Posted on: January 10, 2025
Last modified: January 10, 2025
The “Embedded Security Challenge” is a free challenge for all embedded developers. Advance step-by-step in securing your systems. This is the solutions page; for the list of challenges, go to https://ygreky.com/challenge/
Week 1 (January 2-8): Network-enabled services
The challenge was:
What are your product's services (applications, daemons) communicating, or potentially communicating with the Internet? Check all network interfaces. Also, check for both applications sending data and those listening.
Responses correctly mentioned the netstat command to get the list of open connections. Readers proposed various options, all correctly including ‘-l’ to list listening sockets, that is, the ones someone can connect to.
As for which addresses to look for, some readers wrote that ‘0.0.0.0’ entries are the ones to look for, as they allow external access. This is true: 0.0.0.0 means ANY address. We should also look at sockets bound to the external IP address of the device. 127.0.0.1 (the local address) isn’t reachable from outside.
An example output of netstat -ln (with numerical values) could be:
$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::10022                :::*                    LISTEN
What we observe here is a service available only on the local system on port 25 (likely SMTP) and a global service on port 10022.
We can also obtain the same results with the ss command.
Our readers didn’t mention that the firewall might be blocking some of those services. We can check the firewall configuration on our embedded system and then use a tool like ‘nmap’ to check open ports from another machine.
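The address check described above can be scripted. The following is an added example, not part of the original post or the challenge: a POSIX shell function that labels each listener in netstat -ln output as LOCAL (loopback only), ANY (wildcard) or SPECIFIC (bound to one non-loopback address). The function names, the labels, and the 192.0.2.10 and UDP sample rows are assumptions constructed for illustration; it parses the netstat column layout shown above, not ss output.

```shell
#!/bin/sh
# Added example: label listeners in `netstat -ln` output by how widely they are bound.
# Function names and the LOCAL/ANY/SPECIFIC labels are illustrative assumptions.

# Reads netstat -ln text on stdin; prints "<label> <proto> <port> <address>".
classify_listeners() {
    awk '
    # TCP rows end in LISTEN; UDP rows have no state column, so match on protocol.
    ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
        port = $4
        sub(/.*:/, "", port)      # keep the text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")
            label = "ANY"         # wildcard: every interface, IPv4 or IPv6
        else if (addr ~ /^127\./ || addr == "::1")
            label = "LOCAL"       # loopback: not reachable from outside
        else
            label = "SPECIFIC"    # one address, e.g. the external IP
        print label, $1, port, addr
    }'
}

# Keeps only listeners another machine could reach, before any firewall filtering.
exposed_listeners() {
    classify_listeners | awk '$1 != "LOCAL"'
}

# Sample input: the four rows from the page plus two constructed rows
# (192.0.2.10:8080 and the UDP row) to exercise the other branches.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:8080         0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::10022                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# On a real device: netstat -ln | exposed_listeners
sample_netstat | classify_listeners
```

The rows that exposed_listeners keeps are the ports worth confirming from another machine, since a firewall may still block them.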
Thank you, everyone, for participating, especially Farshid Monhaseri and Srivishnu Kesavan!
This week we got answers for Linux systems only. You can get the same results on RTOSes too.