Remote access tutorial extremely insecure

This tutorial:
http://wiki.ros.org/ROS/Tutorials/MultipleRemoteMachines#PortForwarding_.28PF.29

Encourages newcomers to support remote ROS access via PortForwarding. This is tremendously insecure and directly exposes ROS systems to simple drive-by attacks on the internet. This is highly inadvisable, to the point that we should probably pull that section entirely. I am of course hesitant to delete wiki content, but it's clear we need to review Tutorials for security implications.

How should we go about improving security documentation?

  • Should we flag/tag potentially insecure guides such as this?
  • Do we need to improve documentation of the security issues around ROS 1.x?
  • Should we advise SROS usage in these types of use cases instead?
    • Is SROS easy enough for newcomers that this is viable?

For that tutorial in particular I think a boxed security warning at the top should be sufficient.

As to documenting security issues around ROS 1.x, I would suggest asking the security working group to make a recommendation.

As to SROS, I am not familiar enough with it yet to make a recommendation either way. Perhaps the security WG has more insight.


Huh, I’ve never seen that tutorial. Looks like it was added a year ago or so. I agree, it at the very least needs a large warning up there. I’d rather see it rewritten to use smee.io or ngrok or something similarly temporary, but then it moves away from the paper it’s touting. I wouldn’t consider SROS a solution in this case.
