The network stack matches TCP/IP packets to sessions using the 5-tuple of source and destination IP and port number plus the protocol number. It doesn't (and can't) care how such a packet actually gets to the receiver.
So by spoofing the source address, it's trivial to send packets to your target host. However, to have them actually accepted, the sequence numbers need to be right (or right enough) to slot that packet into the ongoing stream.
But ... packets with bad sequence numbers don't break a connection, they're just assumed to be retransmissions of something that already arrived (if the number is low) or an indication that a bunch of packets were lost (if high). This is a little complicated by the fact that the session is bi-directional, but not too much.
So, especially if you're able to monitor the packets of the session, it's fairly simple to hijack it by sending sequence numbers a bit ahead of the legitimate sender, causing its packets to be discarded as duplicates, and yours to be accepted.
How micro is your micro? There are embedded TLS stacks such as wolfSSL[1]. If you carefully select the cipher suite and certificate requirements, and perhaps limit TLS payload sizes, you may be able to fit on a lot more systems than you initially suspect. x.509 is expensive in code space though, if that's the constraint, you may do better with an application specific certificate replacement of some sort.
pcdoodle|3 years ago
2. They exchange some secret sauce to make sure they're sure of each other (I have no room for TLS on micro computer).
3. The connection is never severed.
How does this get attacked over WAN? IP Spoofing or something? Let's assume the LAN of the client is secure.
__d|3 years ago
So by spoofing the source address, it's trivial to send packets to your target host. However, to have them actually accepted, the sequence numbers need to be right (or right enough) to slot that packet into the ongoing stream.
But ... packets with bad sequence numbers don't break a connection, they're just assumed to be retransmissions of something that already arrived (if the number is low) or an indication that a bunch of packets were lost (if high). This is a little complicated by the fact that the session is bi-directional, but not too much.
So, especially if you're able to monitor the packets of the session, it's fairly simple to hijack it by sending sequence numbers a bit ahead of the legitimate sender, causing its packets to be discarded as duplicates, and yours to be accepted.
toast0|3 years ago
How micro is your micro? There are embedded TLS stacks such as wolfSSL[1]. If you carefully select the cipher suite and certificate requirements, and perhaps limit TLS payload sizes, you may be able to fit on a lot more systems than you initially suspect. x.509 is expensive in code space though, if that's the constraint, you may do better with an application specific certificate replacement of some sort.
[1] https://www.wolfssl.com/
bombcar|3 years ago
Now imagine that router does things to your packets.
If they’re not encrypted how do you know?