-2

Is it safe to use the serial port for sending sensitive information? For instance, bank credentials, passwords, etc.?

We have a hardware-based safe in which people can save sensitive information. The hardware is safe because it's totally offline. However, the information is then sent when connected to the computer via UART (a proprietary app is used to listen to the serial port).

I am aware that you cannot listen to the serial port at the same time from two devices. So that'd technically make it safe, right? Could a hacker find a vulnerability and listen to the serial while the COM port is opened by some other program?

Luis Cruz
  • 1,488
  • 3
  • 22
  • 50
  • 1
    It is almost never a real issue, UART connections are always short. A couple of meters, tops. If there is something in the middle then you can always see it with the unaided eye. Never take security advice from the Internet, you have to show your customers a formal document that demonstrates that you thought about it and weighed the consequences. A recommendation that they need to provide physical security is expected. – Hans Passant Mar 22 '18 at 12:41
  • Is there anything software-based listener for the UART? Something that you couldn't see with the naked eye. – Luis Cruz Mar 22 '18 at 13:55
  • Serial communications generally are not secure. *"I am aware that you cannot listen to the serial port at the same time from two devices."* -- Wrong, you're conflating proper usage with security. The wires can be tapped. You neglect to mention the full configuration. COM ports have traditionally been connected to modems (that's why they got that name). The phone line is obviously not secure. Nor is any RS-232 link unless it's under your full control. – sawdust Mar 22 '18 at 17:39

1 Answer

1

Once the device is connected to the computer, if you consider the scenario where that computer could have been compromised, then there are plenty of attack vectors available, especially if you consider root/system access.

If that is the case, you don't only worry about someone sniffing the communication ports. The attacker can access the memory of the process (application) that is accessing the port anyway, so all of the information that is being read from the offline device is at some point in memory and can be read by the attacker.

palako
  • 3,342
  • 2
  • 23
  • 33