Go Down

Topic: Authorised access for home network devices (Read 476 times) previous topic - next topic

boylesg

Jan 08, 2018, 05:34 pm Last Edit: Jan 08, 2018, 05:44 pm by boylesg
What sort of options are available for securing access to a home network device if you allow external access via port forwarding.

A password is one obvious option but how exactly would you implement that?

A password field on every web page the device uploads to clients might be a bit of a nuisance.

Passwords are fine for web interfaces that have php and 'sessions' behind them, but these are not available with an arduino.

Are there any other methods that folks use to accomplish this?

PaulS

Quote
Passwords are fine for web interfaces that have php and 'sessions' behind them, but these are not available with an arduino.
Do you know how PHP manages sessions? Effectively, the "authorized" token is passed as part of every request. The server decides which clients are authorized (typically based on the user having an ID and knowing the proper password), and gives the client an "authorized" token, which the client than passes as part of every GET request.

There is no reason that the Arduino can't generate an "authorized" token, and can't check for an "authorized" token as part of each GET request.
The art of getting good answers lies in asking good questions.

boylesg

Do you know how PHP manages sessions? Effectively, the "authorized" token is passed as part of every request. The server decides which clients are authorized (typically based on the user having an ID and knowing the proper password), and gives the client an "authorized" token, which the client than passes as part of every GET request.

There is no reason that the Arduino can't generate an "authorized" token, and can't check for an "authorized" token as part of each GET request.
I am trying to picture how this would work on an arduino.

So the first page the arduino would serve up, regardless of the exact contents of the GET request, would be the password page - no need for a user id since 'customisation of an irrigation controller to individual users is not relevant.

My sketch then checks the validity of the password and sends off the default web page with an authorised token embedded in a hidden field.

But then what? How would I know when the authorised user is done with the irrigation controller and 5 minutes later a hacker has just decided to have a crack at the network.

boylesg

I suppose I could have an explicit 'logout' button.

But that requires the user to never be lazy or forgetful.

So that is probably an unreliable way to terminate a session.

Could start an arduino session timer but then the tension is making the session long enough without providing a window of opportunity for hackers and making the session too short and a pain in the arse for users.

boylesg

Unless I just stick a password field at the top of each page and let the user's web browser keep it filled via autofill after they enter the password the first time.

That would be simple at the arduino end.

Perhaps only show and use that field when the requests come from an IP address that is not on the local network?

PaulS

Quote
I suppose I could have an explicit 'logout' button.

But that requires the user to never be lazy or forgetful.
How important is it that only authorized user(s) can access the system? If the answer is anything more than "Well, it's a nuisance if my neighbors water my tomatoes too often", then require that the users not be lazy or forgetful.

Quote
Could start an arduino session timer but then the tension is making the session long enough without providing a window of opportunity for hackers and making the session too short and a pain in the arse for users.
How long does it take to log in, make the needed changes, and log out? The only page(s) that should be password protected are those that allow the client to make changes on the server. Who cares if a neighbor accesses your server to see how long, or when, you water your pot plants?
The art of getting good answers lies in asking good questions.

boylesg

Paul I agree with you that an irrigation controller is a small target for hackers.

But still, as unlikely as it might be, a malicious hacker could cause quite a bit of inconvenience  by causing the stations to turn on for 1/2 hour every day for example.

Surely it would be bad practice to sell such a product without some minimal security?

mauried

Are you trying to make some kind of commercial product here?
If so you will have to overcome the need to port forward your router in order to make the device work.
Most people have no idea how to port forward.

Go Up