2015-11-30

Security? What security?

Since I'm often messing around with electronics near my workstation, which is 2-3 meters away from the equipment rack, I've started looking into making a remote control for my lab power supply. The thing has LXI support, which means I can hook it up to the network and send commands to it -- both to query state and to change the state.  Setting voltage and current limit, turning outputs on and off etc.

The idea was to use an ESP8266, hook up a display to it and a couple of buttons and rotary encoders, and then write some firmware for it which allows you to talk to the power supply -- setting voltage and current for the outputs, plus add support for a few other things.  Perhaps not terribly useful for anyone but me, but a fun project.

While reading the documentation for the SCPI commands of the lab supply it struck me that this stuff has no security whatsoever.  None.  Zero.  No username, no password, no standard keying scheme. You just connect and you send commands and the machine does stuff.  There may be some lab equipment that has security features, but none of the stuff I have has any protection whatsoever.

Which means that in just a few lines of code, you can build a network scanner that will look for LXI-enabled devices, figure out what they are and then manipulate them.  Actually, one of the open source tools for talking to LXI/SCPI enabled devices has a scanning feature for finding devices -- so figuring out how to do this is trivial.

This means that if you connect to a lab network with LXI-enabled devices, you could query a power supply to find out how much juice it can deliver on each channel and then crank up the voltage and current limits to the maximum value on every output.   If you are building electronics that operate at 3.3 or 5.0 volts and have them hooked up, that would probably fry them.  Perhaps you could even start a fire that way.

Or you could be more subtle and introduce small intermittent problems.  Like monitoring the current draw of a device and then reducing the current limit on an output to deliver slightly less current in order to provoke erratic behavior in electronics.
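The risk described above comes down to any host being able to send state-changing commands with arbitrary values. As an added example (not code from the original post), this Python check shows the per-command policy a guard placed in front of the supply could apply; the command spellings, client addresses and ceilings are assumptions and vary by instrument.

```python
# Added example: policy check for SCPI-style lines before they reach the supply.
# TRUSTED, LIMITS and the command spellings are assumptions, not from the post.
TRUSTED = {"192.0.2.10"}                 # constructed address of the bench workstation
LIMITS = {"VOLT": 5.5, "CURR": 1.0}      # constructed ceilings for a 3.3 V / 5 V bench

def check_command(client, line):
    """Return (verdict, reason) for one command line sent by `client`."""
    cmd = line.strip()
    if not cmd or ";" in cmd:
        return "deny", "empty or compound command"
    header, _, arg = cmd.partition(" ")
    if header.endswith("?"):
        return "allow", "query"
    if client not in TRUSTED:
        return "deny", "state change from untrusted client"
    nodes = [n.upper() for n in header.lstrip(":").split(":")]
    for key, ceiling in LIMITS.items():
        if any(n.startswith(key) for n in nodes):
            try:
                value = float(arg)       # rejects keywords such as MAX
            except ValueError:
                return "deny", f"non-numeric {key} value {arg!r}"
            if not 0 <= value <= ceiling:
                return "deny", f"{key} {value} outside 0..{ceiling}"
            return "allow", f"{key} {value} within ceiling"
    return "allow", "state change from trusted client"

# Constructed session: (client, line) pairs as a guard would see them.
SESSION = [
    ("192.0.2.10", "*IDN?"),
    ("192.0.2.10", "SOUR1:VOLT 3.3"),
    ("192.0.2.10", "SOUR1:VOLT MAX"),
    ("192.0.2.10", "SOUR1:CURR 3.0"),
    ("192.0.2.77", "MEAS:CURR?"),
    ("192.0.2.77", "OUTP ON"),
]

def review(session):
    """Return the lines a guard would refuse, with the reason for each."""
    out = []
    for client, line in session:
        verdict, reason = check_command(client, line)
        if verdict == "deny":
            out.append((client, line, reason))
    return out

if __name__ == "__main__":
    for client, line, reason in review(SESSION):
        print(f"DENY {client} {line!r}: {reason}")
```

A ceiling only catches values that are too high; the quieter case of a lowered current limit would show up only if every accepted state change is also logged and reviewed.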

I started looking for security information on LXI on the web.  Not a big research project, but just a few Google searches to get some feel for what's going on here.

I stumbled across a talk by a representative of some instrument manufacturer talking about this.  His take was that "well, you'll have to deal with this in routers...create VLANs and deal with whitelists and packet filters etc".

Well, sure, this is lab equipment, but really?  This fellow lives in la-la-land.  If he thinks that this works in real life he is mistaken.  If you need to get some lab equipment up quickly and perhaps log some data or remote control some gear, you'll do whatever you can to get it working and then leave it at that.  You will not be having meetings with the IT department to have your network configured every time you get a new piece of gear.  And if you do have a messy network setup with all manner of access control, it is going to be slow and time-consuming to make any changes.  You'll be screwing over your engineers or your production staff.

I'm not so sure I want to implement a remote for my power supply now.  I wouldn't want to be sitting with my nose hovering over some piece of electronics and then suddenly have stuff blow up in my face because someone decided to write malware that targets LXI enabled devices.  I know myself well enough to know that I'm not going to bother setting up a separate network for my lab equipment.
