Open DavidBruant opened 9 years ago
What value can an attacker obtain from attacking pheromon? How?
Sensors' long/lat are public info, no value.
Might take control of a sensor to do something else (botnet, etc.). This can happen via the opentunnel command and providing some IP address. Might be solved via removing the argument (or allowing a whitelist only). Create another issue on this topic.
What value do we lose if pheromon is being attacked? How?
Data loss, via malicious sensor deletion (CASCADE DELETE).
Service unavailable (DoS) => citizen.ants.builders useless.
Take control of sensors (and we have to go to every recycling center to replace/reboot them).
People can create fake sensors (the token shared with sensors is currently in full text).
People cannot simulate fake sensor measurements (need the token).
https://github.com/anthill/pheromon/blob/master/api/api.js => web (html, css, js, etc.) routes.
https://github.com/anthill/pheromon/blob/master/api/routes.js => web/data routes. Lots of POST and DELETE to be carefully reviewed. Add a test for each route which should fail if a token is missing, to make sure we're not letting things slip through by mistake.
https://github.com/anthill/pheromon/blob/master/broker/makeMqttServer.js => MQTT events (are there others?). I'm too unfamiliar with MQTT to assess it. Who can access what? Who can send which message to whom?
The discussion of whether a sensor can access the server has come up several times. The answer seems to be no, but the fact that we're asking the question often means this needs to be carefully documented. Maybe with a picture (sequence diagram).
I tried to address some of this in https://github.com/anthill/pheromon/pull/61 about the api part. The mqtt part is ok from what I think. @DavidBruant could you have a look?
I'm not sure, but as we can see here, it looks like everyone could open a websocket to pheromon and send commands to every sensor, which would be a pretty big security issue.
What's the state of this issue today?
Blargh, putting in prod tomorrow. Let's take a quick look at various security features of the project.
First off, let's do some threat modeling in 2 categories:
Most important question: What is pheromon's mucus surface? How can people harm pheromon and/or Ants from abusing this surface?
Then... dunno, let's see what we'll find and figure things out.