Security for transmitted and flash memory data

[espruino-discuss3]

Posted at 2018-09-01 by Eyzi

Hi, guys! Hope you're having a great day.

I'm working on a small IoT project and I'm mostly using Espruino WiFi and Sonoff devices.

I'm wondering what's the best way to secure data, both the transmitted data and the data on the flash memory. I've seen a few posts on encrypting transmitted data so I'm less worried about that, but what about the data in flash memory?

Correct me if I'm wrong, but when I load a program into a device, I can plug it into another computer with an Espruino IDE and access the loaded program and anything stored in the flash memory, right? Is there a way to encrypt the data loaded into it, or maybe require a password before being able to access it? I saw that Puckjs has E.setPassword or something. Is there a similar function for Espruino WiFi and/or Sonoff?

Thanks!

[espruino-discuss3]

Posted at 2018-09-01 by @allObjects

There exist serial FLASH EEPROMs that have built in encryption... so reading out things in clear would need special means. There are also chips with same serial FLASH EEPROM interface that can do encryption and decryption for you using asymmetric technique... (using the public key to encrypt, and private key to decrypt... (of course, private key not with device out in the field... but safely guarded in your save environment).

Some chips have fuses that forbid the reading out... but I'm not aware of Espruino supporting that in the context of being reusable/reprogrammable...

---

Posted at 2018-09-01 by Eyzi

Thanks for the reply, @allObjects!

Does the Espruino WiFi have this Flash EEPROM? I load data (wifi ssid, wifi password, server ip, etc) into the device (Espruino WiFi) using the Storage module, but when I connect this device to another computer, I can access these data with Storage.read() which is more or less what I'm trying to avoid.

Essentially, I want the data to only be accessible by the computer that loaded config into the device.

---

Posted at 2018-09-01 by @allObjects

@eyzi, take a look at conversation about Security: not much to do... and worse, if there is easy way to access by wire connection...

There are two things:

1. securing the transmission between Espruino device and other devices
2. securing the Espruino device

Unfortunately, latter is more difficult than the first one.

Not accepting any content or command - javascript expression - that has run successfully through the local decryption by the public key is the only way to secure the Espruino device from executing unauthenticated / unauthorized activities, such as dumping through any communication channel...

Take a look at Microchip - Security ICs.

Espruino firmware would need a change to route all console input - input that does system control - through such a protective filter.

As Microchip has MCs w/ embedded security (SW or HW or both), so does ST have embedded security (SW). Licensing may be an issue, but I'm sure Espruino could be modified in order to enable / include it... Experience though says that code and execution memory are a factor and both are already tight... Porting a security considerate version of Espruino on a STM32 chip with built-in HW security features could be the next step...

---

Posted at 2018-09-02 by Eyzi

Thanks, @allObjects!

I have read the Security thread prior to posting this, actually. Though, the conversation is mostly about the Puckjs. That's where I learned about the E.setPassword which would be a pretty good addition to the Espruino WiFi, if not already included.

I was hoping that Espruino has a native solution for security rather than relying on another firmware/hardware. It'd be great if Espruino releases a board with built-in HW security in the near future!

As for the transmission security, I think MQTT over TLS is a sufficient solution which the Espruino WiFi can already use. So at this point, securing the flash memory is really what I'm worried about.

---

Posted at 2018-09-02 by Wilberforce

E.setPassword which would be a pretty good addition to the Espruino WiFi, if not already included.

It is included

---

Posted at 2018-09-02 by Eyzi

Neat! For starters, I can use that to make the data on the flash memory less accessible. Thanks, @wilberforce!

---

Posted at 2018-09-03 by @gfwilliams

E.setPassword is definitely in there. You also have AES encryption, so you can write stuff to flash memory using something like the Storage module after it's encrypted.

Of course if you encrypt it then to be safe you want to find a way of not storing the encryption key on the device itself :)

The JS code is on the device as you say, but you can minify it using an option in the Web IDE to make it more or less unreadable, and making sure you do the normal upload then save() (not 'save on send') means that in flash memory your JS code is all over the place so it'll be extremely hard to reconstruct if someone were to try and read the contents of your memory.

---

Posted at 2018-09-03 by Eyzi

Awesome. Thanks, @gfwilliams! Every device will be configured by the server/MQTT broker (in this case, an Rpi) where the encryption keys will be stored so they're not in the device itself.

I'll give the AES encryption a go. Though, I wonder if the device will run as is without needing to decrypt the data in it, if it doesn't have the key. For example, if I store an AES encrypted WiFi SSID and password via the Storage module, will it be able to read/use it?

---

Posted at 2018-09-03 by @gfwilliams

if I store an AES encrypted WiFi SSID and password via the Storage module, will it be able to read/use it?

No, not without the key - that's kind of the point :)

You could encrypt it using the device's serial number, but then someone could just read that off the flash memory if they have access to it as well.

You can definitely make things hard for people, but I think at some point you have to say that if someone has full hardware access to your system and can take it apart and inspect it while it's running, it's not going to be 100% secure (that's not Espruino-specific, it applies to pretty much any embedded electronics).

---

Posted at 2018-09-03 by Eyzi

Yeah, I understand. I don't expect anyone to go as far as taking the device apart or anything hardcore. (If they're that dedicated in getting data off of the device, they deserve to know lol)

I'm more or less just trying to prevent other people from easily accessing it, specifically plugging the Espruino WiFi into their computer and getting access to the SSID and password with Storage.read. If E.setPassword can do that, then it's all I need, for now at least.

Thanks, @gfwilliams!

---

Posted at 2018-09-03 by @allObjects

It all depends what you want to protect.... and as clearly stated, if you can get physically your hands on a piece of hardware and it is running, due diligence will get anyone what they want.

For 'normal' security -protecting gathered data, for example - with the device not under power anymore, there are ways even with current means: the device asks over secure connection - as you mention - for the password and keeps it in volatile RAM, encrypts the data with it and stores it in a Flash EEPROM. Just make sure no phishing happens when credentials are exchanged (and the electronics cannot be unintendedly accessed). Using asymmetric encryption - with the public key - would make sure that it is practically impossible to get the content. The device can even retrieve that key over a connection, just authenticity of the source has to be guaranteed.

---

Posted at 2018-09-04 by @gfwilliams

If that's the level you're after, E.setPassword seems good - or you can just move the console away from USB permanently with something like LoopbackA.setConsole(1) - then there's literally nothing on USB at all that someone can get started with.