How Should WiFi Passwords be securely stored on micropython device?

GordanTrevis
Posts: 11
Joined: Sat Aug 24, 2019 8:59 am

How Should WiFi Passwords be securely stored on micropython device?

Post by GordanTrevis » Fri Sep 27, 2019 11:28 am

I currently think a lot about Network Security, especially with embedded devices.
I'm mainly using ESP-8266/32 boards.

Now to access the network with the device you have to put the clear WIFI credentials into your scripts (somewhere) since normal routers do not support hashing etc. This is a common problem on all embedded IoT devices. My thoughts on this are exactly as the question/answers on this StackExchange Post.

Now let's assume someone deploys boards outside of the home like a "Ring Video Bell" mounted in front of the Door for example, or a garden sensor. A valid IoT use case. - the board would be easily accessible to someone with bad intentions.

Now especially with micropython, the scripts on the board are easily accessible (R/W) with a normal USB cable. Given that an "attacker" knows the board is running micropython, it would take just minutes to get information off or even on the device - so it's actually not even necessary to "steal" the device, which at some point at least would be noticed.

So what are some possibilities / best practices to secure sensitive information like credentials on the devices?

- As mentioned in the Forum question, it is not really helping to encrypt the credentials since the decryption-Key has to be stored on the same device, making it only a little bit harder to retrieve the information but not secure. (Or did I miss something here, and there is a way?)

- My current thought is to embed/freeze the credentials, maybe even encrypted with a key, in the firmware. With the key being placed in some other script, to kind of "hide/layer" it - so at least it would not be inside a boot/main file, making it a bit harder.

Of course, at some point, the credentials or decryption keys have to be in a clear form on the device somewhere. So the goal is to make it as hard as possible to get to them. There was an interesting "Ring Bell" incident in which someone found a way to retrieve the wifi credentials from it in seconds; it is linked in the StackExchange post.

Any thoughts / tips on that?
How do you store credentials on your boards?
@Devs: Would there maybe be a built-in micropython-core solution to that?


(This is mainly focused on a security improvement from the viewpoint of the board, not general network security - of course, there are multiple ways like giving the IoT devices their own network, MAC filtering in case of a breach, etc., which should also be applied.
And please, don't answer with: why put an accessible board outside of your home in the first place.)

jomas
Posts: 59
Joined: Mon Dec 25, 2017 1:48 pm
Location: Netherlands

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by jomas » Fri Sep 27, 2019 3:51 pm

GordanTrevis wrote:
Fri Sep 27, 2019 11:28 am

> I'm mainly using ESP-8266/32 boards.
> Now to access the network with the device you have to put the clear WIFI credentials into your scripts

For esp32 that is true; for esp8266 there is no need to store credentials in your script.

But as you said, if you have access to the device you can read out all flash. So if your credentials are "somewhere" on the flash you have NO way to protect these credentials. Period.

> Now especially with micropython, the scripts on the board are easily accessible (R/W) with a normal USB cable. Given that an "attacker" knows the board is running micropython, it would take just minutes to get information off or even on the device - so it's actually not even necessary to "steal" the device, which at some point at least would be noticed.

So you should prevent this by cutting off the pins that connect to tx/rx, filling your device (especially also the flash memory) with epoxy, etc. Then it will not be easy to get out the credentials.

> So what are some possibilities / best practices to secure sensitive information like credentials on the devices?

I would say there is an option to put the credentials in (RTC) RAM. Then you have to construct your device in such a way that the power is disconnected whenever someone opens the device.

You also have to set up an AP then once to get your credentials in RAM and use deepsleep to "switch off" your device.

GordanTrevis
Posts: 11
Joined: Sat Aug 24, 2019 8:59 am

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by GordanTrevis » Fri Sep 27, 2019 5:22 pm

Nice Input!

> For esp32 that is true; for esp8266 there is no need to store credentials in your script.

Yes, I heard about that while working with Peter Hinch's MQTT lib. But never tested until now. Actually wanted to put the possibility in the post too. I tried it and it works on ESP8266. - Also, to my surprise, the docs for the network module got improved/extended in the last few hours thanks to that! :lol: ;)

> So you should prevent this by cutting off the pins that connect to tx/rx, fill your device (especially also the flash memory) with epoxy etc. Then it will not be easy to get out the credentials.

Yes, I thought about that too, at least about removing the USB port from the D1 Mini to eliminate the fast access. (Exactly what brings you to the starting point of every security decision -> Convenience vs. Security.)
What exactly do you mean with "epoxy" etc.? I never heard about this term in this kind of area.

> I would say there is an option to put the credentials in (RTC) RAM. Then you have to construct your device in such a way that the power is disconnected whenever someone opens the device.

I have to say! This is an excellent thought, to begin with. But how do you access RTC RAM? - With "power is disconnected" you mean so the RTC RAM gets deleted?

jomas
Posts: 59
Joined: Mon Dec 25, 2017 1:48 pm
Location: Netherlands

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by jomas » Fri Sep 27, 2019 6:08 pm

> > So you should prevent this by cutting off the pins that connect to tx/rx, fill your device (especially also the flash memory) with epoxy etc.
> What exactly do you mean with "epoxy" etc.? I never heard about this term in this kind of area.

I mean like 2-component epoxide glue.

> I have to say! This is an excellent thought, to begin with. But how do you access RTC RAM? - With "power is disconnected" you mean so the RTC RAM gets deleted?

You program your device so that when there is no credential in your RAM, you set up an AP and some kind of simple web server so you can access this web server to "set" the credentials. After that the AP is not needed anymore.
And yes, if the power is disconnected the RAM will be erased.

RTC memory can be set as follows (at least for esp8266):

Code:

import machine
rtc = machine.RTC()
# Store bytes in RTC memory; calling rtc.memory() with no argument reads them back
rtc.memory(b'hello')

I now realize that this approach only works for esp32, because esp8266 will retain the credentials in flash after a successful connection.
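
One way to implement the RTC-memory scheme described in the post above, as an added example that is not part of the original thread: the credentials live only in RTC memory as a checksummed record, and provisioning runs again whenever that record is missing or corrupt (for instance after power was cut). The record layout, `MAGIC`, `FakeRTC` and the `provision` callback are assumptions made for this example, and `binascii.crc32` and `struct` are assumed to be present in the firmware build.

```python
import binascii
import struct

MAGIC = b"WC1"  # constructed record tag (assumption, not a MicroPython constant)

def _crc(body):
    return struct.pack("<I", binascii.crc32(body) & 0xFFFFFFFF)

def pack_credentials(ssid, password):
    """Serialize as MAGIC | len(ssid) | len(password) | ssid | password | CRC32."""
    s, p = ssid.encode(), password.encode()
    if not 0 < len(s) <= 32 or len(p) > 64:
        raise ValueError("SSID must be 1-32 bytes, passphrase at most 64 bytes")
    body = MAGIC + bytes((len(s), len(p))) + s + p
    return body + _crc(body)

def unpack_credentials(blob):
    """Return (ssid, password), or None when RTC memory is empty or corrupt."""
    n = len(MAGIC)
    if len(blob) < n + 6 or blob[:n] != MAGIC:
        return None
    split = n + 2 + blob[n]          # end of the SSID field
    end = split + blob[n + 1]        # end of the password field
    body = blob[:end]
    if blob[end:end + 4] != _crc(body):   # also fails on a truncated record
        return None
    return body[n + 2:split].decode(), body[split:].decode()

def load_or_provision(rtc, provision):
    """Use credentials held in RTC memory; run provision() only when none survive."""
    creds = unpack_credentials(rtc.memory())
    if creds is None:
        creds = provision()  # hypothetical callback, e.g. the one-time AP + web form
        rtc.memory(pack_credentials(*creds))
    return creds

class FakeRTC:
    """Stand-in for machine.RTC() so the example also runs off-device."""
    def __init__(self):
        self._mem = b""

    def memory(self, data=None):
        if data is None:
            return self._mem
        self._mem = bytes(data)
```

On a board, pass `machine.RTC()` in place of `FakeRTC()`. As pointed out later in the thread, anyone who reaches the REPL can still call `rtc.memory()` and read the record.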

jimmo
Posts: 2754
Joined: Tue Aug 08, 2017 1:57 am
Location: Sydney, Australia

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by jimmo » Sun Sep 29, 2019 10:46 am

FWIW, as discussed earlier in the thread, on ESP8266 you currently have no option to prevent the credentials from being stored on flash. In order to implement a RAM-based option as is being suggested, you'll need a way to make connect() use wifi_station_set_config_current() instead of wifi_station_set_config(), which it currently uses. Perhaps by making this an optional argument to connect; I think this would actually be a genuinely useful feature.

Roberthh
Posts: 3667
Joined: Sat May 09, 2015 4:13 pm
Location: Rhineland, Europe

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by Roberthh » Sun Sep 29, 2019 11:23 am

The micropython variant for PyCom devices can be built with flash encryption enabled. Then, the flash is encrypted (with AES128?) using the on-board mechanism of the ESP32. The key is stored inside the ESP32 chip in fuse registers. Even if I do not expect this encryption engine to be side-channel-resistant, the effort to recover the key should be far beyond the level to be expected here.
The encryption is transparent to the executed code, so it just has to be enabled. Once enabled, it cannot be undone. Installed code can still read and write to the flash, but access to the flash by other means just retrieves encrypted content. The Pycom WiPy firmware can be used on any Genuine ESP32 device. The GPIO port numbers are somewhat strange, Pxx instead of just the GPIO port number, but making a generic configuration file is possible.

GordanTrevis
Posts: 11
Joined: Sat Aug 24, 2019 8:59 am

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by GordanTrevis » Thu Oct 03, 2019 12:10 pm

@jomas

> I mean like 2-component epoxide glue.

Oh, you meant that literally...

Code:

import machine
rtc = machine.RTC()
rtc.memory(b'hello')

NICE! Yes, this should only work for ESP32.
But where did you get that info? I don't see any documentation about a "rtc.memory(b'hello')" function? (I could also be blind, but...)

@jimmo
Yes, I think this would be a nice feature.

Where exactly are the credentials stored in the ram? And how easy is it to access?

@Roberthh
This would be the ultimate solution, I guess.
Thanks for the WiPy ESP32 Hint!

jimmo
Posts: 2754
Joined: Tue Aug 08, 2017 1:57 am
Location: Sydney, Australia

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by jimmo » Thu Oct 03, 2019 12:51 pm

GordanTrevis wrote:
Thu Oct 03, 2019 12:10 pm

> Where exactly are the credentials stored in the ram? And how easy is it to access?

I was referring to the suggestion to use RTC.

GordanTrevis wrote:
Thu Oct 03, 2019 12:10 pm

> But where did you get that info? I don't see any documentation about a "rtc.memory(b'hello')" function? (I could also be blind, but...)

Unfortunately this is an ESP32-only feature and not currently documented. https://github.com/micropython/micropyt ... rtc.c#L128

jomas
Posts: 59
Joined: Mon Dec 25, 2017 1:48 pm
Location: Netherlands

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by jomas » Thu Oct 03, 2019 3:31 pm

jimmo wrote:
Thu Oct 03, 2019 12:51 pm

> Unfortunately this is an ESP32-only feature and not currently documented. https://github.com/micropython/micropyt ... rtc.c#L128

That is not true. It is implemented (and undocumented) for esp8266 too.

tve
Posts: 216
Joined: Wed Jan 01, 2020 10:12 pm
Location: Santa Barbara, CA

Re: How Should WiFi Passwords be securely stored on micropython device?

Post by tve » Sun Jan 05, 2020 1:33 am

Roberthh wrote:
Sun Sep 29, 2019 11:23 am

> The micropython variant for PyCom devices can be built with flash encryption enabled. Then, the flash is encrypted (with AES128?) using the on-board mechanism of the ESP32. The key is stored inside the ESP32 chip in fuse registers.

So this helps in that an attacker can't put some probes onto the SPI flash chip and read out the contents. If you use an esp32-pico you get close to the same benefit without encryption given the significantly higher hurdle to get at the flash. But if there is any access to the repl or any way to inject some code into the esp32 an attacker can still get at the password.

My conclusion has been to treat wifi as only one security layer and to adopt a second one as much as possible. I like to use MQTT with PSK, which is really easy to use and provides two-way auth and I'm looking into restricting access to the universe of topics on a per-key basis. In the example given, an attacker could forge door rings and perhaps subscribe to some global topics, such as time and time-zone notifications, but not anything else. Unfortunately micropython doesn't support PSK at the moment, I hope to fix that...
