Category Archives: Security

Atmel launches the industry’s first hardware interface library for TLS stacks used in IoT edge node apps


The new HW-TLS platform provides an interface between software TLS packages and the ATECC508A cryptographic co-processor.


With the rise of the Internet of Things, security has become a pressing topic because autonomous remote devices are now routinely connecting to wireless networks to form complex smart device and cloud-service ecosystems. As a result, autonomous IoT gadgets constitute a significant part of those networks and must be able to authenticate themselves to the network resources to maintain the integrity of the ecosystem. In addition, these remote, resource-constrained clients must be able to perform this authentication using minimal processing, memory and power.

Ate.png

Cognizant of this, Atmel has launched the industry’s first hardware interface library for TLS stacks used in Internet of Things edge node applications. Hardening is a method used for reducing security risks to a system by applying additional hardware security layers and eliminating vulnerable software. This new Hardware-TLS (HW-TLS) platform provides an API that allows TLS packages to utilize hardware key storage and cryptographic acceleration even in resource constrained edge node designs. HW-TLS is a comprehensive solution pre-loaded with unique keys and certificates designed to eliminate the complexities of generating secure keys in the manufacturing supply chain.

OpenSSL is a general-purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and TLS protocols. wolfSSL is a cryptography library that provides lightweight, portable security solutions with a focus on speed and size. Atmel’s new ATECC508A-OpenSSL and ATECC508A-wolfSSL are available for immediate download at their respective software distribution repositories, offering seamless adoption of more secure elements without disruption to the developer workflow.

OpenSSL

Secure hardening for both OpenSSL and wolfSSL is made possible with HW-TLS which enables those TLS software packages to interface seamlessly with the ATECC508A CryptoAuthentication co-processor. This IC provides protected key storage as well as hardware acceleration of Elliptic Curve Cryptography (ECC) cipher suites including mutual authentication (ECDSA) and Diffie-Hellman key agreement (ECDH). As such, HW-TLS allows developers to substantially harden Transport Layer Security (TLS), enhancing security for IoT ecosystems.

When used together, HW-TLS and the ATECC508A let even extremely small, low-cost IoT nodes implement strong cryptographic security. All private keys, certificates and other sensitive security data used for authentication are stored in secure hardware and protected against software, hardware and back-door attacks. Beyond that, the integrated ECC accelerators in the ATECC508A offload cryptographic code and math from the MCU allowing even a low-end processor to perform strong authentication.

ATEC

“Everyone with an interest in IoT security should be excited about Atmel HW-TLS with wolfSSL,” explains Larry Stefonic, wolfSSL CEO. “The combination of our secure software and Atmel’s new chips brings TLS performance and security to a level unrivaled in the industry. Atmel’s HW-TLS platform also makes it easier than ever for developers to incorporate truly hardened security into our TLS stack.”

Traditionally, TLS performed authentication and stored private keys in software. However, Atmel’s latest platform closes the vulnerability gap in this arrangement by offloading the crucial key management responsibility to dedicated, tamper-resistant secure elements such as the ATECCC508A crypto engine. What’s more, the intensive crypto algorithms are processed in the CryptoAuthentication device, offloading the MCU on the remote devices and enabling the IoT edge node to authenticate to the cloud without a user-perceptible delay. Furthermore, Atmel Hardware-TLS comes as a complete platform pre-loaded with unique keys and certificates for eliminating the complexities of adding secure keys to each device in a manufacturing supply chain.

“With more and more remote devices being connected to the cloud every day in the era of the IoT, it becomes increasingly critical to ensure these devices are not vulnerable to attack,” adds Nicolas Schieli, Senior Director of Atmel’s Secure Products Group. “Such devices can be entirely secure only when they are hardware secure, meaning the ‘secret’ keys are stored in a separate hardware unit. We are excited to bring this innovation to market, enabling device manufacturers that need to connect to the cloud to take advantage of hardware security.”

Cry

The Hardware-TLS complements Atmel Certified-ID, a seamless and secure keys provisioning platform for assigning trusted identities to devices joining the IoT.

Is your smartwatch stealing your passwords?


A computer science student has demonstrated that software running on a smartwatch could be used to record a user’s passwords and PINs.


Unless you eschew modern technology altogether (such as reading websites), chances are that data on you is being collected. Smartphones are capable enough data sponges, but smartwatches have the potential to extend this reach even further. According to Tony Beltramelli’s master’s thesis for the IT University of Copenhagen, the sensors on the Sony SmartWatch 3 (and likely many other present and future watches) are so accurate that they can be used to sense what button you press on a 12-segment keypad with “above-average” precision.

hackingwatchimage

As seen in the video below, it appears that this ability comes from the user actually moving their hand from button to button. The wearable’s built-in accelerometer and gyroscope can sense these motions and then feed that information into a recurrent neural network. Using a deep learning algorithm, Beltramelli is able to sift through all the “noisy data” and detect patterns for various events, such as when the user moves and taps their finger on a touchscreen to unlock a PIN-protected phone or when the user enters a code on an ATM’s keypad.

Interestingly, as reported in section 6.3 of the thesis, the device did a better job of “touchlogging” — recording virtual keystrokes on a touchscreen — at 73% acuracy, versus “keylogging” — where a physical keyboard is used for input — at 59% accuracy. The touchscreen used was larger in this experiment than the keypad, apparently leading to this discrepancy.

“By their very nature of being wearable, these devices, however, provide a new pervasive attack surface threatening users privacy, among others,” Beltramelli explains. “The goal of this work is to raise awareness about the potential risks related to motion sensors built-in wearable devices and to demonstrate abuse opportunities leveraged by advanced neural network architectures.”

As you can imagine, there are still a few limitations that make this type of approach with a smartwatch impractical as an attack against specific targets. For starters, it only works if the person is using the arm that the gadget is on. So, if you have a watch and are concerned about spying, you can simply strap it onto your less dominant wrist. Or alternatively, you could make a habit of typing with three fingers on numeric keypads.

Security coprocessor marks a new approach to provisioning for IoT edge devices


It’s worth noting that security breaches rarely involve breaking the encryption code; hackers mostly use techniques like spoofing to steal the ID.


The advent of security coprocessor that offloads the provisioning task from the main MCU or MPU is bringing new possibilities for the Internet of Things product developers to secure the edge device at lower cost and power points regardless of the scale.

Hardware engineers often like to say that there is now such thing as software security, and quote Apple that has all the money in the world and an army of software developers. The maker of the iPhone chose a secure element (SE)-based hardware solution while cobbling the Apple Pay mobile commerce service. Apparently, with a hardware solution, engineers have the ecosystem fully in control.

sec-1

Security is the basic building block of the IoT bandwagon, and there is a lot of talk about securing the access points. So far, the security stack has largely been integrated into the MCUs and MPUs serving the IoT products. However, tasks like encryption and authentication take a lot of battery power — a precious commodity in the IoT world.

Atmel’s solution: a coprocessor that offloads security tasks from main MCU or MPU. The ATECC508A uses elliptic curve cryptography (ECC) capabilities to create secure hardware-based key storage for IoT markets such as home automation, industrial networking and medical. This CryptoAuthentication chip comes at a manageable cost — 50 cents for low volumes — and consumers very low power. Plus, it makes provisioning — the process of generating a security key — a viable option for small and mid-sized IoT product developers.

A New Approach to Provisioning

It’s worth noting that security breaches rarely involve breaking the encryption code; hackers mostly use techniques like spoofing to steal the ID. So, the focus of the ATECC508A crypto engine is the tasks such as key generation and authentication. The chip employs ECC math to ensure sign-verify authentication and subsequently the verification of the key agreement.

The IoT security — which includes the exchange of certificates and other trusted objects — is implemented at the edge node in two steps: provisioning and commissioning. Provisioning is the process of loading a unique private key and other certificates to provide identity to a device while commissioning allows the pre-provisioned device to join a network. Moreover, provisioning is carried out during the manufacturing or testing of a device and commissioning is performed later by the network service provider and end-user.

Atmel ATECC508A crypto-engine

Presently, snooping threats are mostly countered through hardware security module (HSM), a mechanism to store, protect and manage keys, which requires a centralized database approach and entails significant upfront costs in infrastructure and logistics. On the other hand, the ATECC508A security coprocessor simplifies the deployment of secure IoT nodes through pre-provisioning with internally generated unique keys, associated certificates and certification-ready authentication.

It’s a new approach toward provisioning that not only prevents over-building, as done by the HSM-centric techniques, but also prevents cloning for the gray market. The key is controlled by a separate chip, like the ATECC508A coprocessor. Meaning, if there are 1,000 IoT systems to be built, there will be exactly 1,000 security coprocessors for them.

Certified-ID Security Platform

Back at ARM TechCon 2015, Atmel went one step ahead when it announced the availability of Certified-ID security platform for the IoT entry points like edge devices to acquire certified and trusted identities. This platform leverages internal key generation capabilities of the ATECC508A security coprocessor to deliver distributed key provisioning for any device joining the IoT network. That way it enables a decentralized secure key generation and eliminates the upfront cost of building the provisioning infrastructure for IoT setups being deployed at smaller scales.

AT88CKECCROOT-SIGNER

Atmel, a pioneer in Trusted Platform Module (TPM)-based secure microcontrollers, is now working with cloud service providers like Proximetry and Exosite to turn its ATECC508A coprocessor-based Certified-ID platform into an IoT edge node-to-cloud turnkey security solution. TPM chips, which have roots in the computer industry, aren’t well-positioned to meet the cost demands of low-price IoT edge devices.

Additionally, the company has announced the availability of two provisioning toolkits for low volume IoT systems. The AT88CKECCROOT toolkit is a ‘master template’ that creates and manages certificate root of trust in any IoT ecosystem. On the other hand, AT88CKECCSIGNER is a production kit that allows designers and manufacturers to generate tamper-resistant keys and security certifications in their IoT applications.

This $10 device can predict your next credit card number


MagSpoof is an ATtiny85 based device that can accurately predict your next Amex card number, disable chip-and-PIN and even spoof magnetic stripes wirelessly.


After recently losing his credit card, it wasn’t long before American Express sent Samy Kamkar a replacement. It was that moment in time that the serial hacker noticed something quite peculiar: the digits on the new card were similar to his previous ones. With a little more research, he uncovered a global pattern that would enable him to accurately predict the digits on any subsequent Amex card by knowing the preceding card’s full number.

687474703a2f2f73616d792e706c2f6d616773706f6f662f6d616773706f6f662e6a7067

“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” Kamkar explains. “I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”

Like many of his prior security-focused projects, this discovery yielded another opportunity to highlight a vulnerability. And so MagSpoof was born. Kamkar’s new $10 device is capable of emulating any magnetic stripe or credit card, entirely wirelessly, and storing more than 100 card numbers in various form factors. The unit works by generating an electromagnetic field that’s strong enough to reach a traditional reader’s sensor within close proximity, sending a signal that mimics the card being swiped.

“What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration),” he notes.

687474703a2f2f73616d792e706c2f6d616773706f6f662f636369726f6e2e6a7067

And that’s not all. MagSpoof features a button that employs his prediction algorithm. In order words, if a thief using the device finds out that the card they were trying to imitate had been cancelled, the gadget could instantly determine the victim’s next card number.

“As soon as the card gets declined, you press a button and it switches to the next number,” Kamkar tells WIRED. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”

Aside from disabling chip-and-PIN protection (a function that he has since removed), accurately predicting expiration numbers and switching between different Amex cards (even when reported lost or stolen), MagSpoof can be employed for security research in any area that would traditionally require a magstripe, such as readers for drivers licenses, hotel room keys and automated parking lot tickets.

687474703a2f2f73616d792e706c2f6d616773706f6f662f6d657465722d736d616c6c322e676966

As you can tell, the MagSpoof’s hardware doesn’t look anything like a credit card, so a criminal couldn’t just simply hand it to a cashier or waiter without raising any red flags. However, Kamkar points out that he can use a digital credit card device like Coin to store the numbers that his system generates — a technique that would make his trickery much less noticeable.

Impressively, Kamkar built his prototype out of several off-the-shelf components. These included an ATtiny85, a 100mAh 3.7V LiPo battery, a motor driver, an LED, a capacitor, a resistor and some 24AWG magnet wire. He created a smaller version with an ATtiny10 as well. By simply pulsing the H-bridge and activating the coil of wire, the MagSpoof is capable of emulating the swipe of a card. MagSpoof is compatible with the Arduino framework and can work on traditional Arduino boards, as well as ATtiny chips.

According to the hacker, he has notified American Express of the issue and will not exploit their algorithm. Kamkar has made both MagSpoof’s source code and schematics available on GitHub, and elaborates upon his method on his page here.

[h/t WIRED via Samy Kamkar]

Develop secure IoT apps with the Atmel Certified-ID platform


The Atmel Certified-ID security platform prevents unauthorized reconfiguration of an edge node to access protected resources on the network.


Atmel has announced a comprehensive security platform that enables businesses of all sizes to assign certified and trusted identities to devices joining the secure Internet of Things. The Atmel Certified-ID security platform prevents unauthorized reconfiguration of an edge node to access protected resources on the network. This new platform is available on the Atmel SmartConnect Wi-Fi, Bluetooth, Bluetooth Smart and ZigBee solutions that connect directly to Atmel Cloud Partners, providing a secure turnkey solution for IoT edge node-to-cloud connection.

Sec

The Atmel Certified-ID platform delivers a distributed key provisioning solution, leveraging internal key generation capabilities of the ATECC508A CryptoAuthentication device, without invoking large scale infrastructure and logistics costs. This platform even allows developers to create certified and trusted identities to any device before joining an IoT network.

With billions of devices anticipated by 2020 in the rapidly growing IoT market, security is a critical element to ensuring devices can safely and conveniently access protected assets through the Internet. Today, secure identities are commonly created through a centralized approach where IoT device keys and certificates are generated offline and managed in secure databases in Hardware Security Modules (HSM) to protect the keys. These keys are then programmed into the IoT devices by connecting the HSM to automation equipment during device manufacturing. This approach is indispensable in large deployments consisting of millions of devices. It can also entail significant upfront costs in infrastructure and logistics which must be amortized over a large number of devices for cost effectiveness.

By utilizing the unique internal key generation capabilities of ATECC508A device, the recently-unveiled platform enables decentralized secure key generation, making way for distributed IoT device provisioning regardless of scale. This method eliminates the upfront costs of the provisioning infrastructure which can pose a significant barrier in deploying devices in smaller scales. On top of that, developers will be able to create secure IoT devices compatible with partner cloud services and to securely join ecosystems.

Atmel is currently working with several cloud service companies, including Proximetry and Exosite, on the Certified-ID platform. These collaborations will give developers a wide range of ecosystem partners to choose from for a secure connection between the edge nodes and the IoT. Other partners will be announced as they are integrated in the Certified-ID platform.

“As a leader in the security space with a track record of over two decades, enabling secure networks of all sizes is our mission,” said Nuri Dagdeviren, Atmel Vice President and General Manager of Secure Products Group. “Streamlining secure processes and simplifying deployment of real world secure networks will be key to unlocking the potential and enabling rapid growth of IoT. We will continue delivering industry-leading solutions in security, a critical element in enabling billions of ‘things’ to be connected to the cloud.”

banner_AT88CKECCROOT-SIGNER

Atmel now offers security provisioning tool kits to enable independent provisioning for pilot programs or production runs when used in conjunction with the ATECC508A ICs. These devices are pre-provisioned with internally generated unique keys, associated certificates, and certification-ready authentication once it is connected to an IoT ecosystem.

Developers will need two kits to securely provision their gadgets: the AT88CKECCROOT tool kit, a ‘master template’ that creates and manages certificate root of trust in any ecosystem, and the AT88CKECCSIGNER tool kit, a production kit that enables partners to provision IoT devices.

The AT88CKECCSIGNER kit lets designers and manufacturers generate tamper-resistant keys and security certifications requiring hardware security in their IoT applications. These keys provide the level of trust demanded by network operators and allows system design houses to provision prototypes in-house—saving designers overall investment costs.

The tool kits also include an easy-to-use graphical user interface that allow everyone to seamlessly provision their IoT devices with secure keys and certificates without special expertise. With distributed provisioning, developers are not required to use expensive HSM for key management and certificate acquisition fees.

In addition to secure IoT provisioning, the new Certified-ID platform provides high-quality random number generation to guarantee a diverse set of public and private keys. It delivers solutions to a variety of IoT security needs including node anti-cloning protection, data confidentiality, secure boot, and secure firmware upgrades over-the-air. The tamper resistance built into the ATECC508A device continues to provide the desired protection even when the device is under physical attack.

Ready for the Internet of Trusted Things? Both the Atmel AT88CKECCROOT and AT88CKECCSIGNER are available today.

A $10 USB charger can record your keystrokes wirelessly


A security researcher has developed a USB wall charger that can eavesdrop on nearly every Microsoft keyboard.


Although we shared this discreet hack from Samy Kamkar back in January, a recent tweet from Lifehacker triggered our memory and we just had to share again! KeySweeper is an Arduino-based keylogger for Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) that is cleverly camouflaged as a functioning USB wall charger. The stealthy ATmega328 driven device can sniff, decrypt, log and report back all keystrokes — saving users both locally and online.

keysweepersmall

Keystrokes are then relayed back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper comes within range of the target KeySweeper. In fact, the well-known hardware hacker suggests that an effective reach of KeySweeper is that of a typical Bluetooth device, but could be extended using a low-noise amplifier. A web-based tool enables the live keystroke monitoring.

spysmall

Users can set up SMS alerts that are triggered when certain keystrokes in the form of words, usernames or URLS are being typed, e.g. “bank” or heck, even “www.atmel.com.” (*Shameless SEO plug.*) If KeySweeper is removed from AC power, it will give off the impression that it is shut off; however, the inconspicuous gadget continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power.

As you are well aware, wireless keyboards have become a popular option for users wanting to connect to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. Such units often encrypt their data before sending it wirelessly, but Kamkar claims to have discovered multiple bugs that make it easy to decrypt. While the researcher hasn’t tested the device on every Microsoft keyboard, he does believe that due to given their similarities, they will all be affected.

The KeySweeper project builds on previous work from Travis Goodspeed, Thorsten Schröder and Max Moser around the megaAVR controlled KeyKeriki.

internal

Kamkar says the cost for KeySweeper can range anywhere from $10 to $80, depending on the operation and its necessary functions. Aside from the Arduino Pro Mini that he selected for its size, other components include:

  • nRF24L01+ 2.4GHz RF chip which communicates using GFSK over 2.4GHz
  • AC USB charger for converting AC power to 5v DC.
  • (Optional) A SPI Serial Flash chip can be used to store keystrokes on.
  • (Optional) Adafruit FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.
  • (Optional, if using FONA) The FONA requires a mini-SIM card — not a micro SIM.
  • (Optional, if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.

nrfgf2small

It should be noted that the hacker does say a Teensy MCU can be used in place of the ‘duino. As for the software, the primary code is installed on the microcontroller, while the web-based backend uses jQuery and PHP to log all keystrokes and provide an interface for live monitoring of target keyboards. KeySweeper’s source code and schematic are available on GitHub.

Intrigued? You can access the entire build on Kamkar’s official page.

Angee is an autonomous home security system


This smart system doubles as both your security guard and personal assistant.


Did you know that every 13 seconds, a home is broken into in the United States? In fact, 41% of burglaries happen when a system isn’t armed. Although it’d be nice to have guards protecting our homes, not all of us have that luxury or the convenience.

972a0c953870584c65e8dc47a83c622b_original

Angee is an advanced security and communication system that changes how you protect and connect to your humble abode. The device provides a 360-degree view of your household and is loaded with several valuable features, including voice recognition, at-the-door identification, motion-detecting rotation, advanced learning and cordless portability. By learning the daily habits of your family members, Angee can autonomously arm and disarm herself.

Setting up Angee is easy — you simply connect the device with your smartphone and add security points around throughout your rooms to secure your home. The unit provides full perimeter protection by using security tags on your doors and windows so the system knows exactly who comes and goes. In fact, it can determine suspicious activity such as movement by someone it doesn’t recognize through detecting entry and exit patterns, changes in background noise, Bluetooth signal in phones and voice differentiation. If Angee happens to sense suspicious activity, a notification is sent to your smartphone (or smartwatch) via its accompanying app so you can stream video in real-time. Plus, you can receive updates on temperature, humidity or just take a look around, if you so choose.

81581e38ccaeb35b5c91e1a36f96d899_original

At roughly five by three inches, Angee boasts an ARM processor at its core and weighs about 1.3 pounds. Angee’s camera rotates to provide full coverage of a room and employs an array of six passive infrared sensors for 360-degree motion detection. The security tags are powered by two AAA-batteries and feature Bluetooth connectivity, which is not only used to wirelessly communicate with Angee, but also sense nearby phones to identify who is home. And should the power go out, not to worry. The gadget’s built-in battery enables it to sustain energy, and more importantly, continue monitoring. Similarly, if your Wi-Fi goes offline, Angee will alert you while still recording any activity and saving the footage to its local storage.

The makers of Angee built the system by learning from people’s experience with early versions of smart security systems. The team has focused on creating the smartest home security system ever — one that is useful, convenient, and tailored to each individual’s needs. And that’s not all. It can double as a personal assistant by recording all-too-often missed moments for a family member who is away, answering calls, checking the calendar and even reminding you to close the windows if rain is in the forecast.

2743b5d54eb560c36a6750ed1cf0785a_original

“In the future, smart hardware and technologies will be omnipresent. They will be easy to use and perfectly integrated into our environment. These systems will understand and predict what we need, saving us time and energy, and making our lives easier and more productive. Angee is a big step toward this future,” explains CEO and co-founder Tomas Turek.

Sound like the system you’ve been looking for? Head over to Angee’s Kickstarter campaign, where the team is currently seeking $250,000. Delivery is estimated for October 2016.