Arduino devices are a favorite among do-it-yourself (DIY) enthusiasts to create, among other things, Internet of Things (IoT) devices. We have previously covered the Espressif ESP8266 family of devices that can be programmed using the Arduino SDK, but the Arduino project itself also provides WiFi-enabled devices such as the Arduino MKR WiFi 1010 board. Recently, the Arduino Security Team raised the problem of security shortcomings of IoT devices in a post, and how the Arduino project is working to make improvements. We will take the opportunity to share some interesting things from that, and also look at the overall state of TLS support in the Arduino and Espressif SDK projects.
When it comes to making a secure IoT device, an important consideration is the TLS implementation. At minimum, TLS can prevent eavesdropping on the communications, but, properly implemented, it can also address a number of other security concerns (such as man-in-the-middle attacks). Moreover, certificate-based authentication for IoT endpoints is a considerably better approach than usernames and passwords. In certificate-based authentication, a client presents a certificate that can be cryptographically verified as to the client’s identity, rather than relying on a username and password to do the same. These certificates are issued by trusted and cryptographically verifiable authorities so they are considerably more difficult to compromise than a simple username and password. Still, according to the team: “As of today, a lot of embedded devices still do not properly implement the full TLS stack”. As an example, it pointed out that “a lot of off-brand boards use code that does not actually validate the server’s certificate, making them an easy target for server impersonation and man-in-the-middle attacks.”
The reason for this is often simply a lack of resources available on the device — some devices only offer 32KB of RAM and many TLS implementations require more memory to function. Moreover, validating server certificates requires storing a potentially large number of trusted root certificates. Storing all of the data for Mozilla-trusted certificate authorities on a device takes up over 170KB in a system that potentially only has 1MB of available total flash memory. A general lack of education regarding the importance of security in this space unfortunately also plays a role. After all, TLS isn’t the most straightforward subject to begin with, and having to implement it on a resource-limited platform does not make implementing it correctly any easier.
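As an added illustration (not code from the Arduino, Espressif or BearSSL projects), the shell script below uses the `openssl` command-line tool to show what validating the server's certificate buys: a client pinned to one root accepts the genuine server and rejects a self-signed impersonator carrying the same name, and that single anchor costs roughly a kilobyte rather than the 170KB of the full Mozilla set. Every key, name and certificate is constructed locally, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: every key, name and certificate below is generated locally
# (constructed data); nothing here comes from a real device or CA.
set -eu

# Build a throwaway PKI in directory $1: one root the device would pin,
# a genuine server certificate, and a self-signed impersonator.
make_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Device Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=iot.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -days 30 \
    -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/srv.pem" 2>/dev/null
  # Same subject name as the genuine server, but not signed by the pinned root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=iot.example.test" \
    -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}

# Chain validation against the pinned anchor: $1 = anchor, $2 = certificate.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The name in the certificate; a client that skips validation learns nothing more.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Flash footprint of one trust anchor in DER form, in bytes.
anchor_bytes() { openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '; }

demo() {
  d=$(mktemp -d); make_pki "$d"
  for c in srv rogue; do
    if chain_ok "$d/ca.pem" "$d/$c.pem"; then r=accepted; else r=rejected; fi
    echo "$c.pem  CN=$(subject_cn "$d/$c.pem")  chain: $r"
  done
  echo "pinned anchor: $(anchor_bytes "$d/ca.pem") bytes of DER"
  rm -rf "$d"
}
demo
```

Both certificates carry the same name, so only the chain check tells them apart; a client that skips it has no basis for rejecting the impersonator.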
The Arduino project appears to take these issues seriously, and is backing that up with some concrete improvements in its offerings. For Arduino boards with WiFi capabilities that means providing a hardware-based cryptographic solution. These chips (the ATECC508A and ATECC608A by Microchip) provide services like certificate storage, encryption, and verification for TLS implementations — without consuming the limited resources of the device running the firmware. Essentially, these hardware-cryptographic chips implement everything needed to handle the asymmetric cryptography that TLS relies on. Using these hardware solutions requires the necessary software, and for Arduino that meant providing a lightweight TLS implementation that is easy for developers to use. To address this, the Arduino project has built on the work of the MIT-licensed BearSSL project, written by Thomas Pornin.
BearSSL implements RFC 5246 — TLS version 1.2. According to the BearSSL project’s guiding rules, the project “tries to find a reasonable trade-off between several partly conflicting goals”, one of which is support for CPU-challenged platforms. In short, it provides an implementation of TLS well-suited for an IoT device. BearSSL appears to be tightly controlled by Pornin. On the project’s “How to Contribute” page, Pornin states that patches are welcome, but should be emailed directly to him for consideration. Pornin says he “will rewrite any patch suggestion” and the “resulting code uses the MIT license, listing me (and only me) as the author.” According to Pornin, any contributions that are accepted will only be credited on the BearSSL site itself. The code can be retrieved from Pornin’s Git repository described here. The latest release of BearSSL, v0.6, was released in August 2018 and was described as “beta-quality” software.
Despite both the lack of community and recent releases, the Arduino project selected BearSSL “as a starting point” for its TLS library. This implementation, called the ArduinoBearSSL library, bundles the last release of BearSSL and augments it with the ArduinoECCX08 library to take advantage of the hardware-provided cryptographic tools (when available). This gives Arduino developers a reasonable library for implementing hardware-accelerated TLS correctly, with the same overall simplicity developers expect from Arduino development.
It is worth noting that Arduino isn’t the only embedded device project to make use of BearSSL. The Arduino core for ESP8266 by Espressif also implements BearSSL for its WiFi client. Like Arduino, the ESP8266 implementation bundles BearSSL v0.6. According to the official Espressif forum for the ESP8266, however: “There isn’t any hardware accelerated crypto support” available for the ESP8266. This makes implementation of TLS more complicated on the ESP8266 devices, as the entire implementation must be done in software. This can cause difficulties implementing TLS correctly; for example, software-based TLS can lead to exceedingly slow connection times.
The newer offering from Espressif is the ESP32 chip, which provides a considerable boost to power and overall functionality when compared to the ESP8266. One of those improvements is a version of the module (the ESP32-WROOM-32SE [PDF]) that includes the same hardware-accelerated cryptographic chip as can be found on Arduino boards (Microchip’s ATECC608A). While BearSSL was ported to Espressif’s Arduino ESP8266 library, it has not been ported for use in Espressif’s Arduino core for ESP32. Instead, the ESP32 TLS support is provided by a port of Mbed TLS to the device as part of the WiFiClientSecure library. Unlike ArduinoBearSSL, this library does not appear to be designed to take advantage of the hardware acceleration available in some ESP32 models at this time. Since the point of Arduino core for ESP32 is to enable Arduino libraries in development, it stands to reason that developers can take advantage of ArduinoBearSSL — and the hardware support it provides.
All in all, it is good to see projects like Arduino and chip manufacturers like Espressif, both of which tend to cater to the DIY community, take security seriously. These sorts of improvements are important for more than the DIY community, however, as the family of Espressif chips are also used in a wide variety of off-the-shelf consumer devices. In the world of IoT, having the ability to do something as simple as store certificates in a way that doesn’t eat up precious resources makes it easier for developers to avoid cutting corners in their projects. Hopefully, making the technology more accessible will help improve IoT security overall.