Specifically in the IoT space, operating without sophisticated security measures in place can put customers and their data at risk. Accordingly, data, network, and device security remain the primary concerns for 50% of organisations when adopting IoT.
In response, Arduino has looked at ways to improve security in both its hardware and software, with a strong focus on “security by design”.
The Arduino IoT Cloud is a low-code platform that enables users to log, graph and analyze their sensor data, trigger events, and automate their home or business. Among its integrated security features are:
- Secure communication with Arduino Portenta H7, Arduino Nano 33 IoT and Arduino MKR family boards using their on-board secure elements (NXP EdgeLock SE050 or Microchip ATECCX08A)
- The open-source ArduinoBearSSL library for implementing the TLS protocol on devices
- A device certificate provisioning process to allow client authentication during MQTT sessions.
Commenting, Fabio Violante, CEO of Arduino, said: “Our priority has always been to build solutions that ensure maximum security for our users and developers and take every step to minimise risk. We are extremely proud of the development of a model that can make our solutions secure by design. As IoT devices continue to proliferate at pace, we will remain committed to finding even more ways to improve security for years to come.”
Today's embedded devices still do not properly implement the full SSL/TLS stack. Optimised for constrained devices, ArduinoBearSSL aims for a small code footprint and low RAM usage, and looks to give developers a foundation for their codebase that is fully interoperable with existing SSL/TLS servers.
Security and performance were a focus when fitting the standard BearSSL into Arduino’s embedded IoT core. Arduino IoT-enabled boards include one or more (as in the case of the Portenta H7) hardware crypto chips dedicated to the fast computation of cryptographic operations. RAM is therefore freed of these demanding tasks, private keys are stored securely, and true random number generation (a basic operation for ensuring secure communications) can be delivered effectively.
Different communication techniques look to guarantee point-to-point encrypted communication between the Arduino-powered IoT device and Arduino’s servers. Both techniques, asymmetric and symmetric encryption, facilitate a handshake between the client and the server and the issuing of unique session keys.
The process of device registration in the Arduino IoT Cloud has been simplified to help developers optimise their workflows.
Arduino’s API exposes an endpoint a client can interact with: the client requests to register a new device on the Arduino IoT Cloud, and the server (API) returns a UUID (Universally Unique IDentifier) that is stored in the board’s crypto element. From that moment on, developers can use that UUID in their code to identify their devices to the Arduino IoT Cloud.
The device’s private key cannot be extracted from the secure element - a fundamental benefit of installing the IoT Cloud security model on official Arduino boards.