Internet of Things... Security

One of the issues with security and the Arduino UNO with the ENC or the WizNet chips for Ethernet is that most of the IP stack is handled by the UNO, not the chipset

The Wiznet does more work for you than the ENC but is still remains that if you want SSL which is the normal web security layer applied to protect the message transport from client to host takes more resources than available on the device

To apply true encryption also is a heavy resource operation as well as the time it takes to perform the encryption

Most projects move toward a more advanced controller if they want SLL or encryption, for instance the CC3200 from TI has an encryption engine built in hardware on chip so it is relatively easy to use with minimal code, they can also handle SSL natively

Newer network modules like the recent WIFI modules may be able to handle SLL on behalf of the UNO but that’s because they have a micro-controller of their own offloading the main CPU

Regards

Peter

Thanks Robert Peter Oakes.

I had a feeling this was going to be an issue. Looks like I'm going to ditch the Arduino platform altogether and upgrade to a more powerful (Perhaps 32-bit) processor. I will take a look into the CC3200 chip.

It did cross my mind at one point to use a GSM shield and send all data through the GPRS network. At least the most susceptible end of the link will be encrypted courtesy of the network provider.

A lot of the new processor chips now include an encryption circuit.

At the very least, you can do a simple encoding to make sure nobody gets your data unless you want them to.

Security issues are the biggest impediment to the IoT in my opinion.

DAB

Hi DAB

Your opinion is shared with mine.

I have seen a fair number of security issues surrounding IOT devices and was keen to avoid falling into the same trap.

After losing confidence that an encryption approach was going to work I looked into a couple of encoding functions (such as XOR). Strangely the decoded output on the Web Server didn't match the data sent, and trying an online decrypting website offered a third alternative. So I had no point of reference anyway.

They say you can't put a price on your health, and for the sake of my mental health I have taken Robert Peter Oakess advice and ordered one of these bad-boys to experiment with: CC3200-LAUNCHXL - TEXAS INSTRUMENTS - LAUNCHPAD CC3200 SIMPLELINK WIFI ON CHIP | Farnell element14

As for internet, look to SSL communication like https!

Thanks clem57, SSL was the first thing I looked at. Unfortunately I googled "Arduino UNO SSL" and got this:

Yup, Arduino UNO and SSL do not mix in any universe but there are options

For instance, the ESP-01 etc. are sub processors with extensive capability and I believe this includes SSL, also a YUN can offload this task from the basic Arduino, some Launchpad’s (TivaC or CC3200 for instance) have crypto libraries built in and can still be fairly easy to program

Food for thought

I think the best way to deal with IoT security is to look at the data you are sending.

As long as you are just looking at states and raw data, you are pretty safe from anyone making sense of what you are sending.

If you send messages, then using the old compiler technic of a message ID number instead of a detailed message allows you to customize what IDs mean different events, data or issues.

Security is most needed when you put data together with context.  At that point, you have valuable information and you really should secure it.

The nice thing about a simple code is that it is secure if only you have the ability to put the code into a useable context.

DAB

This was part of a news item in NZ ... mainly about the smart TV's.

It pointed to this report which reinforces what you're saying DAB.

http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Mark