About secure firmware update method

Autumn H28 (2016) Information Security Specialist Exam, Afternoon I, Question 1
discusses firmware updates.

Here, before going into the sub-questions, E's conclusion states
"Clarification of security specifications".

This isn't described any further in the question; what kind of specification should this be?

Test questions:
https://www.jitec.ipa.go.jp/1_04hanni_sukiru/mondai_kaitou_2016h28_2/2016h28a_sc_pm1_qs.pdf

Background

I would like to know about secure firmware update methods using SSH in practice.

I would appreciate a reply that considers the following points in particular.

- Should direct login as root be disallowed (should PermitRootLogin be set to no)?
→ Do you set a password and become root with su? Would the password be different for each unit?

- Whether or not to embed the host key in the device at factory shipment
→ If I embed a different key for each unit, isn't managing the key pairs too difficult?

- "Use TCP Wrappers to limit the source IP address to the IP address of the monitoring terminal": is this source IP address a fixed value?
→ Is it acceptable to judge the other party from the IP address only?

If there are other points to note, please let me know.
Thank you in advance.

  • Answer # 1


    What kind of specification should this be?

    Not everything is written in the question text and the model answers, and which security specifications to include depends on the system, so there is no silver bullet of the form "it should be this specification, and then you are OK".
    In the question in general, standard countermeasures against man-in-the-middle attacks and dictionary attacks are written.
    Based on these, I think it is necessary to design security considering the characteristics of each system to be built.

    Here are my thoughts on what was written in the background.


    Should direct login as root be disallowed?

    Root login should be prohibited, at least for remote access. Considering the use case, sudoers will probably not be necessary.
    To change the router settings, prepare only a user with the dedicated privileges.
    For service maintenance, it would be acceptable to connect to the console directly and log in with administrator privileges.


    Whether or not to embed the host key in the device when shipped from the factory

    Since the routers in the question are not sold separately, the system construction work will be done together with the sensors as a set, so it may be better to set the keys at the time of delivery to the customer rather than at factory shipment.


    Is this source IP address a fixed value?

    A fixed value would be desirable. It need not be limited to a single address.


    Is it acceptable to judge whether the other party is legitimate only by IP address?

    As far as IP addresses are concerned, connections can only be made from within the private LAN (the monitoring terminal also connects via VPN), and since it is IPsec, it is difficult to tamper with packets. You could allow anything that starts with 192.168.
    Also, to determine whether the other party is legitimate, authentication with a certificate is performed after this, so I don't think it is decided by the IP address alone.


    Other points to consider

    Even if the delivered firmware is authentic, the update process may be interrupted by an unexpected error. I think it would be better if there were a mechanism that can roll back to the current firmware even when the update to the new firmware fails.

    In addition, I think it would be better if the manuals and checklists were improved so that customers can operate the system securely.
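The sshd side of the points above (no remote root, no password logins exposed to dictionary attacks, maintenance user restricted to the monitoring terminal's address range) can be checked mechanically. The following is an added example, not code from the thread or the exam; the two config strings are constructed samples, and the `fwupdate` user name and `192.168.10.0/24` network are assumed. Note that OpenSSH removed TCP Wrappers support in 6.7, so the source restriction is expressed with `AllowUsers user@network` instead.

```python
# Added example (not from the thread): audit the global sshd_config settings the
# thread discusses. Both config strings below are constructed samples.
import ipaddress

WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
AllowUsers fwupdate@192.168.10.0/24
"""

def parse_sshd_config(text):
    """Global (pre-Match) settings as a lower-cased keyword -> value map."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # Match blocks are conditional; only global settings are audited
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def _is_network(pattern):
    try:  # IP address or CIDR only; hostname globs are not treated as a pin here
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False

def audit_sshd_config(text):
    """List of findings; an empty list means all three checks pass."""
    s = parse_sshd_config(text)
    findings = []
    # sshd default is prohibit-password; the thread wants remote root blocked outright.
    if s.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no': remote root login possible")
    # sshd default is yes: password logins expose the device to dictionary attacks.
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication enabled: dictionary attacks possible")
    # AllowUsers user@network is sshd's own replacement for the TCP Wrappers restriction.
    pinned = [u for u in s.get("allowusers", "").split()
              if "@" in u and _is_network(u.split("@", 1)[1])]
    if not pinned:
        findings.append("AllowUsers does not pin the maintenance user to a source network")
    return findings
```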

  • Answer # 2

    I recommend watching the following video to understand this.

    https://youtu.be/XFyuHxC1l6I