While the factory default settings are great for initial development work in the lab, there are some steps that should be taken to harden a mangOH board before it escapes into the wild. After all, you don't want to see your device described in the trade media as 'about as secure as a chocolate padlock'.[1]
Set the root password
This is a no-brainer. Set the root password to be a strong password that is unique to each board. Some tips[2] for a secure password are:
- Make the password length reasonably long (8-12 characters)
- Use a mix of uppercase and lowercase letters, numbers and symbols
- Don't use personal/company information or common words
- Try not to use information that could 'leak' from the device (such as MAC or IP addresses) as the whole password
- Keep your passwords secure
- Have a password backup strategy in place
See How to change the root password for instructions on how to do this.
Passwords (and filenames for that matter) on the mangOH are CaSe SeNsItIvE, so differently-cased spellings of FRED are all different passwords.
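As an added example (not part of the mangOH wiki), the following POSIX shell script turns the tips above into a check you can run on a candidate root password before typing it into passwd. The MAC and IP values passed in are constructed, and the short list of common words is an assumption you should extend for your own deployment; on a real board you would collect the leakable identifiers from /sys/class/net/*/address and 'ip addr'.

```shell
#!/bin/sh
# Added example (not from the mangOH wiki): sanity-check a candidate root
# password against the tips above before running 'passwd'. Values that could
# leak from the device (MAC/IP addresses) are passed in explicitly; on a board
# you would gather them from /sys/class/net/*/address and 'ip addr'.

# Lower-case a string and strip MAC/IP separators so "00:1A:2B..." and
# "001a2b..." compare equal.
normalise() {
    printf '%s' "$1" | tr -d ':.-' | tr 'A-Z' 'a-z'
}

# $1 = candidate password
# $2 = space-separated device identifiers a visitor could learn (MAC, IP)
# Prints one line per rule that fails; returns 0 only if every rule passes.
check_root_password() {
    pw="$1"; leaks="$2"; failed=0

    # rule: reasonably long
    if [ "${#pw}" -lt 8 ]; then
        echo "too short: ${#pw} characters (want at least 8)"; failed=1
    fi

    # rule: mix of upper, lower, digits and symbols
    classes=0
    case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 4 ]; then
        echo "only $classes of 4 character classes (upper/lower/digit/symbol)"; failed=1
    fi

    # rule: not a value that leaks from the device (MAC or IP address)
    for v in $leaks; do
        if [ "$(normalise "$pw")" = "$(normalise "$v")" ]; then
            echo "password is a device identifier: $v"; failed=1
        fi
    done

    # rule: no common words (constructed short list; extend for your deployment)
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for word in password mangoh root admin default; do
        case "$lower" in *"$word"*) echo "contains common word: $word"; failed=1 ;; esac
    done

    return "$failed"
}

# Demonstration with constructed values (not a real board's MAC or IP)
check_root_password 'Tr0ub4dor&3' '00:1a:2b:3c:4d:5e 192.168.1.10' && echo "candidate 1 OK"
check_root_password '001A2B3C4D5E' '00:1a:2b:3c:4d:5e' || echo "candidate 2 rejected"
```

The identifier comparison normalises separators and case, so a password that is "just the MAC address with the colons removed" is still caught; the check is deliberately a whole-value match, as the tip above only warns against using such values as the whole password.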
Consider using ssh keys and keystore instead of passwords
If you have more than a few mangOH boards in your fleet, consider using an ssh key stored in a keystore that is protected by a strong passphrase.
Disable login on serial console
By default, the serial console is enabled on the mangOH board. This means that anyone who has physical access to the device can use a laptop and a serial cable to connect to your mangOH board. By disabling the console login on the serial port, you reduce the attack surface for those who have physical access to the board.
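As an added example (not from the mangOH wiki), this script shows one way to turn off the serial login prompt on a BusyBox-style system: comment out the getty entry in /etc/inittab. The tty name ttyHSL0 and the sample inittab contents are assumptions, so compare them with the real /etc/inittab on your board before using it.

```shell
#!/bin/sh
# Added example (not from the mangOH wiki): comment out the getty line for
# the serial console in a BusyBox-style /etc/inittab so that a serial cable
# no longer gives a login prompt. The tty name (ttyHSL0) and inittab layout
# below are assumptions: check the real /etc/inittab on your board first.

# $1 = path to inittab, $2 = console tty name (e.g. ttyHSL0)
disable_serial_login() {
    inittab="$1"; tty="$2"
    [ -f "$inittab" ] || { echo "no such file: $inittab" >&2; return 1; }
    # keep a backup on the board so the change can be reverted locally
    cp "$inittab" "$inittab.bak"
    # prefix every uncommented line that spawns a getty on $tty with '#'
    sed -i "/^[^#].*getty.*$tty/s/^/#/" "$inittab"
}

# number of getty entries still active in an inittab (0 = no console login)
count_active_gettys() {
    grep -c '^[^#].*getty' "$1" || true
}

# Demonstration on a constructed inittab in a temp file (not the board's real one)
demo_inittab=$(mktemp)
cat > "$demo_inittab" <<'EOF'
::sysinit:/etc/init.d/rcS
ttyHSL0::respawn:/sbin/getty -L ttyHSL0 115200 vt100
::ctrlaltdel:/sbin/reboot
::shutdown:/bin/umount -a -r
EOF
echo "before: $(count_active_gettys "$demo_inittab") active getty line(s)"
disable_serial_login "$demo_inittab" ttyHSL0
echo "after:  $(count_active_gettys "$demo_inittab") active getty line(s)"
cat "$demo_inittab"
```

BusyBox init re-reads inittab when sent SIGHUP (kill -HUP 1), otherwise the change takes effect at the next reboot. Note that this only removes the login prompt; kernel messages may still be printed on the serial port, so do not log anything sensitive to the console.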
Manage data radio connection
When designing the applications to run on the mangOH/WP8548, take some time to think about how often the application needs to have the data radio turned on.
The less the data radio is turned on, the less time there is for an outside 'bot' to attempt to connect to your device. Of course, as you're building an IoT device, you may need always-on connectivity so limiting the data radio connection may not be appropriate.
And don't think that just because your Telco provides your SIM with a 'non-routable' IP address hidden behind a NAT[3] gateway means that your device is hidden from other devices or the internet. Just consider how many other devices are on the same subnet behind the same NAT gateway ... and any one of them could have been compromised and be searching for more targets.
Consider what listening servers are required
Another design-time consideration is to limit the number or type of listening servers that are required on your mangOH.
Do you really need a telnetd server listening on TCP port 23? Could you use ssh or some other protocol to remote log-in? Do you really need a remote log-in facility at all? If you require a file transfer service, look at using sftp rather than the traditional (and insecure)
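As an added example (not from the mangOH wiki), here is a small audit script for the listening-server review above. It reads 'netstat -ltn' output (BusyBox ships netstat), flags every TCP listener that is not on an allow-list you supply, and names the replacement suggested above for telnetd and ftpd. The sample netstat output is constructed, not captured from a board.

```shell
#!/bin/sh
# Added example (not from the mangOH wiki): list TCP listeners reported by
# 'netstat -ltn' (present in BusyBox) that are not on an allow-list, and call
# out the classic clear-text ones (telnet on 23, ftp on 21) with the
# replacement suggested above. The sample output is constructed, not captured
# from a board.

# $1 = space-separated allow-list of "addr:port" entries (e.g. "0.0.0.0:22")
# stdin = output of 'netstat -ltn'
# Prints one "UNEXPECTED addr:port" line per listener not on the allow-list.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $6 == "LISTEN" && !($4 in ok) {
            port = $4; sub(/.*:/, "", port)
            note = ""
            if (port == "23") note = " (telnetd: use ssh instead)"
            if (port == "21") note = " (ftpd: use sftp instead)"
            print "UNEXPECTED " $4 note
        }'
}

# number of unexpected listeners (handy as a pass/fail check in a build script)
count_unexpected() {
    audit_listeners "$1" | awk 'END { print NR }'
}

# Constructed sample (what a board with telnetd, ftpd, sshd and a local-only
# service might show). On the board run:  netstat -ltn | audit_listeners "0.0.0.0:22"
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "0.0.0.0:22"
```

A service bound only to 127.0.0.1 is reachable just from the board itself and is far less of a concern than one bound to 0.0.0.0; add it to the allow-list once you have confirmed it is expected. Running this against a freshly built firmware image before each release catches a debug daemon that was left enabled.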
Look at using iptables (the Linux firewall)
And possibly the ultimate protection for an IoT device is to configure a firewall on the mangOH/WP8548. By design, the Linux distribution that the mangOH uses has iptables (the Linux firewall) built in by default.
iptables is a very flexible firewall tool that allows fine-grained control of both inbound and outbound connections.
Out of the box, iptables is running but is configured to 'allow all' connections, as 'iptables -L' shows:

~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
~#
iptables configuration can be complex, but there is a wealth of material available on the internet about how to do it. And as iptables is the standard Linux firewall tool, you can also experiment on a desktop Linux installation and then copy the firewall rules to your mangOH board.
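As an added example (not from the mangOH wiki, and not a ruleset shipped with the board), this script replaces the factory 'allow all' policy above with a default-deny inbound ruleset: loopback and already-established traffic are allowed, new ssh sessions are accepted only from a management network, and everything else is logged (rate limited) and dropped. It assumes the 'state' match and the LOG target are available in the board's kernel and that ssh listens on port 22; the management network 10.0.0.0/8 is a constructed value.

```shell
#!/bin/sh
# Added example (not from the mangOH wiki): a default-deny inbound ruleset
# for iptables on the board, replacing the factory 'allow all' policy.
# Assumptions: the 'state' match and LOG target are built into the kernel
# and ssh listens on port 22. render_rules prints the rules without applying
# them; apply_firewall runs them for real (needs root on the board).

IPTABLES="${IPTABLES:-iptables}"

# $1 = network (CIDR) allowed to open ssh sessions to the board
apply_firewall() {
    mgmt_net="$1"
    # start from a clean INPUT chain (policy is still ACCEPT at this point)
    $IPTABLES -F INPUT
    # loopback traffic is always fine
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # replies to connections the board itself opened (e.g. to its cloud service)
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new ssh sessions, but only from the management network
    $IPTABLES -A INPUT -p tcp --dport 22 -s "$mgmt_net" -m state --state NEW -j ACCEPT
    # log what is about to be dropped, rate limited so the log cannot be flooded
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    # set the default policies last, after the ESTABLISHED rule is in place,
    # so an ssh session used to run this script is not cut off
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}

# stand-in for the iptables binary that prints each rule instead of applying it
print_rule() {
    printf '%s\n' "$*"
}

# Print the rules apply_firewall would run, one per line, without touching
# the kernel (for review on a desktop before copying to the board).
render_rules() {
    ( IPTABLES=print_rule; apply_firewall "$@" )
}

# Preview with a constructed management network (change to your own)
render_rules 10.0.0.0/8
```

Rules loaded this way are lost at reboot, so once they are right, save them with iptables-save and restore them from a startup script with iptables-restore. The LOG line is what makes the firewall useful for detection as well as prevention: dropped connection attempts show up in the kernel log with the iptables-drop prefix, which is where you look to see whether anything on the Telco's subnet is probing the board.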
[1] The Register article 'Leaks password, check. Leaks Wi-Fi password, check. Can be spoofed, check. Ding! We have an Internet of S**t winner'.
[2] See 'Creating a strong password' and 'Tips for Strong, Secure Passwords' for further recommendations about passwords.
[3] Network Address Translation: how to share 1 'real' IP address between many devices.