[Owasp_embedded_application_security] Discussion

Timo Goosen timo.goosen at owasp.org
Wed Mar 18 10:51:45 UTC 2015

I like the list of best practices that you posted.  Some ideas I'd like to

Big issue affecting embedded devices is:
https://en.wikipedia.org/wiki/Year_2038_problem , the 2038 problem. Which
will affect 32 bit platforms of the Linux kernel.
Without the correct time the data collected is worthless as it cannot be
stored according to the correct time. Cryptographic software will also not
be able to function properly.
Linus Torvalds is not planning on fixing the issue although the issue has
been fixed on most of the BSD platforms if I can remember correctly.

Another best practice perhaps to add to your list is to disable network
related services that are not being used and if something has to run for
example SSH, then it should be locked down as much as possible.


On Wed, Mar 18, 2015 at 12:17 AM, Aaron Guzman <aaron.guzman at owasp.org>

> Hi Everyone,
> Thanks to all who have joined within the last week. I have created a
> google group to collaborate better.
> https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec
> Below is a discussion I have started on the google group. If anyone is
> interested in making additions, please fill free to reply on the google
> group thread.
> We want to start creating a list of best practices and top risks for
> embedded technology. Whether we want to keep it at a list of 10 or more, I
> think it is important that we collaborate and put our embedded experiences
> together for a reference. It is
> I will start with my list of best practices
> 1. Cryptographic Signing of firmware required for firmware updating
> functions
> 2.Verify SSL/TLS Certificates (SSL Pinning) during secure functions to
> embedded devices. I.E. Firmware updates
> 3.Modify Busybox to only libraries and functions that are being used.
> (e.g. take out telnet, perl etc)
> 4.Prevent the use of static passwords such as admin/admin or similar
> variants for service passwords inside the firmware
> 5.Private Keys and passwords should not be stored on the embedded device.
> 6.Protection against memory-corruption vulnerabilities inside firmware
> functions. (do not use dangerous C functions)
> 7.Update kernel and packages on embedded images to prevent known
> vulnerabilities
> Maybe one about testing embedded images for ODM backdoors? up for
> discussion
> Feel free to make additions and discussions around embedded security. I
> would love to have a call in the coming weeks to flesh out and make a best
> practice list mature.
> thanks again!
> --
> Aaron G
> OWASP-LA Board Member
> Twitter: @scriptingxss
> Linkedin: http://lnkd.in/bds3MgN
> _______________________________________________
> Owasp_embedded_application_security mailing list
> Owasp_embedded_application_security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_embedded_application_security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_embedded_application_security/attachments/20150318/ac7b7900/attachment-0001.html>

More information about the Owasp_embedded_application_security mailing list