Questions tagged [embedded-system]

83 questions
28
votes
4 answers

A tiny version of wget (51 bytes?)

On this ISC article on DVR compromise the author talks about the compromise of an embedded system. In particular, the attacker executes a series of echo commands on the remote host, and: This DVR has no "upload" feature. There is no wget nor is…
lorenzog
22
votes
6 answers

When connecting an Arduino Uno to the internet (ethernet) what are some attacks it's susceptible to and how can I secure against them?

I am connecting an Arduino Uno to the internet via ethernet (using the ethernet shield v2) and querying NTP time. Making requests to a NTP server is the only internet related thing it does. You can use the ethernet shield as an SD card to host data,…
JohnnyAppleseed
11
votes
1 answer

How do I deal with a compromised network device?

I suspect that a network device (modem, router, switch, access point, etc.) is compromised. What should I do?
André Borie
11
votes
3 answers

How Should WiFi Passwords be securely stored on IOT (embedded) devices?

Some devices need to store and (re)use a password (not the hash) like your mobile phone using home wifi, SmartTV, etc; How should they store the password on their flash storage? So that a person who has physical access to the chip can not retrieve…
MandoMando
10
votes
2 answers

AES encryption on embedded device: Can this be secure?

I plan to create an encryption program for an embedded device with the following characteristics: CPU is Intel 80186 compatible @ ~20 MHz; 128 KB RAM, of which I have ~20 KB at my disposal for purposes of encryption; application binary size limited…
Moritz Beutel
10
votes
3 answers

Best practices to implement HTTPS in embedded devices

Embedded devices, such as routers, IP cameras, generally provide HTTPS access to the admin interface. These HTTPS implementations generally have a lot of problems (non-unique certificates, self-signed certificates, etc.), which make connections…
ebux
9
votes
1 answer

TLS private key storage for embedded systems. Are there any best practices?

I am looking for best practices regarding TLS private key storage for small single chip embedded systems, such as Cortex-M MCUs, with monolithic firmware stored in internal flash. Most recommendations seem to be very PC-centric, and in most cases…
Timmy Brolin
7
votes
3 answers

Hashing a large file on an embedded system

I'm trying to come up with a way to verify the authenticity of a file that I'm downloading from a server to an embedded system. I'm thinking of using a hash (SHA256 preferably). My main concern is that the file size might be too large to load it…
rorschach
7
votes
1 answer

Security essentials for an embedded Linux device

We are prototyping a security camera product using Raspberry Pi 3 as the hardware platform. The camera has capability to connect to the cloud over internet as well as offline processing when the internet is disrupted. Currently for security we have…
sob
6
votes
1 answer

How can I properly secure the WiFi setup process of an IoT device?

My company develops a WiFi-connected IoT product. I want to make sure that the process of getting the user's WiFi credentials into the device is as safe as possible. At the moment, the product is in a prototype stage, so we can (and will) make…
Oromis
6
votes
1 answer

Does CAN bus communication need encryption?

I'm currently researching into CAN security for in-vehicle communication. I would like to know if anyone knows a reason why the CAN payloads of an ECU communication (between CAN nodes) should be encrypted when integrity, authenticity and protection…
enigma
5
votes
0 answers

Is there a good way to store OAuth2 tokens for a native application?

Currently I have a native PC application that builds and uploads a configuration to an embedded Linux device (i.e. the client). This device connects to Google Calendar via their OAuth2 API. The configuration requires: A resource owner to login to…
Mogarrr
5
votes
1 answer

Minimum set of TLS features for an embedded device

I am reviewing the security of an embedded system, specifically how it uses the TLS or DTLS protocol to communicate securely. The system implements as few features of the protocol as it can get away with. It doesn't deviate from the protocol as…
Gilles 'SO- stop being evil'
5
votes
1 answer

Example Seed and Key Algorithm

I am attempting to design a seed and key algorithm for an Engine Control Unit. This is used to secure resources such as the ability to reprogram the ECU. The idea is that I request a seed from the ECU, which it gives as a string of bytes. Both…
Bondolin
5
votes
2 answers

How to speed up slow TLS handshake on ESP8266 running mbed TLS?

I'm developing a system consisting of a mobile application and an embedded device that talk to each other. I'm using mbed TLS (formerly known as Polar SSL). The problem is that the embedded device performs the TLS handshake in about 7 seconds, which…
podema