Tag Archives: tag11

Don’t be an “ID-IoT”


Authentication may just be the “sine qua non” of the Internet of Things. 


Let’s just come out and say it: Not using the most robust security to protect your digital ID, passwords, secret keys and other important items is a really, really bad idea. That is particularly true with the coming explosion of the Internet of Things (IoT).

Hacker

The identity (i.e. “ID”) of an IoT node must be authenticated and trusted if the IoT is ever to become widely adopted. Simply stated, the IoT without authenticated ID is just not smart. This is what we mean when we say don’t be an ID-IoT.

It seems that every day new and increasingly dangerous viruses are infecting digital systems. Viruses — such as Heartbleed, Shellshock, Poodle, and Bad USB — have put innocent people at risk in 2014 and beyond. A perfect case in point is that Russian Cyber gangs (a.k.a. “CyberVor”) have exposed over a billion user passwords and IDs — so far. What’s scary is that the attacks are targeted at the very security mechanisms that are meant to provide protection.

If you think about it, that is somewhat analogous to how the HIV/AIDS virus attacks the very immune system that is supposed to protect the host organism. Because the digital protection mechanisms themselves have become targets, they must be hardened. This has become increasingly important now that the digital universe is going through its own Big Bang with the explosion of the IoT. This trend of constant connectivity will result in billions of little sensing and communicating processors being distributed over the earth, like dust. According to Gartner, processing, communicating and sensing semiconductors (which comprise the IoT) will grow at a rate of over 36% in 2015, dwarfing the overall semiconductor market growth of 5.7%. Big Bang. Big growth. Big opportunity.

The IoT will multiply the number of points for infection that hackers can attack by many orders of magnitude. It is not hard to see that trust in the data communicated via an ubiquitous (and nosey) IoT will be necessary for it to be widely adopted. Without trust, the IoT will fail to launch. It’s as simple as that. In fact, the recognized inventor of the Internet, Vint Cerf, completely agrees saying that the Internet of Things requires strong authentication. In other words, no security? No IoT for you!

BxLpafwIcAAMcG0

There is much more to the story behind why the IoT needs strong security. Because the world has become hyper-connected, financial and other sensitive transactions have become almost exclusively electronic. For example, physical checks don’t need to be collected and cancelled any more — just a scanned electronic picture does the job. Indeed, the September 11th terror attacks on the U.S. that froze air travel and the delivery of paper checks accelerated the move to using images to clear checks to keep the economy moving.

Money now is simply electronic data, so everyone and every company are at risk of financial losses stemming directly from data breaches. See?  Data banks are where the money is now kept, so data is what criminals attack. While breaches are, in fact, being publicized, there has not been much open talk about their leading to significant corporate financial liability. That liability, however, is real and growing. CEOs should not be the least bit surprised when they start to be challenged by significant shareholder and class action lawsuits stemming from security breaches.

lawsuits

Although inadvertent, companies are exposing identities and sensitive financial information of millions of customers, and unfortunately, may not be taking all the necessary measures to ensure the security and safety of their products, data, and systems. Both exposure of personal data and risk of product cloning can translate to financial damages. Damages translate to legal action.

The logic of tort and securities lawyers is that if proven methods to secure against hacking and cloning already exist, then it is the fiduciary duty of the leaders of corporations (i.e. the C-suite occupants) to embrace such protection mechanisms (like hardware-based key storage), and more importantly, not doing so could possibly be argued as being negligent. Agree or not, that line of argumentation is viable, logical, and likely.

A few CEOs have already started to equip their systems and products with strong hardware-based security devices… but they are doing it quietly and not telling their competitors. This also gives them a competitive edge, besides protecting against litigation.

Software, Hardware, and Hackers

hacker_inside_intel

Why is it that hackers are able to penetrate systems and steal passwords, digital IDs, intellectual property, financial data, and other secrets? It’s because until now, only software has been used to protect software from hackers. Hackers love software. It is where they live.

Rogue

The problem is that rogue software can see into system memory, so it is not a great place to store important things such as passwords, digital IDs, security keys, and other valuable things. The bottom line is that all software is vulnerable because software has bugs despite the best efforts of developers to eliminate them. So, what about storing important things in hardware?

Hardware is better, but standard integrated circuits can be physically probed to read what is on the circuit. Also, power analysis can quickly extract secrets from hardware. Fortunately, there is something that can be done.

Several generations of hardware key storage devices have already been deployed to protect keys with physical barriers and cryptographic countermeasures that ward off even the most aggressive attacks. Once keys are securely locked away in protected hardware, attackers cannot see them and they cannot attack what they cannot see. Secure hardware key storage devices — most notably Atmel CryptoAuthentication — employ both cryptographic algorithms and a tamper-hardened hardware boundary to keep attackers from getting at the cryptographic keys and other sensitive data.

tamper

The basic idea behind such protection is that cryptographic security depends on how securely the cryptographic keys are stored. But, of course it is of no use if the keys are simply locked away. There needs to be a mechanism to use the keys without exposing them — that is the other part of the CryptoAuthentication equation, namely crypto engines that run cryptographic processes and algorithms. A simple way to access the secret key without exposing it is by using challenges (usually random numbers), secret keys, and cryptographic algorithms to create unique and irreversible signatures that provide security without anyone being able to see the protected secret key.

Crypto engines make running complex mathematical functions easy while at the same time keeping secret keys secret inside robust, protected hardware. The hardware key storage + crypto engine combination is the formula to keeping secrets, while being easy-to-use, available, ultra-secure, tiny, and inexpensive.

hash

While the engineering that goes into hardware-based security is sophisticated, Atmel does all the crypto engineering so there is no need to become a crypto expert. Get started by entering for your chance to take home a free CryptoAuthentication development tool.

AVR XMEGA-A3BU Xplained demo board unboxing

So we cleaned out a storage area and lo and behold, there was an XMEGA Xplained demo board. So I scrounged up a USB cable and plugged it into my computer. I don’t have Studio 6 installed yet, but I thought it would be fun to just un-box it. This is what happened:

KONICA MINOLTA DIGITAL CAMERA

You can get your very own XMEGA Xplained eval board for on $29. The LCD alone is worth that.

KONICA MINOLTA DIGITAL CAMERA

What a score, the seals are still on the box. I think this was used in FAE training in May.

KONICA MINOLTA DIGITAL CAMERA

This is what is inside. There is that great LCD, a CR1225 battery for the real-time-clock (RTC), 3 tact switches and a touch switch, a temp sensor, a light sensor, all the signals on headers, and a JTAG port so you can hang a Dragon on it and see inside the chip while it executes. Sweet.

KONICA MINOLTA DIGITAL CAMERA

Here is a close-up. Oh, there is a non-volatile serial memory chip too. Needless to say, I have not read any manuals or paperwork yet, heck I am a man, like my buddy Tim who didn’t read the manual on his $60,000 Cadillac before he drove it to San Diego.

KONICA MINOLTA DIGITAL CAMERA

On the backside, you can see the 2010 date, but it turned out the board was way newer, stay tuned. You can see the flux residue where they hand-soldered the LCD. You can’t send an LCD through an IR reflow oven.

KONICA MINOLTA DIGITAL CAMERA

I stick a USB cable on it, and wow, it has a backlight on the LCD. It was obvious that the welcome screen here is telling you how to navigate the pre-installed program. That is not a touch-screen, it is telling you the tact switches and the one touch pad on bottom left are your navigation buttons.

KONICA MINOLTA DIGITAL CAMERA

Here is the screen with a flash picture—you can read the LCD either way. You can bet I am thinking how to mount this on my Harley and make a voltmeter/ammeter, temp sensor system out of it.

KONICA MINOLTA DIGITAL CAMERA

This is what you see if you press “Enter” (the top left button). It’s a sub-menu that displays the temperature, the light intensity, or the production date.

KONICA MINOLTA DIGITAL CAMERA

Here is the production date screen.

KONICA MINOLTA DIGITAL CAMERA

It took me a while to figure out that there was a touch-pad on the bottom left instead of a tact switch. This is how you go back up the menu tree.

KONICA MINOLTA DIGITAL CAMERA

Here is the temperature display. It seems pretty accurate, despite the board saying “NTC SENSOR”. I assume there is a linearization program, negative temperature coefficient sensors are notoriously non linear. This is reading hot since I put my finger on the sensor to see it work.

KONICA MINOLTA DIGITAL CAMERA

The top menu had more items and would scroll. This is the page for setting date and time. It was set to Norway time, but the date was right after 6 months.

KONICA MINOLTA DIGITAL CAMERA

This is a menu choice that shows how long the board has had its real-time clock powered.

KONICA MINOLTA DIGITAL CAMERA

When you stick in the USB the computer prompts you to add a driver. I don’t think that is a good idea. The way this is meant to be used is that you install Studio 6 or use some other IDE or the Atmel Software Framework (ASF) and that has the driver the card needs. So I cancelled. We have all been burned installing things on Windows.

Well this got me pretty fired up. It never occurred to me one of our demo boards would have such a nice program on it pre-loaded. I guess it’s time to install Studio 6. I have been avoiding it, since I am an assembly language dinosaur, and I am sure all this code is in C. After all that is one of the coolest things about AVRs, they were designed to run C and run it well.

In addition to installing our free Studio 6, I will hang a Dragon debugger/emulator onto the card. Thata is another cheap purchase from Atmel, about 50 bucks. There were a couple of those in the storage room too. With a Dragon I can see inside the chip as it runs, single step programs, and read the registers and memory locations.

ECO 1 (engineering change order). Let’s make that navigation screen show more representative symbols for the tact switches, and the touch pad. And let’s move the symbols to the outside corner of the screen, like they are on the PCB (printed circuit board).

ECO 2. Lets add a menu pick to read analog voltages—hang on—holy cow, this thing not only has two 12-bit ADCs, it has 4 comparators. I can see there is a lot to love. And get this—6, count ‘em, 6 USARTs. That will satisfy my buddy Dave who insists on one dedicated UART just for software debug. Sure you can use the debugger when it is hooked to Studio 6 or your IDE, but it is also nice to have a port you can query or that spits out status when the system is deployed in production.

Stay tuned, I will be hooking up one of those Dragons and installing Studio 6 next. Just remember the first rule, never keep a handgun in the same desk you have a computer on. I do expect to be frustrated, it’s been 12 years since I programmed in assembly, and never have used C, but let’s take this little adventure together and see what happens.

ATMega1284P powers this web-logger/server

A Maker by the name of Stewart has designed a web-logger server powered by Atmel’s ATMega1284P microcontroller (MCU).

As the HackADay crew notes, the board can be tasked with collecting and posting data to logging sites such as Thingspeak or Xively.

Dubbed “Pokewithastick,” the device boasts a rather small 50x37mm footprint (approximately 2″x1.5″). Key specs include a Wiz820 Ethernet module, a micro-SD card slot, two serial ports, one battery backed Real Time Clock (RTC), one radio connector (nRF24L01 2.4GHz), one power & user LED and a reset button.

“There are two power rails on the board which can be split (5v + 3.3V) or combined (3.3v only) which may allow you to connect Arduino shields to it,” wrote HackADay’s Mathieu Stephan. “You can program the board using the standard 6-pin header or via a serial programmer if an appropriate (Arduino) bootloader is installed.”

The open hardware project was designed using Kicad, with the relevant files available for download here (.zip). Additional information about the Atmel-powered “Pokewithastick” can be found on Stewart’s project page here.