Arduino empowers every user to meet the IoT security challenge

Specifically in the IoT space, operating without sophisticated security measures in place can put customers and their data at risk. Today, data, network, and device security remains the primary concern for 50% of organisations when adopting IoT. Arduino understands the risk of compromise and is constantly looking for ways to improve security in both its hardware and software, with a strong focus on ‘security by design’.

Arduino IoT Cloud is a low-code platform that enables users to log, graph and analyse their sensor data, trigger events, and automate their home or business. You can sign up for Arduino IoT Cloud for free today and now automatically benefit from integrated security features including:

• Secure communication with Arduino Portenta H7, Arduino Nano 33 IoT and Arduino MKR family boards using their on-board secure elements (NXP EdgeLock SE050 or Microchip ATECCX08A) 
• The open-source ArduinoBearSSL library for implementing the TLS protocol on devices
• A device certificate provisioning process to allow client authentication during MQTT sessions.

Fabio Violante, CEO of Arduino said: “Our priority has always been to build solutions that ensure maximum security for our users and developers and take every step to minimise risk. We are extremely proud of the development of a model that can make our solutions secure by design. As IoT devices continue to proliferate at pace, we will remain committed to finding even more ways to improve security for years to come.” 

Many of today’s embedded devices still do not properly implement the full SSL/TLS stack. Optimised for constrained devices, ArduinoBearSSL aims at producing small code footprints and low RAM usage. It provides developers with a sturdy foundation to their codebase that is fully interoperable with existing SSL/TLS servers. 

Security and performance was a focus when fitting the standard Bear SSL into Arduino’s embedded IoT core. Arduino IoT enabled boards include one or more (as in the case of the Portenta H7) hardware crypto chips dedicated to the fast computation of cryptography operations. RAM is therefore free of these demanding tasks, private keys are stored securely, and true random number generation (a basic operation to ensure secure communications) can be delivered effectively. 

Different communication techniques are put in motion behind the scenes to guarantee a point to point encrypted communication between the Arduino-powered IoT device and Arduino’s servers. Both techniques, asymmetric and symmetric encryption, facilitate a handshake between the client and the server, and issuing unique session keys.

The process of device registration in the Arduino IoT Cloud has been simplified to help developers optimise their workflows. Arduino’s API exposes an endpoint a client can interact with, the client requests to register a new device on the Arduino IoT Cloud, to which the server (API) returns a UUID (Universally Unique IDentifier) that will be stored in the board’s crypto element.

From that moment and on, developers can use that UUID in their code to identify their devices against the Arduino IoT Cloud. The device’s private key cannot be extracted by the secure element - a fundamental benefit of installing the IoT Cloud security model on official Arduino boards.