Question about security in Webconf

I don’t see that as particularly beneficial.

I’m totally with you. Zynthian is a musical instrument and its musical possibilities should always come first.
But from an attacker’s point of view it is in fact also a generic networked computer running Linux which could be exploited as a hop for further attacks, used to eavesdrop on a Zynth user by utilising possibly attached micros, starting to play funny soundfiles in the middle of a live session, steal Pianoteq serials and so on. The possibilities are endless if you change the focus from the intended use to an attacker view.

And while we say that it should only be used as a musical instrument, someone may not understand that he’s currently hacking a musical instrument.

I understand that this will cost resources and I really don’t ask to stop musical dev for security, but we also shouldn’t ignore infosec. It might come back on Zynthian when we least need it, and having to fix things with the pressure of bad media attention after a possibly Zynthian-related incident might be worse.

This is nothing we need tomorrow at 12:00 UTC. But we should have an eye on it.

Based on experience it won’t be enough to tell users “Don’t use networking interfaces in an insecure environment.” Especially those who are not aware of cyber security will do it anyway… :wink:
And just imagine a bored script kiddie in the neighbourhood hacking your home wifi, finding a Debian host whose password he could read in clear text from http, and after login he’s directly root.

BTW: In the last years I’ve seen more and more tools start to refuse usage as root.

Let’s keep it on the radar, proactively discuss pros and cons and find solutions for security challenges as long as it doesn’t hinder our musical fun with the Zynth!

Sorry for the bad vibes, I really don’t want to piss someone off, my intention is to help make Zynthian better. I really appreciate what you all have achieved over the years. And I’m just a newbie with a soft spot for cyber security besides music and Linux…

Concerning the simple recipe:
Edit systemd service files

  • /etc/systemd/system/novnc0.service
  • /etc/systemd/system/novnc1.service

and append to ExecStart:

" --cert /zynthian/zynthian-webconf/cert/cert.pem --key /zynthian/zynthian-webconf/cert/key.pem"

This should at least encrypt the noVNC web frontends with the already existing pem-files for webconf. (And please also adapt the links in webconf/Interface.)

Happy hacking!

1 Like
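The recipe in the post above, as an added example that is not part of the original post: a shell function that appends the `--cert`/`--key` flags to a unit's `ExecStart` line without duplicating them on repeated runs. The sample unit content and the `/path/to/novnc-launcher` command are constructed placeholders; only the flags and the certificate paths come from the post.

```shell
#!/usr/bin/env bash
# Added example (not Zynthian project code): apply the recipe idempotently.
CERT=/zynthian/zynthian-webconf/cert/cert.pem   # path from the post
KEY=/zynthian/zynthian-webconf/cert/key.pem     # path from the post

# add_tls_flags UNIT_FILE
# 0 = patched or already patched, 1 = no ExecStart line,
# 2 = file missing, 3 = ExecStart continues on the next line (edit by hand).
add_tls_flags() {
    unit=$1
    [ -f "$unit" ] || return 2
    grep -q '^ExecStart=' "$unit" || return 1
    # A trailing backslash means the command spans several lines;
    # appending to the first line would put the flags in the wrong place.
    if grep -q '^ExecStart=.*\\$' "$unit"; then
        return 3
    fi
    # Flags already present: leave the file untouched.
    if grep -q '^ExecStart=.*--cert ' "$unit"; then
        return 0
    fi
    cp -p "$unit" "$unit.bak"   # keep a backup next to the unit file
    # Drop trailing whitespace on the ExecStart line, then append the flags.
    sed -i.tmp -e "/^ExecStart=/ s|[[:space:]]*\$| --cert $CERT --key $KEY|" "$unit" \
        && rm -f "$unit.tmp"
}

# Demo on a constructed unit file in a temp location (not the real service).
demo_unit=$(mktemp)
printf '%s\n' '[Service]' \
    'ExecStart=/path/to/novnc-launcher --listen 6080  ' \
    'Restart=always' > "$demo_unit"
add_tls_flags "$demo_unit"
grep '^ExecStart=' "$demo_unit"
rm -f "$demo_unit" "$demo_unit.bak"
```

On a real device the function would be pointed at the two unit files named in the post, followed by `systemctl daemon-reload` and a restart of both services.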

A proposal for encrypted webconf:

  • Let’s have http access to webconf enabled per default to ease first access to webconf (as now)
  • add a config option (under Security/Access and/or directly after first login?) to disable http and redirect to https including some information how to cope with possible warnings.

→ it will still be accessible and configurable but more people will use https.
I must admit while having an affinity for security even I sometimes just hacked in zynthian.local without explicit https://…
And I found out about the https possibility just by chance.

1 Like

Done! Oram & vangelis.

4 Likes

Well, as you explained before, the easiest way of hacking a Zynthian device and causing trouble is sending simple OSC commands while it’s being used on stage.

Perhaps we could have a “secure mode” that sets up a firewall with everything closed except what could be considered safe. This should be accessible from the UI’s admin menu.

Regards,

2 Likes

The reason I want it to work is because I want to use it to discover other Zynthians on the LAN (for AoIP, etc.). We could start with a simple “insecure mode” switch which removes some InfoSec constraints. This could become a rather involved subject, including ssh, OSC, etc.

After having triggered everyone here in the thread, I’m not sure if a firewall may potentially cost too much load.

Starting from the “insecure mode” idea:

  • On initial setup we let people reach webconf via http.
  • All other external connections not needed for initial local usage are disabled by default and can be enabled via webconf.

→ This way, we could deliver an initially secure system with the option to enable more features with potential security costs, but at the decision of the user.

Do you mean https?

We often need to perform diagnostics for non-working systems, e.g. bad hardware config for custom builds. Having some form of console access, e.g. ssh is advantageous.

Maybe the first webconf access can offer the user to change the password, to at least give the option to avoid using the default, well-known password.

[Edit] I don’t like the idea of a firewall. It feels like too much effort for what we are trying to protect.

No, explicitly http on initial first connect to prevent confusion with browser warnings due to self-signed certs. It is about a very short time window with a commonly known default password.

During the initial setup process we should then ask for a new password (enforce?) and for https enablement but can provide information about what to expect and what to do.
Afterwards the individual password will be encrypted in transport.
Same for more settings like vnc, osc etc.
SSH should be the least problem security-wise. At least with a changed password. :wink:

While it’s true that an embedded system doesn’t need as much security as a server needs, Zynthian devices are in fact networked general purpose computers that do receive updates over the Internet. They can be treated as embedded systems, but as long as people update the software, they’re not really being treated by users as embedded systems until users stop running updates and permanently disconnect them from the network. They do need basic security precautions to avoid getting remotely hijacked or else they will be putting other devices on users’ home networks at risk.

Additionally, some users might want the option to remote control the Zynthian over the network for production purposes and in such cases, they’re very very not embedded systems.

(later edit) wait, I take some of this back. I forgot that if the entire network is physically isolated, (like no Internet, no or very secure wifi, only authorized Ethernet cables) then the network as a whole could be an embedded system. On such a secure network, the Zynthian could be part of an embedded system and still have networking but I don’t know if anyone’s going to really do that.

1 Like