Author Topic: Security for web managed embedded device  (Read 11518 times)


Online nctnico

  • Super Contributor
  • ***
  • Posts: 27387
  • Country: nl
    • NCT Developments
Re: Security for web managed embedded device
« Reply #25 on: January 15, 2014, 07:52:09 am »
Well then throw your phone, settop box, game console and PC out of the window...

I have given the problem a bit more thought. It is feasible to create a browser plugin which implements a lightweight encryption protocol which could run on 40MHz ARM controllers with 16kB SRAM. That protocol would become the 'Internet of Things' security layer. The amount of data transferred will be relatively small so the encryption can be 256bit or more without a big performance hit.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline ivaylo

  • Frequent Contributor
  • **
  • Posts: 661
  • Country: us
Re: Security for web managed embedded device
« Reply #26 on: January 15, 2014, 09:35:47 am »
Quote
Then I let the device register to a DYN DNS service running on gadget.com that registers the device with a sub domain name like serial.gadget.com

This won't work. Most of your devices will have private IP addresses while your DNS will probably be public.
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 2031
  • Country: au
Re: Security for web managed embedded device
« Reply #27 on: January 15, 2014, 10:58:03 am »
NAT, Port forwarding?
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27387
  • Country: nl
    • NCT Developments
Re: Security for web managed embedded device
« Reply #28 on: January 15, 2014, 12:14:21 pm »
If you can explain that to your grandmother (just in case: when she was still alive) it is a good solution. You need something plug & play.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7971
  • Country: de
  • A qualified hobbyist ;)
Re: Security for web managed embedded device
« Reply #29 on: January 15, 2014, 02:27:45 pm »
Personally I would not buy any sort of embedded device that depends on and requires some server not under my control for its operation...

Unfortunately more and more companies are trying to copy Apple's Walled Garden, because that creates a more sustainable revenue and most users don't seem to care about the Walled Garden until they hit that wall hard. And if you say anything it's first "You're just jealous of my iJunk!". And after they hit the wall I'll say "I told you!".  >:D

The problem with that dependency on the vendor's servers is not just control and data collection (privacy issues). If the vendor shuts down the servers your device becomes junk. That happens all the time with online computer games. You pay $60 for a game which only runs if you're online. A year later the servers are shut down for whatever reason and you can't play the game anymore. And the sad thing is, a lot of people are happily buying those games.  :palm:
 

Offline Kirigozo

  • Contributor
  • Posts: 29
Re: Security for web managed embedded device
« Reply #30 on: January 15, 2014, 09:37:57 pm »
Wow!
EEs are now doing computer security!
Sounds like "script-kiddy heaven" with bonuses.  :-DD

Tridentsx, it is time to find a security consultant who specializes in embedded systems because it is obvious that none here know anything about computer security beyond setting you up to be pwned up the whazoo.

It's that or pray the client doesn't order a pen test.

Hey! I heard a rumor that, next week, the plumbers are running a special on open heart surgery.  :-DD
 

Offline ivaylo

  • Frequent Contributor
  • **
  • Posts: 661
  • Country: us
Re: Security for web managed embedded device
« Reply #31 on: January 16, 2014, 02:25:00 am »
I still think using readymade Javascript components may be the best bet here. The pages will be structured a bit differently and the device's server has to publish a few additional JSON interfaces, but nothing an EE can't handle. Let me see; if I get some free time in the next few weeks I may throw a prototype together.
 

Offline ivaylo

  • Frequent Contributor
  • **
  • Posts: 661
  • Country: us
Re: Security for web managed embedded device
« Reply #32 on: January 16, 2014, 05:56:54 am »
@tridentsx: How are you going to program the web server on your device? I looked at the TI Sitara em335x thing and during the 3min I spent all I see is C/C++ and this "lwIP, a free, BSD-style license, TCP/IP stack from Swedish Institute of Computer Science". Are you going to compile in a web server somehow (if so which one) or build around this lwIP thing, do some sort of C/C++ CGI or something else?
 

Offline tridentsx (Topic starter)

  • Regular Contributor
  • *
  • Posts: 101
  • Country: us
Re: Security for web managed embedded device
« Reply #33 on: January 16, 2014, 06:17:49 am »

I will run a Linux kernel with lighttpd as a web server and a MySQL database.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7971
  • Country: de
  • A qualified hobbyist ;)
Re: Security for web managed embedded device
« Reply #34 on: January 16, 2014, 12:32:41 pm »
Quote from: ivaylo
I still think using readymade Javascript components may be the best bet here.

Javascript and security, that's called an oxymoron ;-)
 

Offline ivaylo

  • Frequent Contributor
  • **
  • Posts: 661
  • Country: us
Re: Security for web managed embedded device
« Reply #35 on: January 16, 2014, 07:28:14 pm »
Err..., encryption is encryption (what the exact question was about). No difference between something encrypted with JS or C++. Whether a setup is secure is completely another matter (seen systems using heftiest encryption in a stupid way which made them easy to exploit).

Otherwise I am not suggesting security on the web be replaced by encrypted json streams. Just not seeing a better solution for the poster's original question. When I see it I'd go my merry way (been interested in a solution myself though).
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27387
  • Country: nl
    • NCT Developments
Re: Security for web managed embedded device
« Reply #36 on: January 16, 2014, 09:31:20 pm »
Quote from: ivaylo
I still think using readymade Javascript components may be the best bet here.
Quote from: madires
Javascript and security, that's called an oxymoron ;-)

You may laugh about it, but if you generate a public/private key pair in the embedded device and have the javascript use the public key to encrypt the data you can send encrypted data back to the device. Vice versa is the same. Javascript can produce a public/private key from which it sends the public key to the device. Presto: end to end encryption.
That is the beauty of public/private key encryption: you can have the source code and an encryption key but you still won't be able to decode the messages (quickly).
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
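
Added example, not part of the original post: the device-to-browser half of the scheme described above, written against WebCrypto with RSA-OAEP chosen as the public-key algorithm. The fingerprint pin is an assumption added here, because the exchange as described gives the browser no way to tell whose public key it received; all function names and the sample message are hypothetical.

```javascript
// WebCrypto is global in browsers and current Node.js; the fallback covers older Node.
const subtle = (globalThis.crypto || require('node:crypto').webcrypto).subtle;

const hex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Device side: generate the key pair once and export the public half (SPKI).
async function deviceCreateKeys() {
  const pair = await subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, ['encrypt', 'decrypt']);
  const spki = await subtle.exportKey('spki', pair.publicKey);
  // Assumption: the user learns this fingerprint out of band (label, local display).
  const fingerprint = hex(await subtle.digest('SHA-256', spki));
  return { privateKey: pair.privateKey, spki, fingerprint };
}

// Browser side: refuse to encrypt to a key that does not hash to the pinned value.
async function browserEncrypt(receivedSpki, pinnedFingerprint, message) {
  if (hex(await subtle.digest('SHA-256', receivedSpki)) !== pinnedFingerprint) {
    throw new Error('public key does not match pinned fingerprint');
  }
  const pub = await subtle.importKey(
    'spki', receivedSpki, { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['encrypt']);
  return subtle.encrypt({ name: 'RSA-OAEP' }, pub, new TextEncoder().encode(message));
}

// Device side: only the holder of the private key recovers the plaintext.
async function deviceDecrypt(privateKey, ciphertext) {
  const plain = await subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, ciphertext);
  return new TextDecoder().decode(plain);
}

// Constructed scenario: the genuine device key, and a second key that is not the device's.
async function demo() {
  const device = await deviceCreateKeys();
  const other = await deviceCreateKeys();
  const ct = await browserEncrypt(device.spki, device.fingerprint, 'setpoint=42');
  const roundTrip = await deviceDecrypt(device.privateKey, ct);
  let swappedKeyRejected = false;
  try {
    await browserEncrypt(other.spki, device.fingerprint, 'setpoint=42');
  } catch (e) {
    swappedKeyRejected = true; // the pin check stopped encryption to the wrong key
  }
  return { roundTrip, swappedKeyRejected, ciphertextBytes: ct.byteLength };
}
```

RSA-OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes per message, so larger payloads would need a symmetric key wrapped this way.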
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8334
Re: Security for web managed embedded device
« Reply #37 on: January 17, 2014, 11:22:15 am »
Quote from: ivaylo
I still think using readymade Javascript components may be the best bet here.
Quote from: madires
Javascript and security, that's called an oxymoron ;-)
Quote from: nctnico
You may laugh about it, but if you generate a public/private key pair in the embedded device and have the javascript use the public key to encrypt the data you can send encrypted data back to the device. Vice versa is the same. Javascript can produce a public/private key from which it sends the public key to the device. Presto: end to end encryption.
That is the beauty of public/private key encryption: you can have the source code and an encryption key but you still won't be able to decode the messages (quickly).

JS, on an embedded device, for encryption? :wtf: Why not just use SSL instead...
 

Offline ivaylo

  • Frequent Contributor
  • **
  • Posts: 661
  • Country: us
Re: Security for web managed embedded device
« Reply #38 on: January 17, 2014, 05:32:04 pm »
Quote
Why not just use SSL instead...

Did you read the discussion at all?
 

Offline rx_tx

  • Newbie
  • Posts: 1
Security for web managed embedded device
« Reply #39 on: January 17, 2014, 09:57:17 pm »
I would go for a self-signed cert in this case. An embedded system of this nature should not be connected to an external network anyway, and the people with access should be able to add an exception and approve that cert. Unless there are some routines in place for updating the server software regularly. Linux kernel, lighttpd and mysql release security patches that need to be applied and if your system can't handle those, SSL or not doesn't matter all that much. And if you have a system in place for handling software updates, updating a certificate should be a walk in the park.


Sent from my iPad using Tapatalk
 

