openatv / enigma2

openatv-gui
GNU General Public License v2.0

Insecure system defaults #1361

Closed drwetter closed 1 year ago

drwetter commented 5 years ago

Hi,

just got my new piece of hardware which I upgraded to openatv 6.3.

Just for fun (I do information security by day and often afterwards too) I scanned the machine on my network, and I was scared by the utterly relaxed configuration in the network:

[Screenshot: Screenshot_20190815_173103]

Moreover, an attacker can own (=take over) the machine from the local network. `ssh root@<IPADDRESS>` or `telnet` as `root` gives one complete access. Malware which is in the network (e.g. owned windows PC, IoT device) etc.

Forgive my full disclosure but I guess this is obvious for people involved into the project.

Not sure whether this is the right place to speak up?

Cheers, Dirk

arn354 commented 5 years ago

It is known - so it is no disclosure. In the past people using enigma2 and connecting the box to network knew how to harden the box as far as possible (1st flash a clean image, 2nd set a root password, 3rd disable stuff you personally don't need or configure it the way you like it, 4th enable vpn and/or restrict ports using iptables (if kernel of manufacturer provides the necessary support), ...)

I don't believe that setting a default root passwd on image creation would help a lot. What are your suggestions? Some security aspects (e.g. running enigma2 as root) are unfortunately not easily changeable. We already tried to improve it a bit - preventing access from external networks per default to openwebif etc. e.g.

drwetter commented 5 years ago

Thanks for your forward looking reply.

> I don't believe that setting a default root passwd on image creation would help a lot.

That was one complaint of mine and I believe it would help. I stopped looking further, but besides the per default open ports this is one of the most obvious things: setting a password.

I see openatv as a great piece of technology, looking at what it can do and how it operates (tip of my hat!). However the catch is that you have to take into account that people with zero system knowledge use the box. So starting with insecure defaults is not a good idea as they will never be changed.

> What are your suggestions?

That's a good question. I am pretty familiar with Linux but I am a rookie wrt the openatv system.

In any case I would start with a preset password and an initial installation using the(/an) installer to have the user provide a different password. Then ask whether ftp, telnet, ssh and friends are needed and thus need to be opened. Which insinuates, all service defaults should be rather closed than open.

In general I would recommend to do it as modern Linux distributions do it. I.e. provide a menu configured setup which can't be exited or if it can, it is secure by default.

From the usability standpoint it would be great to provide a means to reset the password, like booting from a ramdisk (rescue installation), so that even when a user makes a mistake providing a password, he doesn't brick his device -- maybe this is possible already.

> Some security aspects (e.g. running enigma2 as root) are unfortunately not easily changeable. We already tried to improve it a bit - preventing access from external networks per default to openwebif etc. e.g.

That's what I saw too (root), but from the security standpoint the risk seems lower to me. Which only means that in the priority I would see the other issue as more important.

I am sure there are even openatv systems exposed in the big bad internet. Also if not, there are probably enough trojaned windows machines in the same network which could possibly exploit openatv boxes with a finger snap.

Schimmelreiter commented 5 years ago

Actually this is the wrong place to discuss this ... most of the ports you observe to be open come from the core: https://github.com/oe-alliance/oe-alliance-core

OpenWebif comes from E2OpenPlugins.

The only port E2 itself opens is 8001 for streaming (plus 8002 on some boxes, also for streaming).

About your considerations: It's common sense that an E2 box should never be connected to the internet directly (i.e. to a cable or DSL modem) but only to a LAN. In so far, it should be compared to a Windows (or Linux) machine that is being set up for inside LAN use.

To cope with the carelessness of Joe Average, for the worst components (security-wise), the ports are less open than it might seem at a first glance:

Users are still able to configure E2 in a very insecure way and/or open insecure ports to the outside world, but they can as well do that in Debian, Redhat, Fedora or whatever.

Any attempt to make the defaults any less insecure was or would be boycotted by either less security interested teams (As happened in the past) or by the users.

OpenATV is the most secure E2 image you can get for your box and it's comparably easy to configure it even more securely. If we would harden it any more in the wrong places, people would just switch to less secure images, resulting in even more insecure E2 devices on the internet.

drwetter commented 5 years ago

Thanks for the answer, @Schimmelreiter . I really didn't know at first how to answer this, my jaw dropped while reading.

You should ask yourself maybe two things: would you like to have a smartphone or work on a computer which has such a default setup?

Secondly: Since when does "a user" always have common sense in terms of security?

For the mitigations: ACK. But I could reproduce it via telnet IPv4 only. IPv6 returns a TCP reset. (both different subnets, fixed & routed IPs). You didn't mention it, but vsftp and dropbear sshd have no protection for both IP protocols.
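A defender-side check for the two points raised in this thread, arn354's hardening steps (root password, unneeded services) and the observation that the telnet restriction covers IPv4 but not IPv6. This is example code added here, not part of openATV, enigma2 or oe-alliance-core; it parses constructed `/etc/shadow` and `netstat -tln` samples instead of reading the live box, and the port-to-service mapping is an assumption based on the ports named in the thread.

```python
"""Audit an enigma2 box's defaults: empty root password and exposed services.
Constructed samples replace /etc/shadow and netstat output. Added example, not openATV code."""
import re

# Services the thread names as reachable by default, keyed by TCP port (assumed mapping).
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "openwebif", 8001: "e2-stream"}
# Constructed /etc/shadow: root's password field is empty (login without password).
SAMPLE_SHADOW = "root::18000:0:99999:7:::\ndaemon:*:18000:0:99999:7:::\n"
# Constructed `netstat -tln`: telnet limited to loopback on IPv4 but on all interfaces for IPv6.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:23            0.0.0.0:*               LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

def empty_password_accounts(shadow_text):
    """Return account names whose shadow password field is empty."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found

def exposed_listeners(netstat_text):
    """Map each risky port bound to all interfaces to the address families it is exposed on."""
    exposed = {}
    for line in netstat_text.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", line)
        if not m or int(m.group(2)) not in RISKY_PORTS:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr == "0.0.0.0":
            exposed.setdefault(port, set()).add("ipv4")
        elif addr == "::":
            exposed.setdefault(port, set()).add("ipv6")
    return exposed

def audit(shadow_text, netstat_text):
    """Combine both checks into a list of findings (empty list means nothing flagged)."""
    findings = ["account '%s' has no password" % a
                for a in empty_password_accounts(shadow_text)]
    for port, fams in sorted(exposed_listeners(netstat_text).items()):
        findings.append("%s (tcp/%d) listens on all interfaces: %s"
                        % (RISKY_PORTS[port], port, ",".join(sorted(fams))))
    return findings
```

On a real box, feed `open("/etc/shadow").read()` and the output of `netstat -tln` into `audit()`; a loopback-only IPv4 binding next to a `:::23` listener is exactly the half-applied mitigation described above.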

Schimmelreiter commented 5 years ago

You are barking up the wrong tree.

E.g. https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/commit/92c1cb30eacc07b3aa848666f230e1c0e1886ce1

vs.

https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/commit/e26ccde4a5bf9b89446c10e1b83062598cec5740

vs.

https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/commit/f6c2accaaa1fc4d8d81738aa19d36b59e0d38901

Schimmelreiter commented 5 years ago

Also see https://www.opena.tv/octagon-sf8008-4k-uhd/42924-status-treiber-und-features-stand-2-4-2019-a-post406537.html#post406537 vs https://www.opena.tv/octagon-sf8008-4k-uhd/42924-status-treiber-und-features-stand-2-4-2019-a-post406538.html#post406538

Schimmelreiter commented 5 years ago

The difference between E2 boxes and smartphones:

Smartphone users are either regular end users, which will just leave the comparably safe defaults, or nerds, which might root their smartphone, but if they are able to root, they are usually also able to deal with the gained privileges.

E2 has a huge amount of users that can't handle IT technology for toffee but believe they are rocket and IT scientists at the same time and thus insist on being able to misconfigure it in every possible place (See link to forum post).

Yes, we could make OpenATV more secure. But if we did, people would just switch to less secure distros, so in the end the amount of zombies on the net wouldn't change at all. And if you want it to be more secure, you can do it yourself.

I gave up fighting against windmills: I listed all your points years ago on the OpenPLi forum and since then they haven't moved an inch. For the most insane security holes I made or initiated the necessary changes, mainly in OpenATV. I've also added the tools to fix or reduce the others, but had to leave it to the users to use them.

As long as different distros can not agree on a more decent security level, no distro can afford to be the one with the most security but no users.

BTW: A good starting point would be the app creators. They are the ones that dictate the level of insecurity by not implementing proper means of operation inside their apps. DreamDroid for example can only sync picons using FTP although it could easily be done using HTTPS or even ssh.

drwetter commented 5 years ago

My picture with smartphones or computers was more to compare the crazy insecure stuff which probably nobody would use if the doors were that wide open.

As I said I am a rookie wrt OpenATV/E2 and surrounding technologies as well as people and companies involved, so I can't tell how I would get them on board to move things into the right direction.

For the technical part one sooner or later has to break things if people rely on insecure standards. That includes also apps.

For the OpenATV/E2 ecosystem I am really surprised that the UI and everything else looks so great and has so much nice technical features on board but OTOH security sucks that much.

I don't hope but am afraid that "rocket and IT scientists" would learn rather sooner than later that the setup is not secure. Also the industry selling those systems won't be happy if their systems are hacked repeatedly. Mining is maybe the least severe thing which could happen, but https://en.wikipedia.org/wiki/Mirai_(malware) doesn't sound good, and also it's not a big deal for criminals who anyway have trojaned windows machines in the LAN to hack and abuse an openatv device in the same network. I can think of more but I rather stop here for obvious reasons.

> As long as different distros can not agree on a more decent security level, no distro can afford to be the one with the most security but no users.

As said I would use an installer which guides through the installation and starts with reasonable defaults. It should explain pitfalls from the view of a user but also security advantages. If people change settings, it's their problem and not one of the distribution.

> And if you want it to be more secure, you can do it yourself.

To me this is no problem. But I really doubt that Joe Average or a self-entitled "rocket and IT scientist" is able to do that.

You want me to close this?

atvcaptain commented 5 years ago

I like security too, but we need more guys to help make all better.

atvcaptain commented 5 years ago

We start reworking the first parts:

https://github.com/oe-alliance/oe-alliance-core/commit/0d4e89c871d1107581a565f5b5a38d1045c63b80

https://github.com/oe-alliance/oe-alliance-core/commit/c71bc69edb555bee085f24ffc4042378dec24120

https://github.com/oe-alliance/oe-alliance-core/commit/f736820929f5ceca2dfbbf86df2ecf7b4fca7a1f

https://github.com/oe-alliance/oe-alliance-core/commit/5b4f04ee035f3bb7e7aab59a24bb488d315274e9

https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/commit/bcbb8836c86f58805050cb7564c1af74c5e19cfb