Actions
Forum Thread Details
  • State Verified Answer
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 512 subscribers
  • Views 808 views
  • Users 0 members are here
Related

How to secure a linux device with physical access?

Former Member

Hi everyone,

I am working on an IoT product, that runs on a small Linux based ARM computer, which  will be running in the customers house/network. Just like most IoT products.

 

I have done everything that I can to secure it against attacks via the network and I am educating myself on what could be done, to protect againsta malicius people with physical access to the hardware.

 

I am mostly follow these tips:

https://wiki.archlinux.org/index.php/Security#Physical_security

 

 

Do you suggest anything else?

 

 

Thanks,

Franklin

  • 0

    Yes, you need secure boot to disallow other programs taking over.

    Clem

  • 0

    Generally it's very difficult to secure a device which the attacker has physical access. Even full disk encryption can't resist cold boot attack. Considering RAM on most ARM based computers are soldered on the board, it's very difficult but not impossible for an attacker to remove and examine the RAM without desolder it with heat.

    Besides PCIE ports mentioned in the wiki, debug ports like JTAG also give attacker chances to breach into your system, so disable them as well.

    There are some techniques which prevent attacker from tampering with your device, such as adding a backup battery and some switches which detect if someone is trying to open the case of your device, and then erase all sensitive data on your device. For example, there is a photodiode in some POS machines. And if someone opens it and inspected in under normal daylight, data like encryption keys will be erased before anyone could notice.

    And last, human weaknesses are most vulnerable to attacks. Do emphasise security in your product manual!

    -Ye

  • 0

    Sorry I am a little late to the party. Security, of any system, depends on a number of factors. The three most important factors are, how important is the data and/or how important is control of the hardware and finally the amount of risk you are willing to live with (aka Residual Risk).

     

    In one of the supplied answers, a cold-boot attempt was mentioned. This is a very sophisticated attack and requires significant skill, training and hardware. Which tends to mean, if someone wished to use it against an IoT device, then that device must have some dynamite data on it or it controls something very important (like a power grid or bank alarm system) or give you access to a high value target.

     

    Since you didn't describe what your project does, I won't be able to understand the full risks the project entails. Your defenses, both software and physical, should be commensurate with the risk the project represents in its environment. Thus, if the home owner is not a high value target, the project does not control the alarm system (say on a safe, or for a home with significant valuables like artwork) or the data disclosure risks aren't anything higher then possible financial fraud (say credit card or run of the mill banking disclosures), then you will not need to worry about cold-boot attacks (or chip manipulation, via something like a bus pirate; or even something more exotic like a Tempest attack using Radio Frequency or other exotic memory based side-channel attacks).

     

    I would ask, right off the bat, what is the probability of a physical attack? Who do you envision seeking to attack the hardware? If its nation state actors or corporate espionage... then you would have to worry about everything thus far mentioned. If its just say, a maid or hired worker tampering with the device then your risk is lower and accordingly a simple armored box with a battery backed up alarm trigger would suffice; preferably something hooked up to a home alarm system through an armored sheath, so that a remote monitoring service can alert the owner or police (and an annoying high decibel audible alarm might be a nice touch).

     

    When it comes right down to it, if a potential attacker is already in the home, you have a much bigger problem then securing the device.

     

    If you require more sophisticated physical defenses, in most cases, the important thing to remember is that the device must be able to detect the attack and have sufficient power long enough to wipe critical data from memory and secondary storage AND both the volatile and non-volatile storage cannot be removed without extreme measures (or physical damage).

     

    It sounds harder then it really is. I built a such a device a few years back out of a Beagle Bone Black with a charger and battery, 2 part steel case glued shut (screws and some seams glued) with a photo resistor to detect changes in light and a electret microphone to detect changes in sound level. The device would notify us if there was any dramatic change in light or sound levels and if the main power was disconnected after such a change it proceeded to wipe itself while on battery power. Technically, security was not the devices primary function, but there was a high theft risk and we didn't want someone walking off with a usable device or with one in which they could extract password hashes from. Call us paranoid...