IoT security vs hobbyists' boards

So, you bought your brand new Arduino/Genuino Uno and some nice-but-useless sensor (such as a temperature sensor for your bedroom), and you feel ready to enter the Internet of Things world. You want to build a little "cloud" by yourself (using Apache+PHP on some hosting, or perhaps an MQTT server like RabbitMQ), or maybe use some cloud-ready service.

Bad Things Happen

Even if you have heard a lot of news about IoT security, you will ask yourself: "Why me? There is no reason to hack my devices. I'm not working for the CIA/NSA/FBI, there is no value in hacking me. Hackers won't waste their time on me." Then you're wrong. Very wrong.

Why? For two main reasons. First, many attacks are performed by automated tools, not humans; computers do not sleep and do not need to rest, so they have plenty of time to attack you. Second, you are worth attacking because you always have something of value (at least): an internet connection and local resources (such as disk space, computational power, and so on).

Let's give some examples for the second reason: even if your device is a SoC (system-on-chip) with a 600 MHz CPU and a few MB of RAM, if you add up the computational power of all IoT devices, you get something like a huge supercomputer, at zero cost. And if that doesn't scare you, this example will: what if an attacker needs to break into a bank to steal money? What if they need to break into a military facility? They will use your device as a gateway (and then wipe out all traces), so you will be identified as the responsible party (e.g. by checking the IP address).

So, security is very important, even in IoT devices.

IoT platforms and security: overview

In IoT-enabled projects, two kinds of devices are common: microcontrollers (such as Arduino/Genuino) and System-on-Chip boards (such as the Raspberry Pi).

The former category (microcontrollers) is dominated by two vendors. The first is Atmel (especially its AVRs): practically none of the Atmel processors found in hobbyist boards can support TLS v1.2, for two main reasons: first, the computational power is too low; second, the storage for certificates and the memory for the operations are insufficient. The other big player is Espressif (maker of the ESP8266, mounted on the widely known NodeMCU boards): these boards have limited memory, but they have enough computational power to handle TLS connections.

The System-on-Chip category, instead, is much broader (Intel, ARM, NVIDIA processors): practically every board is capable of doing TLS.

So, even though Arduino/Genuino is an Italian product (and I'm proud of it), I advise choosing Espressif microcontrollers or, better, SoC devices for Internet of Things projects. And, of course, I advise using TLS.
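As an added example for the SoC side (my own code, not part of the original post): the TLS client context a Raspberry Pi would use to reach your own MQTT broker or HTTPS endpoint, next to the verification-off context that hobby scripts often end up with, and an audit function that tells the two apart; the `ca_file` path is an assumption.

```python
import socket
import ssl


def make_iot_tls_context(ca_file=None):
    """Client context for a SoC device talking to its own broker/endpoint:
    TLS 1.2 minimum, certificate chain verification and hostname check on.
    ca_file (assumed path) pins the device to your own CA instead of the
    system trust store; None keeps the system store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def make_insecure_context():
    """Constructed 'what hobby code often ends up with': verification switched
    off and any protocol version accepted. Kept only to feed the audit below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked, any valid certificate is accepted")
    min_v = ctx.minimum_version
    if min_v == ssl.TLSVersion.MINIMUM_SUPPORTED or min_v < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def open_tls_socket(host, port, ctx=None):
    """Connect with the hardened context; server_hostname is what enables the
    hostname check. Network call, so not exercised offline."""
    ctx = ctx or make_iot_tls_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", make_insecure_context()),
                      ("hardened", make_iot_tls_context())):
        print(name, audit_tls_context(ctx) or "OK")
```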

In a future post I'll describe in detail the weaknesses (or strengths) of widely used devices and code.