Security Settings

Last Updated on: 2024-07-26 03:44:13

This topic offers suggestions for improving gateway security to align with best practices during operation.

Root password

The THP23-X-D development board uses a one-device-one-key encryption scheme, ensuring that each device has a unique root password. It is recommended to leave this feature unchanged and not modify the root password.

SSH

Enabling SSH can leave the system vulnerable to unauthorized access attempts and cyberattacks, so it is recommended to disable it.

Enable SSH:

root@SmartGateway:~# nvram set enable_ssh true
root@SmartGateway:~# nvram commit

Disable SSH:

root@SmartGateway:~# nvram set enable_ssh false
root@SmartGateway:~# nvram commit

U-Boot

The U-Boot mode provides the highest level of access. To prevent the firmware from being overwritten, it is advisable to disable access to U-Boot mode.

Allow access to U-Boot:

root@SmartGateway:~# nvram set persist.boot.enter on
root@SmartGateway:~# nvram commit

Disallow access to U-Boot:

root@SmartGateway:~# nvram set persist.boot.enter off
root@SmartGateway:~# nvram commit
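
The SSH and U-Boot settings above can be checked together before a device ships. The following is an added example, not code from the original page or from Tuya: it audits a settings dump supplied on stdin. Assumptions: the dump is a list of key=value lines (the page does not document a dump command or its format), enable_ssh=false means SSH is disabled (inferred from the key name), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: settings arrive on stdin as key=value lines
# (dump format not documented on the page); enable_ssh=false means SSH is off.

# check_setting KEY OBSERVED HARDENED: print PASS/FAIL, return 0 only on match.
check_setting() {
    if [ -z "$2" ]; then
        echo "FAIL $1: not set, state unknown"
        return 1
    elif [ "$2" = "$3" ]; then
        echo "PASS $1=$2"
        return 0
    fi
    echo "FAIL $1=$2 (expected $3)"
    return 1
}

# audit_gateway_settings: read key=value lines, return 0 only if SSH and
# U-Boot entry are both disabled. A missing key is a failure; last value wins.
audit_gateway_settings() {
    ssh_val="" uboot_val="" cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *=*) ;; *) continue ;; esac   # skip non-settings
        line=${line%"$cr"}                            # serial captures use CRLF
        key=${line%%=*} val=${line#*=}
        case "$key" in
            enable_ssh)         ssh_val=$val ;;
            persist.boot.enter) uboot_val=$val ;;
        esac
    done
    rc=0
    check_setting enable_ssh "$ssh_val" false || rc=1
    check_setting persist.boot.enter "$uboot_val" off || rc=1
    return "$rc"
}

# Constructed sample (not captured from a real device): SSH left enabled.
sample_dump() {
    printf '%s\n' 'enable_ssh=true' 'persist.boot.enter=off'
}

sample_dump | audit_gateway_settings || echo "gateway is not hardened"
```

A key that is absent from the dump is reported as a failure rather than assumed safe, because the effective default is not stated on this page.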

Other suggestions

  • Remove the physical debug interfaces, such as JTAG and SWD.
  • Do not expose any sensitive data in logs, such as UUID and Authkey.
  • Limit the use of local network ports to only those necessary for the Tuya service.
  • Restrict remote network access to only the Tuya service to prevent potential security vulnerabilities.
  • All network data exchanges should be restricted to the country or region where the device is located, or as permitted by law.