Arduino HTTP Security

Projects General Guidance
1

Assuming I make the HTTP server on my Arduino publically available, are there any suggestions for protecting it from unauthorized access? My only two three ideas thus far are:

  1. Check the IP of the connected client against a whitelist of allowed clients. This would be the most secure, but not very practical.

  2. Have a password form. Not very secure against MitM attacks or brute force password guessing attacks.

  3. Require a hash of the request page name, any parameters, the time, and a password with every request. This might be the best from a security perspective, but seems the most difficult to implement.

I'm looking forward to any other suggestions, comments on the above ideas, or info on any existing projects related to this.

2

What does the server needs to protect?

Does the server serve only read-only pages or can the client take over some control and set/start home appliances or some fishfeeding device ...?

In short, what is the pain if the server is taken over?

3

I'm building an alarm system (though it will not be publically accessable, so this does not apply to it) which got me thinking about this.

For this hypothetical setup, I would say "the pain" is enough that it needs some sort of protection, but not so much that someone would be willing to invest in anyhting more than an Arduino. :slight_smile:

4

OK, I would go for a challenge response system.

The Arduino provides a 10 digit code
You answer it with 10 digits according to a certain algorithm.

e.g. The formula could be

Place the (day+month) hour minutes backwards on place 012345
add the 10 digits, and place it in the answer at position 6 and 7.
add these 8 digits and subtract from 99 and place that number on pos 8 and 9

e.g 1234567890
sum = 45
response = 2412064575

the formula could also any kind of function that you can do from the head.
e.g. the first 2 digits indicate the length of the response string.

Another security system I saw once was that you needed to "scramble" the headline of some newssite e.g. cnn.com. That headline formed the challenge,
So the challenge generator was not part of the local system. Think of adding the last 2 digits of the S&P index.

5

There are properly secure ways to do this, although program size is an issue when starting to add in cryptographic libraries. You need to assess what the threat model is and then choose something that addresses this. Its quite likely that all you need is authentication (ie a MAC as someone has sort of described already), but you might want to add replay-prevention (so that if someone uses the same URL again the second time it is ignored).

6

If the project is something that is important, then don't skimp using $50 worth of hobby parts. Get a computer and run a secure server on it.

7

Yes, something like a $35 RasberryPi will handle serious encryption and https for you. It'll use about 3.5 watts.

8

Thanks for the replies. I agree that anyhtign that needs high security probably shouldn't run off an Arduino, but again,

for this hypothetical setup, I would say "the pain" is enough that it needs some sort of protection, but not so much that someone would be willing to invest in anyhting more than an Arduino.

9

In that case I'd go for a challenge/response type of authentication, with a private key embedded in the sketch.

10

So how do you make the challenge different each time you access the sketch immediately after the Arduino has been reset? Don't you need a source of randomness?

11

Time is a source of randomness.

If your attacker is able to control the Arduino reset and synchronize their request to microsecond accuracy, you're probably in trouble anyway.