Defensive Coding Tip: Applying Control Request Filters to Particle Devices

As a physical security measure, or simply to reduce the risk of accidentally altering the wrong device, you may wish to limit the functionality of your device’s onboard USB port and BLE interface.

In Device OS 3.3.0 and later, this is possible using a feature known as the Control Request Filter. Think of it as a sort of firewall for your USB port and BLE interface. Importantly, the same control request filter also applies to both interfaces.

How it works

Adding the following to your firmware will disable all data commands sent to the device over USB/BLE →

System.setControlRequestFilter(SystemControlRequestAclAction::DENY);

If you try and run a command such as ‘particle usb dfu’ against a device running this code, the Particle CLI will return a ‘Not Allowed’ message.

You can also elect to deny specific actions, such as putting the device into DFU mode or resetting it. Here’s how that would look in code:

System.setControlRequestFilter(SystemControlRequestAclAction::ALLOW, {
  {CTRL_REQUEST_DFU_MODE, SystemControlRequestAclAction::DENY},
  {CTRL_REQUEST_RESET, SystemControlRequestAclAction::DENY}
});

The first line sets a default ‘allow’ action, and the two following lines override that to deny the specific DFU and RESET functions.

For a full list of functions that can be included in the control request filter, check out the Device OS system control code.

Important caveats:

  • These filters do not prevent the device from entering DFU mode or otherwise completely. They simply prevent this from happening over USB/BLE.
  • The filters do not apply when a device is in safe mode.

Happy filtering!

6 Likes