1

I have an Arduino (with environmental sensors doing measurements) connected to the Internet via ethernet. Can it be hacked? Can someone access it via Internet and upload his own C/C++ code? If, yes how can I prevent this?

Update (03/03/2023): One final thought: Supposing that I have secured USB plug and nobody can access it. However, I am using the Serial interface of the Arduino MEGA 2560. So, Serial_1 is continuously reading. Can someone with physical access to the Arduino inject malicious code via the Serial_1 so that can alter the code inside my Arduino and have access to information?

asked Mar 2, 2023 at 14:25
3
  • 1
    does it have Ethernet bootloader or ArduinoOTA library? Commented Mar 2, 2023 at 14:35
  • I am using the Arduino MEGA 2560 R3 + original Arduino Ethernet Shield 2....if that helps... Commented Mar 2, 2023 at 14:51
  • Depending on the architecture of your solution, the risk could be exposing your home network to the internet. If your Arduino system is designed to accept incoming traffic from the internet, say it runs a web server, and you configure port forwarding on your router to support this, then you expose your network to such a risk. Commented Mar 3, 2023 at 8:21

1 Answer 1

1

This depends on what you consider "hacked".

Do you care about someone reading the data, or changing it on its way to the target? Or do you provide endpoints to trigger something in your project from the internet, that only you should be able to do? Then you need to think about authentication and encryption. Though I guess that this data will be published either way, so that is not a big problem. But you should write down every endpoint, that you expose to the internet, and every request you are making. Then decide what level of security you need them to have individually. Exposed endpoints can easily be found and you have to decide yourself, if it is OK for others to use them.

If you mean getting into the device and executing malicious code from there: IOT devices are often vulnerable because of two reasons. They often have an OS (like a small linux OS), that is badly secured (often using standard password). And they often get updates via the internet. If someone can hijack the update process, malicious code might be delivered. An Arduino doesn't have an OS, so that isn't a problem. And hijacking the update process won't be possible, if you don't provide the possibility to update through the network. This makes updating your code a bit more complicated (since you need to connect the Arduino via USB or similar to program it), but more secure. That way no one (not even you) can inject malicious code into your project without physical access to the Arduino. To take up Jurajs comment: Updating through network is normally done by the Ethernet bootloader or the ArduinoOTA library (Over The Air updates). If you are not using those or similar projects, then you will be safe in that regard.

With strangers having physical access to the device it is a different story. To reprogram the Arduino one would need access to Serial (RX0 and TX0) and a possibility to reset the Arduino (either Reset pin or a way for power cycling it), or access to the ISP pins and the reset pin.

If you can secure the Arduino itself from physical access and only expose the Serial1 interface and ground/5V, then you will be safe, since the bootloader is only listening on Serial (RX0 and TX0). But keep in mind, that someone might still break into your project with brute force - depending on how you secured it physically. At that point nothing can stop them from overwriting your code. Only you can assess how big the chance for that is and how bad it would be.

Another point: If someone manages to break into your project, he can read out the program and push it through a deassembler. That doesn't give them the C++ code - they are not seeing C++ code, only assembler, and no meaningful variable names - but if they are determined enough they can read out credentials, that you might have hard coded or saved in EEPROM. Though especially for environmental sensors I would say the chance is very low, that someone would go to such lengths. If you think the danger to be big enough for some inconvenience, you can have a look at code protection (protecting the program memory from being read), though that still doesn't completely block reprogramming.

All in all: Preventing physical access is a big step in security. You yourself need to assess how much security you really need for your project.

answered Mar 2, 2023 at 15:51
2
  • I have updated my question...please read it again!! Everyone many thanks for your help... Commented Mar 3, 2023 at 13:25
  • 1
    @just_learning I added some paragraphs about that in my answer Commented Mar 3, 2023 at 21:27

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.