5 Replies Latest reply on Mar 27, 2015 12:47 PM by ninevoltz

    Don't connect your Edison to the Internet!

    Daveman

      After what I just experienced recently, I have some serious reservations about connecting my Edison directly to the Internet.


      Power Edison. Run OOBE. Set a Strong™ root password, and configure a local user account with a similarly strong™ but different password. Connect to home internet connection, open port 22.

      After a few hours, I came to find that my entire LAN was being brought down to a grinding halt and that my Edison was to blame, since it had been r00ted (definitely had some malware installed on it; possibly a rootkit, as well).

      I know that Edison is capable of running SELinux, and could likely be hardened or locked down, but it certainly seems that out of the box, it's far from securable.

      Granted, perhaps I am in error, because perhaps Edison wasn't intended to be connected directly to the internet and used in this manner, but I see no reason why not. Perhaps I was just unlucky, but I still find it somewhat astonishing (alarming) that it could be 0wn3d so easily.

      Laughably, IoT is inherently insecure right now -- like most things, people create the technology, and then think about how to secure the entire system they've just built, as more of an afterthought.


      Has anyone else experienced security compromises with Edison, or are you locking down your devices?


      I'd like to hear others' advice on what steps one might take in order to adequately or properly harden Edison in a production/real-world environment where Edison is acting as a gateway or internet node (DMZ).

        • 1. Re: Don't connect your Edison to the Internet!
          faceplant

          First, you should set up sudo for a standard user account and disable the root account.  Having a root account makes it that much easier for a hacker to perform a password hack.


          Second, I would check that there are no other accounts that support login on the Edison.


          Third, I would move SSH to another port.  That further lessens the chance of someone trying to hack the system.


          Since you only opened the SSH port, it had to either be a password hack, or some ssh exploit.  Is it possible that there is some unpatched exploit in the Edison version of ssh?


          I'm not sure SELinux would help that much.  It seems like SELinux would maybe help protect the system if an unauthorized user logged into your Edison, but I don't think it helps keep unauthorized users from logging in.
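
          The three steps faceplant lists (keep root out of SSH, check which accounts can actually log in, move the port) as one script. This is an added example, not code from the thread or from Intel; it assumes an OpenSSH-style sshd_config at /etc/ssh/sshd_config, the usual /etc/passwd and /etc/shadow layout, and 2222 as the new port. It also turns password authentication off entirely, since with keys only there is nothing for the online password guessing faceplant suspects to guess against.

```shell
#!/bin/sh
# Added example (not from the thread or from Intel): minimal SSH hardening and
# login-account audit for a Linux board such as the Edison.
# Assumptions: OpenSSH-style sshd_config, /etc/passwd + /etc/shadow,
# new port 2222. Adjust for your image.

# set_sshd_option FILE KEY VALUE
# Remove every existing "KEY ..." line, including commented-out defaults
# (which otherwise make the effective value hard to read), then append one
# unambiguous "KEY VALUE" line.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT USER
# No root login, no password or keyboard-interactive logins, keys only,
# a single allowed user, few auth attempts, and a non-default port.
harden_sshd_config() {
    file=$1; port=$2; user=$3
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" MaxAuthTries 3
}

# login_capable_accounts PASSWD SHADOW
# Print "name:password" for every account that has a real login shell and a
# usable hash, and "name:NOPASSWORD" for one whose shadow field is empty
# (it can log in with no password at all). Locked accounts, whose hash
# starts with '!' or '*', and nologin/false shells are skipped.
login_capable_accounts() {
    awk -F: '
        NR == FNR { hash[$1] = $2; next }
        $7 !~ /(nologin|false)$/ && ($1 in hash) && hash[$1] !~ /^[!*]/ {
            print $1 ":" (hash[$1] == "" ? "NOPASSWORD" : "password")
        }' "$2" "$1"
}

# Only touch the live system when run as:  sh harden.sh apply <user>
# Put <user>'s public key in ~/.ssh/authorized_keys first, and keep the
# session you are working in open until a new key-based login succeeds.
if [ "${1:-}" = "apply" ]; then
    user=${2:?usage: $0 apply <user>}
    echo "Accounts that can currently log in:"
    login_capable_accounts /etc/passwd /etc/shadow
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config 2222 "$user"
    passwd -l root      # lock root; reach it with su (or sudo) from $user
    echo "Restart sshd with your init system, then verify: ssh -p 2222 $user@<board>"
fi
```

          The audit matters as much as the config: an account with an empty shadow field, or a forgotten service account with a real shell, is a login path that PermitRootLogin no does nothing about. Run the audit again after the change and expect to see only the one user you allowed.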

          • 2. Re: Don't connect your Edison to the Internet!
            deium

            I will look into this as well.  I have not had anyone take over my Edison as of yet.  Edison is not hardened out of the box.  I use SSH on 22, and there are considerations that should be set when looking to harden your configuration.

            I am curious what you had running on port 80 before being taken, i.e. the JavaScript server for edison-config?

            • 3. Re: Don't connect your Edison to the Internet!
              arfoll

              First thing to do when putting a Linux board on the net: disable root logins (you don't need sudo; su is perfectly good in these scenarios!) and then switch over to a non-default port.


              Would be very interesting to see what's on your FS - could I convince you to upload it?

              • 4. Re: Don't connect your Edison to the Internet!
                Daveman

                If you're talking about the owned Edison, sadly, I reimaged it. I debated keeping it around as a research project, etc, but alas... I needed it for a project, and the last place I wanted it was anywhere near my network in its former state.

                Perhaps in the future, I'll keep a backup NAND copy around for funsies.

                • 5. Re: Don't connect your Edison to the Internet!
                  ninevoltz

                  Whenever I open port 22 to the world, on any system, I always set up hosts.allow and hosts.deny. Also, configuring iptables would be a good idea too.
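
                  The two layers ninevoltz mentions, written out. This is an added example, not code from the thread or from Intel. It assumes sshd is built with libwrap (so hosts.allow/hosts.deny are consulted at all; not verified for the Edison image), that SSH listens on 2222, that the trusted source is 192.168.1.0/24, and that the kernel has the netfilter conntrack and recent modules. If the board must be reachable from anywhere, drop the source restriction and rely on the rate limit plus key-only authentication; the files and rules are only generated here so you can read them before applying.

```shell
#!/bin/sh
# Added example (not from the thread or from Intel): generate a TCP wrappers
# allow/deny pair and a default-deny iptables rule set for a board exposing sshd.
# Assumptions: sshd linked with libwrap, SSH on 2222, trusted source
# 192.168.1.0/24, conntrack + recent modules available. Adjust for your setup.

# write_tcp_wrappers DIR PATTERN
# hosts.allow is checked first, then hosts.deny. PATTERN uses hosts_access(5)
# syntax, e.g. "192.168.1." for a /24 or a single address. Everything not
# allowed is refused, and the deny rule logs the refusal so scans show up.
write_tcp_wrappers() {
    dir=$1; pattern=$2
    printf 'sshd: %s\nsshd: 127.0.0.1\n' "$pattern" > "$dir/hosts.allow"
    printf 'ALL: ALL: spawn /usr/bin/logger -t tcpwrap "denied %%d from %%a"\n' \
        > "$dir/hosts.deny"
}

# iptables_rules CIDR PORT
# Print, without applying, the commands for a default-deny INPUT chain:
# loopback and established traffic pass; new SSH connections only from CIDR,
# and a source that opens 4 or more in 60 s is dropped; everything else is
# logged (rate-limited) and falls through to the DROP policy. The policy is
# set last so the SSH session you are typing in survives the switch.
iptables_rules() {
    cidr=$1; port=$2
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -s $cidr -m conntrack --ctstate NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport $port -s $cidr -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport $port -s $cidr -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
iptables -P FORWARD DROP
iptables -P INPUT DROP
EOF
}

# Usage on the device (read rules.sh before running it):
#   sh fw.sh generate /etc 192.168.1. 192.168.1.0/24 2222 > rules.sh && sh rules.sh
if [ "${1:-}" = "generate" ]; then
    write_tcp_wrappers "$2" "$3"
    iptables_rules "$4" "$5"
fi
```

                  The two layers are not redundant: iptables drops the packets before sshd ever sees them, while the wrappers entry still applies if a rule is flushed or the module is missing, and its spawn line is the cheapest way to get a log of who is knocking. Rules written with iptables are lost on reboot, so save them with iptables-save (or a boot-time unit) once they have been tested.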