lab5

IoT Security

Online Link

This lab is available as part of my online portfolio at: https://lehi.dev/labs/lab5

 

Objective

The purpose of this lab is to learn how to use a relay to control your garage door Opener. Establish complex conditions by an additional sensor, these principles include:

  • Enumerate requirements from use case and user stories.
  • Become more familiar with representing the desired system by using flowcharts, state diagrams, etc.
  • Learn to plan what materials will be necessary to accomplish the system’s purpose
  • Build Iot sensors by utilizing GPIO pins for inputs.
  • Understand how relay works
  • IoT security design architecture

 

Materials

  • Personal Computer
  • 1 x Wemos D1 Mini microcontrollers (ESP8266)
  • 1 x 2.5A USB Power Supply with micro USB Cable
  • 1 x breadboard
  • 1 x Relay sensor
  • 1 x raspberry pi with SD micro sd card and charger
  • Arduino IDE
  • Fritzing
  • Jump wires
  • Soldering iron
  • Solder
  • GPIO pinout guide

References

The following resources were used in this lab:

 

Procedures

  1. Having done all the previous lab to make a collection of ESP8266 along with sensors to send data amongst themselves  (ultrasonic sensor, stoplight, reed switch, raspberry pi running mosquitto), now it is time to add one more arduino sensor with a relay. Solder the headers on the additional Wemos D1 mini, also solder the headers for the relay.
  2. Once Soldering are done then connect the relay shield on top of arduino shield.
  3. For the relay script import library ESP8266WiFi
  4. Connect to a wifi and start a server.
  5. Create 2 http rest endpoints one for relay on and another for relay off so you can control relay state. Change relay state accordingly.
  6. The logic set up was the following in pseudo code:
    1. If Relay circuit is off then turn off the relay
    2. If Relay circuit is on then turn on the relay
    3. Update relay state

 

  1. Models:
    1. Functionality: State machine as shown on the diagram below, this is a simplified form of the relay state machine.

  • On Start up, the machine will be on Relay Off state
  • Case “RELAY OFF”
    • If system receives /relay=on then system changes to “RELAY ON” state.
    • If system receives /relay=off then system remain in “RELAY OFF” state.
  • Case “RELAY ON”
    • If system receives /relay=on then system remains in “RELAY ON” state.
    • If system receives /relay=off then system changes to “RELAY OFF” state.
    1. System Flow: See Appendix 1.
    2. Component and Schematic Diagram: The relay is represented below by the following diagrams, relay is stacked on top of ESP8266 (Component and Schematic Diagram respectively)

Diagrams were facilitated by open source programs such as: Google drive plugin draw.io Diagrams and Fritzing.

 

  1. Program the code in the Arduino IDE
    1. Code the Arduino GPIO pins interaction with D1 pin and 5V is already being provided by the stacked shield accordingly to match the component/schematic diagram.
    2. Test/Debug relay as to make sure the logic is sound. You can debug by first making sure the baud rate is set up in setup method. Then click on serial monitor icon  .
    3. Use commands such as Serial.println(<variableToBeEvaluated>) to print out debug messages, so you can make sure what you think the code is doing is actually happening.

 

IoT Security Architecture

 

Some possible attack vectors on the devices running on a network are: DoS, connect to an open network, breaking a weak password, having services or network with default passwords, sharing password with neighbors, using a weak network encryption such as WEP, etc.

One way to design IoT systems to be accessible from a different network to the network running all these devices is to join the networks via VPN. Have a VPN server set up to expose the private network (IoT devices) to the public network (internet) where you can connect to it using a VPN client. Using strong passwords potentially the ones that are not in a dictionary and that are generated using a complex set of rules from a password generator like LastPass https://www.lastpass.com/password-generator would be a good resource, save the password in a locked down file or a password helper like LastPass. Use trusted VPN servers and clients. With this design you should be able to access home private network via VPN and therefore able to interact with ESP8266 devices, like the relay garage door opener website and send commands to open or close it. Also by laying down a few house rules may help in protecting the devices in the network as well as implementing some network rules, for instance:

  1. No more sharing network credentials with neighbors
  2. Change all default passwords
  3. Using strong network encryption such as WPA AES
  4. Create a guest network that is separate from the main home network
  5. Only connect important devices to the main home network or even a separate network specialized to only have a few devices as long as it is not the open guest network.
  6. Review network logs and which devices are attached to your network as to make sure there is no hacker connected.
  7. Get a network switch that has Auto DoS prevention, this will protect your network from DOS attacks.
  8. On your wifi router disable Port Scan and enable DoS Protection, which will protect you wireless network from attacks.

Thought Questions

  • How did you secure devices that are not inherently secure devices? How does layering security approaches help?
  1. I joined all the devices on a secured internet using WPA2-Personal, WPA AES  encryption.
  2. To keep unwanted devices off of the trusted network I have used a strong password, not in a dictionary, that were generated by a strong password generator, using LastPass (https://www.lastpass.com/password-generator)
  3. I have hidden the SSID broadcasting the networking name, so that people close by will not be able to scan my SSID.
  4. I removed all the clients keys and secrets to a different file not in the code for any device, created a file with client keys and secrets and removed that file from git using “.gitignore” so it doesn’t pushed to git repository.
  5. To open up the home private network you can setup a VPN server and login from external network using a client VPN, which internally negotiates authentication using VPN certificates.
  6. Layering security approaches help because you don’t want to be the low hanging fruit waiting for a hacker to attack. By developing layers of security you will no longer be that low hanging fruit that hackers ever so often look for to take advantage of. You’re making it harder for a hacker to attack you specifically and he/she may just try find someone else that is easier to hack into and faster.

 

  • What was the biggest challenge you overcame in this lab?

One of my biggest challenge was that I soldered the relay pins wrong and attaching to the ESP8266 did not work at all, so I had to desolder the pins and in the process damaged the relay and then tried again to solder with new pins. Also making all the devices to connect to my phone hotspot was a challenge because my phone only allows hotspot for up to 5 clients and I had 5 devices and a laptop to be on the same network making it 6 total, so I had to use my own home network to make all devices work as it should.

  • Please estimate the total time you spent on this lab and report.
    • 3 hour building and refactoring the circuit and cluster of devices to work well.
    • 10 hours coding the server and fixing bugs
    • 4 hours working on the lab report using tools such as Google draw.io Diagrams  and fritzing.
    • 2 hours publishing a website with lab 5 instructions.

 

Certification of Work

I certify that the solution presented in this lab represents my own work. In the case where I have borrowed code or ideas from another person, I have provided a link to the author’s work in the references, and included a citation in the comments of my code.

 

— Lehi Alcantara

Appendix

Appendix 1: System Flowchart

Appendix 2: Relay website On State

Appendix 3: Relay website Off State

Appendix 4: All System Diagram State

Appendix 6: Arduino Code

 

(Available at https://github.com/ylehilds/iot-security)