3

I've recently created a relatively simple smart Christmas tree which is a Raspberry PI Zero W powered LED strip.

In order to control it via IFTTT webhooks, I've started a lightweight flask server on the Raspberry Pi - on a specific port with several endpoints for different animations/patterns. Then, on the home router, I've configured port-forwarding to the flask server started on the Raspberry Pi.

Currently, the flask API is completely open, - though, one, in order to use it, would need to know the IP address and the port values.

The risks in terms of security in this particular case are, of course, minimal, but what are the general ways to improve the security of this home automation setup? Should I go for a full-fledged web server like Apache?

I was thinking to at least require a "secret" key in a cookie, which the IFTTT recipes and the flask server would only know. Since the resources of the device are limited, I guess, performance & security need to be carefully balanced.

alecxe
  • 1,515
  • 5
  • 19
  • 34
  • 1
    At least disable the Flask development server. In the past, there was no PIN login for the Werkzeug debugger and anyone could run arbitrary Python from the website. Even with the PIN, it should still be disabled. – multithr3at3d Dec 23 '17 at 20:05

1 Answers1

6

The problem is less the open access to a server with some unimportant task. The problem is more that this server is probably located in the same network as more important systems (unless your home router provides network separation, most don't). Thus if an attacker manages to hack into this unimportant server he gets access to your whole important network.

There are several ways to make this harder:

  • If your home router provides network separation put this server into a network separate from the rest of your system. There are many information online about this.
  • Limit access to the server by requiring some kind of authentication. This could be plain text authentication with username and password, some secret authentication token or client certificates if HTTPS is used. What you use here depends a lot on how do you need to access the server (web browser from any system, web browser from specific system, mobile app...). In case of IFTTT see here for the possibilities you have.
  • Make sure that nobody can sniff the traffic and thus capture any plain text authentication or modify the traffic by using HTTPS.
  • Even if the attacker gets authenticated access to the API make sure he cannot exploit it further by using good programming practices and hardening the setup as described in the following.
  • No direct invocation of shell commands with arbitrary user controlled parameters, i.e. limit the parameters to specific values in the server (don't trust the client) or sanitize parameters if arbitrary values should be possible.
  • Don't run the server as root but run it as a user with low privileges. If you need to have root permissions to control the hardware write a separate local service with a small and secured API and let it communicate with your externally reachable web service (see privilege separation).
  • Ideally add some additional sandboxing, i.e. use containers, chroot, seccomp etc to make it hard to break out of the server. For example containers can also be used to limit network access, so that the attacker cannot access the internal network even when successfully breaking into the web service.
  • Harden you OS by having only minimal software installed and by keeping this software and kernel up-to-date. Privilege escalation attacks are unfortunately still common in Linux so once the attacker has low-privilege access by breaking into the web service he might be able to get root. Keeping the system up-to-date makes this much harder.
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424