How do you secure IOT devices (e.g. ESP32) out in the field that is physically accessible, given that their SSL client certificate can be copied and used for impersonation and/or publishing wrong data to the server/broker? Alternatively, is there a way of knowing if the IoT client has been compromised?
The best way to secure the hardware is by adding an embedded security module, and if not possible an external one.
The range of solutions range from embedded modules such as
-Integrated Circuit modules like the https://www.microchip.com/wwwproducts/en/ATECC508A
which might be compatible with the module you specified
-to more general purpose hardware secured USB stick, like here: https://www.techradar.com/news/best-secure-drives
-to a secured local storage module on the IOT device
-to a dedicated Hardware Security Module (HSM)
All pending on your specific application and needs.
Related
I am using Azure IoT Edge where I am using Azure SQL Edge module from the marketplace. I have another module written in Python which makes a connectivity with the SQL Server module on the IoT edge device. To make the connection, I have to hardcode the SQL password in the code.
I thought of storing SQL password on Azure KeyVault and pull it in Python module on edge while making SQL connectivity though this would defeat the purpose of edge. What if there is no internet connection for a while and my module will stop working.
Is there a safe way to store the SQL password on the IoT edge device or What is the recommended way to make the connection on edge? Please advice. Thanks.
I guess you are talking about Azure SQL Edge module. Just wanted to ask how is the device secured? Is it using the TPM, X.509 or Symmetric keys?
Also can you please let me know if the default password was already change to a strong password? Usually, when you change the default password for MSSQL_SA_PASSWORD to a strong password, it is more than enough as no one will have access to the device if it has been secured.
Refer to this document for more clarification -
https://learn.microsoft.com/en-us/azure/azure-sql-edge/deploy-portal#connect-to-azure-sql-edge
I'd like to monitor network activity at transport level. No need for ethernet frames and other low level stuff. It looks that Microsoft-Windows-WFP and Microsoft-Pef-WFP-MessageProvider providers actually do the task. However I am not sure that PEF provider (part of MessageAnalyzer) is suitable for use by 3rd party software. Also, I couldn't neither find manifest for Microsoft-Windows-WFP provider nor get traffic from it.
The questions are:
Are these providers intended for public use?
Is it possible to use PEF provider directly without involving OPN and PEF infrastructure?
If the providers above are not intended for public use, are there any other ETW providers that log network traffic?
TIA.
I'm at the beginning of trying to understand the requirements for developing a VoIP app. From what I've learned so far, frameworks that allow for communication using SIP/TCP are the best (I don't intend to implement SIP myself).
However, although SIP can be peer-to-peer, its recommended to use an SIP server service. But I'm finding it difficult to locate information about what SIP services are appropriate for an iOS application / what is required from me in terms of setup of the server so that I can concentrate on client-side development.
Any advice would be much appreciated.
You need to figure out your use-cases to decide. A SIP server is like an HTTP server, it will analyse the request URI, the request headers and whatever hints it can see to execute some resource at the backend. Think if you plan to have a user database and authentication. Do you want presence? Do you want voicemail, call transfers, pbx features? Do you want video, audio, IM? Do you want to support arbitrary endpoints? Encryption, NAT traversal, HA? Only then you can think about actual servers and hosting. Many "minimal" configurations will include at least one SIP/media front-end (for NAT/SBC), a SIP/media server (to act on requests), a database server (to store persistent state) and an HTTP server (for config/admin UIs). While there are products that combine some of these into single server, they are generally at least reasonably isolated modules.
I am working on an chat program with socket programming (Indy in Delphi).
What security solutions can I use to satisfy its security? From user authentication (I used a server to authenticate users) and type of packets security that can be used?
I don't have any idea what can make my app vulnerable.
Indy supports OpenSSL so yo only need to add and configure a OpenSSL handler, and make sure that the firewall allows connections over the secure port.
A popular source of information is the Open Web Application Security Project (OWASP).
Their pages include lots of technical article, for example
https://www.owasp.org/index.php/Category:Vulnerability
about vulnerabilities
I'd like to authenticate the caller of my SOAP webservice (deployed in Ruby 1.8.7/Rails 2.3.5using datanoise gem in Red Hat enterprise linux 5) using some encrypted tag in the XML requests. Normally the client is a windows program (maybe C#/.Net windows programs - not Java/Ruby) which should generate a varying encrypted key in each call to the webservice based on a key/salt - while my server side would always be able to decode it with the private key. Knowledge of the encrypted token on the wire should not allow a third-party program to simply replicate the fully encrypted token and access the webservice. I am looking into OpenSSL but am a newbie to cryptography. The string being encrypted for identification could be (among other items) the MAC ID of the trusted client, which when decrypted would match the stored value on the server side of the trusted hosts.
I've found lots of possibilities on the Ruby side, but need to ideally ensure that the solution does not impose (or minimizes) any library or installation requirement on the windows client side. What i'm most struggling with is a way to generate a new key each time the call is made, so that anyone sniffing the traffic cannot simply infer the mode to create the encrypted tag by getting access to the key.
As you are authenticating the caller here and not necessarily just the contents of what they send, there's no need to put the authentication mechanism into the SOAP request. Others have tried to do what you are after with WS-Security, so if at all, I'd go with that.
There have been problems with the security of the scheme, though, but probably the biggest deal breaker is that there's no support for it available in Ruby (that I know of at least, please correct me if I'm wrong!).
Probably the easiest way to achieve client authentication on both ends would be using mutually authenticated TLS (the former SSL). This will ensure authentication on the transport level, which should suffice in your case. Actual authentication will then happen by first checking the validity of the certificate that is sent by the client (Ruby OpenSSL takes care of that for you), and once that is established, you check it against a white list of known certificates that you maintain on your server.
Please don't invent your own scheme, cryptographic protocols are among the hardest things to get right (that's why there are problems with WS-Security), TLS is probably as good as it gets right now and it has broad support in any language.