Forum Index : Microcontroller and PC projects : pico W - mmbasic UDP

Author Message
Plasmamac

Guru

Joined: 31/01/2019
Location: Germany
Posts: 501
Posted: 05:34pm 22 May 2023

Hi Matherp,

Will UDP support ever come for MMBasic?

thx
Plasma
 
aFox
Regular Member

Joined: 28/02/2023
Location: Germany
Posts: 73
Posted: 02:20pm 23 May 2023

Hi

Why not?

TFTP is implemented and based on UDP as transport layer.

The security problem arises for both TFTP and UDP.
Both should only be activated via an OPTION.
And only if it is ensured that there is no access to the Internet.


Gregor
 
lizby
Guru

Joined: 17/05/2016
Location: United States
Posts: 3013
Posted: 07:07pm 23 May 2023

What is the security risk of UDP?
PicoMite, Armmite F4, SensorKits, MMBasic Hardware, Games, etc. on fruitoftheshed
 
aFox
Regular Member

Joined: 28/02/2023
Location: Germany
Posts: 73
Posted: 07:27pm 23 May 2023

lizby said: "What is the security risk of UDP?"


1.
2.
3.
Edited 2023-05-24 05:28 by aFox
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3651
Posted: 09:04pm 23 May 2023

2 & 3 are the same URL

With a Pico W:

I can't say #1 would bother me.

2 & 3 seem irrelevant - wrong URL?

John
Edited 2023-05-24 07:08 by JohnS
 
NPHighview

Senior Member

Joined: 02/09/2020
Location: United States
Posts: 192
Posted: 11:03pm 23 May 2023

The main security risk that I'm aware of is that most people setting up a firewall aren't thinking in terms of UDP.

In a previous incarnation, I was at a cocktail party where the host was discussing the process controllers at a large industrial concern for which we both worked. I asked him about security of those controllers (this was a few months after 9/11 and everyone was still on edge). He was confident they were secure. I asked if he remembered any of their addresses; he said he did. We downloaded a UDP browser to his home computer, typed in the address, and up came the user interface for one of the process controllers.

He said something I won't repeat here, excused himself, quickly drove to work while on the phone to the IT lead, and reappeared an hour later, smiling, but wiping the sweat from his brow. "Firewall fixed," he said.
Live in the Future. It's Just Starting Now!
 
lizby
Guru

Joined: 17/05/2016
Location: United States
Posts: 3013
Posted: 01:52am 24 May 2023

Ok, so it's a security risk if you expose your control interface through UDP. How about otherwise, e.g., you just have a program listening for a coherent message?
PicoMite, Armmite F4, SensorKits, MMBasic Hardware, Games, etc. on fruitoftheshed
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3651
Posted: 06:41am 24 May 2023
Copy link to clipboard 
Print this post

NPHighview said: "We downloaded a UDP browser to his home computer, typed in the address, and up came the user interface for one of the process controllers."

Clearly a problem in that case, but a Pico W isn't likely to have such an interface and even if it did it's up to its user(s) to be aware of possible problems - just as they would with a TCP interface or UART one or (etc).

I'm not seeing a specific issue of any major worry about UDP.

Obviously a hole in the RPi Pico UDP code might be an issue, but so would a hole anywhere else (TCP, MMBASIC, user code).

John
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3651
Posted: 06:45am 24 May 2023

lizby said: "Ok, so it's a security risk if you expose your control interface through UDP. How about otherwise, e.g., you just have a program listening for a coherent message?"

I suppose it's a risk if you foul up your code (not specific to UDP, though).

Also, if there's a hole in the RPi Pico UDP code. But that applies to all the other things such as their TCP code, MMBASIC etc.

Doesn't look worth worrying about unless you're in a rather important security-conscious environment, in which case I doubt MMBASIC would be allowed at all (no offence to MMBASIC but the kinds of rules imposed in such environments are tough). They'd likely want security-audited Pico code, too, and a bunch of other stuff. Let's not go there!

John
 
Mixtel90

Guru

Joined: 05/10/2019
Location: United Kingdom
Posts: 5714
Posted: 07:20am 24 May 2023

Of course, it's up to the individual to decide on whether or not to connect a PicoMite to the internet in any form, but it would be *very unwise* to have it on the same network as anything you want to protect. At the very least put it on a different set of internal IP addresses from the rest of your network. Don't trust DMZ in the router, there are too many ways round/through that - if the router is even implementing it properly.

Everything you can think of to protect your network has probably been hacked at some point. It's a chilling thought.
All that's needed is one weak point (perhaps the device doesn't check for a buffer overflow) and a hacker can worm their way onto the main network.
Mick

Zilog Inside! nascom.info for Nascom & Gemini
Preliminary MMBasic docs & my PCB designs
 
lizby
Guru

Joined: 17/05/2016
Location: United States
Posts: 3013
Posted: 12:04pm 24 May 2023

Thanks, John. I have no intention of exposing UDP to the internet from any device--I just wondered if there was anything inherently insecure about doing that (assuming as always that you are doing your best to make sure that your method of listening for UDP messages doesn't allow malicious access).

My main interest in UDP on the PicoMite would be as a sender (though there is MQTT for that). I have some devices which now send UDP messages on my internal network to an accumulator which records them.
PicoMite, Armmite F4, SensorKits, MMBasic Hardware, Games, etc. on fruitoftheshed
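
As an added example (not code from any poster or from MMBasic): a Python receiver for the kind of internal-network UDP accumulator described above, which records only a "coherent message" and drops everything else. The subnet, bind address, port, shared key and the `device,reading|tag` message format are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import re
import socket

# All values below are assumptions constructed for this example.
KEY = b"example-shared-key"                           # placeholder shared secret
ALLOWED_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal subnet
MAX_LEN = 128                                         # size cap checked before any parsing
# Assumed format: b"<device>,<reading>|<hex HMAC-SHA256 of the part before '|'>"
BODY_RE = re.compile(rb"([a-z0-9]{1,16}),(-?\d{1,4}\.\d)")

def make_message(device: bytes, reading: float) -> bytes:
    """Sender side: build a tagged datagram in the assumed format."""
    body = b"%s,%.1f" % (device, reading)
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def accept(datagram: bytes, src_ip: str):
    """Return (device, reading) for a valid message, otherwise None."""
    if ipaddress.ip_address(src_ip) not in ALLOWED_NET:
        return None                       # not from the internal subnet
    if len(datagram) > MAX_LEN:
        return None                       # oversized: drop without parsing
    body, sep, tag = datagram.partition(b"|")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return None                       # missing or wrong tag
    m = BODY_RE.fullmatch(body)           # strict format, no partial matches
    return (m.group(1).decode(), float(m.group(2))) if m else None

def serve(bind_ip: str = "192.168.1.10", port: int = 5005) -> None:
    # Bind to the internal interface only, never to 0.0.0.0.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        # Read one byte more than the cap so truncated giants are still rejected.
        data, (ip, _port) = sock.recvfrom(MAX_LEN + 1)
        record = accept(data, ip)
        if record is not None:
            print(record)

if __name__ == "__main__":
    serve()
```

The source-address check is only a coarse filter because UDP source addresses can be forged; the HMAC tag is what authenticates the sender, and it does not by itself prevent replay of a captured datagram.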
 

© JAQ Software 2024