ezhes
commented
5 years ago Have you tried moving the file and symlinking it? It should still work (probably ^^TM )
Open philross88 opened 5 years ago
ezhes
commented
5 years ago Have you tried moving the file and symlinking it? It should still work (probably ^^TM )
philross88
commented
5 years ago Sorry, not following you. How would moving a file or symlinking it would make it secure? From what I have seen, people are using the cameras outside for CCTV usecase with RTSP support. If someone steals the camera, they will get your credentials in clear text from wpa_supplicant.conf. Thee wifi credentials could be abused lated on. Either there should be a way to move the config file to internal storage or the sdcard must be encrypted to defend against such threats.
Encryption would be very difficult because every time the camera boots up the key has to be placed somewhere and since right now, the entire firmware loads from the SDcard, that's not practical.
ezhes
commented
5 years ago You yourself can move the wpa_supplicant.conf to internal storage (so an attacker would need to read the flash) using mv and then symlinking it. A dedicated attacker could still pull credentials regardless, however it's inconvient.
philross88
commented
5 years ago Can this be done via runtime script? or can you actually access the internal storage as well? Can you post the mount point for the internal storage where this can be mv'ed and symlinked to?
plembo
commented
5 years ago Putting a plain-text psk (pre-shared key) in wpa_supplicant.conf hasn't been best practice for a very long time, instead you're supposed to use wpa_passphrase to generate a one-way hash for the configuration. I can't test it because my late model v2 won't work with the openipc firmware, but maybe someone who has an earlier model can try it. See WPA-PSK and WPA2-PSK in the Debian Wiki for details.
ezhes
commented
5 years ago @plembo wpa_passpharse won't help in the attack model we're dealing with right now. The worry we have is that someone could just waltz up to the porch, pop out the SD card, and nab the credentials for the network in about 30 seconds. Having the hash from wpa_passpharse won't help really as it'll only stop them from seeing the raw password (which is useful if you don't want baddies on your system from getting it, but not helpful if you're trying to prevent other people from connecting to your network).
My understanding is that the wifi config stays on the sdcard of the camera. I know most of the folks here are interested to use this camera as outdoor (cheap) security camera, however, this is a serious problem. If some one steal the the camera, they can easily read the wifi config from the sdcard, gain access to your home wifi and play around with your home automation or other devices while staying in the parking lot.
The SDConfig should be moved to internal flash as soon as the firmware is installed. May be something like small jffs2 partition like original firmware to store and handle modifications in the htpasswd and wifi config.