Abstract
This talk describes the process of designing and building a secure remote access device which can be plugged into servers and other devices, using off the shelf hobby hardware.
We will cover:
- Why use an external device rather than known software like VNC.
What is the risk/benefit from a security point of view?
- Emulating a keyboard and mouse with a Raspberry pi.
(This may be of interest to Red Teamers!)
- Capturing realtime hdmi graphics cheaply.
- Novel access control using a self signed PKI and Trust on first use (we will cover both initial pairing and subsequent lend/borrow transactions)
- Secure access to the device from a browser via webRTC (We will discuss the trade offs in using a browser as an access method vs a dedicated app/protocol)
We will describe the limited network exposure of the device (How we keep no open ports, how we can ignore unauthorised traffic)
We will discuss the design and implementation of the software and the steps taken to improve its security such as programming language choice, risky idioms we avoided and supply chain dependency risk minimisation.
The talk will have some thing for everyone, red teamers, blue teamers, network security folks and software developers can all learn from our experience in building this device because security had to be considered in every layer of the process.
