Basic Security: Difference between revisions

From Phobos Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
This is a basic guideline for securing TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe.
This is a basic guideline for securing TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and has used Linux command line interface before.


== Account Management ==
== Account Management ==
Line 38: Line 38:
<br />
<br />
gws.exe can be used to change passwords by pressing “Change Password” at “SSH Settings” dialog.
gws.exe can be used to change passwords by pressing “Change Password” at “SSH Settings” dialog.
<br />
In order to change password for root first change the password for regual user. Then log in again and chage the root password with command passwd.
=== Adding  New Users and Removing Old Accounts ===
New user can be created with command adduser. For instance:
<pre>
root@Telem-GWM ~ $ adduser myco
Changing password for myco
New password:
Retype password:
Password for myco changed by root
root@Telem-GWM
</pre>
creates new user myco. If new user needs the ability to configure the device it needs to be in the group gws. This can be done with command adduser. For instance:
<pre>
root@Telem-GWM ~ $ adduser -G gws myco2
Changing password for myco2
New password:
Retype password:
Password for myco2 changed by root
root@Telem-GWM ~ $
</pre>
creates new user myco2 and adds it to group gws so that myco2 can change configuration.
Now user martem can be deleted with command deluser. For instance:
<pre>
root@Telem-GWM ~ $ deluser martem
root@Telem-GWM ~ $ rm -r /home/martem/
root@Telem-GWM ~ $
</pre>
deletes user martem and it's home directory.
=== Restoring Default Accounts ===
Default accounts with their passwords are kept in default setup which can be restore with DIP switch.
=== Plain Text Passwords and Keys in Configuration ===
Passwords for SIM card, http and https are kept in plain text in different configuration files.
<br />
<br />
SIM card unlock pin is kept in sim1_chat or in sim2_chat.
<br />
<br />
Passwords for web access is kept in gwSetup.bin. gwSetup.bin is a configuration file for telem-gw, which is main application that runs on Telem-GWM. Setup in XML format is available from web as well. If this is not desirable then this can be disabled from Webservers configuration by un checking the “Enable configuration(gw6config.xml)” selection.
<br />
<br />
SSL, OpenVPN and IPsec private and public keys are kept in plain text inside the TELEM-GWM filesystem.
<br />
=== Setup History ===
TELEM-GWM backups automatically old setups.  Old and current setup is kept in /usr/local/etc/telem.
<pre>
myco2@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 104
drwxrws--T    3 root    gws          1680 Dec 14 14:29 .
drwxr-xr-x    3 root    root          224 Dec 10 13:13 ..
-rw-rw----    1 root    gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root    gws          4095 Dec 14 14:29 config.xml
lrwxrwxrwx    1 root    gws            27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root    gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root    gws          1936 Dec 14 14:29 gwSetup.bin
-rw-rw----    1 root    gws            292 Nov  7 11:21 gwSetup.bin.0.old
-rw-rw----    1 root    gws          5594 Nov  7 11:14 gwSetup.bin.1.old
-rw-rw----    1 root    gws            292 Dec 14 13:23 gwSetup.bin.new
-rw-rw----    1 root    gws            878 Dec 14 14:29 hw-run.xml
-rw-rw----    1 root    gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root    gws          2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws          5480 Dec 14 14:28 setup.tar.xz
-rw-rw----    1 root    gws          5260 Dec 14 13:23 setup.tar.xz.0
-rw-rw----    1 1001    gws          7396 Dec 10 09:56 setup.tar.xz.1
-rw-rw----    1 1001    gws          6160 Dec  7 06:50 setup.tar.xz.2
-rw-rw----    1 1001    gws          6092 Dec  6 07:19 setup.tar.xz.3
-rw-rw----    1 1001    gws          5744 Dec  6 07:16 setup.tar.xz.4
-rw-rw----    1 root    gws            21 Dec 13 13:34 version
-rw-rw----    1 root    gws            54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root    gws            61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root    gws            62 Dec 13 13:34 version-buildroot
myco2@Telem-GWM ~ $
</pre>
Old setups can be deleted with command rm.
<pre>
root@Telem-GWM ~ $ rm /usr/local/etc/telem/setup.tar.xz.*
root@Telem-GWM ~ $ rm /usr/local/etc/telem/gwSetup.bin.*
root@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 48
drwxrws--T    3 root    gws          1088 Dec 14 15:09 .
drwxr-xr-x    3 root    root          224 Dec 10 13:13 ..
-rw-rw----    1 root    gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root    gws          4095 Dec 14 14:29 config.xml
lrwxrwxrwx    1 root    gws            27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root    gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root    gws          1936 Dec 14 14:29 gwSetup.bin
-rw-rw----    1 root    gws            878 Dec 14 15:08 hw-run.xml
-rw-rw----    1 root    gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root    gws          2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws          5480 Dec 14 14:28 setup.tar.xz
-rw-rw----    1 root    gws            21 Dec 13 13:34 version
-rw-rw----    1 root    gws            54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root    gws            61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root    gws            62 Dec 13 13:34 version-buildroot
root@Telem-GWM ~ $ sync
</pre>
After updating the configuration the /usr/local/etc/telem folder looks something like so:
<pre>
root@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 60
drwxrws--T    3 root    gws          1160 Dec 14 15:12 .
drwxr-xr-x    3 root    root          224 Dec 10 13:13 ..
-rw-rw----    1 root    gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root    gws          4111 Dec 14 15:12 config.xml
lrwxrwxrwx    1 root    gws            27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root    gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root    gws          1938 Dec 14 15:12 gwSetup.bin
-rw-rw----    1 root    gws            878 Dec 14 15:12 hw-run.xml
-rw-rw----    1 root    gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root    gws          2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws          5484 Dec 14 15:11 setup.tar.xz
-rw-rw----    1 myco2    gws          5480 Dec 14 14:28 setup.tar.xz.0
-rw-rw----    1 root    gws            21 Dec 13 13:34 version
-rw-rw----    1 root    gws            54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root    gws            61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root    gws            62 Dec 13 13:34 version-buildroot
root@Telem-GWM ~ $
</pre>
=== Secure the Setup and Logs ===
As setup contains sensitive information it is best to keep it in a safe place. Use special PC or a virtual machine for configuration purposes. Keep the setups in encrypted volume or drive. Don't send setups to third parties. Don't send your setup to Martem. If you must send it to Martem for trouble shooting or any other purposes PLEASE remove the VPN certificates and keys or replace them with empty ones.
<br />
<br />
All most the same applies to logs as well. Just send  relevant part from logs.
=== What If ===
Lets assume that regular group gws account got compromised.
<br />
How easy it would be to install rough firmware?
<br />
Firmware is packed with 7Zip. Lets create a empty file and send it as firmware. After upload it appears that it got rejected, here is the output from err.txt:
<pre>
martem@telem-gw6e ~ $ ls -la gwupd/
total 16
drwx--S---    2 martem  martem        616 Jun 12 10:28 .
drwxr-sr-x    4 martem  martem        360 Jun 12 10:30 ..
-rw-------    1 martem  martem          52 Jun 12 10:28 PACKED
-rw-------    1 martem  martem          0 Jun 12 10:28 Telem-GWM
-rw-------    1 martem  martem          59 Jun 12 10:28 VERSION
-rw-------    1 martem  martem          0 Jun 12 10:28 VMX53
-rw-r--r--    1 root    martem          34 Jun 12 10:28 err.txt
-rw-------    1 martem  martem          42 Jun 12 10:28 md5sums
-rw-------    1 martem  martem          0 Jun 12 10:28 upd.tar
martem@telem-gw6e ~ $ cat gwupd/err.txt
Checksum is BAD, aborting update!
martem@telem-gw6e ~ $
</pre>
"Checksum is BAD", so we need to calculate something. I'll leave it as an exercie to figure out what to calculate(HINT: unpack the actual firmware and go from there), but after we know, we get this:
<pre>
martem@telem-gw6e ~ $ ls -la gwupd/
total 16
drwx--S---    2 martem  martem        616 Jun 12 10:31 .
drwxr-sr-x    4 martem  martem        360 Jun 12 10:31 ..
-rw-------    1 martem  martem          52 Jun 12 10:31 PACKED
-rw-------    1 martem  martem          0 Jun 12 10:31 Telem-GWM
-rw-------    1 martem  martem          59 Jun 12 10:31 VERSION
-rw-------    1 martem  martem          0 Jun 12 10:31 VMX53
-rw-------    1 martem  martem          42 Jun 12 10:31 md5sums
-rw-r--r--    1 root    martem          60 Jun 12 10:31 res.txt
-rw-------    1 martem  martem          0 Jun 12 10:31 upd.tar
martem@telem-gw6e ~ $ cat gwupd/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
martem@telem-gw6e ~ $ cat gwupd/V
VERSION  VMX53
martem@telem-gw6e ~ $ cat gwupd/VERSION
Telem-GWM VMX53 2013.05.13-next-01-6d1c73d-bluelabel-dirty
martem@telem-gw6e ~ $ cat /VERSION
Telem-GW6e VMX53 2013.06.12-next-01-6bae75c-bluelabel-dirty
martem@telem-gw6e ~ $
</pre>
Success! Not yet as there is no done file. Another try:
<pre>
martem@telem-gw6e ~ $ ls -la
total 8
drwxr-sr-x    4 martem  martem        432 Jun 12 10:35 .
drwxrwxr-x    3 root    root          224 Jun 11 13:18 ..
-rw-------    1 martem  martem        156 Jun 12 10:36 .ash_history
drwxr-sr-x    2 martem  martem        160 Jun 11 13:18 .ssh
-rw-r--r--    1 root    martem        129 Jun 12 10:35 done
drwx--S---    2 martem  martem        704 Jun 12 10:35 gwupd_done
martem@telem-gw6e ~ $ cat done
bd139d18d87dbb65420219ae69b06eaccde2d0f89b143c022dba59ea7367552ebfbf53c6c281e4fc29f860def85e42bc0dce97e9e145361063482e30d3d2e305
martem@telem-gw6e ~ $ ls -la gwupd_done/
total 20
drwx--S---    2 martem  martem        704 Jun 12 10:35 .
drwxr-sr-x    4 martem  martem        432 Jun 12 10:35 ..
-rw-r--r--    1 martem  martem          0 Jun 12 10:34 2013.05.15-hacked-stable
-rw-r--r--    1 martem  martem          48 Jun 12 10:34 PACKED
-rw-r--r--    1 martem  martem          0 Jun 12 10:34 Telem-GWM
-rw-r--r--    1 martem  martem          41 Jun 12 10:34 VERSION
-rw-r--r--    1 martem  martem          0 Jun 12 10:34 VMX25
-rw-r--r--    1 root    martem          34 Jun 12 10:35 err.txt
-rw-r--r--    1 martem  martem          42 Jun 12 10:34 md5sums
-rw-r--r--    1 root    martem        908 Jun 12 10:35 res.txt
martem@telem-gw6e ~ $ cat gwupd_done/err.txt
Wed Jun 12 10:35:11 EEST 2013 - 1
martem@telem-gw6e ~ $ cat gwupd_done/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
Starting update script: /tmp/gwupd/upd.sh
Log continues in file: /home/martem/gwupd/res.txt
Wed Jun 12 10:35:11 EEST 2013 - Checking if update is applied.
Wed Jun 12 10:35:11 EEST 2013 - Starting update to Telem-GWM VMX25 2013.05.15-hacked-stable, Packed at Mon May 15 15:57:00 EEST 2013 on win7
Wed Jun 12 10:35:11 EEST 2013 - Starting UpdateSystem.sh
Wed Jun 12 10:35:11 EEST 2013 - Starting update from version 2
Wed Jun 12 10:35:11 EEST 2013 - Hardware        : Voipac Technologies VMX53 Board
Wed Jun 12 10:35:11 EEST 2013 - Product name mismatch ('Telem-GW6e' != 'Telem-GWM'), stopping update!
Wed Jun 12 10:35:11 EEST 2013 - Writing done 'bd139d18d87dbb65420219ae69b06eaccde2d0f89b143c022dba59ea7367552ebfbf53c6c281e4fc29f860def85e42bc0dce97e9e145361063482e30d3d2e305' to '/home/martem/done'
Wed Jun 12 10:35:11 EEST 2013 - Update script finished.
martem@telem-gw6e ~ $
</pre>
Better, but there is hardware versioning. Ok another try:
<pre>
martem@telem-gwm ~ $ ls -la
total 8
drwxr-sr-x    4 martem  martem        432 Jun 12 10:56 .
drwxrwxr-x    3 root    root          224 Jun 11 13:21 ..
-rw-------    1 martem  martem        1067 Jun 12 10:57 .ash_history
drwxr-sr-x    2 martem  martem        232 Jun 11 13:21 .ssh
-rw-r--r--    1 root    martem        129 Jun 12 10:55 done
drwx--S---    2 martem  martem        704 Jun 12 10:55 gwupd_done
martem@telem-gwm ~ $ cat done
91df6dd2d663428b3af2f2539e961783792623c29904b307b41a06fadfeb09ada3227090b82992ee687a72ae8c2694266bbb1aa1eded018478ea871d7761d536
martem@telem-gwm ~ $ ls -la gwupd_done/
total 20
drwx--S---    2 martem  martem        704 Jun 12 10:55 .
drwxr-sr-x    4 martem  martem        432 Jun 12 10:56 ..
-rw-r--r--    1 martem  martem          0 Jun 12 10:54 2013.05.15-hacked-stable
-rw-r--r--    1 martem  martem          48 Jun 12 10:54 PACKED
-rw-r--r--    1 martem  martem          0 Jun 12 10:54 Telem-GWM
-rw-r--r--    1 martem  martem          41 Jun 12 10:54 VERSION
-rw-r--r--    1 martem  martem          0 Jun 12 10:54 VMX25
-rw-r--r--    1 root    martem          34 Jun 12 10:55 err.txt
-rw-r--r--    1 martem  martem          42 Jun 12 10:54 md5sums
-rw-r--r--    1 root    martem        932 Jun 12 10:55 res.txt
martem@telem-gwm ~ $ cat gwupd_done/err.txt
Wed Jun 12 10:55:18 EEST 2013 - 1
martem@telem-gwm ~ $ cat gwupd_done/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
Starting update script: /tmp/gwupd/upd.sh
Log continues in file: /home/martem/gwupd/res.txt
Wed Jun 12 10:55:18 EEST 2013 - Checking if update is applied.
Wed Jun 12 10:55:18 EEST 2013 - Starting update to Telem-GWM VMX25 2013.05.15-hacked-stable, Packed at Mon May 15 15:57:00 EEST 2013 on win7
Wed Jun 12 10:55:18 EEST 2013 - Starting UpdateSystem.sh
Wed Jun 12 10:55:18 EEST 2013 - Starting update from version 2
Wed Jun 12 10:55:18 EEST 2013 - Hardware        : Voipac Technologies VMX53 Board
Wed Jun 12 10:55:18 EEST 2013 - CPU type mismatch ('Hardware    : Voipac Technologies VMX53 Board' != 'VMX25'), stopping update.
Wed Jun 12 10:55:18 EEST 2013 - Writing done '91df6dd2d663428b3af2f2539e961783792623c29904b307b41a06fadfeb09ada3227090b82992ee687a72ae8c2694266bbb1aa1eded018478ea871d7761d536' to '/home/martem/done'
Wed Jun 12 10:55:18 EEST 2013 - Update script finished.
martem@telem-gwm ~ $
</pre>
Success at last! No. There is board versions as well. And some minutes later:
<pre>
martem@telem-gwm ~ $ ls -la
total 8
drwxrwxrwx    4 root    root          520 Jun 12 11:14 .
drwxrwxrwx    4 root    root          288 May 15 15:56 ..
-rw-------    1 martem  martem        1300 Jun 12 11:16 .ash_history
drwxr-sr-x    2 martem  martem        232 Jun  4 13:26 .ssh
-rw-r--r--    1 root    root          129 Jun 12 11:14 done
drwx--S---    2 martem  martem        640 Jun 12 11:14 gwupd_done
-rwxrwxrwx    1 root    root            0 May 15 15:27 you-have-been-hacked.txt
martem@telem-gwm ~ $ cat you-have-been-hacked.txt
martem@telem-gwm ~ $ ls -la gwupd_done/
total 16
drwx--S---    2 martem  martem        640 Jun 12 11:14 .
drwxrwxrwx    4 root    root          520 Jun 12 11:14 ..
-rw-r--r--    1 martem  martem          0 Jun 12 11:13 2013.05.15-hacked-stable
-rw-r--r--    1 martem  martem          48 Jun 12 11:13 PACKED
-rw-r--r--    1 martem  martem          0 Jun 12 11:13 Telem-GWM
-rw-r--r--    1 martem  martem          41 Jun 12 11:13 VERSION
-rw-r--r--    1 martem  martem          0 Jun 12 11:13 VMX25
-rw-r--r--    1 martem  martem          42 Jun 12 11:13 md5sums
-rw-r--r--    1 root    martem        863 Jun 12 11:14 res.txt
martem@telem-gwm ~ $ cat gwupd_done/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
Starting update script: /tmp/gwupd/upd.sh
Log continues in file: /home/martem/gwupd/res.txt
Wed Jun 12 11:14:11 EEST 2013 - Checking if update is applied.
Wed Jun 12 11:14:11 EEST 2013 - Starting update to Telem-GWM VMX25 2013.05.15-hacked-stable, Packed at Mon May 15 15:57:00 EEST 2013 on win7
Wed Jun 12 11:14:11 EEST 2013 - Starting UpdateSystem.sh
Wed Jun 12 11:14:11 EEST 2013 - Starting update from version 2
Wed Jun 12 11:14:11 EEST 2013 - Hardware        : Voipac VMX25 module (Freescale i.MX25)
Wed Jun 12 11:14:11 EEST 2013 - Update filesystem
Wed Jun 12 11:14:12 EEST 2013 - Writing done '2a66559728f4e6dd443114a1760e1abe4f171ab52c28e4bfe69b14460117b085a87879cebf71a0b6d3d22017c7831205596b1924711e5984a2bb54155c195d32' to '/home/martem/done'
Wed Jun 12 11:14:12 EEST 2013 - Update script finished.
martem@telem-gwm ~ $ cat gwupd_done/VERSION
Telem-GWM VMX25 2013.05.15-hacked-stable
martem@telem-gwm ~ $ cat /VERSION
Telem-GWM VMX25 2013.06.05-next-06-b982885-bluelabel-dirty
martem@telem-gwm ~ $ cat /PACKED
Packed at Mon May 15 15:57:00 EEST 2013 on win7
martem@telem-gwm ~ $ cat gwupd_done/PACKED
Packed at Mon May 15 15:57:00 EEST 2013 on win7
martem@telem-gwm ~ $
</pre>
Yes! Success!

Latest revision as of 05:59, 13 August 2013

This is a basic guideline for securing TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and has used Linux command line interface before.

Account Management

As the configuration of the TELEM-GWM is done over SSH it is important to change the default accounts passwords. As a minimum change the passwords for users martem and root.

Changing the Default Account Credentials

TELEM-GWM chips with default accounts and known passwords. By default two accounts have passwords set. Only user martem can be used for changing the configuration of the device as root is not permit by SSH daemon configuration.
Here is the default /etc/shadow files content: 

root@Telem-GWM ~ $ cat /etc/shadow
root:$1$Urv3LxYa$hf.UwazXZLYQmhZ2KWfdk1:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
default:*:10933:0:99999:7:::
martem:$1$9Z9vTc0h$eWWGwJgXC6H2o65V1p0Tl1:14477:0:99999:7:::
root@Telem-GWM ~ $


From command prompt issue command passwd to change current users password. For instance: 

root@Telem-GWM ~ $ passwd
Changing password for root
New password: 
Retype password: 
Password for root changed by root
root@Telem-GWM ~ $

changes password for root. Similarly password for user martem can be changed.
gws.exe can be used to change passwords by pressing “Change Password” at “SSH Settings” dialog.
In order to change password for root first change the password for regual user. Then log in again and chage the root password with command passwd.

Adding New Users and Removing Old Accounts

New user can be created with command adduser. For instance: 

root@Telem-GWM ~ $ adduser myco
Changing password for myco
New password: 
Retype password: 
Password for myco changed by root
root@Telem-GWM

creates new user myco. If new user needs the ability to configure the device it needs to be in the group gws. This can be done with command adduser. For instance: 

root@Telem-GWM ~ $ adduser -G gws myco2
Changing password for myco2
New password: 
Retype password: 
Password for myco2 changed by root
root@Telem-GWM ~ $

creates new user myco2 and adds it to group gws so that myco2 can change configuration.

Now user martem can be deleted with command deluser. For instance: 

root@Telem-GWM ~ $ deluser martem
root@Telem-GWM ~ $ rm -r /home/martem/
root@Telem-GWM ~ $

deletes user martem and it's home directory.

Restoring Default Accounts

Default accounts with their passwords are kept in default setup which can be restore with DIP switch.

Plain Text Passwords and Keys in Configuration

Passwords for SIM card, http and https are kept in plain text in different configuration files.

SIM card unlock pin is kept in sim1_chat or in sim2_chat.

Passwords for web access is kept in gwSetup.bin. gwSetup.bin is a configuration file for telem-gw, which is main application that runs on Telem-GWM. Setup in XML format is available from web as well. If this is not desirable then this can be disabled from Webservers configuration by un checking the “Enable configuration(gw6config.xml)” selection.

SSL, OpenVPN and IPsec private and public keys are kept in plain text inside the TELEM-GWM filesystem.

Setup History

TELEM-GWM backups automatically old setups. Old and current setup is kept in /usr/local/etc/telem. 

myco2@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 104
drwxrws--T    3 root     gws           1680 Dec 14 14:29 .
drwxr-xr-x    3 root     root           224 Dec 10 13:13 ..
-rw-rw----    1 root     gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root     gws           4095 Dec 14 14:29 config.xml
lrwxrwxrwx    1 root     gws             27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root     gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root     gws           1936 Dec 14 14:29 gwSetup.bin
-rw-rw----    1 root     gws            292 Nov  7 11:21 gwSetup.bin.0.old
-rw-rw----    1 root     gws           5594 Nov  7 11:14 gwSetup.bin.1.old
-rw-rw----    1 root     gws            292 Dec 14 13:23 gwSetup.bin.new
-rw-rw----    1 root     gws            878 Dec 14 14:29 hw-run.xml
-rw-rw----    1 root     gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root     gws           2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws           5480 Dec 14 14:28 setup.tar.xz
-rw-rw----    1 root     gws           5260 Dec 14 13:23 setup.tar.xz.0
-rw-rw----    1 1001     gws           7396 Dec 10 09:56 setup.tar.xz.1
-rw-rw----    1 1001     gws           6160 Dec  7 06:50 setup.tar.xz.2
-rw-rw----    1 1001     gws           6092 Dec  6 07:19 setup.tar.xz.3
-rw-rw----    1 1001     gws           5744 Dec  6 07:16 setup.tar.xz.4
-rw-rw----    1 root     gws             21 Dec 13 13:34 version
-rw-rw----    1 root     gws             54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root     gws             61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root     gws             62 Dec 13 13:34 version-buildroot
myco2@Telem-GWM ~ $

Old setups can be deleted with command rm. 

root@Telem-GWM ~ $ rm /usr/local/etc/telem/setup.tar.xz.*
root@Telem-GWM ~ $ rm /usr/local/etc/telem/gwSetup.bin.*
root@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 48
drwxrws--T    3 root     gws           1088 Dec 14 15:09 .
drwxr-xr-x    3 root     root           224 Dec 10 13:13 ..
-rw-rw----    1 root     gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root     gws           4095 Dec 14 14:29 config.xml
lrwxrwxrwx    1 root     gws             27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root     gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root     gws           1936 Dec 14 14:29 gwSetup.bin
-rw-rw----    1 root     gws            878 Dec 14 15:08 hw-run.xml
-rw-rw----    1 root     gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root     gws           2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws           5480 Dec 14 14:28 setup.tar.xz
-rw-rw----    1 root     gws             21 Dec 13 13:34 version
-rw-rw----    1 root     gws             54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root     gws             61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root     gws             62 Dec 13 13:34 version-buildroot
root@Telem-GWM ~ $ sync

After updating the configuration the /usr/local/etc/telem folder looks something like so: 

root@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 60
drwxrws--T    3 root     gws           1160 Dec 14 15:12 .
drwxr-xr-x    3 root     root           224 Dec 10 13:13 ..
-rw-rw----    1 root     gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root     gws           4111 Dec 14 15:12 config.xml
lrwxrwxrwx    1 root     gws             27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root     gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root     gws           1938 Dec 14 15:12 gwSetup.bin
-rw-rw----    1 root     gws            878 Dec 14 15:12 hw-run.xml
-rw-rw----    1 root     gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root     gws           2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws           5484 Dec 14 15:11 setup.tar.xz
-rw-rw----    1 myco2    gws           5480 Dec 14 14:28 setup.tar.xz.0
-rw-rw----    1 root     gws             21 Dec 13 13:34 version
-rw-rw----    1 root     gws             54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root     gws             61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root     gws             62 Dec 13 13:34 version-buildroot
root@Telem-GWM ~ $

Secure the Setup and Logs

As setup contains sensitive information it is best to keep it in a safe place. Use special PC or a virtual machine for configuration purposes. Keep the setups in encrypted volume or drive. Don't send setups to third parties. Don't send your setup to Martem. If you must send it to Martem for trouble shooting or any other purposes PLEASE remove the VPN certificates and keys or replace them with empty ones.

All most the same applies to logs as well. Just send relevant part from logs.

What If

Lets assume that regular group gws account got compromised.
How easy it would be to install rough firmware?
Firmware is packed with 7Zip. Lets create a empty file and send it as firmware. After upload it appears that it got rejected, here is the output from err.txt: 

martem@telem-gw6e ~ $ ls -la gwupd/
total 16
drwx--S---    2 martem   martem         616 Jun 12 10:28 .
drwxr-sr-x    4 martem   martem         360 Jun 12 10:30 ..
-rw-------    1 martem   martem          52 Jun 12 10:28 PACKED
-rw-------    1 martem   martem           0 Jun 12 10:28 Telem-GWM
-rw-------    1 martem   martem          59 Jun 12 10:28 VERSION
-rw-------    1 martem   martem           0 Jun 12 10:28 VMX53
-rw-r--r--    1 root     martem          34 Jun 12 10:28 err.txt
-rw-------    1 martem   martem          42 Jun 12 10:28 md5sums
-rw-------    1 martem   martem           0 Jun 12 10:28 upd.tar
martem@telem-gw6e ~ $ cat gwupd/err.txt
Checksum is BAD, aborting update!
martem@telem-gw6e ~ $

"Checksum is BAD", so we need to calculate something. I'll leave it as an exercie to figure out what to calculate(HINT: unpack the actual firmware and go from there), but after we know, we get this: 

martem@telem-gw6e ~ $ ls -la gwupd/
total 16
drwx--S---    2 martem   martem         616 Jun 12 10:31 .
drwxr-sr-x    4 martem   martem         360 Jun 12 10:31 ..
-rw-------    1 martem   martem          52 Jun 12 10:31 PACKED
-rw-------    1 martem   martem           0 Jun 12 10:31 Telem-GWM
-rw-------    1 martem   martem          59 Jun 12 10:31 VERSION
-rw-------    1 martem   martem           0 Jun 12 10:31 VMX53
-rw-------    1 martem   martem          42 Jun 12 10:31 md5sums
-rw-r--r--    1 root     martem          60 Jun 12 10:31 res.txt
-rw-------    1 martem   martem           0 Jun 12 10:31 upd.tar
martem@telem-gw6e ~ $ cat gwupd/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
martem@telem-gw6e ~ $ cat gwupd/V
VERSION  VMX53
martem@telem-gw6e ~ $ cat gwupd/VERSION
Telem-GWM VMX53 2013.05.13-next-01-6d1c73d-bluelabel-dirty
martem@telem-gw6e ~ $ cat /VERSION
Telem-GW6e VMX53 2013.06.12-next-01-6bae75c-bluelabel-dirty
martem@telem-gw6e ~ $

Success! Not yet as there is no done file. Another try: 

martem@telem-gw6e ~ $ ls -la
total 8
drwxr-sr-x    4 martem   martem         432 Jun 12 10:35 .
drwxrwxr-x    3 root     root           224 Jun 11 13:18 ..
-rw-------    1 martem   martem         156 Jun 12 10:36 .ash_history
drwxr-sr-x    2 martem   martem         160 Jun 11 13:18 .ssh
-rw-r--r--    1 root     martem         129 Jun 12 10:35 done
drwx--S---    2 martem   martem         704 Jun 12 10:35 gwupd_done
martem@telem-gw6e ~ $ cat done
bd139d18d87dbb65420219ae69b06eaccde2d0f89b143c022dba59ea7367552ebfbf53c6c281e4fc29f860def85e42bc0dce97e9e145361063482e30d3d2e305
martem@telem-gw6e ~ $ ls -la gwupd_done/
total 20
drwx--S---    2 martem   martem         704 Jun 12 10:35 .
drwxr-sr-x    4 martem   martem         432 Jun 12 10:35 ..
-rw-r--r--    1 martem   martem           0 Jun 12 10:34 2013.05.15-hacked-stable
-rw-r--r--    1 martem   martem          48 Jun 12 10:34 PACKED
-rw-r--r--    1 martem   martem           0 Jun 12 10:34 Telem-GWM
-rw-r--r--    1 martem   martem          41 Jun 12 10:34 VERSION
-rw-r--r--    1 martem   martem           0 Jun 12 10:34 VMX25
-rw-r--r--    1 root     martem          34 Jun 12 10:35 err.txt
-rw-r--r--    1 martem   martem          42 Jun 12 10:34 md5sums
-rw-r--r--    1 root     martem         908 Jun 12 10:35 res.txt
martem@telem-gw6e ~ $ cat gwupd_done/err.txt
Wed Jun 12 10:35:11 EEST 2013 - 1
martem@telem-gw6e ~ $ cat gwupd_done/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
Starting update script: /tmp/gwupd/upd.sh
Log continues in file: /home/martem/gwupd/res.txt
Wed Jun 12 10:35:11 EEST 2013 - Checking if update is applied.
Wed Jun 12 10:35:11 EEST 2013 - Starting update to Telem-GWM VMX25 2013.05.15-hacked-stable, Packed at Mon May 15 15:57:00 EEST 2013 on win7
Wed Jun 12 10:35:11 EEST 2013 - Starting UpdateSystem.sh
Wed Jun 12 10:35:11 EEST 2013 - Starting update from version 2
Wed Jun 12 10:35:11 EEST 2013 - Hardware        : Voipac Technologies VMX53 Board
Wed Jun 12 10:35:11 EEST 2013 - Product name mismatch ('Telem-GW6e' != 'Telem-GWM'), stopping update!
Wed Jun 12 10:35:11 EEST 2013 - Writing done 'bd139d18d87dbb65420219ae69b06eaccde2d0f89b143c022dba59ea7367552ebfbf53c6c281e4fc29f860def85e42bc0dce97e9e145361063482e30d3d2e305' to '/home/martem/done'
Wed Jun 12 10:35:11 EEST 2013 - Update script finished.
martem@telem-gw6e ~ $

Better, but there is hardware versioning. Ok another try: 

martem@telem-gwm ~ $ ls -la
total 8
drwxr-sr-x    4 martem   martem         432 Jun 12 10:56 .
drwxrwxr-x    3 root     root           224 Jun 11 13:21 ..
-rw-------    1 martem   martem        1067 Jun 12 10:57 .ash_history
drwxr-sr-x    2 martem   martem         232 Jun 11 13:21 .ssh
-rw-r--r--    1 root     martem         129 Jun 12 10:55 done
drwx--S---    2 martem   martem         704 Jun 12 10:55 gwupd_done
martem@telem-gwm ~ $ cat done
91df6dd2d663428b3af2f2539e961783792623c29904b307b41a06fadfeb09ada3227090b82992ee687a72ae8c2694266bbb1aa1eded018478ea871d7761d536
martem@telem-gwm ~ $ ls -la gwupd_done/
total 20
drwx--S---    2 martem   martem         704 Jun 12 10:55 .
drwxr-sr-x    4 martem   martem         432 Jun 12 10:56 ..
-rw-r--r--    1 martem   martem           0 Jun 12 10:54 2013.05.15-hacked-stable
-rw-r--r--    1 martem   martem          48 Jun 12 10:54 PACKED
-rw-r--r--    1 martem   martem           0 Jun 12 10:54 Telem-GWM
-rw-r--r--    1 martem   martem          41 Jun 12 10:54 VERSION
-rw-r--r--    1 martem   martem           0 Jun 12 10:54 VMX25
-rw-r--r--    1 root     martem          34 Jun 12 10:55 err.txt
-rw-r--r--    1 martem   martem          42 Jun 12 10:54 md5sums
-rw-r--r--    1 root     martem         932 Jun 12 10:55 res.txt
martem@telem-gwm ~ $ cat gwupd_done/err.txt
Wed Jun 12 10:55:18 EEST 2013 - 1
martem@telem-gwm ~ $ cat gwupd_done/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
Starting update script: /tmp/gwupd/upd.sh
Log continues in file: /home/martem/gwupd/res.txt
Wed Jun 12 10:55:18 EEST 2013 - Checking if update is applied.
Wed Jun 12 10:55:18 EEST 2013 - Starting update to Telem-GWM VMX25 2013.05.15-hacked-stable, Packed at Mon May 15 15:57:00 EEST 2013 on win7
Wed Jun 12 10:55:18 EEST 2013 - Starting UpdateSystem.sh
Wed Jun 12 10:55:18 EEST 2013 - Starting update from version 2
Wed Jun 12 10:55:18 EEST 2013 - Hardware        : Voipac Technologies VMX53 Board
Wed Jun 12 10:55:18 EEST 2013 - CPU type mismatch ('Hardware    : Voipac Technologies VMX53 Board' != 'VMX25'), stopping update.
Wed Jun 12 10:55:18 EEST 2013 - Writing done '91df6dd2d663428b3af2f2539e961783792623c29904b307b41a06fadfeb09ada3227090b82992ee687a72ae8c2694266bbb1aa1eded018478ea871d7761d536' to '/home/martem/done'
Wed Jun 12 10:55:18 EEST 2013 - Update script finished.
martem@telem-gwm ~ $

Success at last! No. There is board versions as well. And some minutes later: 

martem@telem-gwm ~ $ ls -la
total 8
drwxrwxrwx    4 root     root           520 Jun 12 11:14 .
drwxrwxrwx    4 root     root           288 May 15 15:56 ..
-rw-------    1 martem   martem        1300 Jun 12 11:16 .ash_history
drwxr-sr-x    2 martem   martem         232 Jun  4 13:26 .ssh
-rw-r--r--    1 root     root           129 Jun 12 11:14 done
drwx--S---    2 martem   martem         640 Jun 12 11:14 gwupd_done
-rwxrwxrwx    1 root     root             0 May 15 15:27 you-have-been-hacked.txt
martem@telem-gwm ~ $ cat you-have-been-hacked.txt
martem@telem-gwm ~ $ ls -la gwupd_done/
total 16
drwx--S---    2 martem   martem         640 Jun 12 11:14 .
drwxrwxrwx    4 root     root           520 Jun 12 11:14 ..
-rw-r--r--    1 martem   martem           0 Jun 12 11:13 2013.05.15-hacked-stable
-rw-r--r--    1 martem   martem          48 Jun 12 11:13 PACKED
-rw-r--r--    1 martem   martem           0 Jun 12 11:13 Telem-GWM
-rw-r--r--    1 martem   martem          41 Jun 12 11:13 VERSION
-rw-r--r--    1 martem   martem           0 Jun 12 11:13 VMX25
-rw-r--r--    1 martem   martem          42 Jun 12 11:13 md5sums
-rw-r--r--    1 root     martem         863 Jun 12 11:14 res.txt
martem@telem-gwm ~ $ cat gwupd_done/res.txt
Checksum is OK
Entering temporary folder
Extracting tarball
Starting update script: /tmp/gwupd/upd.sh
Log continues in file: /home/martem/gwupd/res.txt
Wed Jun 12 11:14:11 EEST 2013 - Checking if update is applied.
Wed Jun 12 11:14:11 EEST 2013 - Starting update to Telem-GWM VMX25 2013.05.15-hacked-stable, Packed at Mon May 15 15:57:00 EEST 2013 on win7
Wed Jun 12 11:14:11 EEST 2013 - Starting UpdateSystem.sh
Wed Jun 12 11:14:11 EEST 2013 - Starting update from version 2
Wed Jun 12 11:14:11 EEST 2013 - Hardware        : Voipac VMX25 module (Freescale i.MX25)
Wed Jun 12 11:14:11 EEST 2013 - Update filesystem
Wed Jun 12 11:14:12 EEST 2013 - Writing done '2a66559728f4e6dd443114a1760e1abe4f171ab52c28e4bfe69b14460117b085a87879cebf71a0b6d3d22017c7831205596b1924711e5984a2bb54155c195d32' to '/home/martem/done'
Wed Jun 12 11:14:12 EEST 2013 - Update script finished.
martem@telem-gwm ~ $ cat gwupd_done/VERSION
Telem-GWM VMX25 2013.05.15-hacked-stable
martem@telem-gwm ~ $ cat /VERSION
Telem-GWM VMX25 2013.06.05-next-06-b982885-bluelabel-dirty
martem@telem-gwm ~ $ cat /PACKED
Packed at Mon May 15 15:57:00 EEST 2013 on win7
martem@telem-gwm ~ $ cat gwupd_done/PACKED
Packed at Mon May 15 15:57:00 EEST 2013 on win7
martem@telem-gwm ~ $

Yes! Success!

Retrieved from "https://phobos.martem.ee/w/index.php?title=Basic_Security&oldid=1441"