Quick security audit #60

Open
DavidBruant opened this issue Oct 21, 2015 · 6 comments

@DavidBruant
Contributor

Blargh, putting in prod tomorrow. Let's take a quick look at various security features of the project.

First off, let's do some threat modeling in 2 categories:

  • What value can an attacker obtain from attacking pheromon? How?
  • What value do we lose if pheromon is being attacked? How?

Most important question:
What is pheromon's mucus surface? How can people harm pheromon and/or Ants from abusing this surface?

Then... dunno, let's see what we'll find and figure things out.

@DavidBruant
Contributor Author

What value can an attacker obtain from attacking pheromon? How?

Sensors long/lat are public infos, no value.
Might take control of a sensor to do something else (botnet, etc.). This can happen via the opentunnel command and providing some IP address. Might be solved via removing the argument (or allowing a whitelist only). Create another issue on this topic.

What value do we lose if pheromon is being attacked? How?

Data loss. Via malicious sensor deletion (CASCADE DELETE).
Service unavailable (DoS) => citizen.ants.builders useless.
Take control of sensors (and we have to go to every recycling center to replace/reboot them)
People can create fake sensors (Token with sensors is shared in full text currently)
People cannot simulate fake sensors measurements (need the token)

Mucus surface

  • HTTP API (web). Some parts with token, some others open "open data" style
  • Websocket for real time (web). For Admin, some commands (forward AT commands to sensor, create sensors) use web socket. Can this be used from any malicious web server?
  • MQTT (sensors)

@DavidBruant
Contributor Author

Mucus surface in the code

https://github.com/anthill/pheromon/blob/master/api/api.js
=> web (html, css, js, etc.) routes.

https://github.com/anthill/pheromon/blob/master/api/routes.js
=> web/data routes. Lots of POST and DELETE to be carefully reviewed.
Add a test for each route which should fail if a token is missing to make sure we're not letting things slip through by mistake.

https://github.com/anthill/pheromon/blob/master/broker/makeMqttServer.js
=> MQTT events (are there others?). I'm too unfamiliar with MQTT to assess it. Who can access what? Who can send which message to whom?

@DavidBruant
Contributor Author

The discussion of whether a sensor can access the server has come up several times. The answer seems to be no, but the fact we're asking the question often means this needs to be carefully documented. Maybe with a picture (sequence diagram).

@vallettea
Contributor

I tried to address some of this in #61 about the api part.
The mqtt part is ok from what I think.
@DavidBruant could you have a look?

@4rzael
Contributor

4rzael commented Nov 23, 2015

I'm not sure, but as we can see here, it looks like everyone could open a websocket to pheromon and send commands to every sensor, which would be a pretty big security issue.

@bleucitron
Contributor

What's the state of this issue today?
