IoT & Hardware
Reader small image

You're reading from  Arduino IoT Cloud for Developers

Product typeBook
Published inNov 2023
PublisherPackt
ISBN-139781837637171
Edition1st Edition
Concepts
IoT Development
Right arrow
Author (1)
Muhammad Afzal
Muhammad Afzal
author image
Muhammad Afzal

Muhammad Afzal is a senior software engineer, with more than 14 years of experience working on web-based and IoT systems in multinational organizations. He always enjoys working and solving real-world business problems with technology. He provides freelance services to IoT-based product companies to write technical reviews and projects, and he also provides consultancy to organizations. In his free time, Muhammad creates videos and courses for YouTube and Udemy. He also runs a maker movement in his region for young students to boost their interest in adopting the latest technologies.
Read more about Muhammad Afzal

Right arrow

Security aspects and device provisioning

In many applications, IoT devices collect and transmit sensitive data, such as personal information or financial data, which can be at risk of theft or unauthorized access if the data is not properly secured. Security must be a top priority in the design and implementation of any IoT application to ensure the safety and privacy of the data transmitted through the system.

The weakest link in the chain of IoT architecture in terms of security is the IoT node and the interface between the IoT device and the cloud.

I know that we said that there is always a gateway between the IoT node and the cloud. The fact is that the gateway implements all the communication layers for a reliable end-to-end communication channel between devices and the cloud. The node and the cloud are at the ends of this channel and, mainly at this layer, the data can be vulnerable to hacking, tampering, or unauthorized access, potentially compromising its security and privacy.

Hardware security

Attackers can exploit security vulnerabilities due to outdated or unpatched software, and this is even more probable when nodes are based on microcomputers running common operating systems. The probability decreases significantly when the node features a microcontroller that runs on bare metal as firmware, like in the case of the Arduino ecosystem. This is because the software running on the device is reduced to the minimum strictly necessary to run the device.

The adoption of strong data encryption algorithms on nodes protects the data transmitted over the network, making it less vulnerable to eavesdropping or tampering. In this case, too, the Arduino ecosystem demonstrates that it is a good choice for the implementation of an IoT application: Arduino devices for IoT embed secure elements, called crypto-chips, able to generate and manage security keys at the hardware level, without the need to include a password in the source code of the node application. We’ll see what this means and how it works toward the end of this section, but it’s now necessary to talk about another security risk related to IoT nodes.

That is inadequate access controls: some IoT devices with inadequate access controls may allow unauthorized individuals to access or control the device, potentially compromising the security of the system as a whole.

The access can be remote or even direct to the device to extract the original firmware from the device and overwrite it with a different version programmed by hackers. The extraction of the firmware could also be used just for replicating the functionalities of an original device on compatible but cloned hardware, threatening the results of an IoT business.

Arduino has engineered a safe version of their traditional bootloader to prevent these risks. A bootloader is the first software that is executed on the device and is responsible for loading the firmware and initializing the device’s hardware.

The Arduino Safe Bootloader adds a secure environment to the traditional bootloader by implementing mechanisms for firmware fail-safe authentication and secure updates. These prevent unauthorized access to the device’s firmware and ensure that only authorized firmware can be executed on the device.

An authenticity check of the firmware is based on digital signatures and guarantees security: the bootloader checks the digital signature of the firmware before loading it into the device’s memory and doesn’t proceed in the case of unauthorized or wrongly signed firmware, preventing the device from booting. In the same way, the safe bootloader protects against tampering, data corruption, and reverse engineering: it validates a new version of the firmware before overwriting the old one and can be configured to prevent the reading of the actual firmware from the device.

The programmer of the IoT node generates and manages their digital signatures, maintaining full control of the device, but excluding others at the same time.

I recommend the adoption of the secure bootloader in any IoT project because the minimal effort required to implement it is repaid immediately in terms of the security and integrity of the device and data.

Microcontroller-based nodes, with strong hardware encryption capabilities and secure boot mechanisms, address most of the security concerns on the node. Regular security audits ensure that the data exchanged between IoT devices and the backend systems is protected, while the providers of cloud platforms and cloud applications are responsible for securing the backend systems on the cloud that process and store the data by implementing secure data storage practices and regular backups, as well as regularly monitoring the systems to detect and respond promptly to potential security incidents.

Encryption for secure communication

Arduino considers the security of its IoT cloud and Arduino-based IoT nodes a top priority. The Arduino IoT Cloud requires connections with SSL/TLS encryption, and devices not implementing it cannot be provisioned to the cloud. The Arduino IoT Cloud regularly updates its security measures to address new threats and vulnerabilities and runs on the Amazon AWS platform, which has data centers and a network architecture built to meet the requirements of the most security-sensitive organizations.

The provisioning of IoT nodes refers to the process of configuring and setting up a device for operation and connecting it to a network or platform so that it can exchange data with it and interact with other devices. During this process, the device shall be configured with the information to establish a secure connection to the cloud and the cloud shall be configured to accept connections from the registered, well-known device and to manage the data exchanged with it.

Once the device is provisioned, it can connect to the cloud when required and exchange data in a secure way.

The SSL/TLS security protocols are the most adopted for secure communications on the Internet and use a combination of both symmetric and asymmetric encryption:

  • Asymmetric encryption: Public-key cryptography, also referred to as asymmetric encryption, employs a set of public and private keys to perform encryption and decryption processes on data. In this method, the public key is utilized for encrypting the data, whereas the private key is employed for decrypting the data.
  • Symmetric encryption, on the other hand, uses a single shared secret key to encrypt and decrypt data. It is faster and more efficient than asymmetric encryption but requires a secure method of exchanging the secret key between the client and the server.

In SSL/TLS, the initial handshake between the client and the server is performed using asymmetric encryption. The client and the server agree on a shared secret key, which is then used for symmetric encryption of the data transmitted between them. This approach provides both security and performance, making it a suitable encryption protocol for securing communications in IoT environments.

In the end, the device needs to know the public key for the SSL/TLS handshake and the cloud needs to know a unique device key or device identity to recognize the connection from a legitimate device. This data shall be configured during the provisioning phase for each IoT device that we want to deploy for our application.

The provisioning for a limited number of devices is usually manual or semi-automatic and is performed during the programming of each single device. In this phase, the programmer defines the unique identifier of their device and registers it on the cloud, then generates the security key on the cloud, and copies it to the device. It’s not a difficult process, but it may become complicated because different clouds have different architectures and ways to do this.

Bulk device provisioning

IoT solutions that require a medium or mass deployment of nodes usually adopt a fully automatic process that starts from the production of the electronics. The owner of the IoT solution provides a list of unique device identifiers and a security certificate to the manufacturer of the devices. The manufacturer assigns a device identifier from the list to each device, stores the certificate, and eventually flashes the application firmware on it, making each node ready to run out of the factory.

The Arduino IoT Cloud mainly provides semi-automatic provisioning, as we’ll see in detail in the next chapter. The user connects the device to a USB port of the programming PC and a web wizard is responsible for the rest of the job. The wizard recognizes the Arduino board model and flashes firmware on it responsible for the generation and storage of the security key on the crypto-chip. Finally, it completes the registration of the device on the Arduino IoT Cloud.

Even though the wizard does everything, I still consider this process semi-automatic; in fact, if you have multiple devices, you need to connect them to the USB one at a time. Actually, you may implement more automatic provisioning of Arduino boards on the Arduino IoT Cloud by programming a good script for Arduino CLI and using a smart USB hub that flexibly switches host connectivity between ports, but the topic is beyond this book.

Arduino PRO for commercial use cases

Arduino PRO can support businesses in their mass deployment by pre-provisioning devices during their production when several hundreds or thousands of devices are involved. You may contact the Arduino PRO team on the Arduino website and discuss your project with them.

We have already mentioned the crypto-chip a few times, so we’ll end this section by talking about this component. The crypto-chip, also known as a Secure Element or Trusted Platform Module (TPM), is a hardware component used to securely store and manage cryptographic keys and perform cryptographic operations. Having its own secure processor and memory, it provides a root of trust, meaning it acts as a foundation for secure operations on the device.

Storing the device’s unique identity, or a security certificate, in a secure element, as well as any other cryptographic keys used to encrypt and decrypt data, is much safer than writing them in the firmware or software code of the device. This is because the crypto-chip performs the cryptographic operations at the hardware level and the keys would not store on the hardware. Even reverse engineering activity wouldn’t be able to reveal sensitive information contained on the device.

In this section, we have talked about security aspects and device provisioning in detail. To address security issues, Arduino devices for the IoT embed secure elements, called crypto-chips. It is recommended to adopt a secure bootloader in any IoT project for better security. Use SSL/TLS for device-to-cloud communication, which will provide safe passage for your devices’ data for in/out operations. Next, we’ll discuss open source as we proceed with this chapter.

Previous Page
Chapter 3 of 21, Page 7
Next Page
You have been reading a chapter from
Arduino IoT Cloud for Developers
Published in: Nov 2023Publisher: PacktISBN-13: 9781837637171
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Author (1)

author image
Muhammad Afzal

Muhammad Afzal is a senior software engineer, with more than 14 years of experience working on web-based and IoT systems in multinational organizations. He always enjoys working and solving real-world business problems with technology. He provides freelance services to IoT-based product companies to write technical reviews and projects, and he also provides consultancy to organizations. In his free time, Muhammad creates videos and courses for YouTube and Udemy. He also runs a maker movement in his region for young students to boost their interest in adopting the latest technologies.
Read more about Muhammad Afzal

Personalised recommendations for you

Based on your interests and search pattern

Architectural Patterns and Techniques for Developing IoT Solutions

Architectural Patterns and Techniques for Developing IoT Solutions

This book covers all the patterns and considerations that give you both the power and flexibility to build scalable, secure, and performant IoT solutions by combining various patterns in interesting ways. It also lists the benefits of combining IoT with technologies like blockchain, 3D-printing, 5G, Generative AI, quantum computing, and LLMs.

BookSep 2023304 pages
Arduino Data Communications

Arduino Data Communications

Arduino Data Communication focuses on IoT’s Internet aspect, guiding you in setting up your own infrastructure for storing and managing the data collected from sensors. This book goes beyond microcontroller basics, equipping you with the knowledge essential for building real-world projects.

BookNov 2023286 pages5
Arduino IoT Cloud for Developers

Arduino IoT Cloud for Developers

From fundamental principles to advanced techniques, this comprehensive book equips you with the knowledge and skills needed to design and deploy IoT applications seamlessly. Explore cloud integration, best practices, and real-world projects to harness the full potential of IoT application development with the Arduino IoT Cloud.

BookNov 2023402 pages
The Azure IoT Handbook

The Azure IoT Handbook

Building IoT Systems with Azure IoT is a comprehensive introduction for those who are new to the Internet of Things and looking to get up to speed in no time. This book will teach you how to create and develop IoT solutions with intelligent edge-to-cloud technologies in the Azure cloud.

BookDec 2023248 pages