Secure IoT Connectivity with NodeMCU ESP8266 Board, ATECC508A Crypto Chip, Mongoose OS, and AWS IoT

There are many examples of Internet of Things projects, but more often than not the implementation is not secure, either because the device is exposed to the Internet with minimum or no security (worst case), or a gateway (hopefully) provides secure connection to the Internet, but the communication between sensor nodes and the gateway in the local network is not secure, due to memory limitation of the nodes, for example it might be challenging to implement security on ESP8266. Mongoose OS is an open source operating system for the Internet of Things developed by Cesanta working on ESP32, ESP8266, STM32, and TI CC3200, and the developers have demonstrated a secure solution with Mongoose OS running on ESP8266 connecting over a TLS connection to AWS IoT (Amazon Web Service IoT) and using TLS credentials stored in Microchip ATECC508A CryptoAuthentication Device.

NodeMCU with ATCRYPTOAUTH-XPRO (Left) or barebone ATECC508A (Right)

The addition of ATECC508 chip either using “XplainedPro extension board for crypto products” (ATCRYPTOAUTH-XPRO) or ATECC508A chip itself, is to avoid storing private TLS credentials in NodeMCU’s flash memory, as anybody with physical access to the device could steal private keys and get access to the cloud. ATECC508A is connected via the I2C interface of the target board.

So I guess the crypto chip truly makes sense if you have sensor nodes on the field with information important enough that third parties may be interested in getting access to your sensor to try read your private key from ESP8266’s flash. It costs less than $1, so you may consider it anyway, although you can still get a secure TLS connection between NodeMCU and AWS IoT without it, but it adds another level of security.

Once you are done with the hardware connections, you’ll need to install Mongoose OS on the board, and follow the MQTT + AWS IoT tutorial to get started. Nothing complicated need to be done to leverage the crypto chip, as the command mgos aws-iot-setup should automatically detect ATECC508A chip and use it.

Support CNX Software - Donate via PayPal or become a Patron on Patreon
Subscribe
Notify of
guest
16 Comments
oldest
newest most voted
zoobab
3 years ago

Well esp8266 should be able to run Curve crypto.

rojer
3 years ago

@zoobab
yes, it is capable of doing it, though it’s a bit slow at it (takes a couple seconds). point is, with crypto chip the private key is not accessible to someone with physical access to the device. crypto chip also makes handshake faster, which is a nice bonus (but also doesn’t matter much for AWS IoT connection, as it is done in the background).

Pooma
Pooma
3 years ago

Someone with physical access can just take the crypto chip and attack it MITM. ESP weakness is that all code is in an external flash chip.

rojer
3 years ago

@Pooma
that’s true, there’s no way to protect code on esp8266 since there’s no secure trust anchor.
still, external chip for credential storage means e.g. you cannot clone the device (not without cloning the chip, anyway).
for full protection you need to go to esp32, which has flash encryption and secure boot.
also supported by mongoose os.

zymber
zymber
3 years ago

@Pooma

@Pooma
Agree with you on the potential for a MITM attack over I2C. Zymbit security module for RPI isolates the ATECC508A from the user app with a secure MCU. ATECC508A to MCU is ofcouse encrypted. More details here. https://www.zymbit.com/zymkey/#Cryptosilicon

gicho
gicho
3 years ago

Mongoose is quite interesting – not so newcommer friendly as arduino for esp, but quite well implemented – I meant that not-so-huge codebase is the only negative aspect of the mongoose.
In recent weeks they also implemented some kind of arudino compatibility so one could benefit from large code base for arduino and still get the high end features of the mongoose.
I think that “mgos” is old name – now the tool is renamed, “mos” if I remember right. This makes some articles obsolete (not working directly with copy/paste).

cpq
3 years ago

@gicho we’re doing our best to keep docs / articles up to date, so that should not be a concern.

You mentioned Arduino is more friendly to the newcomer than Mongoose OS, could you elaborate why, please?

tkaiser
tkaiser
3 years ago


Thanks for mentioning security relevant issues one more time. My favourite is turning so called ‘smart’ TVs into simple bugs that spy on you. But TVs with a single mic are boring, those Alexa or this ‘Hey Google’ thingies with microphone arrays are way more interesting since they get you even when you just whisper somewhere in your own house 🙂

gicho
gicho
3 years ago

@cpq Yes, I think I just hit a time slice when you changed the name of the tool and there were some issues with code build. Also I acknowledge that you fixed it in several hours after github issue report. About newcomers – my point was about DIY users, not professional programmers. With arduino one could easily build his first project by “copy-paste” with some help from google search. This attracts people with less expirience – at least doesn’t scare them away. Some days later working on the project they will find out the real need of provisioning, OTA update,… Read more »

anon
anon
3 years ago

> Download mos.exe; double-click mos.exe

This is a CTF, first idi-ocy-proofness stage, right? Like, if someone talks you about secure chip and other b/s and tells to download and run .exe, and you laugh in their face, then you can proceed to the next level?

gicho
gicho
3 years ago

https://github.com/cesanta/mongoose-os/tree/master/mos
I believe these are the sources for the tool. Pre-built exe allows newcomers to jump start.

cpq
3 years ago

@gicho

Thank you, very well said.

Toly
3 years ago

Yes, if you want to build it yourself you can just use Mongoose OS sources from GitHub. This is an open source project.
Downloads are for the MOS tool, which significantly simplifies firmware built the process through either terminal/command prompt or UI.

tkaiser
tkaiser
3 years ago


Just do a web search for ‘De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf’ (2012) where everything is explained in detail. (U)EFI rootkits are nothing new unfortunately and I would believe some of these vulnerabilities can be considered design goals of the technology.

Advertisements