AWS IoT and Security
When we talk about the security of the Internet of Things (IoT), we should first make clear which side of security we mean. The fact is that there is no system that cannot be hacked and none that is absolutely reliable; the only question is time, money, or plain accident. Fiber-optic communication networks would seem quite reliable because of the physical nature of the connection, yet if the data is not encrypted, attackers can still get at the information flow. What, then, can be said about wireless networks, and in particular about the basis of the Internet of Things, Wi-Fi technology, or more correctly IEEE 802.11? At the same time, do not forget that any system can break down or fail under load. Robots, electronics, and various mechanical devices with an Internet connection, just as without one, are potentially dangerous. Incidentally, the discipline of mechatronics, which fits the IoT stack remarkably well, is now almost entirely forgotten. In short, security is a multifaceted concept, and in this publication I would like to touch on only a small part of the problem, using the example of solving encryption and data transmission problems for IoT devices.

The 10 Most Vulnerable IoT Security Targets - Internet of Things Institute
The security of data transmission across the open space of Internet communications is the main task that must be taken into account when designing and operating any technology related to the Internet of Things. Unlike traditional approaches to building Internet communications, IoT networks are only at the starting point of their development. It may seem that by ensuring sufficient reliability and scaling of the server systems and user devices and by encrypting the data, IoT security can be successfully ensured. This is not entirely true. For example, it is possible to build a system where the data from a home assistant's camera is encrypted well enough and transmitted to the server, where it is then decrypted and archived in reliable storage, and then, for some reason, access to this archive is opened over the banal FTP protocol. Here the attacker need not bother breaking into the end devices or the servers, but can limit himself to a well-known network file access protocol. Thus security is a multifaceted concept in which even small nuances and trifles must not be forgotten. After all, the protection of IoT devices is nullified if it is possible to compromise the operating system of the IoT gateway or any other point in the IoT chain of connections where, for example, data is stored in the clear.
Developers of complex distributed systems such as IoT must provide a reliable solution for securing the infrastructure of the entire system: not only ruling out compromise of the system through attacks on devices, but also protecting users' personal data and similar information about the owners of IoT end devices. Therefore, when designing a system based on the Internet of Things concept, you always need to remember that there are two equally important domains:
- communication of IoT devices;
- ensuring reliable storage, processing and presentation of data.
As is not difficult to guess, using a ready-made solution based on modern AWS IoT tools, you can actually get a solution to the security problem at the level of device interaction out of the box. At the same time, data and software solutions can be protected through the use of additional services included in the AWS cloud. But we should not forget that for the Internet of Things the bottleneck still remains the bandwidth of the communication channels. After all, reliable access to Wi-Fi, 3G or LTE is not available everywhere.
In industrial and home networks it is quite possible to get a guaranteed access speed, but this is not always so easy for mobile devices. Encryption in such systems can therefore also be a negative factor: it complicates the end devices and increases the size of the data packets. One need not think long to answer the question of how hard strong encryption algorithms are to implement on an 8-bit Arduino Uno microcontroller. However, one should not forget Moore's law and the rapid development of electronics.

Advances in Semi Manufacturing Continue to Make Products Better and More Affordable - Intel Newsroom
If you need to encrypt the data, it is now quite possible to find a solution that is acceptable in cost and able to implement the necessary algorithms on a microcontroller or microprocessor. Data protection can also be provided at the hardware level in Ethernet interface chips, Wi-Fi or 3G modules. It should be understood that there is little point in worrying about encrypting data that will be publicly available anyway, for example in open temperature monitoring systems. But here a completely different security issue can manifest itself: data compromise. If you do not take care of authentication and authorization of "your" IoT devices, you can miss the moment when an attacker's equipment, "disguised" as such a device, feeds deliberately false data into the system.
As noted earlier, an integrated approach to solving the security problem can be seen today in modern cloud computing. Let's take a closer look at Amazon's IoT technologies in this regard. The Amazon Web Services (AWS) cloud is available for testing as a "free tier". For AWS IoT, for example, 250,000 messages (published or delivered) per month are available during the first year after registration. Similar limits exist for many other services. Unfortunately, the free tier does not mean you can experiment "mindlessly". The user of this cloud should always be aware of what triggers certain actions and how. Anything that exceeds the free usage threshold will have to be paid for at the current rates.
Enrolling in the AWS cloud is fairly straightforward. However, the service will immediately request $1 from the customer's card to confirm that bills can be paid with that card. The service will also check that a new user has a real phone, and here a small surprise may await. You can confirm the phone automatically after a call from the service, but for smartphone owners the call may ring not in the phone application but in Viber. The number of attempts to enter the confirmation code is limited, and if you don't guess where in Viber to enter the cherished digits, you can simply exhaust the limit and wait about a day before the next attempt. Well, for some reason that is what happened. In any case, Amazon technical support will always help, even on the free tier. Having described the problem in the chat, it is quite possible to resolve such a question literally within minutes after a live call from an operator. We can assume that all other issues related to working with the service can be resolved just as quickly with technical support. And where unprecedented quality is required for the use of cloud resources, the service offers paid technical support plans.
So, starting to work with the cloud, many immediately begin to experiment with virtual machines, file storage, and so on. But our task is to consider the AWS IoT service and understand how secure this solution is. Since AWS IoT is only part of the Amazon cloud, this service integrates one way or another with many other AWS services. For this there is the Rules Engine, which lets you build a set of rules for the interaction of connected devices with other cloud computing resources. For example, you can wire AWS IoT up to the AWS Lambda code execution service, the Amazon DynamoDB non-relational database, or the Amazon Kinesis Streams streaming and analysis service.

AWS IoT - Amazon Web Services
Central to AWS IoT is the Device Gateway, which enables devices to communicate with the cloud platform. In fact it is an MQTT broker which, on the one hand, provides a secure connection for devices using an authentication and authorization mechanism and, on the other hand, lets you use the full potential of AWS solutions and services. The gateway also supports MQTT over WebSockets and HTTP 1.1. AWS IoT scales automatically and is advertised as supporting more than a billion devices. Interestingly, Amazon has a solution for the case when the connection to a remote device is lost: Device Shadows. A "shadow" is a virtual representation of the last known state of a device, which stays available even when the device itself is unreachable. You can also set a desired future state in the shadow, and the device picks up the difference between the desired and reported state the next time it connects.
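To make the shadow mechanism concrete, here is an added example written for this article; it is not code from the page or from AWS. It models one thing's classic shadow document in Python with the documented rules (nested merge, null deletes a key, delta = desired attributes that differ from reported) and walks through the offline case: the device reports, goes offline, an application sets a desired state, and on reconnect the device reads the delta. The device-side allowlist (ALLOWED_VALUES) and the attribute names led and interval_s are assumptions for the illustration; they show why a device should validate a desired state before acting on it rather than trusting whatever was written into the shadow.

```python
"""Added example: AWS IoT Device Shadow semantics and a device that validates
the delta it receives. Attribute names and the allowlist are assumed."""
import copy
from typing import Any, Dict, Optional


def merge_update(current: Dict[str, Any], update: Dict[str, Any]) -> Dict[str, Any]:
    """Apply an update to one shadow section: nested objects merge, null deletes a key."""
    merged = dict(current)
    for key, value in update.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_update(merged[key], value)
        else:
            merged[key] = value
    return merged


def compute_delta(desired: Dict[str, Any], reported: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Delta = desired attributes whose value differs from the reported one (None if equal)."""
    delta: Dict[str, Any] = {}
    for key, value in desired.items():
        have = reported.get(key)
        if isinstance(value, dict) and isinstance(have, dict):
            sub = compute_delta(value, have)
            if sub:
                delta[key] = sub
        elif value != have:
            delta[key] = value
    return delta or None


class Shadow:
    """Minimal model of one thing's classic shadow: desired, reported, version."""

    def __init__(self) -> None:
        self.state: Dict[str, Dict[str, Any]] = {"desired": {}, "reported": {}}
        self.version = 0

    def update(self, request: Dict[str, Any]) -> Dict[str, Any]:
        """Process an /update request; return the accepted document plus the delta
        that would be published on the /update/delta topic."""
        for section in ("desired", "reported"):
            if section in request.get("state", {}):
                self.state[section] = merge_update(self.state[section], request["state"][section])
        self.version += 1
        return {
            "state": copy.deepcopy(self.state),
            "version": self.version,
            "delta": compute_delta(self.state["desired"], self.state["reported"]),
        }


# Assumed device-side allowlist: values the firmware will act on. A reporting
# interval of 0 seconds, for instance, would flood the link and is refused.
ALLOWED_VALUES = {"led": {"on", "off"}, "interval_s": range(10, 3601)}


def apply_delta_safely(delta: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Any]:
    """Device logic: apply only attributes that pass validation, keep the rest as is."""
    new_state = dict(current)
    for key, value in delta.items():
        allowed = ALLOWED_VALUES.get(key)
        if allowed is not None and value in allowed:
            new_state[key] = value
    return new_state


def offline_device_scenario() -> Dict[str, Any]:
    """Device reports, goes offline, desired state is set, device reconnects and validates."""
    shadow = Shadow()
    device_state = {"led": "off", "interval_s": 60}
    shadow.update({"state": {"reported": device_state}})
    # Device offline: an application (or anyone with write access to the shadow)
    # requests a new state, including an interval the device must not accept.
    offline = shadow.update({"state": {"desired": {"led": "on", "interval_s": 0}}})
    # Device reconnects, reads the delta, applies only what passes validation, reports back.
    device_state = apply_delta_safely(offline["delta"], device_state)
    back = shadow.update({"state": {"reported": device_state}})
    return {
        "delta_seen_on_reconnect": offline["delta"],
        "device_state_after": device_state,
        "remaining_delta": back["delta"],
        "version": back["version"],
    }


if __name__ == "__main__":
    print(offline_device_scenario())
```

The remaining delta after the device reports back is the tell-tale sign of a rejected desired value: the application asked for interval_s = 0, the device kept 60, and the shadow keeps showing the disagreement until the desired value is corrected.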
And, most importantly for those who still think that the cloud and the security of the Internet of Things are a myth, an excerpt from the AWS IoT documentation: "Each connected device must have credentials to access the message broker or the device shadow service. All traffic to and from AWS IoT must be encrypted through Transport Layer Security (TLS). Device credentials must be kept secure in order to send data securely to the message broker. AWS Cloud Security protects data when moving between AWS IoT and other AWS devices or services."

Security and Identity for AWS IoT - AWS Documentation
There is only one problem: the Internet of Things involves a huge number of connected devices, and just as many users who can and want to interact with their gadgets and with more serious systems. Even if the cloud solves the problems of scaling and of organizing basic protection of the system's elements, one should not forget, as mentioned earlier, that security is a complex concept in which the main link in the chain of protective measures for the Internet of Things is in most cases organizational: ordinary attentiveness and following the elementary principles of protecting web resources. The main things, after all, are not to trust user data, to validate and verify information, to encrypt traffic, to store encryption keys securely, and much more. Note that, especially at the system design stage,
Amazon provides the AWS IoT SDK for developing IoT hardware devices. Supported languages and platforms: Embedded C, JavaScript, the Arduino Yún board, Java, Python, iOS and Android. Amazon also supports a number of devices and prototyping boards, among which I would like to highlight the Mongoose OS ESP32-DevKitC solution. This is a board based on the low-cost ESP32 module from Espressif Systems. Espressif's inexpensive modules have long been synonymous with the hobbyist Internet of Things. Cesanta's Mongoose OS firmware is also interesting. It also supports the older Espressif ESP8266 modules, as well as devices based on the CC3220, CC3200 and STM32F4 microcontrollers. Unlike the traditional Arduino IDE, Lua or MicroPython solutions for the ESP8266, Mongoose OS is available under two licenses: the free GPLv2 and a commercial license. The choice of license depends on the required functionality and on the type of project in which the firmware is used.
As the basis for the prototype IoT device we will choose the NodeMCU development kit module based on the ESP8266, one of the most popular solutions and also one of the cheapest boards. The average price of a module is about $3. There are several variants and versions of NodeMCU boards; what matters is the ESP8266 chip and the additional 32 Mbit (4 MByte) flash memory, and the rest are minor differences in board layout, for example whether a CH34x or CP210x USB-UART bridge is used.
Working with the chosen firmware, Mongoose OS, is very convenient. We connect the NodeMCU module to a USB port of the computer. If you need a USB-UART bridge driver, which after installation creates a virtual COM port on the computer, a download link can be found in the Downloads section of the Mongoose OS website. Then, from the same Mongoose OS developers' site, download the mos utility for the supported operating systems: Windows, macOS or Linux. After launching mos, all development is done in a graphical shell inside the browser. Two languages are available for development: C/C++ or JavaScript. The former is positioned for industrial solutions, JavaScript for prototyping and debugging.

JavaScript mos development for Mongoose OS firmware.
Configuring the connection to the Wi-Fi router and to the AWS IoT cloud is done inside the graphical shell. But since we have moved to cloud systems, before setting up our board to work with AWS IoT we first need to think about AWS Identity and Access Management (IAM). This service controls user access to cloud services and resources. In the AWS console, select the IAM service, create a user and a group, and assign the user access rights to the AWS IoT service by attaching a policy; for a test connection we will attach the managed policy "AWSIoTFullAccess", which, of course, is not the best solution for real tasks, where the policy should be limited to the actions the provisioning workflow actually needs.
After that, in the mos panel we enter the credentials of the IAM user we created: the "Access Key ID" and the corresponding "Secret Access Key". These credentials are used by the mos tool on the workstation to register the device with AWS IoT; the device itself will authenticate with the X.509 certificate generated in the next step, not with these keys. Next, we develop an application for the device, for example in JavaScript, or simply use the demo example of working with the MQTT broker. Then, after debugging the application locally, we generate the cloud connection certificates on the device:
> mos aws-iot-setup --aws-region REGION --aws-iot-policy mos-default
where REGION is the AWS region in which the AWS IoT resources will be used. Instead of running mos aws-iot-setup from the command line, all the steps of connecting to the cloud can also be completed inside the mos utility's browser interface. After that, you can test the system using the MQTT test client in the AWS IoT console.
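The two security remarks above, that a device masquerading as one of "your" devices can feed false data into the system, and that full-access policies are for test connections only, both come down to the AWS IoT policy attached to the device certificate. The following is an added example written for this article, not code from the page, from Mongoose OS or from the mos tool: a permissive policy (iot:* on every resource) next to a least-privilege policy that uses the AWS IoT policy variable ${iot:Connection.Thing.ThingName}, and a small Python evaluator, simplified from the service's rules, showing that the scoped policy stops the certificate of thing sensor-01 from connecting as, or publishing telemetry for, sensor-02. The region, account id, thing names and topic layout are assumed placeholders.

```python
"""Added example: permissive vs. least-privilege AWS IoT device policy, with a
simplified evaluator showing what each lets a spoofed device do.
Region, account id, thing names and topic layout are assumptions."""
import json
import re
from typing import Any, Dict, List

REGION = "us-east-1"            # assumed
ACCOUNT_ID = "123456789012"     # assumed placeholder
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}"
THING_VAR = "${iot:Connection.Thing.ThingName}"  # AWS IoT policy variable

# A "full access" style device policy: every action on every resource.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Least privilege: the certificate may connect only with the client id of the
# thing it is attached to, publish only to that thing's telemetry topic, and
# subscribe/receive only on that thing's command topic.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN}:client/{THING_VAR}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN}:topic/things/{THING_VAR}/telemetry"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN}:topicfilter/things/{THING_VAR}/cmd"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN}:topic/things/{THING_VAR}/cmd"},
    ],
}


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """Policy wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _expand(resource: str, ctx: Dict[str, str]) -> str:
    """Substitute ${...} policy variables from the connection context.

    In the real service ${iot:Connection.Thing.ThingName} resolves only when the
    presented client id names a thing attached to the certificate; here the
    caller supplies the resolved value directly.
    """
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), resource)


def is_allowed(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_wildcard_match(_expand(r, ctx), resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def spoofing_check(policy: Dict[str, Any]) -> Dict[str, bool]:
    """A certificate attached to thing 'sensor-01' tries legitimate and spoofed operations."""
    ctx = {"iot:Connection.Thing.ThingName": "sensor-01"}
    cases = {
        "connect_as_self": ("iot:Connect", f"{ARN}:client/sensor-01"),
        "connect_as_other": ("iot:Connect", f"{ARN}:client/sensor-02"),
        "publish_own_telemetry": ("iot:Publish", f"{ARN}:topic/things/sensor-01/telemetry"),
        "publish_other_telemetry": ("iot:Publish", f"{ARN}:topic/things/sensor-02/telemetry"),
        "subscribe_everything": ("iot:Subscribe", f"{ARN}:topicfilter/#"),
    }
    return {name: is_allowed(policy, act, res, ctx) for name, (act, res) in cases.items()}


def policy_json(policy: Dict[str, Any]) -> str:
    """Render a policy as the JSON you would paste into the AWS IoT console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(SCOPED_POLICY))
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, spoofing_check(pol))
```

The point of the evaluator is the second row of results: under the permissive policy every spoofed operation succeeds, so an attacker who extracts one device's certificate can impersonate the whole fleet; under the scoped policy the same certificate can only speak for the one thing it is attached to. The evaluator ignores condition keys and other finer points of the real policy language; use it to reason about topic layout, not as a substitute for testing the policy in the console.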

Testing for receiving data from connected devices in an AWS IoT environment.
In the Mongoose OS test application for the ESP8266-based NodeMCU module, pressing the "Flash" button publishes a message containing a report on the memory in use and the uptime. It should be noted that the AWS IoT cloud service has a useful dashboard that presents summary statistics on the operation of the connected devices.

Monitor device health and analyze message statistics in AWS IoT.
Thus, using AWS IoT and Mongoose OS you can get a secure connection for the Internet of Things. However, if basic protection is not enough, there is another interesting possibility. Mongoose OS supports the ATECC508A cryptographic chip. It is in fact a co-processor that generates and stores strong keys for elliptic-curve cryptography. The key length is 256 bits, the chip guarantees a unique 72-bit serial number, and 10 Kbit of built-in EEPROM is available for storing keys, certificates and data (up to 16 keys can be stored in the internal memory). The chip operates in the 2.0 V to 5.5 V voltage range at temperatures from -40 to +85 °C and communicates with the main processor over the I2C bus or, depending on the chip variant, over a high-speed single-wire serial interface. The price of the device is about $0.80. Microchip positions the ATECC508A as a secure element for IoT node security and identity. One could write a separate article about the crypto chip, but it is still better to refer to the source: the official documentation on the manufacturer's website. Microchip Technology also produces reference boards for its crypto chips, including the ATECC508A, for example the fairly simple CryptoAuthentication Xplained Pro Extension Board (ATCRYPTOAUTH-XPRO).
When such a crypto chip is used, the mos aws-iot-setup command uses the chip's hardware resources and configures the data exchange between device and cloud over the secure TLS protocol. Assembling a prototype based on the ATECC508A-SSHDA-B on a solderless breadboard is not a difficult task. The only thing is that, by analogy with the ATCRYPTOAUTH-XPRO board, you can add 3.9 kOhm pull-up resistors on the SDA and SCL signal lines and, of course, a 0.1 uF decoupling capacitor. As usual, so as not to repeat them, links to detailed write-ups on connecting the crypto chip to the ESP8266 are collected at the end of the publication. The one thing to be careful with is the software side: once the keys have been generated, the ATECC508A chip can be locked, as a result of which it enters privacy mode,
Incidentally, do our blog's readers have positive or negative experience with the ATECC508A?

Once again, I want to note that all actions with Mongoose OS can be performed directly in the browser interface of the mos utility. For example, in the RPC Browser tab you can check the connection over the I2C bus by executing the command I2C.Scan, which for the ATECC508A should return [96] (decimal 96 is 0x60, the chip's default 7-bit I2C address). I would especially like to note that the Mongoose OS project has excellent support and the infrastructure of an open project. For example, a chat based on the Gitter service is integrated directly into the mos shell, where you can ask questions of the developers and of Internet of Things enthusiasts.
In conclusion, since our device is already connected to the AWS IoT cloud, we can safely unplug the USB cable from the ESP8266 and connect the mos utility to the device through the AWS cloud service. To do this, run the following command:
Thus, we have looked at the potential of working with the cloud and developing IoT devices, with examples of modern methods of IoT protection. No doubt many will think that this article is too long or that it is all "padding". In turn, I want to note that this is only an introduction to the problem, and our blog will surely carry a more detailed study of web technology security concepts, including solutions for IoT and the social component of the Internet of Things.
The world is changing, and it is changing with us. If until recently many developers could only dream of high-performance computing platforms and of building distributed high-load systems, today this is a reality available as a cloud service. If in the past it was necessary to use special mathematical libraries for calculations on 8-bit microcontrollers, where the task required it, now it is easier to use a 32-bit processor whose price is comparable to that of the project. Our world has changed rapidly, and we can now implement our ideas at a much higher level. And here, by the way, is a bit of inspirational IoT advertising from Amazon Web Services. It remains to wish readers that they create innovations that will help make our world safer, more convenient and more rational.
IoT - Day One - Amazon Web Services
Secretive Fiber Connection: Techniques and Precautions - Habrahabr
A little about Moore’s Law - Habrahabr
Beecham Research reveals extent of security challenges facing the Internet of Things - Comms Business
AWS Free Tier - Amazon Web Services
Getting Started with AWS IoT - Amazon Web Services
AWS Identity and Access Management (IAM) - Amazon Web Services
Comparison of ESP8266 NodeMCU development boards - my2cents
Starting with JavaScript - Cesanta
AWS IoT on Mongoose OS, Part 1 - AWS Partner Network (APN) Blog
AWS IoT on Mongoose OS, Part 2 - AWS Partner Network (APN) Blog
ATECC508A - Microchip Technology
The two-dollar secure IoT solution: Mongoose OS + ESP8266 + ATECC508 + AWS IoT
Security - Mongoose OS Documentation
AWS IoT support for Mongoose OS - Cesanta
Secure remote device management with Mongoose OS and AWS IoT for ESP32, ESP8266, TI CC3200, STM32 - Cesanta
Understanding the AWS IoT Security Model - The Internet of Things on AWS

The 10 Most Vulnerable IoT Security Targets - Internet of Things Institute
The security of data transmission in the open space of Internet communications is the main task that must be taken into account when designing and operating any technology related to the Internet of things. Unlike traditional concepts for building Internet communications, IoT networks are currently only at the starting point of development. In most cases, it may seem that by ensuring sufficient reliability and scaling of server systems, user devices and encrypting data, IoT security can be quite successfully ensured. This is not entirely true, because, for example, it is possible to implement a system where the data from the home assistant’s camera will be encrypted well enough and transmitted to the server, where it will then be unpacked and archived in a reliable storage and, for some reason, open access to this archive via the banal FTP protocol. Here, an attacker can not bother breaking into end devices and servers, but restrict himself to a fairly well-known network file access protocol. Thus, security is a multifaceted concept where you should not forget even about small nuances and trifles. After all, the protection of IoT devices is nullified if it is possible to crack the operating system of the IoT gateway or any other point in the IoT chain of connections, where, for example, data is stored in clear form.
Developers of complex, distributed systems such as IoT should definitely provide a reliable solution for securing the infrastructure of the entire system, i.e. to exclude the possibility of not only hacking the system by attacking devices, but also protect users' personal data or similar information about the owners of IoT end devices, etc. Therefore, when designing a system based on the concept of the Internet of things, you always need to remember that there are two equivalent domains:
- communication of IoT devices;
- ensuring reliable storage, processing and presentation of data.
As it’s not difficult to guess, using a ready-made solution based on modern AWS IoT tools, you can actually get out of the box a solution to the security problem at the level of device interaction. At the same time, data and software solutions can be fully protected through the use of additional services included in the AWS cloud. But we should not forget that for the Internet of things the bottleneck still remains the bandwidth of the communication channels. After all, not everywhere now there is reliable access to Wi-Fi, 3G or LTE.
In industrial and home networks, it is quite possible to get guaranteed access speed, but this will not always be so easy for mobile devices. Therefore, encryption in such systems can be, and vice versa, a relatively negative factor, which only complicates the end devices and increases the size of data packets. For example, you can not think for a long time, answering the question of how complex encryption algorithms can be for implementation on an 8-bit Arduino Uno microcontroller. However, one should not forget about Moore's law and the rapid development of electronics.

Advances in Semi Manufacturing Continue to Make Products Better and More Affordable - Intel Newsroom
If you need to encrypt the data, now it is quite possible to find a solution that is suitable in cost and is able to implement the necessary algorithms based on a microcontroller or microprocessor. Also, data protection can be provided at the hardware level in Ethernet interface chips, Wi-Fi or 3G modules. It should be understood that it is not worth worrying about encrypting data that will already be available in open form, for example, for open temperature monitoring systems, etc. But here a completely different security issue can manifest itself - data compromise. For example, without worrying about authorization and authentication of “your” IoT devices, you can miss the moment when an attacker’s equipment is “disguised” as such a device, giving knowingly false data to the system.
Obviously, as noted earlier, an integrated approach to solving the security problem can now be seen on the example of modern cloud computing. Let's take a closer look at Amazon IoT technologies in this regard. The Amazon Web Services (AWS) cloud is available as a “free tier” test. For example, for AWS IoT, during the first year after registration, 250,000 messages (published or delivered) per month will be available. For many other services, a line of similar limits is available. Unfortunately, Amazon does not allow you to “mindlessly” experiment during trial use. The user of this cloud should always be aware of what triggers or how it generates certain actions. Anything that exceeds the threshold for free use will have to be paid according to current tariffs.
Enrolling in the AWS cloud is fairly straightforward. However, immediately the service will request $ 1 USD from the customer’s card to confirm the possibility of paying bills with this card. Also, for a new user, the service will check the existence of a real phone, and here a small surprise may await it. You can confirm the phone automatically after a service call. But for owners of smartphones, a call may ring out not in the phone application, but in Viber. The amount of entering a confirmation code is limited, if you don’t guess where in Viber you need to enter the cherished numbers, you can simply exhaust the limit and wait about a day before a new attempt. Well, for some reason it happened. In any case, Amazon technical support will always help, even at a free tariff. Having described the problem in the chat, literally in a matter of minutes, it is quite possible to solve a similar question after a live call from the operator. We can assume that all other issues related to working with the service can be very quickly resolved with technical support. And in terms of the use of cloud resources, when unprecedented quality is required, the service provides paid technical support tariffs.
So, starting to work with the cloud, many immediately begin to experiment with virtual machines, file storages, etc. But our task is to consider the AWS IoT service and understand how secure this solution is. Since AWS IoT is only part of the Amazon cloud services, one way or another, this service integrates with many other cloud solutions (AWS Services). To do this, there is a Rules Engine mechanism that allows you to build a set of rules for the interaction of connected devices and other cloud computing resources. For example, you can implement the interaction of AWS IoT and the AWS Lambda code execution service, the Amazon DynamoDB non-relational database, or the Amazon Kinesis Streams streaming and analysis service.

AWS IoT - Amazon Web Services
Central to AWS IoT is the Device Gateway, which enables devices to communicate with the cloud platform. In fact, this is an MQTT broker, which, on the one hand, provides a secure connection of devices using the authentication and authorization mechanism, and on the other hand, allows you to use the full potential of AWS solutions and services. The gateway also supports WebSockets, HTTP 1.1. AWS IoT automatically scales and can support more than a billion devices. Interestingly, in the event of a loss of connection with a remote device from Amazon, there is an interesting solution - these are Device Shadows. “Shadows” are some abstraction or virtual representation of the last state of a device that has become inaccessible. Also for the "shadow" you can set the desired future state.
And most importantly for those who still think that the cloud and the security of the Internet of things is a myth, an excerpt from the AWS IoT documentation: “Each connected device must have credentials to access the message broker or the shadow device service. All traffic to and from AWS IoT must be encrypted through Transport Layer Security (TLS). Device credentials must be kept secure in order to send data securely to the message broker. AWS Cloud Security protects data when moving between AWS IoT and other AWS devices or services. ”

Security and Identity for AWS IoT - AWS Documentation
There is only one problem - the Internet of things requires a huge number of connected devices, however, like many users who can and want to interact with their gadgets and more serious systems. If the cloud solves the problems of scaling and organizing basic protection of system elements, then as mentioned earlier, one should not forget that security is a complex concept, where in most cases, the main link in the chain of measures of protection for the Internet of things is organizational measures, commonplace attention and following elementary principles of organizing the protection of web resources. After all, the main thing is not to trust user data, perform validation and verification of information, encrypt traffic, securely store encryption keys, and much more. Note that especially at the stage of system design,
Amazon provides the AWS IoT SDK to develop IoT hardware devices. Supported languages and platforms: Embedded (embedded) C, JavaScript, Arduino Yun board, Java, Python, iOS and Android. Amazon also supports a number of devices and prototyping boards, among which I would like to highlight the Mongoose OS ESP32-DevKitC solution. This is a board based on the Espressif Systems budget ESP32 module. Espressif's low-cost modules have long been synonymous with the amateur Internet of things. Cesanta's Mongoose OS firmware is also interesting. This firmware is also supported by older Espressif ESP8266 modules, plus devices based on the CC3220, CC3200 and STM32F4 microcontrollers. Unlike the traditional solution based on the Arduino, Lua or MicroPython IDE for ESP8266, the Mongoose OS firmware has two types of licensing: free GPLv2 and commercial license. The choice of license depends on the required supported functionality of the system and the types of projects that use the selected firmware.
As the basis for the prototype IoT device, we will choose the Development Kit NodeMCU module based on the ESP8266, as one of the most popular solutions, however, from the most inexpensive motherboards. The average price for a module is about $ 3 USD. There are several options and versions of NodeMCU boards, the main thing is the ESP8266 chip and an additional 32Mbits (4MBytes) flash memory, and the rest are small differences in the layout of the board, for example, the use of a USB-UART bridge CH34x or CP210x, etc.
Working with the selected firmware - Mongoose OS, is very convenient. We connect the NodeMCU module to the USB port of the computer. If you need a USB-UART bridge driver, which, after installing it on your computer, creates a virtual COM port, then on the Mongoose OS website, in the Downloads section, you can find a link to download the necessary software. Then, from the same Mongoose OS developers site, download the mos utility for the supported operating systems: Windows, MacOS or Linux. Then, after launching mos, all development activities are performed in the graphical shell inside the browser. For development, you can choose two languages: C / C ++ or JavaScript. The first is positioned for industrial solutions, and JavaScript for prototyping and debugging purposes.

JavaScript mos development for Mongoose OS firmware.
Configuring the connection to the Wi-Fi router and to the AWS IoT cloud is done inside the graphical shell. But since we have moved to cloud systems, before setting up the board to work with AWS IoT you first need to think about AWS Identity and Access Management (IAM). This service controls user access to cloud services and resources. In the AWS console, select the IAM service, create a user and a group, and assign the user access rights to the AWS IoT service (a policy name). For a test connection we will grant full access with "AWSIoTFullAccess", which, of course, is not the best solution for real tasks, where a user should be granted only the permissions it actually needs.
After that, in the mos panel we enter the secret credentials of the newly created AWS user: the “Access Key ID” and the corresponding “Secret Access Key”. Next, we develop an application for the device, for example in JavaScript, or simply use the demo example of working with the MQTT broker. Then, after local debugging of the application, we generate the cloud connection certificates on the device:
> mos aws-iot-setup --aws-region REGION --aws-iot-policy mos-default
where REGION is the region chosen by the user in which the AWS IoT resources will be used. Instead of running mos aws-iot-setup from the command line, you can also perform all the cloud-connection steps from within the mos utility environment. After that, you can test the system by running the MQTT test client in AWS IoT.

Testing for receiving data from connected devices in an AWS IoT environment.
In the Mongoose OS test application for the NodeMCU module based on the ESP8266, pressing the “Flash” button publishes a message containing a report on memory usage and uptime. It should be noted that the AWS IoT cloud service offers a useful dashboard presenting summary statistics on the operation of connected devices.

Monitor device health and analyze message statistics in AWS IoT.
Thus, using AWS IoT and Mongoose OS you can get a secure connection for the Internet of things. However, if basic protection is not enough, there is another interesting option. Mongoose OS supports the ATECC508A cryptographic chip. It is in fact a co-processor that generates strong keys using elliptic-curve cryptography. The key length is 256 bits, the chip guarantees a unique 72-bit serial number, and a built-in 10 Kb EEPROM is available for storing keys, certificates and data (up to 16 keys can be stored in the internal memory). The chip operates in the voltage range 2.0 V to 5.5 V at temperatures from -40 to +85 °C and communicates over the I2C bus or, depending on the subtype of the chosen part, over a high-speed single-wire serial interface to the main processor. The price of the device is about $0.8 USD. The ATECC508A is positioned as a security element and identifier (ID) for the IoT node. One could write a separate article about the crypto chip, but it is still better to refer to the source, the official documentation on the manufacturer's website. Microchip Technology also produces reference boards for its crypto chips, including the ATECC508A, for example the fairly simple CryptoAuthentication Xplained Pro Extension Board (ATCRYPTOAUTH-XPRO).
When such a crypto chip is used, the mos aws-iot-setup command will already use the hardware resources of the chip and will configure the device-to-cloud data exchange over the secure TLS protocol. Assembling a prototype based on the ATECC508A-SSHDA-B on a solderless breadboard is not a difficult task. The only thing is that, by analogy with the ATCRYPTOAUTH-XPRO board, you can add 3.9 kOhm pull-up resistors on the SDA and SCL signal lines and, of course, a 0.1 uF decoupling capacitor. As usual, so as not to repeat them here, links to detailed publications on connecting the crypto chip to the ESP8266 are given at the end of the article. The only caveat is that you need to be careful with the software part, since after the keys are generated the ATECC508A chip can be locked, as a result of which it will enter the privacy mode,
Incidentally, do our blog readers have positive or negative experience with the ATECC508A?

Once again, I want to note that all actions with Mongoose OS can be performed directly in the mos utility window in the browser interface. For example, on the RPC Browser tab you can check the connection over the I2C bus by executing the I2C.Scan command, which for an ATECC508A should return its address as [96] (decimal 96 is the chip's default 7-bit I2C address, 0x60). I would especially like to note the excellent support of the Mongoose OS project and its open-project infrastructure. For example, a chat based on the Gitter service is integrated directly into the mos shell, where you can ask questions of the developers and enthusiasts of the Internet of things world.
In conclusion, since our device is already connected to the AWS IoT cloud, we can safely unplug the USB connector from the ESP8266 and connect the mos utility to the device through the AWS cloud service. To do this, run the following command:
mos --cert-file $(mos config-get mqtt.ssl_cert) --key-file $(mos config-get mqtt.ssl_key) --port mqtts://$(mos config-get mqtt.server)/$(mos config-get device.id)
Now you can debug without connecting the device board directly to the computer. The only requirement is that the ESP8266 module can freely access the Internet.
Thus, we have considered the possibilities of working with the cloud and developing IoT devices, with examples of modern methods of IoT protection. Undoubtedly, many will think that this article is too long or that it is all “water”, etc. In turn, I want to note that this is only an introduction to the problem, and our blog will surely have a more detailed study of the concepts of web technology security, including solutions for IoT and the social component of the Internet of things world.
The world is changing, and it is changing together with us. If until recently many developers could only dream of high-performance computing platforms and of building distributed high-load systems, now that is a reality available as a cloud service. If once it was necessary to use special mathematical libraries for calculations on 8-bit microcontrollers, where the task demanded it, now it is easier to use a 32-bit computing unit of comparable price. Our world has changed rapidly, and now we can implement our ideas at a much higher level. And here, by the way, is a bit of inspirational IoT advertising from Amazon Web Services. It remains to wish readers that they create innovations that help make our world safer, more convenient and more rational.
IoT - Day One - Amazon Web Services
Interesting resources and links:
Secretive Fiber Connection: Techniques and Precautions - Habrahabr
A little about Moore’s Law - Habrahabr
Beecham Research reveals extent of security challenges facing the Internet of Things - Comms Business
AWS Free Tier - Amazon Web Services
Getting Started with AWS IoT - Amazon Web Services
AWS Identity and Access Management (IAM) - Amazon Web Services
Comparison of ESP8266 NodeMCU development boards - my2cents
Starting with JavaScript - Cesanta
AWS IoT on Mongoose OS, Part 1 - AWS Partner Network (APN) Blog
AWS IoT on Mongoose OS, Part 2 - AWS Partner Network (APN) Blog
ATECC508A - Microchip Technology
The two-dollar secure IoT solution: Mongoose OS + ESP8266 + ATECC508 + AWS IoT
Security - Mongoose OS Documentation
AWS IoT support for Mongoose OS - Cesanta
Secure remote device management with Mongoose OS and AWS IoT for ESP32, ESP8266, TI CC3200, STM32 - Cesanta
Understanding the AWS IoT Security Model - The Internet of Things on AWS