
As of July 17, 2015, the LabJack forums here at forums.labjack.com are shut down. New registrations, topics, and replies are disabled. All forums are in a read-only state for archive purposes.

Please visit our current forums at labjack.com/forums to view and make new posts. To post on the current forums, use your labjack.com login account. Your old LabJack forums login credentials have been retired. There are no longer separate logins for labjack.com and LabJack forums.



UE9 security


10 replies to this topic

#1 mwanafunzi

mwanafunzi
  • Members
  • 34 posts

Posted 21 March 2013 - 12:16 AM

We have multiple UE9s scattered around our institute monitoring critical applications. All are only accessible from behind the institute firewall, but that leaves many 100s of people who can randomly stumble upon them or set out to break into them; all they need to know is the IP address. They could not cause any physical damage, but they could break the system - just resetting a device's IP address would cause serious problems. Is there any way to secure Ethernet-connected LabJacks against unauthorised access? Thanks

#2 LabJack Support

LabJack Support
  • Admin
  • 8677 posts

Posted 21 March 2013 - 04:08 PM

> We have multiple UE9s scattered around our institute monitoring critical applications. All are only accessible from behind the institute firewall, but that leaves many 100s of people who can randomly stumble upon them or set out to break into them; all they need to know is the IP address. They could not cause any physical damage, but they could break the system - just resetting a device's IP address would cause serious problems.
>
> Is there any way to secure Ethernet-connected LabJacks against unauthorised access?
>
> Thanks


This is something we are currently working on. Right now at least, the packet structures the LabJacks use are pretty specific & require various checks, so it is unlikely that someone could mess up a device by accident. However, someone running LabJack software that can communicate with the device could, as you say, cause harm. If you changed the port to something non-default it would help ensure that only people who wanted to access that specific device & knew the IP/port were able to.

We aren't sure about where we will go with this on the UE9, but have a few different ways we might implement it for the T7, which we are currently finishing up. One idea is to have a user-generated 'key' of sorts that needs to be written to the device when a new TCP connection is established in order to authorize that connection. We could also have the user provide a list of IPs that are allowed to open connections.

Generally we feel this type of thing would only apply to Ethernet, since with USB you would typically have physical access to the device, and if you have physical access to it, there isn't much we can do.

Do any of these solutions (or others) sound most desirable to you?

#3 mwanafunzi

mwanafunzi
  • Members
  • 34 posts

Posted 21 March 2013 - 10:16 PM

Yes, either of those would be nice. Right now, all it needs is someone else, unknown to us, to innocently plug in a LabJack, run the LabJack software and randomly poke around with what they see there. As you say, it is not an issue with USB; in fact, for our most sensitive devices I suppose we could use the USB interface plus something like a networked Raspberry Pi. We can then write security into the script that talks to the LabJack. But that of course totally defeats the purpose of an Ethernet-enabled LabJack and makes everything much more complex and clumsy to manage. For Ethernet, limiting access to some IPs would look like the simplest minimal solution; it would be nice if that could be made available as a firmware update for the UE9? I can see that some kind of passkey would be more complex to implement but much more secure.
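Added example, not part of the original posts and not LabJack code: a sketch of the per-connection check a gateway script (such as the networked Raspberry Pi mentioned above) could run, combining the IP list with the connection key. It goes beyond the thread by using a challenge-response so the key itself never crosses the network; `ConnectionGate`, `client_response` and the five-entry limit are hypothetical names and assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

MAX_ALLOWED = 5  # assumption: mirrors the "say for 5 IPs" list size from the thread


def client_response(key: bytes, nonce: bytes) -> bytes:
    """What an authorized client sends back: HMAC-SHA256 over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ConnectionGate:
    """Hypothetical gateway-side check run once per new TCP connection."""

    def __init__(self, allowed_ips, key: bytes):
        if len(allowed_ips) > MAX_ALLOWED:
            raise ValueError("allowlist holds at most %d addresses" % MAX_ALLOWED)
        if len(key) < 16:
            raise ValueError("key must be at least 16 bytes")
        self._allowed = {ipaddress.ip_address(a) for a in allowed_ips}
        self._key = key
        self._pending = {}  # (ip, port) -> nonce awaiting a response

    def challenge(self, peer):
        """Return a fresh nonce for an allowlisted peer, or None to drop it."""
        ip, port = peer
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        if addr not in self._allowed:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[(addr, port)] = nonce
        return nonce

    def verify(self, peer, response: bytes) -> bool:
        """Accept only a correct HMAC for the outstanding nonce; single use."""
        ip, port = peer
        try:
            nonce = self._pending.pop((ipaddress.ip_address(ip), port), None)
        except ValueError:
            return False
        if nonce is None:
            return False
        return hmac.compare_digest(client_response(self._key, nonce), response)
```

The `peer` tuple is what `socket.getpeername()` returns for an accepted IPv4 connection; only after `verify` returns True would the gateway pass requests on to the device.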

#4 LabJack Support

LabJack Support
  • Admin
  • 8677 posts

Posted 22 March 2013 - 06:54 AM

Do you talk to your UE9s using Modbus or the normal low-level protocol? Do you talk to them through the UD driver for Windows?

#5 mwanafunzi

mwanafunzi
  • Members
  • 34 posts

Posted 22 March 2013 - 07:01 AM

> Do you talk to your UE9s using Modbus or the normal low-level protocol? Do you talk to them through the UD driver for Windows?

We mostly use Modbus. We use the LabJack Python library under Linux.

#6 LabJack Support

LabJack Support
  • Admin
  • 8677 posts

Posted 22 March 2013 - 04:15 PM

After looking at things, it looks like adding an IP list to the UE9 (say for 5 IPs) is something we can do via a firmware update. We aren't sure if we will use Modbus or our other packet format to set those IPs, but either way we can provide a Python application that works via USB to configure it. Once we get something working we can send it to you for testing if you would like. Is there a timeline that you are working with for when this feature would be good to have?

#7 mwanafunzi

mwanafunzi
  • Members
  • 34 posts

Posted 22 March 2013 - 04:36 PM

That would be great, thanks. There is no particular timeline; now would be nice!

#8 LabJack Support

LabJack Support
  • Admin
  • 8677 posts

Posted 04 April 2013 - 04:18 PM

> That would be great, thanks.
>
> There is no particular timeline; now would be nice!


Just an update, we have added a new function to the UE9 Comm firmware to handle this. It is documented here: http://labjack.com/s...ers-guide/5.2.4

We are going to throw together a quick python app that will provide a quick interface to that function so the IPs can be set. Hopefully that will be done sometime tomorrow. Once that is complete we will post it along with the new firmware.

#9 mwanafunzi

mwanafunzi
  • Members
  • 34 posts

Posted 04 April 2013 - 09:02 PM

> > That would be great, thanks.
> >
> > There is no particular timeline; now would be nice!
>
> Just an update, we have added a new function to the UE9 Comm firmware to handle this. It is documented here: http://labjack.com/s...ers-guide/5.2.4
>
> We are going to throw together a quick python app that will provide a quick interface to that function so the IPs can be set. Hopefully that will be done sometime tomorrow. Once that is complete we will post it along with the new firmware.

That's great, thanks very much for your responsiveness. That will allow us to 'mainstream' the use of UE9s without anxiety over possible future surprises.

#10 LabJack Support

LabJack Support
  • Admin
  • 8677 posts

Posted 05 April 2013 - 04:51 PM

Instead of an app I updated LabJackPython to support the new function. Update to the latest LabJackPython:

https://github.com/l...k/LabJackPython

The UE9 class now has an ipAddressFilter method that lets you set the IP addresses to filter. Python documentation can be found in the ue9.py source or using Python help on the method (help(ue9.UE9.ipAddressFilter)). Also, there is a ue9IPAddressFilter.py example in the Examples directory of the LabJackPython download. It demonstrates how to set IP addresses to filter, turn IP address filtering off and read the currently set IP addresses.

The new beta firmware you'll need is Comm version 1.56:

http://labjack.com/s...rmware/ue9/beta

#11 mwanafunzi

mwanafunzi
  • Members
  • 34 posts

Posted 07 April 2013 - 11:43 PM

> Instead of an app I updated LabJackPython to support the new function. Update to the latest LabJackPython:
>
> https://github.com/l...k/LabJackPython
>
> The UE9 class now has an ipAddressFilter method that lets you set the IP addresses to filter. Python documentation can be found in the ue9.py source or using Python help on the method (help(ue9.UE9.ipAddressFilter)). Also, there is a ue9IPAddressFilter.py example in the Examples directory of the LabJackPython download. It demonstrates how to set IP addresses to filter, turn IP address filtering off and read the currently set IP addresses.
>
> The new beta firmware you'll need is Comm version 1.56:
>
> http://labjack.com/s...rmware/ue9/beta




Thanks, we will have a play this week and report back.

