What are the security pros and cons if we have to enable SSH access during the manufacturing of a device (i.e. a Fire Alarm Control Panel)? It is a manufacturer requirement.

SSH access will be disabled before shipping the product, but technically there will be an option to re-enable it if needed.

peterh
wonder
    There is no big implication if you use SSH during manufacturing, if your threat scenario doesn't include rogue workers and inner threats. The real question is what you leave after manufacturing. You say that SSH can be reactivated; why? Is this a requirement, or do you not know how to remove it completely? – Matthieu Jan 16 '17 at 23:46

1 Answer

It is perfectly normal for manufactured devices to be "rooted" or placed in a state that allows for escalated privileges.

Phone manufacturers years ago used COM ports via Bluetooth to assist with installation. While some either forgot to disable them or simply chose not to, this increased the attack surface, and allowed for BlueSnarfing/Bluejacking among other attacks.

The key part is the risk assessment:

  • What happens if a product leaves the factory with SSH still enabled?
  • Is it "Mission Critical" or "Life Critical"? Would someone die due to device tampering?
  • Is there a way to verify SSH is disabled/removed before shipping the product?
  • What are the costs imposed in verifying that SSH access is removed?
  • Are you legally/morally/ethically required to check/disable/uninstall SSH access?
  • Would such a feature be useful in the field to technicians?
  • If you choose to keep it enabled, how do you ensure reasonable authentication/authorization?

Most building fire equipment is legally regulated, as it's deemed in many countries to be a "necessity to preserve life". Tampering with such devices is against the law, and depending on the legal requirements, you could also be held liable for negligence. You may wish to view any state/provincial/regional laws and federal mandates regarding automated fire equipment.

Without a doubt, an intelligent enough attacker could exploit the SSH access to tamper with the equipment. Depending on what is accessible from the remote SSH session, this could be quite serious.

dark_st3alth
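
One way to approach the answer's question "Is there a way to verify SSH is disabled/removed before shipping the product?", as an added example that is not part of the original answer: a shell function that audits an unpacked firmware root filesystem for SSH remnants. It assumes a Linux-based device running OpenSSH or Dropbear at their common default paths; the function name `audit_ssh_rootfs` and the path lists are illustrative.

```sh
#!/bin/sh
# Added example: audit an unpacked firmware root filesystem for SSH remnants
# before shipping. Assumption: a Linux-based device running OpenSSH or Dropbear
# at their common default paths; extend the lists for your own image layout.

# audit_ssh_rootfs ROOT
# Prints one FINDING line per remnant; returns 0 if clean, 1 otherwise.
audit_ssh_rootfs() {
    root=${1%/}
    findings=0

    # check LABEL PATH...  Reports each path that exists (dangling symlinks too).
    check() {
        label=$1; shift
        for p in "$@"; do
            if [ -e "$p" ] || [ -L "$p" ]; then
                rel=${p#"$root"}
                printf 'FINDING: %s: %s\n' "$label" "$rel"
                findings=$((findings + 1))
            fi
        done
    }

    # Server binaries: a disabled service can be restarted if the binary remains.
    check "server binary" "$root"/usr/sbin/sshd "$root"/usr/sbin/dropbear \
        "$root"/usr/bin/dropbear

    # Host keys baked into the image would be identical on every shipped unit.
    check "host key" "$root"/etc/ssh/ssh_host_*_key \
        "$root"/etc/dropbear/dropbear_*_host_key

    # Boot-time enablement (systemd wants-links and SysV start links).
    check "enabled at boot" \
        "$root"/etc/systemd/system/*.wants/ssh.service \
        "$root"/etc/systemd/system/*.wants/sshd.service \
        "$root"/etc/systemd/system/*.wants/dropbear.service \
        "$root"/etc/rc*.d/S*ssh* "$root"/etc/rc*.d/S*dropbear*

    # Factory login keys: only non-empty authorized_keys files grant access.
    for p in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        if [ -s "$p" ]; then
            rel=${p#"$root"}
            printf 'FINDING: %s: %s\n' "factory authorized_keys" "$rel"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run as a release gate with `audit_ssh_rootfs /path/to/unpacked/rootfs`; a non-zero exit status means something SSH-related is still in the image.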