Security aspects and device provisioning

In many applications, IoT devices collect and transmit sensitive data, such as personal information or financial data, which can be at risk of theft or unauthorized access if the data is not properly secured. Security must be a top priority in the design and implementation of any IoT application to ensure the safety and privacy of the data transmitted through the system.

The weakest link in the chain of IoT architecture in terms of security is the IoT node and the interface between the IoT device and the cloud.

I know that we said that there is always a gateway between the IoT node and the cloud. The fact is that the gateway implements all the communication layers for a reliable end-to-end communication channel between devices and the cloud. The node and the cloud are at the ends of this channel and, mainly at this layer, the data can be vulnerable to hacking, tampering, or unauthorized access, potentially compromising its security and privacy.

Hardware security

Attackers can exploit security vulnerabilities due to outdated or unpatched software, and this is even more probable when nodes are based on microcomputers running common operating systems. The probability decreases significantly when the node features a microcontroller that runs on bare metal as firmware, like in the case of the Arduino ecosystem. This is because the software running on the device is reduced to the minimum strictly necessary to run the device.

The adoption of strong data encryption algorithms on nodes protects the data transmitted over the network, making it less vulnerable to eavesdropping or tampering. In this case, too, the Arduino ecosystem demonstrates that it is a good choice for the implementation of an IoT application: Arduino devices for IoT embed secure elements, called crypto-chips, able to generate and manage security keys at the hardware level, without the need to include a password in the source code of the node application. We’ll see what this means and how it works toward the end of this section, but it’s now necessary to talk about another security risk related to IoT nodes.

That is inadequate access controls: some IoT devices with inadequate access controls may allow unauthorized individuals to access or control the device, potentially compromising the security of the system as a whole.

The access can be remote or even direct to the device to extract the original firmware from the device and overwrite it with a different version programmed by hackers. The extraction of the firmware could also be used just for replicating the functionalities of an original device on compatible but cloned hardware, threatening the results of an IoT business.

Arduino has engineered a safe version of their traditional bootloader to prevent these risks. A bootloader is the first software that is executed on the device and is responsible for loading the firmware and initializing the device’s hardware.

The Arduino Safe Bootloader adds a secure environment to the traditional bootloader by implementing mechanisms for firmware fail-safe authentication and secure updates. These prevent unauthorized access to the device’s firmware and ensure that only authorized firmware can be executed on the device.

An authenticity check of the firmware is based on digital signatures and guarantees security: the bootloader checks the digital signature of the firmware before loading it into the device’s memory and doesn’t proceed in the case of unauthorized or wrongly signed firmware, preventing the device from booting. In the same way, the safe bootloader protects against tampering, data corruption, and reverse engineering: it validates a new version of the firmware before overwriting the old one and can be configured to prevent the reading of the actual firmware from the device.

The programmer of the IoT node generates and manages their digital signatures, maintaining full control of the device, but excluding others at the same time.

I recommend the adoption of the secure bootloader in any IoT project because the minimal effort required to implement it is repaid immediately in terms of the security and integrity of the device and data.

Microcontroller-based nodes, with strong hardware encryption capabilities and secure boot mechanisms, address most of the security concerns on the node. Regular security audits ensure that the data exchanged between IoT devices and the backend systems is protected, while the providers of cloud platforms and cloud applications are responsible for securing the backend systems on the cloud that process and store the data by implementing secure data storage practices and regular backups, as well as regularly monitoring the systems to detect and respond promptly to potential security incidents.

Encryption for secure communication

Arduino considers the security of its IoT cloud and Arduino-based IoT nodes a top priority. The Arduino IoT Cloud requires connections with SSL/TLS encryption, and devices not implementing it cannot be provisioned to the cloud. The Arduino IoT Cloud regularly updates its security measures to address new threats and vulnerabilities and runs on the Amazon AWS platform, which has data centers and a network architecture built to meet the requirements of the most security-sensitive organizations.

The provisioning of IoT nodes refers to the process of configuring and setting up a device for operation and connecting it to a network or platform so that it can exchange data with it and interact with other devices. During this process, the device shall be configured with the information to establish a secure connection to the cloud and the cloud shall be configured to accept connections from the registered, well-known device and to manage the data exchanged with it.

Once the device is provisioned, it can connect to the cloud when required and exchange data in a secure way.

The SSL/TLS security protocols are the most adopted for secure communications on the Internet and use a combination of both symmetric and asymmetric encryption:

• Asymmetric encryption: Public-key cryptography, also referred to as asymmetric encryption, employs a set of public and private keys to perform encryption and decryption processes on data. In this method, the public key is utilized for encrypting the data, whereas the private key is employed for decrypting the data.
• Symmetric encryption, on the other hand, uses a single shared secret key to encrypt and decrypt data. It is faster and more efficient than asymmetric encryption but requires a secure method of exchanging the secret key between the client and the server.

In SSL/TLS, the initial handshake between the client and the server is performed using asymmetric encryption. The client and the server agree on a shared secret key, which is then used for symmetric encryption of the data transmitted between them. This approach provides both security and performance, making it a suitable encryption protocol for securing communications in IoT environments.

In the end, the device needs to know the public key for the SSL/TLS handshake and the cloud needs to know a unique device key or device identity to recognize the connection from a legitimate device. This data shall be configured during the provisioning phase for each IoT device that we want to deploy for our application.

The provisioning for a limited number of devices is usually manual or semi-automatic and is performed during the programming of each single device. In this phase, the programmer defines the unique identifier of their device and registers it on the cloud, then generates the security key on the cloud, and copies it to the device. It’s not a difficult process, but it may become complicated because different clouds have different architectures and ways to do this.

Bulk device provisioning

IoT solutions that require a medium or mass deployment of nodes usually adopt a fully automatic process that starts from the production of the electronics. The owner of the IoT solution provides a list of unique device identifiers and a security certificate to the manufacturer of the devices. The manufacturer assigns a device identifier from the list to each device, stores the certificate, and eventually flashes the application firmware on it, making each node ready to run out of the factory.

The Arduino IoT Cloud mainly provides semi-automatic provisioning, as we’ll see in detail in the next chapter. The user connects the device to a USB port of the programming PC and a web wizard is responsible for the rest of the job. The wizard recognizes the Arduino board model and flashes firmware on it responsible for the generation and storage of the security key on the crypto-chip. Finally, it completes the registration of the device on the Arduino IoT Cloud.

Even though the wizard does everything, I still consider this process semi-automatic; in fact, if you have multiple devices, you need to connect them to the USB one at a time. Actually, you may implement more automatic provisioning of Arduino boards on the Arduino IoT Cloud by programming a good script for Arduino CLI and using a smart USB hub that flexibly switches host connectivity between ports, but the topic is beyond this book.

Arduino PRO for commercial use cases

Arduino PRO can support businesses in their mass deployment by pre-provisioning devices during their production when several hundreds or thousands of devices are involved. You may contact the Arduino PRO team on the Arduino website and discuss your project with them.

We have already mentioned the crypto-chip a few times, so we’ll end this section by talking about this component. The crypto-chip, also known as a Secure Element or Trusted Platform Module (TPM), is a hardware component used to securely store and manage cryptographic keys and perform cryptographic operations. Having its own secure processor and memory, it provides a root of trust, meaning it acts as a foundation for secure operations on the device.

Storing the device’s unique identity, or a security certificate, in a secure element, as well as any other cryptographic keys used to encrypt and decrypt data, is much safer than writing them in the firmware or software code of the device. This is because the crypto-chip performs the cryptographic operations at the hardware level and the keys would not store on the hardware. Even reverse engineering activity wouldn’t be able to reveal sensitive information contained on the device.

In this section, we have talked about security aspects and device provisioning in detail. To address security issues, Arduino devices for the IoT embed secure elements, called crypto-chips. It is recommended to adopt a secure bootloader in any IoT project for better security. Use SSL/TLS for device-to-cloud communication, which will provide safe passage for your devices’ data for in/out operations. Next, we’ll discuss open source as we proceed with this chapter.