Posts | Comments

Planet Arduino

Archive for the ‘Security’ Category

SSL/TLS stack and HW secure element

At Arduino, we are hard at work to keep improving the security of our hardware and software products, and we would like to run you through how our IoT Cloud service works.

The Arduino IoT Cloud‘s security is based on three key elements:

  • The open-source library ArduinoBearSSL for implementing TLS protocol on Arduino boards;
  • A hardware secure element (Microchip ATECCX08A) to guarantee authenticity and confidentiality during communication;
  • A device certificate provisioning process to allow client authentication during MQTT sessions.

ArduinoBearSSL

In the past, it has been challenging to create a complete SSL/TLS library implementation on embedded (constrained) devices with very limited resources. 

An Arduino MKR WiFi 1010, for instance, only has 32KB of RAM while the standard SSL/TLS protocol implementations were designed for more powerful devices with ~256MB of RAM.

As of today, a lot of embedded devices still do not properly implement the full SSL/TLS stack and fail to implement good security because they misuse or strip functionalities from the library, e.g. we found out that a lot of off-brand boards use code that does not actually validate the server’s certificate, making them an easy target for server impersonation and man-in-the-middle attacks.

Security is paramount to us, and we do not want to make compromises in this regard when it comes to our offering in both hardware and software. We are therefore always looking at “safe by default” settings and implementations. 

Particularly in the IoT era, operating without specific security measures in place puts customers and their data at risk.

This is why we wanted to make sure the security standards adopted nowadays in high-performance settings are ported to microcontrollers (MCUs) and embedded devices.

Back in 2017, while looking at different SSL/TLS libraries supporting TLS 1.2 and modern cryptography (something that could work with very little RAM/ROM footprint, have no OS dependency, and be compatible with the embedded C world), we decided to give BearSSL a try.

BearSSL: What is it?

BearSSL provides an implementation of the SSL/TLS protocol (RFC 5246) written in C and developed by Thomas Pornin.

Optimized for constrained devices, BearSSL aims at small code footprint and low RAM usage. As per its guiding rules, it tries to find a reasonable trade-off between several partly conflicting goals:

  • Security: defaults should be robust and using patently insecure algorithms or protocols should be made difficult in the API, or simply not possible;
  • Interoperability with existing SSL/TLS servers; 
  • Allowing lightweight algorithms for CPU-challenged platforms; 
  • Be extensible with strong and efficient implementations on big systems where code footprint is less important.

BearSSL and Arduino

Our development team picked it as an excellent starting point for us to make BearSSL fit in our Arduino boards focusing on both security and performance.

The firmware developers team worked hard on porting BearSSL to Arduino bundling it together as a very nice and open-source library: ArduinoBearSSL.

Because the computational effort of performing a crypto algorithm is high, we decided to offload part of this task to hardware, using a secure element (we often call it a “cypto chip”). Its advantages are:

  • Making the computation of cryptography operations faster;
  • You are not forced to use all the available RAM of your device for these demanding tasks;
  • Allows storing private keys securely (more on this later);
  • It provides a true random number generator (TRNG).

How does the TLS protocol work?

TLS uses both asymmetric and symmetric encryption. Asymmetric encryption is used during the TLS handshake between the client and the server to exchange the shared session key for communication encryption. The algorithms commonly used in this phase are based on Rivest-Shamir-Adleman (RSA) or Diffie-Hellman algorithms. 

TLS 1.2 Handshake flow

After the TLS handshake, the client and the server both have a session key for symmetric encryption (e.g. algorithms AES 128 or AES 256).

The TLS protocol is an important part of our IoT Cloud security model because it guarantees an encrypted communication between the IoT devices and our servers.

The secure element

In order to save memory and improve security, our development team has chosen to introduce a hardware secure element to offload part of the cryptography algorithms computational load, as well as to generate, store, and manage certificates. For this reason, on the Arduino MKR family, Arduino Nano 33 IoT and Arduino Uno WiFi Rev2, you will find the secure element ATECC508A or ATECC608A manufactured by Microchip.

How do we use the secure element?

A secure element is an advanced hardware component able to perform cryptographic functions, we have decided to implement it on our boards to guarantee two fundamental security properties in the IoT communication: 

  • Authenticity: You can trust who you are communicating with;
  • Confidentiality: You can be sure the communication is private.

Moreover, the secure element is used during the provisioning process to configure the Arduino board for Arduino IoT Cloud. In order to connect to the Arduino IoT Cloud MQTT broker, our boards don’t use a standard credentials authentication (username/password pair). We rather opted for implementing a higher-level authentication, known as client certificate authentication.

How does the Arduino provisioning work?

The whole process is possible thanks to an API, which exposes an endpoint a client can interact with.

As you can see in the diagram below, first the Client requests to register a new device on Arduino IoT Cloud via the API, to which the server (API) returns a UUID (Universally Unique IDentifier). At this point, the user can upload the sketch Provisioning.ino to the target board. This code is responsible for multiple tasks:

  • Generating a private key using the ATECCX08A, and store it in a secure slot that can be only read by the secure element;
  • Generating a CSR (Certificate Signing Request) using the device UUID as Common Name (CN) and the generated private key to sign it;
  • Storing the certificate signed by Arduino acting as the authority.

After the CSR generation, the user sends it via the API to the server and the server returns a certificate signed by Arduino. This certificate is stored, in a compressed format, in a slot of the secure element (usually in slot 10) and it is used to authenticate the device to the Arduino IoT Cloud.

Home automation is a popular project to undertake but its complexity can quickly become daunting, especially if you go further than controlling a few lights (or if you’re a renter). To test the waters you may want to start with something like this home safety monitor, which is an IoT device based on an Arduino. It allows remote monitoring of a home for things such as temperature, toxic gasses, light, and other variables, which is valuable even if you don’t need or want to control anything.

The device is built around an Arduino Nano 33 IOT which has WiFi and Bluetooth capabilities as well as some integrated security features. This build features a number of sensors including pressure/humidity, a gas/smoke detector, and a light sensor. To report all of the information it gathers around the home, an interface with Ubidots is configured to allow easy (and secure) access to the data gathered by the device.

The PCB and code for the project are all provided on the project page, and there are a number of other options available if Ubidots isn’t your preferred method of interfacing with the Internet of Things. You might even give Mozilla’s WebThings a shot if you’re so inclined.

Arduino Create Agent is a plug-in that was designed to help Arduino users connect their devices to the Arduino Create platform. The plug-in lets your browser communicate with your device’s serial port from a web application.  

We chose Bitrock’s InstallBuilder, a powerful and easy to use cross-platform installer creation tool, for generating the Arduino Create Agent installers (Windows, macOS, Linux). Those binaries are then served through our global CDN.

Yesterday, Bitrock has published an important security advisory in which they stated that Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. A specially crafted payload can be appended to an existing installer and trick the installer initialization code to execute code included in it, while the existing signature remains valid.

The issue, originally reported to them by Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech), got addressed by releasing an updated version of InstallBuilder so all their customers could re-build and re-release their installers. CVE-2019-5530 has been assigned to this issue (CVSSv3 score of 6.7).

Once we’ve been notified, and given the potential impact of this security issue, we worked around the clock to re-build and re-release our Agent’s Windows installer. Version 1.1.89 has now been released through our official channels.

Please note that all versions of the Windows installer before version 1.1.89 are vulnerable to CVE-2019-5530.

Because this issue can be exploited with existing binaries already released, we also want to remind all of you to only download installers from official sources.

If you have any questions regarding this security issue, or if you need any help with upgrading your installer, please do not hesitate to contact Arduino Support through e-mail at support@arduino.cc.

We are excited to announce that we’ve selected Auth0 as the identity management platform of choice for Arduino. We will replace our own Single Sign On solution with Auth0 for all public facing web properties, including Arduino Create and other apps.

We discovered that our own homegrown authentication solution would not scale to meet the rapidly developing needs of the growing global community and decided to reach out to Auth0. In addition to Single Sign On, Arduino will take advantage of Auth0’s new Universal Login, which enables developers to completely customise their branded authentication experiences quickly, and Device Flow for browserless or input-constrained devices.

“We wanted a robust platform to replace our SSO solution but also give us the flexibility to do cool, new things in the device authentication space. Auth0 is a brand we admire, and their API-based approach makes it easy to migrate our login data in a way that’s completely transparent for the customer. We are excited to welcome them to our global community.” – Gianluca Varisco, Arduino CISO

We plan to leverage the power of both communities and events, and explore a technical partnership in the IoT domain. Auth0 currently secures more than 2.5 billion logins per month for 21 million users.

“I have been using Arduino for years as the brain for my personal projects, so working with them in a business capacity is really rewarding. When you empower the developer with simple, powerful tools, the whole business benefits. We are excited by the reach of the Arduino community and aligned in our mission to help the developer in their journey to innovate.” – Eugenio Pace, Auth0 CEO and co-founder 

A little less than a month ago, I joined Arduino as their Chief Information Security Officer. I’ve been in touch with the team for the past couple of months and feel incredibly lucky to be part of such a talented and driven group of people.

We’re working hard on developing a robust, well-rounded security program that fits our organisation and busy improving our security posture across all departments. I am a true believer that it all starts from introducing a strong culture of security awareness — where employees feel confident and empowered to take action against security issues.  

Today, I’m thrilled to announce the first release of Arduino’s Coordinated Vulnerability Disclosure (CVD) Policy.

We used some great references when putting it together and we’d like to give them a shout out here: HackerOne’s VDP guidelines, CEPS’ report on “Software Vulnerability Disclosure in Europe,” and the US DoJ Cyber Security unit’s VDP framework. We also took into consideration recent Senate testimony of experts in vulnerability disclosure in the role hackers can play in strengthening security, Dropbox’s announcement on protecting researchers and 18F’s own policy. I even wanted to publicly thank Amit Elazari Bar On, a doctoral law candidate (J.S.D.) at UC Berkeley School of Law and a Lecturer at UC Berkeley School of Information Master in Cybersecurity program for her useful advices and for providing the amazing “#legalbugbounty” standardisation project.

We’re also happy to announce that all of the text in our policy is a freely copyable template. We’ve done this because we’d like to see others take a similar approach. We’ve put some effort in to this across our teams and if you like what you see, please use it. Similarly, if you have improvements to suggest, we’d love to hear from you.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process aimed at mitigating/eradicating the potential negative impacts of vulnerabilities. It can be defined as “the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of vulnerabilities and their mitigation to various stakeholders, including the public.”

Figure 1: Relationships among actors in the CVD process. Source: “The CERT Guide to Coordinated Vulnerability Disclosure,” Software Engineering Institute, Carnegie Mellon University

Why is it important for us?

At Arduino, we consider the security of our systems and products a top priority. No technology is perfect, and Arduino believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered, as set out in this policy, so that we can fix them and keep our information safe.

If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

This policy describes how to send us vulnerability reports and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Where can I find it?

A copy of the policy is published on our Vulnerability Disclosure Policy page. The official document lives in GitHub. If you would like to comment or suggest a change to the policy, please open a GitHub issue.

Thank you for helping keep Arduino and our users safe!

— Gianluca Varisco

University of Birmingham researchers found two vulnerabilities that allow hackers to gain entry to almost all VW vehicles manufactured after 1995.A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.

Read more on MAKE

The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.

University of Birmingham researchers found two vulnerabilities that allow hackers to gain entry to almost all VW vehicles manufactured after 1995.A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.

Read more on MAKE

The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.

[Ido Gendel] was thinking about new and interesting ways to send data between devices, when he realized that the answer was right in his hand. Literally: he decided to try sending data using the mouse pointer. What he came up with was an interesting hack that uses small movements of the mouse pointer to send data at up to 1200bps, or about 150 bytes per second.

The way he did this was very, very clever. He used an Arduino Leonardo that is set to emulate a mouse, working alongside his existing mouse. This setup means that he can use his existing mouse: the system just sees the Arduino as a second mouse, and the pointer just looks a little jerky when you zoom in. That is because the Arduino is just sending tiny movements, each of which is a code that represents a nybble (4 binary bits) of data. By using both a combination of three left-right or up-down movements, he was able to create 16 movements, each of which can encode 4 bits of data. Each of these encoding movements also returns the mouse to its origin point, so the mouse doesn’t mysteriously scroll off the screen when data is being sent.

The encoding scheme used by [Ido].
The encoding scheme used by [Ido].
On the computer, a custom program detects and decodes this movement, recreating the stream of data. In his example, this is data from a photoresistor, but it could be anything from random data to the contents of a secret file.

Of course, this isn’t a practical way of sending secret data: it only works when the custom program is active, 150 bytes per second is rather slow and enabling mouse acceleration in Windows stops it working because it masks the small movement. But it is an awesome hack that shows how you can send data in ways that you might not first think of. When you are trying to make a device as simple as possible, this is an important lesson to learn.


Filed under: Arduino Hacks, peripherals hacks

All photos taken by space150.Use an Apple Watch to automagically open doors at home or at work with a tap on your wrist.

Read more on MAKE

The post Make an Apple Watch Door Unlocker appeared first on Make: DIY Projects, How-Tos, Electronics, Crafts and Ideas for Makers.

Giu
03

Secure and Track Your Bike with this Arduino-Based GPS Lock

arduino, bicycle, bike, bike lock, lock, Security, Transportation Commenti disabilitati su Secure and Track Your Bike with this Arduino-Based GPS Lock 

Riding a bike can be fun, great exercise, and, if you live in a city conducive to it, a great mode of transportation. According to author Scott Bennett who lives in Vancouver BC, Canada, a city with a high bike theft rate, he “wanted to have some peace of mind […]

Read more on MAKE

The post Secure and Track Your Bike with this Arduino-Based GPS Lock appeared first on Make:.



  • Newsletter

    Sign up for the PlanetArduino Newsletter, which delivers the most popular articles via e-mail to your inbox every week. Just fill in the information below and submit.

  • Like Us on Facebook