[Ovmsdev] Moving to a production cycle

Michael Balzer dexter at expeedo.de
Sat Feb 24 17:21:50 HKT 2018


Greg, Mark,

I'm a bit concerned about an initially open Wifi access.

I know we're not targeting a mass market, but security is always important, especially for a system that can potentially control a car.

We need to be -and stay- aware this may introduce a way to hack & hijack the system. You would for example scan for new OVMS wifi networks, do an automatic passkey change to get access, then get the module to install a trojan firmware that mimics the original behaviour (rootkit style) and voilà, you've got another bitcoin miner. A normal user will never recognize something's fishy.

With our current OTA function that's an unlikely attack vector; you would need to either control the GSM cell / DNS to redirect the download to your trojan site or have hacked the openvehicles.com server to deliver your trojan firmware. But things will evolve.

Some users may also not care about the Wifi access (i.e. using just Bluetooth / USB / GSM) and then not be aware it's actually active & open.

Is it too expensive to print the Wifi MAC or serial no. onto some label or document for the user?

If so we should at least make this very clear in the user documentation.

Btw, the same password could be used as the default module password, or we could use the module password for both purposes.

Regards,
Michael


On 22.02.2018 at 05:52, Mark Webb-Johnson wrote:
>> There probably isn't a
>> need for a custom SSID based on MAC or other serialization; that would
>> only be necessary if configuring multiple modules at the same time in
>> the same place.  Use case?
>
> Yep. My thoughts exactly.
>
>>  it might be
>> a good idea to have a required step of the configuration procedure be to
>> force a passkey change and re-connect on the part of the user.
>
> Yep. If we ask them to specify the AP name, and new password, then that resolves both problems.
>

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Phone 02333 / 833 5735 * Mobile 0176 / 206 989 26




