
AWS IoT and Security

When talking about the security of the Internet of Things (IoT), we should first say which side of security is under discussion. There is no system that cannot be hacked or that is absolutely reliable; it is only a question of time, money, or plain accident. Fiber-optic networks would seem reliable by the physical nature of the connection, yet an attacker can still reach the data flow easily if it is not encrypted. What, then, of wireless networks and, in fact, the foundation of the Internet of Things, Wi-Fi (more correctly, IEEE 802.11)? Nor should it be forgotten that any system can break down or fail under load. Robots, electronics and various mechanical devices, with or without an Internet connection, can potentially cause harm; incidentally, the field of mechatronics, which fits the description of the IoT stack perfectly, is usually overlooked here entirely. In short, security is a multifaceted concept, and in this publication I would like to touch on only a small part of the problem, using the example of encryption and data transfer for IoT devices.


The 10 Most Vulnerable IoT Security Targets - Internet of Things Institute

Securing data transmission across the open space of Internet communications is the main task to be taken into account when designing and operating any Internet of Things technology. Unlike traditional Internet communications, IoT networks are only at the starting point of their development. In most cases it may seem that, by ensuring sufficient reliability and scaling of the server systems and user devices, and by encrypting the data, you can quite successfully secure the IoT. This is not entirely true. For example, you can build a system where data from a home assistant's camera is encrypted well enough, transferred to the server, unpacked there and archived in reliable storage, and then, for some reason, access to that archive is provided over plain FTP. Here an attacker need not bother hacking the end devices or servers, but can limit himself to a well-known network file access protocol. Thus security is a multifaceted concept in which even small nuances and trifles must not be forgotten. After all, the protection of IoT devices is negated if the operating system of the IoT gateway, or any other point in the IoT chain where data is stored in the clear, can be compromised.

Developers of complex distributed systems such as IoT must definitely provide a reliable solution for protecting the infrastructure of the whole system, that is, not only exclude the possibility of hacking the system by attacking devices, but also protect the personal data of users and similar information about the owners of IoT end devices. Therefore, when designing a system based on the Internet of Things concept, one should always remember that there are two equally important domains:
- IoT device communication;
- ensuring reliable storage, processing and presentation of data.
As is not hard to guess, a ready-made solution built on modern AWS IoT tools gives you an out-of-the-box answer to the security problem at the level of device interaction. Protection of data and software can then be secured by additional services included in the AWS cloud. But we should not forget that for the Internet of Things the bandwidth of communication channels remains a bottleneck: reliable access to Wi-Fi, 3G or LTE is still not available everywhere.

In industrial and home networks it is quite possible to get a guaranteed access speed, but for mobile devices it will not always be so easy. Encryption in such systems can therefore, on the contrary, be a relatively negative factor that only complicates the end devices and increases the size of the data packets. For example, it does not take long to answer the question of how complex encryption algorithms can be when implemented on an 8-bit Arduino Uno microcontroller. However, we should not forget Moore's law and the rapid development of electronics.


Advance in Semi Manufacturing

If data needs to be encrypted, it is now quite possible to find a suitable solution that implements the necessary algorithms on a microcontroller or microprocessor. Data protection can also be provided at the hardware level in the chips of Ethernet interfaces, Wi-Fi or 3G modules. At the same time, it must be understood that there is no point in encrypting data that will be openly available anyway, for example in public temperature monitoring systems. But here a completely different security issue can manifest itself: data compromise. For example, without taking care of the authorization and authentication of "your own" IoT devices, you can miss the moment when an intruder's equipment "disguises" itself as such a device and feeds deliberately false data into the system.

Obviously, as noted earlier, an integrated approach to solving the security problem can already be seen in modern cloud computing. Let's take a closer look at Amazon's IoT technology in this regard. The Amazon Web Services (AWS) cloud is available for testing as part of the "free tier". For AWS IoT, for example, 250,000 messages (published or delivered) per month are available during the first year after registration, and many other services have a similar line of limits. Unfortunately, Amazon does not allow "mindless" experimentation during trial use: the cloud user must always be aware of what is launched and what actions it generates, because everything that exceeds the free threshold will have to be paid for at current rates.

Signing up for the AWS cloud is fairly simple. However, the service will immediately charge $1 USD to the client's card to confirm that bills can be paid with it. The service also checks that a new user has a real phone number, and here a small surprise may await: the phone can be confirmed automatically after a call from the service, but for smartphone owners the call may arrive not in the phone application but in Viber. The number of attempts to enter the confirmation code is limited; if you do not guess where in Viber the cherished digits must be entered, you can simply exhaust the limit and wait about a day before the next attempt. That, for some reason, is what happened here. In any case, Amazon technical support will always help, even on the free tier: having described the problem in the chat, it is quite possible to resolve such a question within a few minutes after a live call from the operator. It can be assumed that all other questions about working with the service can be resolved just as promptly with technical support, and for large-scale use of cloud resources, where exceptional quality is required, the service offers paid technical support plans.

So, when starting to work with the cloud, many immediately begin experimenting with virtual machines, file storage and so on. Our task, however, is to consider the AWS IoT service and understand how secure such a solution is. Since AWS IoT is only part of the Amazon cloud, this service integrates in one way or another with many other cloud solutions (AWS Services). For this there is the Rules Engine mechanism, which lets you build a set of rules for the interaction of connected devices with other cloud computing resources. For example, you can set up interaction between AWS IoT and the AWS Lambda code execution service, the non-relational Amazon DynamoDB database, or the Amazon Kinesis Streams stream processing and analysis service.


AWS IoT - Amazon Web Services

The centerpiece of AWS IoT is the Device Gateway, which provides device interaction with the cloud platform. In fact it is an MQTT broker that, on the one hand, provides a secure connection for devices by means of an authentication and authorization mechanism and, on the other hand, allows the full potential of AWS solutions and services to be used. The gateway also supports the WebSockets and HTTP 1.1 protocols. AWS IoT scales automatically and can support more than a billion devices. Interestingly, for the case where the connection to a remote device is lost, Amazon offers an interesting solution: Device Shadows. A "shadow" is an abstraction, or virtual representation, of the last known state of a device that has become unavailable; you can also set the desired future state in the "shadow". This approach lets you flexibly design applications that work with remote devices over unstable communications.
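To make the shadow mechanism concrete, here is an added example (my own illustration, not code from the article, from AWS or from Mongoose OS) that models the round trip in plain Python: the cloud computes the delta between the desired and the last reported state, the device applies the delta and reports back, and the shadow service merges the report with a version check so that a stale update cannot overwrite newer state. The shadow document, the attribute names (led, interval_s, mode) and the device's list of known attributes are constructed for the example.

```python
import copy
import json

# Constructed sample shadow document in the JSON shape AWS IoT uses: the
# application asked for a new "desired" state while the device was offline,
# so "reported" still reflects the last state the device sent.
SHADOW_JSON = """
{
  "state": {
    "desired":  {"led": "on",  "interval_s": 30, "mode": "report"},
    "reported": {"led": "off", "interval_s": 30, "fw": "1.2.0"}
  },
  "version": 17
}
"""

# Attributes this (hypothetical) device firmware knows how to apply.
KNOWN_ATTRIBUTES = {"led", "interval_s", "mode"}


def shadow_delta(desired, reported):
    """Keys whose desired value differs from (or is absent in) reported.

    This is the content the shadow service publishes on the
    $aws/things/<name>/shadow/update/delta topic; nested objects are
    compared recursively and only the differing leaves are returned.
    """
    delta = {}
    for key, want in desired.items():
        have = reported.get(key) if isinstance(reported, dict) else None
        if isinstance(want, dict) and isinstance(have, dict):
            sub = shadow_delta(want, have)
            if sub:
                delta[key] = sub
        elif have != want:
            delta[key] = want
    return delta


def device_apply_delta(reported, delta):
    """Device side: apply a delta and build the 'reported' update payload.

    A delta is data that arrives from the network, so the firmware applies
    only attributes it knows; anything else is rejected rather than stored.
    """
    unknown = set(delta) - KNOWN_ATTRIBUTES
    if unknown:
        raise ValueError(f"refusing unknown attributes: {sorted(unknown)}")
    new_reported = dict(reported)
    new_reported.update(delta)
    return {"state": {"reported": new_reported}}


def service_accept_update(shadow, update):
    """Cloud side: merge an update into the shadow with a version check.

    If the update names a version other than the shadow's current one, the
    update is rejected (stale state must not overwrite newer state).
    Returns the new shadow document, or None when rejected.
    """
    if "version" in update and update["version"] != shadow["version"]:
        return None
    new_shadow = copy.deepcopy(shadow)
    for section, attrs in update["state"].items():
        new_shadow["state"].setdefault(section, {}).update(attrs)
    new_shadow["version"] += 1
    return new_shadow


def demo():
    """Full round trip: compute delta, apply it on the device, report back."""
    shadow = json.loads(SHADOW_JSON)
    delta = shadow_delta(shadow["state"]["desired"], shadow["state"]["reported"])
    update = device_apply_delta(shadow["state"]["reported"], delta)
    update["version"] = shadow["version"]   # optimistic lock on the current version
    shadow = service_accept_update(shadow, update)
    return delta, shadow


if __name__ == "__main__":
    print(demo())
```

After the round trip the delta is empty, i.e. the device has caught up with the desired state; an update carrying an old version number is dropped, and a delta naming an attribute the firmware does not know is refused instead of being written into the device's state.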

And the main thing for those who still think that the cloud and Internet of Things security is a myth, an excerpt from the AWS IoT documentation: "Each connected device must have credentials to access the message broker or the shadow device service. All traffic to and from AWS IoT must be encrypted via Transport Layer Security (TLS). Device credentials must be kept safe to send data to the message broker securely. AWS cloud security mechanisms protect data when moving between AWS IoT and other AWS devices or services."


Security and Identity for AWS IoT - AWS Documentation

The only problem is that the Internet of Things assumes a huge number of connected devices, as well as a multitude of users who can and want to interact with their gadgets and with more serious systems. If the cloud solves the problems of scaling and of basic protection of the system elements, then, as mentioned earlier, we should not forget that security is a complex concept in which, in most cases, the main link in the chain of protective measures for the Internet of Things is organizational: plain attention and adherence to the elementary principles of protecting web resources. After all, the main thing is not to trust user data, to validate and verify information, to encrypt traffic, to store encryption keys securely, and so on. Note that, especially at the system design stage, special attention should be paid to the integrated security of the future solution.

Amazon provides the AWS IoT SDK for developing IoT hardware devices. Supported languages and platforms: Embedded C, JavaScript, Arduino Yun, Java, Python, iOS and Android. Amazon also supports a number of devices and prototyping boards, among which I would like to highlight the Mongoose OS ESP32-DevKitC solution. This is a board based on the inexpensive ESP32 module from Espressif Systems, whose cheap modules have long since become synonymous with the hobbyist Internet of Things. Interestingly, the Mongoose OS firmware itself is developed by Cesanta. This firmware also supports the older Espressif ESP8266 modules, plus devices based on the CC3220, CC3200 and STM32F4 microcontrollers. Unlike the traditional Arduino, Lua or MicroPython IDE solutions for the ESP8266, the Mongoose OS firmware has two types of licensing: free GPLv2 and a commercial license. The choice of license depends on the system functionality required and the type of project in which the selected firmware is used.

As the basis for the prototype IoT device, we choose the NodeMCU Development Kit module based on the ESP8266, as one of the most popular and at the same time one of the cheapest boards; the average price of a module is about $3 USD. There are several revisions of NodeMCU boards; the essentials are the ESP8266 chip and an additional 32 Mbit (4 MByte) flash memory, the rest being slight differences in board layout, for example the use of a CH34x or CP210x USB-UART bridge.

Working with the chosen firmware, Mongoose OS, is very convenient. We connect the NodeMCU module to the computer's USB port. If you need a USB-UART bridge driver (which, once installed, creates a virtual COM port on your computer), a download link for the necessary software can be found in the Downloads section of the Mongoose OS website. Then, from the same Mongoose OS developer site, download the mos utility for your operating system: Windows, macOS or Linux. After launching mos, all development actions are performed in a graphical shell inside the browser. Two languages are available for development: C/C++ or JavaScript. The former is positioned for industrial solutions, JavaScript for prototyping and debugging.


Development in the mos environment on JavaScript for Mongoose OS firmware.

The connection to the Wi-Fi router and to the AWS IoT cloud is configured inside the GUI. But since we have moved to cloud systems, before setting up our board to work with AWS IoT we must first recall AWS Identity and Access Management (IAM). This service controls user access to cloud services and resources. In the AWS console, select the IAM service, create a user group and assign it access rights to the AWS IoT service (policy name); for a test connection, for example, we grant full access with "AWSIoTFullAccess", which, of course, is not the best solution for real-world tasks.

After that, in the mos panel we enter the secret authorization keys of the created AWS user: the "Access Key ID" and the corresponding "Secret Access Key". Next we develop an application for the device, for example in JavaScript, or simply use the demo example of working with the MQTT broker. Then, by running local debugging of the application, we generate the cloud connection certificates on the device:
> mos aws-iot-setup --aws-region REGION --aws-iot-policy mos-default
where REGION is the user-selected region in which the AWS IoT resources will be used. Instead of running the "mos aws-iot-setup" command, you can also perform all the cloud connection steps in the mos utility environment. After that, you can test the system by running the MQTT client in AWS IoT.
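Both the IAM policy chosen above for the test user ("AWSIoTFullAccess") and the AWS IoT policy attached to the device by the setup command (mos-default) share the same JSON statement structure, so the same check applies to either. The following is an added example of my own, not code from the article, from AWS or from Mongoose OS: it puts a constructed all-access policy next to a constructed least-privilege policy for one device and runs a small linter over them that flags wildcard actions and resources and a Connect grant that is not pinned to one MQTT client id. REGION, ACCOUNT_ID, the client id nodemcu-01 and the topic names are placeholders, not values from the article or from the real mos-default policy.

```python
# Constructed example: an all-access policy (the IoT-policy analogue of
# handing a test user AWSIoTFullAccess) next to a least-privilege policy
# scoped to one device. REGION, ACCOUNT_ID and the client id "nodemcu-01"
# are placeholders, not values from the article.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:*", "Resource": "*"},
    ],
}

DEVICE_ARN = "arn:aws:iot:REGION:ACCOUNT_ID:"
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # The device may connect only under its own MQTT client id ...
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": DEVICE_ARN + "client/nodemcu-01"},
        # ... publish only to its own status topic ...
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": DEVICE_ARN + "topic/devices/nodemcu-01/status"},
        # ... and subscribe to / receive from only its own command topic.
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": DEVICE_ARN + "topicfilter/devices/nodemcu-01/cmd"},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": DEVICE_ARN + "topic/devices/nodemcu-01/cmd"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return (statement index, message) pairs for over-broad Allow statements."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in resources:
            if resource == "*" or resource.endswith(":*"):
                findings.append((i, f"wildcard resource {resource!r}"))
        # A Connect grant should name exactly one client id; otherwise any
        # holder of the certificate can connect as any device, which is the
        # "disguised device" problem discussed earlier in the article.
        if "iot:Connect" in actions:
            for resource in resources:
                if ":client/" not in resource or resource.endswith("/*"):
                    findings.append((i, "iot:Connect not pinned to one client id"))
    return findings


def is_least_privilege(policy):
    """True when the linter raises no findings for the policy."""
    return not policy_findings(policy)


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, policy_findings(pol))
```

The check is deliberately conservative: it only inspects Allow statements and only the three patterns that matter most for a device policy, so it complements rather than replaces reviewing the policy in the AWS console.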


Testing data retrieval from connected devices in an AWS IoT environment.

In the Mongoose OS test application for the ESP8266-based NodeMCU module, pressing the "Flash" button publishes a message containing a report on the memory in use and the continuous uptime. It should be noted that the AWS IoT cloud service has a useful dashboard that presents summary statistics on the operation of the connected devices.


Monitoring device status and analyzing message statistics in an AWS IoT environment.

Thus, using AWS IoT and Mongoose OS, you can get a secure connection for the Internet of Things. However, if basic protection is not enough, there is another interesting possibility: Mongoose OS supports the ATECC508A cryptographic chip. This is in fact a co-processor that generates strong encryption keys using elliptic-curve cryptography. The key length is 256 bits, the chip guarantees a unique 72-bit serial number, and its built-in 10 Kb EEPROM is available for storing keys, certificates and data (up to 16 keys can be stored in the internal memory). The chip operates over a voltage range of 2.0 V to 5.5 V and a temperature range of -40 to +85 °C, and communicates with the main processor over the I2C bus or, depending on the subtype of the chosen chip, over a high-speed single-wire serial interface. The price of the device is about $0.8 USD. The ATECC508A is positioned as a security and identification (ID) solution for IoT nodes. A separate article could be written about the cryptochip, but in any case it is better to refer to the original source, the official documentation on the manufacturer's website. Microchip Technology also issues evaluation boards for its cryptochips, including the ATECC508A, for example the fairly simple CryptoAuthentication Xplained Pro Extension Board (ATCRYPTOAUTH-XPRO).

When such a cryptochip is used, the mos aws-iot-setup command will make use of the chip's hardware resources and configure the data exchange between the device and the cloud over the secure TLS protocol. Assembling a prototype system based on the ATECC508A-SSHDA-B on a solderless breadboard is not difficult at all. The only thing is that, by analogy with the ATCRYPTOAUTH-XPRO board, you can add 3.9 kOhm pull-up resistors on the SDA and SCL signal lines and, of course, a 0.1 µF decoupling capacitor. As always, so as not to repeat things, links to detailed publications on connecting the cryptochip to the ESP8266 are given at the end of this article. The only caveat is that you need to be careful with the software side, because after key generation the ATECC508A chip can be locked, after which it enters a protected mode that resists hardware attacks.

Incidentally, have readers of our blog had a positive or negative experience with the ATECC508A?



Once again I would like to note that all actions with Mongoose OS can be performed directly in the browser window of the mos utility. For example, on the RPC Browser tab you can check the connection on the I2C bus by running the I2C.Scan command, which for the ATECC508A should return the code [96]. I would like to note in particular that the Mongoose OS project has excellent support and an open-project infrastructure of its own: for example, a chat based on the Gitter service is integrated right into the mos shell, where you can ask questions of the developers and of IoT enthusiasts.

In conclusion, since our device is already connected to the AWS IoT cloud, we can safely disconnect the USB cable from the ESP8266 and connect the mos utility to the device via the AWS cloud service. To do this, run the following command: mos --cert-file $(mos config-get mqtt.ssl_cert) --key-file $(mos config-get mqtt.ssl_key) --port mqtts://$(mos config-get mqtt.server)/$(mos config-get device.id). Now you can debug without connecting the device board directly to the computer; the main thing is that the ESP8266 module has free access to the Internet.

Thus we have considered the potential of working with the cloud and developing IoT devices, with examples of modern IoT protection methods. Undoubtedly, many will find the article too long, or feel that it is all "water", and so on. In turn, I would like to note that this is only an introduction to the problem, and a more detailed study of the security concepts of web technologies, including solutions for IoT and the social component of the Internet of Things world, will appear in our blog.

The world is changing, and changing with us. Not so long ago many developers could only dream of high-performance computing platforms and of building distributed, highly loaded systems, but now this is a reality available as a cloud service. Where once it was necessary to use special mathematical libraries for calculations on 8-bit microcontrollers, when the task demanded it, now it is easier to use a 32-bit evaluation board comparable in price to the project. Our world has changed rapidly, and now we can implement our ideas at a much higher level. And here, at just the right moment, a little inspiring IoT advertising from Amazon Web Services. It remains only to wish readers to create innovations that help make our world safer, more convenient and more rational.


IoT – Day One – Amazon Web Services

Links:
Beecham Research reveals extent of security challenges facing the Internet of Things — Comms Business
AWS — Amazon Web Services
AWS IoT — Amazon Web Services
AWS Identity and Access Management (IAM) — Amazon Web Services
Comparison of ESP8266 NodeMCU development boards — my2cents
Starting with JavaScript – Cesanta
AWS IoT on Mongoose OS, Part 1 — AWS Partner Network (APN) Blog
AWS IoT on Mongoose OS, Part 2 — AWS Partner Network (APN) Blog
ATECC508A — Microchip Technology
The two-dollar secure IoT solution: Mongoose OS + ESP8266 + ATECC508 + AWS IoT
Security — Mongoose OS Documentation
AWS IoT support for Mongoose OS — Cesanta
Secure remote device management with Mongoose OS and AWS IoT for ESP32, ESP8266, TI CC3200, STM32 — Cesanta
Understanding the AWS IoT Security Model — The Internet of Things on AWS

Source: https://habr.com/ru/post/374021/

