Device Security - Keys


#1

Hi,

Are all keys stored on a device unique? Even the local SSH keys to the host OS?
If a device gets compromised, will other devices within an application become vulnerable somehow?

What should I expect if someone maliciously copies a SD card (from a already deployed device) and attaches it to another device? Will this prompt another device registration?

Regards.


#3

Hi,

The secret keys on the devices are unique for every device.

If a device gets compromised the secret API key grants access to the following:

  • changing the device metadata
  • reading metadata of the application associated with the device
  • reading environment variables associated with the device
  • reading environment variables for the application that is associated with the device
  • reading build logs of the application associated with the device

But all secret keys on the device can be revoked by deleting the device in the dashboard.

If someone copies the SD card of a device and attaches it to another device, there will be no prompt for another device registration because the provisioning key is not available anymore on the device.

If you are interested this process is also explained in our docs in the security section: https://docs.resin.io/security/#device-access

Hope this answers your questions.

Cheers,
Andreas


#4

The only issue I can foresee here are the application build logs.

That contains the whole procedure for building the docker image, which is not something that should be easily compromised.
Can you consider opening an issue requesting access to the build logs to be restricted? I cannot think of a reason this access is actually needed. Of course, I might be wrong.

I believe the device key should only allow access to the minimum amount of information that is actually required. The developer has no control upon it after the hardware ships, so it should be considered compromised from the get-go.

Thank you.