Security question about imps in general


#1

A hypothetical scenario, that may probably become more common as more IOT devices come online, not only IMPs, but other devices as well.
If a rogue operator somehow got the details of an imp, the device Id, https://agent.electricimp.com/************, and Device: *****************, what could they do? For example, could they reprogram the imp, or just call the existing functions running? If this could happen, have you lost control forever of that piece of hardware (knowing that it could be compromised at any time)? What could anyone do to get control back of this device? Is the DeviceID fixed and permanent (same with the Device)? How can you stop, say, someone calling multiple requests to a device's Agent, in a blocking technique to Deny Services?
Hope my question is not too vague, more about opening up the subject of Security of IOT hardware in general. TOM.


#2

Access to the agents has mostly been protected via URL obscurity. Not really just trusting that, one of the first lines that I put in my agent code for incoming request processing is a check for a ‘key’. Similar to an API key, all my clients send this key with the request and at the top of the agent code, if this key isn’t there or doesn’t match, stop processing the request. One thing you can use for a key is a UUID. There are UUID generators all over the net. Hope this helps.


#3

We have a page here going over some methods to secure agents: https://electricimp.com/docs/resources/agentsecurity/

Various commercial customers take various approaches, but HMAC signing requests is a common approach and one which we support natively with agent APIs.

Whilst the agent URL namespace is big (brute forcing it would be painful/expensive), the more likely attack would be from a service or app that uses us being compromised. This could indeed lead to DoS of single devices, which is something we’d address at a service level.

Any system is only as strong as its weakest link and both the platform and application are part of that chain. We’re very consultative with customers and will help them build and deploy “good” solutions on our platform.

We are the first (and currently only) platform to get UL 2900-2-2 cybersecurity certification, plus we have public company customers who put us through multiple independent security audits and tests. Our stuff is good, and we’ll be talking publicly about this in more detail in the coming months - right now, the fine-grained detail is only available under NDA to customers and their security testers which isn’t ideal but if you have questions, please ask away!
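
Added example, not part of any post in this thread and not Electric Imp's code: the key check from #2 and the HMAC request signing mentioned in #3, sketched in Python rather than agent Squirrel. The header names, the key, the freshness window and the replay set are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample secret; in practice use one random key per agent.
SHARED_KEY = b"constructed-example-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def sign_request(key, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over method, path, timestamp and body."""
    message = b"\n".join([method.upper().encode(), path.encode(),
                          str(timestamp).encode(), body])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_request(key, method, path, body, headers, now, seen_signatures):
    """Agent side: return (http_status, reason) before any handler runs."""
    timestamp = headers.get("x-timestamp")   # hypothetical header name
    signature = headers.get("x-signature")   # hypothetical header name
    if timestamp is None or signature is None:
        return 401, "missing signature headers"
    if not timestamp.isdecimal():
        return 401, "malformed timestamp"
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return 401, "stale timestamp"
    expected = sign_request(key, method, path, body, int(timestamp))
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "bad signature"
    if signature in seen_signatures:
        return 409, "replayed request"
    seen_signatures.add(signature)
    return 200, "ok"


def demo():
    """Run constructed requests through the check and collect the results."""
    now, seen = 1_700_000_000, set()
    body = b'{"lights": "on"}'
    sig = sign_request(SHARED_KEY, "POST", "/lights", body, now)
    good = {"x-timestamp": str(now), "x-signature": sig}
    return [
        verify_request(SHARED_KEY, "POST", "/lights", body, good, now, seen),
        verify_request(SHARED_KEY, "POST", "/lights", body, good, now + 5, seen),
        verify_request(SHARED_KEY, "POST", "/lights", b'{"lights": "off"}', good, now, seen),
        verify_request(SHARED_KEY, "POST", "/lights", body, good, now + 3600, seen),
        verify_request(SHARED_KEY, "POST", "/lights", body, {}, now, seen),
    ]
```

Unlike a static key sent in a header, the signature covers the body and a timestamp, so a captured request cannot be altered or resent later. Entries in the replay set can be discarded once they are older than the freshness window.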


#4

If you are creating your own web pages to manipulate your imp agent (imp URL), you might be tempted to put the URL in your HTML, or javascripting (as with AJAX), but you can use PHP CURL to do all of the POST and GET to your imp URL. By using PHP CURL, your imp URL never appears in any HTML or javascripts … so nobody can view it by looking at your HTML source.

Even if someone knows your imp URL, they cannot reprogram it. They can only POST to the URL. They would need to know what the agent is expecting. You are correct that if I knew your imp URL, I could hammer it with POST data continuously. As @dmutterer (Dave) mentioned, you can have the agent verify an API key coming in the header of a POST. If it does not match, the agent ignores the incoming data.

So really the worst would be that I could write a PHP script to POST to your imp URL, over and over again. That would be annoying, but not a catastrophe anyhow.

Looking at other IoT devices, such as Arduino, the user would be accessing an IP instead of a URL, assuming they are not using any cloud services. The Arduino to an IoT cloud is worse because they have non-encrypted data going both ways (as in the WiFi data).

And I’ll add that it’s just my personal opinion that I would never use an imp or any other internet connected device to control critical equipment, such as my house’s heating and cooling system. If my imp controls some outdoor lights, or some monitor-only applications, it would not be a disaster if it got hacked somehow.

Remember there are no IoT security standards. Everything from cars to homes can be hacked. If you want to IoT something, assume someone can wreck it. It’s no different than using a credit card.


#5

Standards are beginning to emerge. As Hugo mentioned in his previous post in this thread, Electric Imp is the first platform to achieve UL2900-2-2 Cybersecurity Certification. We have considered a lot when creating this platform. Electric Imp has been tested numerous times, and has been found secure enough for Pitney Bowes to process government currency transactions on their devices (postage machines). Your heating and cooling system will be quite secure on our platform. (There are commercial systems like that on our platform today). The EATON EMCB (Energy Management Circuit Breaker) uses Electric Imp. www.eaton.com/emcb


#6

As I said, it’s a personal opinion. I think the Imp is great. Everyone that sees what I’ve done with my Imps is really amazed, especially at what it took to buy, create, and build my projects. How little time and money I actually had to spend. People entering the world of IoT just need to be aware and informed that weak links exist. Be careful of what you control via the internet.