Channel: meteohub.de

FAQ • Meteobridge and IOT Security - from a developer perspective

Making use of growing concerns about the security of IoT devices, some companies are developing business models to identify security holes and offer their consulting services unasked to help fix those. As Meteobridge also seems to be in the focus of such attempts, I would like to share my perspective on Meteobridge in that regard.

As Meteobridge runs on very limited hardware with very little permanent memory (down to 16 MB of flash) and very limited RAM (down to 32 MB), the OS the Meteobridge SW is stacked on is not a regular Linux but OPENWRT/LEDE, which was initially developed to build Open Source router platforms. In general OPENWRT/LEDE does a very good job in terms of security, as it is meant as a router platform to be directly connected to the Internet without any firewall etc. in front of it. When a new Meteobridge port to a new platform is done, the most recent stable OPENWRT stack is used and things regarding security are fine for the moment. Unfortunately, security gaps in OPENWRT releases are discovered over time. Typically, these are fixed with the next OPENWRT release but are not backported to older released versions. By that an OPENWRT install gets outdated on the security side over time. To fix it, a complete rebuild of the Meteobridge install including a new OS version would be needed. This comes with three major problems.
  • Current OPENWRT versions come with larger libs (openssl as an example) and larger base programs that will no longer fit into the flash and RAM available on the most used Meteobridge platforms like the MR3020v1 (and other platforms with similar limitations).
  • It will need a reflashing of the device, which is a rather complicated and error-prone process for any not so techy Meteobridge user, with a good chance to lose settings or to brick the device.
  • As Meteobridge runs on more than 10 HW platforms, all these platforms will need to be continually rebuilt and maintained, which is something a small company cannot provide economically.
I am aware that hard-core security guys will just frame those issues as weak excuses. But running a small company in a niche market like Meteobridge's cannot be done when pushing security demands to an extreme. We would simply have to go out of business.

I would like to offer a different approach to having your Meteobridge installs secured. As we are aware that each Meteobridge install will have some security issues to be discovered in the future or already discovered, the way to go is to put Meteobridge within your LAN, which is protected by your router's firewall. That way your router will not allow any access from the Internet to your Meteobridge, and Meteobridge cannot be attacked in any way, regardless of whether it is on the most recent security patch level or not. From my contacts with Meteobridge users I know that you all operate Meteobridge in this way. Nobody I know of has decided to put a Meteobridge directly into the wide open of the Internet, which is something I also will not recommend. In times of making SW vendors in the EU liable for consequential damage from security flaws, I will update the terms of use to prohibit using Meteobridge without an external firewall that prevents connecting to Meteobridge from the outside.

Meteobridge SW does offer a remote access option, which is realized as a reverse ssh tunnel via smartbedded's Meteobridge server in the Internet. When you enable this on your Meteobridge, you can connect to your Meteobridge from the Internet. This of course can also be used for intrusion attempts via HTTPS calls. In order to launch an attack, the specific fingerprint of your Meteobridge is needed, which is in the URL you use to do the remote login. Without knowing that, your Meteobridge is not reachable from the outside. However, if you are still concerned here, please do not enable the remote login feature. When the switch is unmarked, the Meteobridge will not set up the reverse SSH tunnel and there is no way the Meteobridge can be attacked from the outside, as long as your firewall does block all incoming traffic, which is the default on most firewalls unless you tell it otherwise.

To summarize this lengthy text a bit:
  • There is no practical way for us to keep the OPENWRT base systems of the many Meteobridge platforms out there up to date in terms of security patches.
  • But you are safe as long as the Meteobridge is operated behind a firewall that blocks all incoming requests from the Internet to your Meteobridge (which is a router/firewall default).
  • Enabling remote access is a convenient feature, but when the fingerprint of your Meteobridge is publicly known, attackers could send HTTPS requests to your Meteobridge and potentially do harm. You have to decide on your own if you are willing to take this risk.
I hope this helps you a bit to navigate through looming security concerns and to take a practical stand in the middle between security paranoia and being totally careless.

Regards,
Boris

Statistics: Posted by admin — Mon Apr 28, 2025 12:59 pm
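The post's whole security argument rests on one assumption: that the router in front of the Meteobridge forwards nothing from the Internet to it. That is easy to verify on an iptables-based home router by dumping the NAT table and looking for DNAT rules that point at the Meteobridge's LAN address. The script below is an added example written for this FAQ; it is not Meteobridge or smartbedded code. It parses `iptables -t nat -S` style output and reports any forward whose ingress interface is Internet-facing. The sample rule dump, the interface names (`eth0`, `pppoe-wan`, `br-lan`) and the addresses (`192.168.1.50` standing in for the Meteobridge) are constructed assumptions, not captured from a real router.

```python
"""Audit a router's NAT table for port forwards that expose a LAN host.

Added example for this FAQ; not Meteobridge or smartbedded code.
It parses `iptables -t nat -S` style DNAT rules from a Linux/OpenWrt-type
home router and reports any rule that forwards traffic arriving on an
Internet-facing interface to the address of the Meteobridge on the LAN.
Interface names, addresses and ports below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `iptables -t nat -S` output (not captured from a real
# router). 192.168.1.50 plays the role of the Meteobridge; eth0 is the WAN side.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i br-lan -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.1:51820
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Assumption: which router interfaces face the Internet.
WAN_INTERFACES: Set[str] = {"eth0", "pppoe-wan"}

# Matches one DNAT forward: ingress interface, protocol, destination port, target.
DNAT_RE = re.compile(
    r"-A\s+PREROUTING\b.*?-i\s+(?P<iface>\S+).*?-p\s+(?P<proto>tcp|udp)\b.*?"
    r"--dport\s+(?P<dport>\d+).*?-j\s+DNAT\s+--to-destination\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
)


@dataclass(frozen=True)
class Forward:
    """One DNAT rule: traffic on `iface` for `proto`/`dport` goes to the target."""
    iface: str
    proto: str
    dport: int
    target_ip: str
    target_port: Optional[int]


def parse_dnat_rules(text: str) -> List[Forward]:
    """Extract DNAT port forwards from iptables-save style rule lines."""
    forwards = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m is None:
            continue  # policy lines, MASQUERADE and other non-DNAT rules
        forwards.append(Forward(
            iface=m["iface"],
            proto=m["proto"],
            dport=int(m["dport"]),
            target_ip=m["ip"],
            target_port=int(m["port"]) if m["port"] else None,
        ))
    return forwards


def exposed_forwards(rules: List[Forward], lan_host: str,
                     wan_ifaces: Set[str] = WAN_INTERFACES) -> List[Forward]:
    """Forwards that let Internet-side traffic reach `lan_host`.

    A forward bound to a LAN interface (e.g. br-lan) is not Internet exposure,
    so only rules whose ingress interface is in `wan_ifaces` are reported.
    """
    return [f for f in rules if f.target_ip == lan_host and f.iface in wan_ifaces]


def audit(nat_dump: str, lan_host: str) -> List[str]:
    """Return human-readable findings; an empty list means no WAN exposure found."""
    findings = []
    for f in exposed_forwards(parse_dnat_rules(nat_dump), lan_host):
        target = f"{f.target_ip}:{f.target_port}" if f.target_port else f.target_ip
        findings.append(f"{f.proto}/{f.dport} on {f.iface} is forwarded to {target}")
    return findings


if __name__ == "__main__":
    problems = audit(SAMPLE_NAT_RULES, "192.168.1.50")
    if problems:
        print("Meteobridge reachable from the Internet via:")
        for p in problems:
            print("  -", p)
    else:
        print("No WAN port forward points at the Meteobridge.")
```

On a real router you would replace the constructed sample with the output of `iptables -t nat -S` and pass the Meteobridge's actual LAN address to `audit()`. Two caveats: the parser only understands the iptables rule format, so a router using nftables (OpenWrt 22.03 and later ship the nftables-based fw4) needs a different parser for `nft list ruleset`; and a DMZ-host setting or a UPnP-created forward on an iptables router also shows up as a DNAT rule, which is exactly why auditing the live table rather than the router's web UI is the more reliable check.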