129 with shipping to US, UK, EU, and Canada, or Fing website for other countries.

When I think about it, I’m wondering why we don’t get such functionality from the router directly, as surely that’s something vendors could implement in the firmware, except possibly on the cheapest models due to storage and/or memory limitations, with no added hardware cost. Feel free to comment if you can already use your smartphone to monitor and manage other devices via your router, or is Fingbox the only workable solution right now?

MINIX based Intel Management Engine Firmware & UEFI are Closed Source & Insecure, NERF to the Rescue!

November 7th, 2017 8 comments

You may have heard a few things about Intel Management Engine in recent months, especially as security issues have been found, the firmware is not easily upgradeable, and the EFF deemed it a security hazard asking Intel for ways to disable it.

In recent days, I’ve seen several media reports about the Management Engine being based on an Intel Quark x86-based 32-bit CPU running MINIX open-source operating system. Keep in mind, there’s nothing nefarious about MINIX, it’s just that Intel keeps its own developments on top closed. One of sources for the information is a blog post explaining how to disable Intel ME 11, but ZDNET also points to one of the talks at the Embedded Linux Conference Europe 2017 entitled “Replace Your Exploit-Ridden Firmware with Linux” by Ronald Minnich, Google which explains the problem, and proposes a solution to (almost) disable Intel’s ME, and replace UEFI by a small open source Linux kernel and ramdisk.

Click to Enlarge

To better understand about the issue, we’ll first need to talk about rings… yes… rings. Protection rings with numbers from -3 to +3 indicate the level of privileges with Ring 3 being the lowest priviledge, and Ring -3 giving full access to all hardware. It’s unrelated to OS privileges and normal users and root are are part of the same Ring 3 privileges.

Ring 0 to 3 are well documented, Ring -1 is for hypervisors like Zen so “known to mankind”, but while we know something about Ring -2 CPU, the code for the UEFI kernel and SMM half kernel are not always known, and in the case of Ring -3 kernels which include the Management Engine, Integrated Sensor Hub (ISH), and Innovation Engine (IE) we know very little about the hardware and software, despite them having the highest privilege.

We do know the Management Engine Ring -3 OS provides the following features.

Full Network manageability ICC Over Clocking
Regular Network manageability Protected Audio Video Path (PAVP)
Manageability IPV6
Small business technology KVM Remote Control (KVM)
Level III manageability Outbreak Containment Heuristic (OCH)
IntelR Anti-Theft (AT) Virtual LAN (VLAN)
IntelR Capability Licensing TLS
Service (CLS) Wireless LAN (WLAN)
IntelR Power Sharing Technology (MPC)

If you have no idea what some of the feature do, that’s OK, as even Richard is unclear. The important part is that the firmware has a full network stack, and web servers are running for remote management, which has recently become a serious problem as Intel found a vulnerability in “Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology” that can allow “an unprivileged attacker to gain control of the manageability features”.  It requires a firmware update, but considering this affect Intel’s first to seven generation, the bug is at least 9 years old, and most systems won’t be updated. Read this PDF for a detailed (71 pages) security evaluation of Intel’s ME

Beside the Management Engine, the presentation also goes through Ring -2 OS (UEFI), an extremely complex kernel (millions of lines of code) running on the main CPU, and whose security model is… obscurity. UEFI exploits also exist, and can be made permanent since UEFI can rewrite itself. The firmware also always runs, and exploits are undetectable by kernels and programs.

The solution proposed to address the privacy and security issues related to ME and UEFI is called NERF (Non-Extensible Reduce Firmware).

It’s only a partial solution because the system cannot fully boot without ME, but they’ve managed to reduce the size from 5MB to 300KB, removing the web server and IP stack in the process on Minnowboard MAX board thanks to me_cleaner. The SMM Ring -2 semi kernel can be disabled however.

UEFI stands for Unified Extensible Firmware Interface, so to simplify the code and make it less vulnerable to exploits they’ve made their implementation NON-extensible, and as a result it’s much simpler, as illustrated in the diagram below.

UEFI vs NERF

UEFI DXE stage is replaced with a single Linux kernel (tied to the BIOS vendor), and a 5.9MB firmware-based root file system written in Go (u-root.tk). If you are interesting in the details watching the 38 minutes ELCE 2017 presentation.

You may also be interested in the slides.

Arm’s Platform Security Architecture Aims to Secure the Internet of Things (IoT)

October 25th, 2017 No comments

News are published nearly everyday about a security breach or flaw in IoT devices, and last year, Softbank CEO, and new Arm owner, Masayoshi Son explained that to reach his goal of one trillion IoT devices and singularity, security had to be addressed, as everything was currently too easily hackable, including cars equipped with lots of electronics but very weak security.

As Arm Techcon 2017  is underway, the company has been working on improving IoT security and announced the Platform Security Architecture (PSA) designed for low cost IoT devices.

PSA components – Click to Enlarge

PSA has three major components:

  • Threat Models and Security Analyses derived from a range of typical IoT use cases.
  • Architecture specifications for firmware and hardware.
  • An open source project, similar to Arm Trusted Firmware for mobile clients.

PSA is designed for low cost IoT devices, which would have not the resources (processing power, memory, battery power…) to run a full Trusted Execution Environment (TEE) , aims at protecting assets such keys, credential or firmware by separating them from application and hardware, and defines a Secure Processing Environment (SPE) for the codes that manages those assets and its trusted hardware resources.

Example of PSA compliant IoT device

While the architecture is agnostic, Arm and their partners will initially focus on Cortex-M based devices, specifically Arm v8-m ones such as Cortex M33. PSA defines hardware, firmware and process requirements and interfaces, but most people can’t see anything of it yet, as the first draft specification and reference firmware implementation (Trusted Firmware-M) will be made available in Q1 2018. Arm will also provide tools for evaluation and compliance, including a validation suite for the functional hardware requirements, potentially a validation suite for the firmware specifications, as well as ways to evaluate robustness compliance by working with partners part of the secure chain from silicon vendors to IoT cloud companies.

While on the subject of security, Arm also announced two new secure IP components with Arm TrustZone CryptoIsland family of smartcard-level security subsystems – starting with CryptoIsland-300 – targeting general purpose MCUs, LPWA connectivity, storage, automotive and more, as well as Arm CoreSight SDC-600 Secure Debug Channel enablingfull debug capabilities without compromising system security.

A few more details about PSA can be found on the product page, where you can also download an 18-page whitepaper entitled “Arm Platform Security Architecture Overview”.

Samsung IoT Security News – ARTIK Secure IoT Modules, SmartThings Cloud, and Secure Element

October 19th, 2017 No comments

Samsung has made several announcements with IoT, especially IoT security. First, Samsung ARTIK 053, ARTIK 530 and ARTIK 710 modules are getting an “s” version, which stands for “robust security”, as well as a new ARTIK 055s module, and all ARTIK modules can now work with SmartThings Cloud uniting the company’s existing services – ARTIK Cloud and Samsung Connect Cloud – into a single IoT platform.

Separately, the company announced their Secure Element solution which combines eFlash memory and new security software.

Samsung ARTIK “s” modules & ARTIK 055s

The company explains in their blog that ARTIK 053s, 530s, 710s, and the all new 055s will feature “advanced protection, integrated cloud services, and hosted security services with “enhanced ARTIK end-to-end security by providing greater protection for IoT data as well as prevention against hacking”.

The press release is a little more specific:

ARTIK secure IoT modules provide a strong root of trust from device-to-cloud with a factory-injected unique ID and keys stored in tamper-resistant hardware. Samsung’s public key infrastructure (PKI) enables mutual authentication to the cloud to identify each device on the network and support whitelisting. Customers can use the new Secure Boot feature and code signing portal to validate software authenticity on start-up. In addition, the secure IoT modules provide a hardware-protected Trusted Execution Environment (TEE) with a secure operating system and security library to process, store, and manage sensitive resources, including keys and tokens on devices. Information is protected using FIPS 140-2 data encryption and secure data storage.

The product briefs somewhat help us better understand what has changed with the “s” version.

Click to Enlarge

So it appears the modules were previously secured with a “Secure Element”, and now the company has added KMS and secure boot support to the “s” version, as well as TEE to the more powerful ARTIK 530s and 710s modules. The company claims there will no increase in price for the (more) secure modules.

Samsung ARTIK 055s Smart IoT module (pictured above) is similar to ARTIK 053(s), but is quite smaller, and works at 3.3VDC, instead of the 5-12VDC. ARTIK 055s specifications with highlights in bold showing differences with ARTIK 053:

  • MCU – 32-bit ARM Cortex R4 @ 320MHz with 1280 KB RAM for general use, 128 KB RAM for global IPC data
  • Storage – 8 MB flash
  • Connectivity – 802.11 b/g/n WiFi @ 2.4 GHz
  • Expansion – 29 dedicated GPIO ports, 2x SPI, 4x UART (2-pin), 4x ADC, 1x JTAG, 2x I2C
  • Security – AES/DES/TDES, SHA-1/SHA-2, PKA (Public Key Accelerator), PRNG/DTRNG (Random Number Generators), Secure key storage, Physical Unclonable Function (PUF)
  • Power Supply – 3.3 VDC input voltage
  • Dimensions – 26 x 15 x 3 mm
  • Temperature Range – -20 to 85°C
  • Certifications – FCC (U.S), IC (Canada), CE (EU), KC (Korea), SRRC (China)

The documentation does not list any hardware differences with regards to security, but Tizen RT OS adds secure firmware and JTAG protection for 055s and 053s.

Samsung Tizen RT OS – Click to Enlarge

In other news, Samsung ARTIK 530(s), ARTIK 710(s), and future Linux based ARTIK modules will now default to Ubuntu 16.04, instead of Fedora used so far.

Samsung Secure Element

We’ve just seen older ARTIK modules included a “Secure Element”, but Samsung has just added to confusion by introducing an “integrated Secure Element (SE) solution for Internet of Things (IoT) applications that offers a turn-key service for both hardware and software needs”.

The SE includes an embedded flash (eFlash) and will stop and reset itself whenever it detects abnormal activity. The solution also comes with security software that supports personal verification, security key storage, encoding and decoding, and secure data transfer between devices servers and clouds.

The SE and developer board are showcased at the Samsung Developer Conference, but that’s all the information I have so far, as I could not find any info about Secure Element or W1650 chip on Samsung website.

Geolocation on ESP8266 without GPS Module, only WiFi

October 3rd, 2017 8 comments

When I think about geolocation in I normally think about global navigation satellite systems such as GPS, GLONASS, Galileo, or Beidou, as well as IP geolocation, but the latter is highly inaccurate, and often only good for find out about the country, region, or city.

But if you’ve ever been into your phone location settings, you’d know GPS is only one option, as it can also leverage cellular base stations and WiFi SSIDs, where the former working where there’s coverage, and the later in area with a high enough density of access points. Somehow, I had never thought about using such technology to find location with WiFi modules until Espressif Systems released an application note entitled “Geolocating with ESP8266“.

This document describes how the ESP8266 module may be used to scan for nearby Wi-Fi access points and, then, use their SSID, RSSI and MAC address to obtain a potential fix on the device’s geolocation, using Google geolocation API.

That’s basically a two step process with an AT command returning the list of available APs, SSID, RSSI, and MAC Address:

and after setting up a secure SSL connection, you can then feed that data to Google Geolocation API to get the location with a command that looks like (wifiAccessPoint data not filled here):

Further research led me to m0xpd experimentation with Geolocation on ESP8266 last year, using both IP geolocation (found to be very inaccurate), and Google or Mozilla APIs, and posted his Arduino source code on Github. The Google API found his actual home in Manchester with just the information retrieved from the list of access points.

That also means that unsecured devices on the public Internet can easily be located, as an hacker logins to a router or IoT device, he just needs to run a command to find out the information required by his preferred geolocation API.

Secure96 is a 96Boards Mezzanine Expansion Board To Experiment with Hardware Based Security

September 28th, 2017 6 comments

With the Internet of things booming and taking a more important role in our lives, security will become more and more critical. So far, it has often been an afterthought with modems & routers frequently shipping with default username and password, and getting security right is really hard, as shown by the recent CLKSCREW attack that somehow leverages DVFS to break ARM TrustZone security, and that “is not a software bug, nor a hardware bug, it’s a fundamental part of the energy management design”, so most ARM platforms are vulnerable. Optimal security normally combines software and hardware, so having a platform to experiment with different HW security solutions would be useful, and that’s what Secure96 Mezzanine board for 96Boards aims for.

Secure96 expansion board specifications:

  • Security ICs
    • Microchip Atmel ATSHA204A SHA-based CryptoAuthentication crypto element device
    • Microchip Atmel ATECC508A crypto device with ECDH (Elliptic Curve Diffie–Hellman) key agreement
    • Infineon SLB 9670 TPM 1.2/2.0
  • Storage – EEPROM
  • USB – micro USB port connected to FTDI chip
  • Expansion – 4-pin for I2C, 40-pin header to connect to 96Boards

Launched in 2011, ATSHA204A is used for symmetric authentication with a random number generator, a unique 72-bit serial number, I2C/SWI host interface, 88 bytes used for configuration, 512 bytes used for data, and 64 bytes of OTP storage. It can be used for accessory (battery, cartridge, …)  authentication, secure boot, data integrity verification, and session key exchange. Joakim Bech, Tech Lead for Security Working Group at Linaro, has already published some code to leverage that chip, currently (& temporarily) posted on his own Github, but will be moved to Linaro repo later on.

Click to Enlarge

ATECC508A shares many of the feature of the first chip, but adds asymmetric key pairs. Sadly it requires an NDA to get the datasheet and TRM, It’s supported by the Atmel CryptoAuthLib, so it might be possible to study the code to better understand it. He has not done work on the software part yet for this part. Note that I previously reported about a demo for secure IoT connectivity using ESP8266 + ATECC508A.

Infineon SLB9670 TPM has just been tested with Intel TSS TPM 2.0 resource manager, and the tpm2.0 tools, but again, no software has been implemented for this chip on Secure96 board yet.

Going forward the rough plans are to:

  • Finalize the ATSHA204A implementation
  • Create a library for the ATSHA204A implementation
  • Offline implementation to mimic device behavior (in a Trusted Application in a TEE)
  • Use IC(s) for secure boot on a 96Boards IoT device
  • Get the specification and implement support for ATECC508A
  • TPM chip – Try it out using IMA in Linux & use it to store SSH credentials

You may want to flick through the Linaro Connect presentation slides for more details.

The video has also been uploaded, but the audio is not that clear. Since there’s still quite a lot more work to do, Secure96 mezzanine is not for sale yet, but eventually it should be via 96Boards Mezzanine products page.

Linaro Connect SF 2017 Welcome Keynote – New Members, Achievements, the Future of Open Source, and More…

September 26th, 2017 No comments

Linaro Connect San Francisco 2017 is now taking place until September 29, and it all started yesterday with the Welcome Keynote by George Grey, Linaro CEO discussing the various achievements since the last Linaro Connect in Budapest, and providing an insight to the future work to be done by the organization.

The video is available on YouTube (embedded below), and since I watched it, I’ll provide a summary of what was discussed:

  • Welcoming New Members – Kylin (China developed FreeBSD operating systems) joined LEG (Enterprise Group), NXP added LHG (Home Group) membership, and Xilinx joined LITE (IoT and Embedded).
  • Achievements
    • OPTEE open portable trusted environment execution more commonly integrated into products. Details at optee.org.
    • LEG 17.08 ERP release based on Linux 4.12, Debian 8.9 with UEFI, ACPI, DPDK, Bigtop, Hadoop, etc…
    • LITE group has been involved in Zephyr 1.9 release, notably contributing to LwM2M stack
    • More projects to be found on download page.
  • Open source future with many fields involved including artificial intelligence, security, automotive, automation, etc.
    • Security requires software/hardware combination, and with a single global standard such as OPTEE desirable
    • Artificial Intelligence / Machine Learning
      • Trend is to move out of the CPU to off-load tasks to GPU, FPGA, or NNA (Neural Network Accelerators)
      • Not single API, for example TensorFlow supports CPU and NVIVIA CUDA, using other platforms require heavy customization
      • Linaro to work abstraction layer/ common API for machine learning
      • A.I will bring many benefits, but also potential dangers/issues: privacy, military use, etc… Development in the open is better.
    • Automotive
      • Currently Intel and NVIDIA provides ADAS / autonomous driving platform, both closed sources
      • More open platform needed, maybe a 96Boards Automotive platform with 6x cameras, GPS, touch screen display, processing power good enough for ADAS and IVI (In Vehicle-Entertainment)
      • Linux now mostly handles non-safety critical code, will change in the future. Containers will help.
      • Currently working on proof-of-concept with StreetDrone One autonomous driving development platform, DragonBoard 410c and Gumstix AeroCore 2 mezzanine. More details, maybe demo, at next Linaro Connect
  • 96Boards
    • Recently (and soon to be) announced – Hikey 960, Orange Pi i96, Uranus (WiFi board based on TI CC3220, to run Zephyr OS)
    • Mezzanine boards – NeonKey with sensors and LEDs, Secure96 with crypto chips & TPM (used to play with OPTEE)
  • ARM Platforms for developers – Three types:
  • Microplatforms
    • Definition – open source, minimal, secure, OTA upgradeable distributions
    • Cortex M platforms will use Zephyr OS, Cortex A support will be based on OpenEmbedded with a unified multi-SoC kernel
    • Currently tested on Hikey, DragonBoard 410c, and Raspberry Pi 3, more platforms to be supported in the future
    • Demos with 6x Carbon + Nitrogen board with BLE running Zephyr OS, Raspberry Pi 3 IoT gateway:
      • 1. Use Linaro Developer Cloud (running LED Enterprise Reference Platform) + Hawkbit dash to monitor temperature sensors on the board
      • 2. Switch Raspberry Pi 3 gateway to use Softbank cloud using Alibaba infrastructure on-the-fly, and control lights from Japan severs.
      • The two demos above shows how a multi-standard automation gateway could be implemented solving the problem of incompatibility of devices from different manufacturers
      • BLE mesh demo with six board controlling lights
      • Source code for demos can be found on Github
    • Going forwards downstream microplatforms will be developed by a separate entity: Open Source Foundries, unrelated to Linaro which will keep on focusing on upstream work
  • Linaro also launched the Associate Program for OEMs, ODMs, service providers, startups, and university who want to join Linaro. No details were provided, only an email address [email protected]

You’ll also find the presentation slides on Slideshare.

Wanscam HW0026 720p IP Camera Goes for $9.99 (Promo)

September 18th, 2017 18 comments

Wanscam HW0026 is a 720p IP camera with night vision, motion detection, and ONVIF 2.1 support that was launched in 2015, although they seem to have updated the model since then. GearBest now has a promotion for the US version of the camera for just $9.99 shipped. The version with the EU plug is sold for $15 shipped without any deep discount.


Wanscam HW0026 IP camera features and specifications:

  • Camera
    • 720P HD resolution, 1.0MP 1/4 inch CMOS sensor, 1 – 25fps adjustable frame rate
    • 90 degree wide angle FOV, 3.6mm lens
    • Supports 10 LEDs for night vision with infrared distance up to 10m
    • Motion detection up to 10 – 15m
    • Video – H.264 codec, AVI container, NTSC or PAL standard.
  • Storage – micro SD card up to 64 GB
  • Connectivity
    • 802.11 b/g/n WiFi
    • Protocols – DDNS, DHCP, FTP, LAN, P2P, RTSP, TCP, UPNP
  • Audio – Built-in mic and speaker, supports two-way intercom
  • Power Supply – 5V / 1A
  • Dimensions – 11.70 cm x 8 cm x 8 cm
  • Weight – 104 grams

The camera can be controlled from web browsers in desktop OS like Mac OS, Windows, or Linux, as well as Android or iOS smartphones using E-view 7 app. It ships with an English user manual, an accessories kit and a power adapter. I could not find custom open source firmware, or specific hacks for the camera, but since it’s compliant with ONVIF 2.1, it should be compatible with third party programs like Xenoma, and NAS with support for surveillance cameras. The old model was based on Hisilicon Hi3518E processor, but the new version appears to be based on Ingenic T10 MIPS processor.

Thanks to Ivo for the tip