SAUCS is a Search Engine for Security Vulnerabilities (CVE Database)

SAUCS MDM9206 CVE

Every so often we hear about critical security vulnerabilities in the news, but new ones are actually discovered daily, so it would be nice to have some sort of search engine to find out which known security vulnerabilities a given product or processor may have before purchasing it, or even more importantly, before starting a project. SAUCS does just that by having robots check the CVE update list, parse the XML feed, and format it. You can search for products or processors, or subscribe to the vendors and products you want, and receive an email as soon as new changes are detected. I found out about SAUCS thanks to a comment from Thomas who pointed out the Qualcomm MDM9607 processor found in Quectel EC25 LTE module had a fairly long list of CVE (Common Vulnerabilities and Exposures) entries while using the default? firmware as shown in the screenshot above. Each CVE entry is ranked by its CVSS (Common Vulnerability Scoring …

Embedded Linux Conference & Open Source Summit 2019 Schedule

Embedded Linux Conference 2019 Schedule

In the last few years, I covered the Embedded Linux Conference and IoT Summit schedules since both were happening at the same time and in the same location. But the Linux Foundation have recently announced the Embedded Linux Conference will combine with the Open Source Summit, so the IoT Summit appears to have been phased out. The full schedule for the events taking place on August 21 – 23, 2019 at the Hilton San Diego Bayfront, USA, has also been released, so I’ll create a virtual schedule with some of the sessions most relevant to this blog.

Wednesday August 21, 2019

11:30 – 12:05 – What’s New with U-Boot? by Simon Glass, Google LLC

U-Boot is a widely used bootloader in embedded systems. Many users are unaware of the wide feature-set of U-Boot, particularly features added in the last few years. This talk aims to bring users (and prospective users) up to speed on the state of the art in …

More Intel Processor HW Security Flaws. Meet Microarchitectural Data Sampling (MDS)

Intel MDS Zombieload, RIDL, Fallout

2018 did not start so well for processor vendors, especially Intel, but also AMD, Arm and others as some of their processors leveraging speculative execution were impacted by Spectre and/or Meltdown hardware security bugs. The workarounds to improve security had a downside as they affected performance in some specific use cases. Panic ensued as the bug was revealed to the public a bit too early, so companies were not fully ready with their mitigations / workarounds. Then in summer of 2018, another hardware security flaw known as Foreshadow or L1 Terminal Fault came to light. The new flaw potentially enabled the attacker to access data stored in L1 cache. Provided you have updated your operating systems to the latest version, your computers and devices should be protected against those vulnerabilities, and you can even check with a script working in Linux or FreeBSD. But this now looks like a never-ending game, as security researchers have found yet other hardware …

MORPHEUS Claims to be an Unhackable RISC-V Processor Architecture

MORPHEUS Unhackable RISC-V Processor

Code gets continuously written and updated for new features, optimizations and so on. Those extra lines of code sometimes come at a cost: a security bug gets inadvertently introduced into the code base. The bug eventually gets discovered, a report is filed, and a software fix is committed to solve the issue, before the new software or firmware is pushed to the end user. This cycle repeats over and over, and this means virtually no software or device can be considered totally secure. The University of Michigan has developed a new processor architecture called MORPHEUS that blocks potential attacks by encrypting and randomly reshuffling key bits of its own code and data several times per second through a “Churn Unit”. The new RISC-V based processor architecture does not aim to solve all security issues, but focuses specifically on control-flow attacks made possible for example by buffer overflows: Attacks often succeed by abusing the gap between program and machine-level semantics– …

Enabling Two-Factor Authentication for SSH Access in Armbian

Armbian Two Factor Authentication SSH

Until today, I only knew of two authentication methods for SSH: the traditional username/password and key-based login with private/public keys, with the latter being more secure and not requiring any password. But I’ve just found out it’s also possible to log in to SSH using two-factor authentication relying on your smartphone to get an OTP code like you would to access some banking services, as it can easily be enabled in Armbian. First you’ll want to enable key-based login with private/public keys, or you won’t be able to access your board anymore after enabling 2FA except via the serial console. Now simply start armbian-config, and go to System Settings->Reconfigure SSH daemon to enable PhoneAuthentication “mobile phone one-time passcode”. We’re not done yet, so don’t close Armbian-config. You’d then need an Android or iOS phone running Google Authenticator app to receive the OTP (one-time password). After enabling PhoneAuthenticator in armbian-config, you’ll see a new option to generate a token. Select it, and it …

Pioneer Edition FreedomBox Home Server Launched with Olimex A20-OLinuXino-LIME2 Board

Pioneer Edition FreedomBox Home Server

Olimex works on open source hardware boards, while the FreedomBox Foundation has been developing FreedomBox, a free and open source private server system, since 2010 with the goal of empowering regular people to host their own internet services, like a VPN, a personal website, file sharing, encrypted messengers, a VoIP server, a metasearch engine, and more. When you mix open source hardware, open source software, and a bit of Internet freedom it gives birth to a product called “Pioneer Edition FreedomBox Home Server” based on Olimex A20-OLinuXino-LIME2 board and running FreedomBox software.

Pioneer Edition FreedomBox Home Server specifications:

SoC – Allwinner A20 dual-core ARM Cortex-A7 CPU @ 1.0 GHz with dual-core Mali 400 GPU
System Memory – 1GB DDR3
Storage – microSD slot fitted with 32GB class 10 card loaded with FreedomBox, SATA data and power connectors, 2KB EEPROM for MAC address and custom data
Connectivity – Gigabit Ethernet
Video Output – HDMI up to 1080p60
USB – 2x USB …

Eclipse IoT Survey Report Reveals Arm & Linux Dominate, Security Concerns

Constrained devices Arm IoT

The Eclipse IoT Working Group has just released a report asking the global IoT developer community to share their perceptions, requirements, and priorities. And with over 1,700 individuals taking the survey between February and March 2019, the key findings are interesting:

IoT drives real-world, commercial outcomes today. 65% of respondents are currently working on IoT projects professionally or will be in the next 18 months.
IoT developers mostly use C, C++, Java, JavaScript, and Python
AWS, Azure, and GCP are the leading IoT cloud platforms
Top three industry focus areas remain the same as last year: IoT Platforms, Home Automation, and Industrial Automation / IIoT.
MQTT remains the dominant IoT communication protocol leveraged by developers
The Eclipse Desktop IDE is the leading IDE for building IoT applications

The last point may be slightly biased because the survey was done by the Eclipse IoT Working Group, so most respondents were already familiar with the Eclipse IDE. Security concerns dropped slightly compared …

Avnet Azure Sphere MT3620 Starter Kit Features Two mikroBUS Sockets

Avnet Azure Sphere MT3620 Starter Kit

Microsoft and MediaTek worked together to design MediaTek MT3620 Arm Cortex-A7 processor with Microsoft Pluton security sub-system required for Microsoft Azure Sphere IoT ecosystem. We’ve already covered boards from Seeed Studio including the just announced low cost MT3620 mini dev board. But Microsoft also cooperated with Avnet which has recently introduced Azure Sphere MT3620 Starter Kit equipped with two mikroBUS sockets enabling the platform to leverage one of the 633 “click boards” available from MikroElektronika. Just like the latest Seeed Studio board, Avnet Azure Sphere MT3620 Starter Kit is comprised of a baseboard with a soldered-on CPU module that can later be used for mass-production in a custom designed board.

Specifications:

Azure Sphere MT3620 CPU Module
Mediatek MT3620AN single core Arm Cortex-A7 processor @ 500 MHz with 4MB SRAM, dual core Arm Cortex-M4F real-time core @ 200 MHz with 64KB RAM, Microsoft Pluton security sub-system, and WiFi.
Storage – TBD
Connectivity – Dual band 802.11 a/b/g/n WiFi with chip antenna …