One question we are frequently asked is what the security considerations are when running a Nebra Hotspot on your network.
We've taken measures to ensure reasonable security where possible, and this documentation goes over some of the steps we've taken to keep the units as secure as reasonably possible.
The Nebra Hotspots run a variant of Linux called Balena OS, which is based on Yocto. Yocto is a cut-down variant of Linux designed for embedded devices. Due to its lightweight nature, only necessary packages are included, which keeps the risk of exploits to a minimum.
Once connected to the internet, Nebra Hotspots download updates over the air (OTA). We're planning on releasing updates on a frequent basis to ensure that the software is kept as up to date as possible.
The software that runs on the unit is all distributed in Docker containers. These are configured so that containers can only access certain parts of the hotspot, helping keep the different pieces of software isolated to a reasonable level where possible.
All of the software that runs on the Nebra Hotspots can be found on our GitHub pages:
Repository | Description |
---|---|
https://github.com/nebraltd/helium-miner-software | Software for Nebra Helium Miners |
https://github.com/NebraLtd/hm-diag | Nebra Helium Miner Diagnostics |
https://github.com/NebraLtd/hm-config | Nebra Helium Miner Config Container |
https://github.com/NebraLtd/hm-pktfwd | Nebra Helium Miner Packet Forwarder |
https://github.com/NebraLtd/hm-miner | Nebra Helium Miner Container |
https://github.com/NebraLtd/hm-upnp | UPNP Container for Nebra Hotspots |
https://github.com/NebraLtd/hm-gwmfr | ECC Secure Element Chip Provision Tool |
The Nebra Hotspots use the following ports; however, these do not need to be port forwarded.
Port Number | Description |
---|---|
53 | DNS Name Resolution |
123 | NTP Time Synchronization |
443 | Connection to Update Servers |
Finally, the hotspots only have the following services running on the network:
Port Number | Description |
---|---|
80 | Hotspot Diagnostics |
You may need to whitelist the following domains for updates to work.
Domain | Description |
---|---|
*.nebra.com | Nebra Server Communication |
*.balena-cloud.com | Balena OTA Update Server |
*.docker.com | Docker Image Servers |
*.docker.io | Docker Image Servers |
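
As an added example (not Nebra's own code), the following Python checks connection records against the ports and domains listed in the tables above and reports anything those tables do not cover. The record layout, function names and sample hostnames are constructed for illustration, and treating `*.nebra.com` as not covering the bare `nebra.com` is an assumption.

```python
# Added example: audit flow records against the documented ports and domains.
# Record layout, names and sample hostnames are constructed for illustration.
OUTBOUND_PORTS = {53, 123, 443}  # DNS, NTP, update servers (from the page)
INBOUND_PORTS = {80}             # hotspot diagnostics (from the page)
ALLOWED_DOMAINS = ["*.nebra.com", "*.balena-cloud.com", "*.docker.com", "*.docker.io"]


def domain_allowed(host, patterns=ALLOWED_DOMAINS):
    """Match host against '*.example.com' patterns on label boundaries."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        suffix = pattern.lower().lstrip("*")  # '*.nebra.com' -> '.nebra.com'
        # The leading dot stops 'not-nebra.com' from matching; the length
        # check requires a label in front of it (assumption: the wildcard
        # does not cover the bare domain).
        if host.endswith(suffix) and len(host) > len(suffix):
            return True
    return False


def audit(flows):
    """Return (flow, reason) pairs for traffic the documented lists do not cover."""
    findings = []
    for flow in flows:
        direction, port, host = flow["dir"], flow["port"], flow.get("host")
        if direction == "in":
            if port not in INBOUND_PORTS:
                findings.append((flow, "listening service not documented"))
        elif port not in OUTBOUND_PORTS:
            findings.append((flow, "outbound port not documented"))
        elif port == 443 and (host is None or not domain_allowed(host)):
            findings.append((flow, "HTTPS destination outside the domain list"))
    return findings


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    {"dir": "out", "port": 443, "host": "example-host.balena-cloud.com"},
    {"dir": "out", "port": 123, "host": None},
    {"dir": "out", "port": 443, "host": "not-nebra.com"},
    {"dir": "out", "port": 8080, "host": "example-host.docker.io"},
    {"dir": "in", "port": 80, "host": None},
    {"dir": "in", "port": 22, "host": None},
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(reason, flow)
```

A finding here means only that the traffic is not covered by the tables on this page, which makes it a candidate for review on the network where the hotspot is installed.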