Question re: security and physical access



  • A few months ago, I had to send my box to Netgate as it would not boot. The board was replaced and the BIOS reflashed by them, and a functional unit was sent back to me. I was able to restore a backup config and I was off to the races. As I thought about this later, I wondered whether anyone at Netgate (or really anyone with unsupervised physical access to the device) could have copied important files from the device while it was in their possession (e.g. private keys/certs, passwords, etc.), and if so, whether they could then use this information to connect to my device remotely and get into my network. Please note that I am not accusing anyone at Netgate of having done this! This question is posed on a theoretical basis about what someone is able to do when they have physical access to the device (and console access). I should point out that the admin password was not the default password and would not be readily guessable (it is a long random string).

    Any insights into this would be appreciated.


  • Rebel Alliance Global Moderator

    Physical access security is out the window.

    They could also have installed a backdoor while they had the device, no matter what you set up in the config ;)

    The password is stored as a bcrypt hash.. But you're talking about the makers of the software and hardware; have to assume this is something they prob could work reverse..

    Do you make it a habit of leaving your web GUI and/or other remote access into your firewall open, where they could log in if they knew the username and password?

    Since they have the config, they would have the certs for your VPN.. So if your tinfoil hat is really that tight, you change your CA and VPN certs for your users.

    Keep in mind - going down this road you might as well just believe that they are working with the NSA and have backdoors installed on all their appliances when first shipped to you.

    If physical security has been compromised then you have to make the assumption that sure everything that was stored on that device could be compromised..

    In this discussion your scenario has someone working in their "repair" dept that would be doing this - but this person has no access to new devices being shipped? ;)



  • Reading your reply makes me think that I am not being paranoid enough!!!!

    I had taken some precautions to protect the device, such as not having the web GUI accessible over the WAN or even on my VLANs (except for the admin VLAN). There is no remote access other than via OpenVPN, using both certificates and passwords. But as you pointed out, the VPN certs/passwords are also stored in the config, so this would allow remote access to the hypothetical attacker by connecting via VPN (although they would still have to crack the admin password to gain access to the web GUI). But changing the CA and certs probably makes sense in this scenario (since I have VPN access only for admin access, I am the only user of the VPN connection, so it is not that difficult for me to change that). Would deleting the old certs/users from the web GUI (after I create new ones) be sufficient to stop them from connecting? Or are there other steps I need to take?

    I have never checked, but is it possible to copy the config via the console without entering the admin password?


  • Rebel Alliance Global Moderator

    Doesn't matter console access or not - they had physical access to the device and for that matter are the "makers" of the device in question.. Do you not think it possible to pull the info off storage even if you had put superglue into the console port ;)

    Loss of physical security means in "theory" all data stored "could" be compromised... This is really a basic tenet of security 101.

    The only protection against loss of physical access is at-rest encryption. The XML is not encrypted, there is no FDE setup - you do not see this sort of encryption on firewalls/routers - because for starters it means that it's not possible to boot the device without human interaction to put in the password to the FDE, etc.

    If you feel at risk - then by all means create a new CA and new certs.. But it's also possible your tinfoil hat is just a bit tight.. But sure ok - it's possible the postal service grabbed the info off the device before they delivered it ;) They too could have installed a backdoor as well.. Those sneaky bastards! ;)

    I wish they posted exact timestamps on when posts were made - thinking maybe yours is a bit after 420 in your timezone ;) Or maybe it's a wake and bake scenario - hehehe
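    The point above that the config XML is unencrypted and carries the VPN certs is concrete enough to show. The script below is an added example, not pfSense code or anything from the thread: it walks a constructed config.xml laid out the way pfSense backups look (the element names `ca`, `cert`, `prv`, `bcrypt-hash` and `openvpn-server/tls` are an assumption of this example) and lists every entry that holds a secret, so nothing is missed when rotating after a loss of custody. A cert entry without a `prv` child (one imported without its key) is deliberately left off the list.

```python
"""Inventory secret-bearing entries in an unencrypted pfSense-style config.xml
so each one lands on the rotation list after the device leaves your custody.
Element names are assumed for this example; the sample document is constructed."""
import base64
import xml.etree.ElementTree as ET


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Dummy PEM bodies, base64-wrapped the way the backup stores them (not real keys).
CA_CRT = _b64("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----")
CA_PRV = _b64("-----BEGIN PRIVATE KEY-----\nBBBB\n-----END PRIVATE KEY-----")
USR_CRT = _b64("-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----")
USR_PRV = _b64("-----BEGIN PRIVATE KEY-----\nDDDD\n-----END PRIVATE KEY-----")
PEER_CRT = _b64("-----BEGIN CERTIFICATE-----\nEEEE\n-----END CERTIFICATE-----")
TLS_KEY = _b64("-----BEGIN OpenVPN Static key V1-----\nFFFF\n-----END OpenVPN Static key V1-----")

# Constructed sample config; the bcrypt string is a placeholder, not a real hash.
SAMPLE_CONFIG = f"""<pfsense>
  <system><user><name>admin</name>
    <bcrypt-hash>$2b$10$constructedplaceholderhash0000000000000000000000000000</bcrypt-hash>
  </user></system>
  <ca><refid>ca01</refid><descr>home-ca</descr><crt>{CA_CRT}</crt><prv>{CA_PRV}</prv></ca>
  <cert><refid>c01</refid><descr>vpn-admin</descr><crt>{USR_CRT}</crt><prv>{USR_PRV}</prv></cert>
  <cert><refid>c02</refid><descr>imported-peer</descr><crt>{PEER_CRT}</crt></cert>
  <openvpn><openvpn-server><description>remote-admin</description><tls>{TLS_KEY}</tls>
  </openvpn-server></openvpn>
</pfsense>"""

# (entry path, label child, secret child, what rotating it means)
SECRET_FIELDS = [
    ("system/user", "name", "bcrypt-hash", "reset the password"),
    ("ca", "descr", "prv", "create a new CA and reissue what it signed"),
    ("cert", "descr", "prv", "revoke and reissue the certificate"),
    ("openvpn/openvpn-server", "description", "tls", "regenerate the TLS key"),
]


def inventory_secrets(xml_text):
    """Return (secret_kind, entry_label, rotation_action) for each stored secret."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, label_tag, secret_tag, action in SECRET_FIELDS:
        for entry in root.findall(path):
            # An entry without the secret child (cert imported without its key,
            # server without a TLS key) carries nothing that needs rotating.
            if entry.findtext(secret_tag, "").strip():
                findings.append((secret_tag, entry.findtext(label_tag, "?"), action))
    return findings


if __name__ == "__main__":
    for kind, label, action in inventory_secrets(SAMPLE_CONFIG):
        print(f"{kind:12} {label:15} -> {action}")
```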



  • @johnpoz said in Question re: security and physical access:

    I wish they posted exact timestamps on when posts were made - thinking maybe yours is a bit after 420 in your timezone ;) Or maybe it's a wake and bake scenario - hehehe

    LOL.

    I definitely understand that the manufacturer can do anything they see fit and that if I want to use the product, I really have no choice but to trust that there is no back door or other ways in. When I was asking about console access, I meant in my current location, not a Netgate employee or the NSA - if someone were to plug themselves into the console, is there a way for them to copy the config file without having to supply any admin credentials? (I take it from your response that the answer is yes.)

    @johnpoz said in Question re: security and physical access:

    If you feel at risk - then by all means create a new CA and new certs.. But it's also possible your tinfoil hat is just a bit tight.. But sure ok - it's possible the postal service grabbed the info off the device before they delivered it ;) They too could have installed a backdoor as well.. Those sneaky bastards! ;)

    I am not that concerned about it, but since the "overhead" of creating new certs and a CA in my case is not that high (since I am the only user of these on my system), I suppose it couldn't hurt to do so. Would deleting the old certs/users from the web GUI (after I create new ones) be sufficient to stop them from connecting? Or are there other steps I need to take?



  • There is a very old bit of wisdom in the computer field, that johnpoz was referring to: "If you can get to the console/hardware, you own the box".

    To answer your specific question, yes. If you have console access, you are presented with a very powerful set of options without any login. While the options don't include directly exporting the configuration, you can reset the webConfigurator password, then export from there. Or drop into a shell with root privileges and find the local config file(s) or the scripts used to export it.

    I recall there is an option to require a password on the console. But that doesn't prevent you from interrupting the boot and dropping to single user or booting off other media.

    With some platforms you can lock down and password protect your BIOS options to prevent the above. But then there is probably a way to factory reset the BIOS settings.

    I could go on, but the point is security starts with controlling physical access.



  • Points well taken. Since the device is in a locked cabinet in my house, I am actually not that concerned about physical access. But good to know nonetheless.

    Given that I had no choice but to send my device in to Netgate for service, and that because it was non-functional I could not wipe the config prior to doing so, it looks like I will be spending some time to reset the passwords and the certs/CA. The rest is out of my hands, I guess.


  • Rebel Alliance Global Moderator

    And what are you going to do about the "possibility" the shipping company put a backdoor on your device, hardcoded into the NIC BIOS? ;)

    My point in poking some fun here - is yes, there are legitimate security concerns when you lose physical access to your devices. And then there is your tinfoil hat cutting off blood flow to your brain..

    You know how "in theory" easy it is to compromise say a Nest thermostat.. Do you have a maid - or friends that say they need to use the bathroom, and take a few extra minutes longer to return... Is your Nest thermostat in the hallway on the way to the bathroom.. It's possible they compromised it - since they would have had physical access ;)

    Do you really think Netgate would have compromised or even looked at your certs/passwords on the device you sent them? Or do you think it was the postal service?

    I can understand a company security policy that would in effect require changing all usernames/passwords and revoking certs that were stored on a device when physical security to that device is lost. This is not all that far out there, especially if the device is in a high security area, etc. You know, like a DoD facility, a military base, something of that nature ;)

    So changing your username and redoing certs is fine from an actual security stance.. But do you honestly think that either the postal company or Netgate or an employee of said companies compromised your stuff? If so dude - maybe need to lay off the Mr. Robot TV show ;)



  • @johnpoz said in Question re: security and physical access:

    So changing your username and redoing certs is fine from an actual security stance.. But do you honestly think that either the postal company or Netgate or an employee of said companies compromised your stuff? If so dude - maybe need to lay off the Mr. Robot TV show ;)

    You are literally making me laugh out loud. I love that show!

    And no, I don't honestly think that anyone at Netgate or UPS is messing with my device. Frankly, I can't imagine anything I am doing would be of any interest to them at all.



  • @johnpoz said in Question re: security and physical access:

    So changing your username and redoing certs is fine from an actual security stance..

    Completely agree these are good steps. Prudent and low cost risk mitigation. Appropriate for OP's home network.

    But do you honestly think that either the postal company or Netgate or an employee of said companies compromised your stuff?

    Not the OP's case, but if you deal with "high value" data, that risk has to be considered. However, in that case you'd not have returned any non-volatile storage to any vendor to begin with. You eat the cost of those parts when they fail, because it's less expensive than risking your data.

    But all the tradeoffs in risks and security could fill a book, several actually. If interested, recommend looking at an outline for Security+, CISSP, or similar certification, just to see the topics.

    Or go find the scripts and videos of the DNSSEC root key signing key "ceremonies". They not only need to be secure, but completely transparent; it's got to be twice as stressful. Can't see them shipping those laptops out for repair.