I am using a NodeMCU board with WiFi capabilities to build a simple asset tracker. I have managed to find a few Arduino sketches that enables connectivity to Azure IoT Hub and post messages.

One of the keys I need to "load" onto the board is the Azure Device Connection string and of course a WiFi SSID and password.

My fear is someone might simply take the board and "download" the files to get access to the security credentials.

Is my fear unwarranted or is the loss of credentials a real threat I need to mitigate?

rams

4 Answers

[disclaimer: I'm a security / crypto professional and deal with security architecture questions like this every day.]

You have stumbled onto the problem of storing credentials in such a way that an unattended process can access them, but an attacker cannot. This is a well known and very difficult problem to solve.

If your IoT device has a hardware keystore built-in to the motherboard, like some TPMs, or the equivalent to the Android Hardware-backed Keystore or Apple Secure Enclave, then you can use that.

With traditional servers you can use HSMs or Smart Cards, but the only full software solution that I'm aware of is to derive an AES key from some sort of "hardware fingerprint" built by combining serial numbers of all the hardware devices. Then use that AES key to encrypt the credentials. A process running on the same server can reconstruct the AES key and decrypt the credentials, but once you extract the file from the server, it's essentially un-decryptable.

IoT throws a wrench into that for two reasons:

  1. The assumption that hardware serial numbers are unique probably does not hold, and

  2. Unlike servers, attackers have physical access to the device, therefore can probably get a shell on the device to run the decryption program.

Both hardware encryption (TPMs) and "hardware fingerprint" encryption are obfuscation at best because, fundamentally, if a local process can decrypt the data, then an attacker able to run that local process can also decrypt it.

So the standard trick looks like it doesn't work here. The first question you need to ask yourself is:

  • What is my threat model / where does this project sit on the Secure <--> Convenient scale?

Ultimately, I think you either need to decide that security > convenience and have a human enter the credentials after each boot-up (using something like @BenceKaulics's answer), or you decide that security < convenience and just put the credentials on the device, maybe using some obfuscation if you feel that makes a difference.

This is a hard problem made harder by the nature of IoT devices.

For completeness, the full-blown industrial solution to this problem is:

  • Give each IoT device a unique RSA public key at manufacture time. Record this public key in a db against the device serial number.
  • Store the sensitive credentials on a proper server, let's call it a "gateway".
  • When an IoT device authenticates to the gateway (using its RSA key), the gateway opens a session for it using the stored credentials and hands the session token back to the device.
  • For best security, the gateway is a physical (or VPN) gateway so that all traffic from the IoT device passes through the gateway and you have more control over firewall rules and stuff - ideally preventing the device from having direct (non-VPN tunneled) access to the internet.

This way, an attacker who compromises a device can get a session opened, but never has direct access to the credentials.

Mike Ounsworth
The threat is real but luckily you are not the first or only one with this kind of security concern.

The ESP WiFi Manager is what you need here.

With this library the ESP that does not have a saved session will switch into AP mode and will host a web portal. If you connect to this AP with a PC or smart phone, then you will be able to configure the WiFi credentials via a web page.

You do not have to hardcode the critical information and you can use your device on any WiFi network you want without the need of reflashing it.

How It Works

  • when your ESP starts up, it sets it up in Station mode and tries to connect to a previously saved Access Point

  • if this is unsuccessful (or no previous network saved) it moves the ESP into Access Point mode and spins up a DNS and WebServer (default ip 192.168.4.1)

  • using any wifi enabled device with a browser (computer, phone, tablet) connect to the newly created Access Point

  • because of the Captive Portal and the DNS server you will either get a 'Join to network' type of popup or get any domain you try to access redirected to the configuration portal

  • choose one of the access points scanned, enter password, click save

  • ESP will try to connect. If successful, it relinquishes control back to your app. If not, reconnect to AP and reconfigure.

(ESP WiFi Manager documentation)

Bence Kaulics
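An added example (not from the answer above or the WiFiManager project) of how the captive-portal flow described in "How It Works" can be used on a NodeMCU to collect both the WiFi credentials and the Azure IoT Hub connection string at runtime, so neither is compiled into the sketch; the AP name, AP password and LittleFS file path are my own choices.

```arduino
#include <ESP8266WiFi.h>
#include <WiFiManager.h>   // tzapu/WiFiManager (Arduino library)
#include <LittleFS.h>

// Where the Azure connection string is kept in the ESP8266 flash filesystem.
// It is stored in the clear: whoever dumps the flash can still read it, but
// it is no longer compiled into the sketch and never has to be reflashed.
static const char *CONN_PATH = "/azure_conn.txt";   // assumed path
static char azureConn[256] = "";   // Azure IoT Hub device connection string
static bool shouldSave = false;

void saveCallback() { shouldSave = true; }

// Load a previously saved connection string, if any.
bool loadConnString() {
  File f = LittleFS.open(CONN_PATH, "r");
  if (!f) return false;
  size_t n = f.readBytes(azureConn, sizeof(azureConn) - 1);
  azureConn[n] = '\0';
  f.close();
  return n > 0;
}

void storeConnString(const char *value) {
  File f = LittleFS.open(CONN_PATH, "w");
  if (!f) return;
  f.print(value);
  f.close();
}

void setup() {
  Serial.begin(115200);
  LittleFS.begin();
  loadConnString();
  // Extra field on the captive-portal page, next to the WiFi selector.
  WiFiManagerParameter connParam("azconn", "Azure connection string",
                                 azureConn, sizeof(azureConn) - 1);
  WiFiManager wm;
  wm.addParameter(&connParam);
  wm.setSaveConfigCallback(saveCallback);
  wm.setConfigPortalTimeout(180);   // close the portal after 3 minutes
  // Station mode first; on failure, AP "AssetTracker-Setup" with a captive portal.
  // The AP password keeps passers-by off the setup page while it is open.
  if (!wm.autoConnect("AssetTracker-Setup", "change-me-now")) ESP.restart();
  if (shouldSave) {   // user submitted the portal form: persist the new value
    strlcpy(azureConn, connParam.getValue(), sizeof(azureConn));
    storeConnString(azureConn);
  }
}

void loop() { /* Azure IoT Hub client code uses azureConn from here on */ }
```

The WiFi credentials themselves are persisted by the ESP8266 SDK, so on the next boot the device reconnects and skips the portal; hold the portal open only as long as needed, since the stored values are recoverable by anyone who can dump the flash.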
Yes, they can access your password if you leave it as plain text.

The good point is many wifi connection interfaces accept hashed passwords. While the ones I used accepted md5 hashes and md5 is not super secure, it is still a very hard challenge for average joe. Depending on your configuration file, you either state the name of your hashing algorithm and then write your password or you use the default your wifi interface uses.

atakanyenel
Simple answer - YES. It can be done. You have to, at least, perform some kind of obfuscation to provide minimal protection.

Amit Vujic