ESP32 + AWS IoT And Secured WiFi LEDs

Mudassar Tamboli
9 min read · Jul 2, 2018


Introduction

This article demonstrates how to create a secure “Thing” of the internet and securely exchange messages, alerts, commands between the Thing and the application using AWS IoT cloud platform and Espressif’s ESP32 wifi enabled microcontroller.

The MQTT protocol is used for communication between the clients and the AWS IoT message broker. IoT policies and certificates authenticate the device and the applications, define roles, and restrict each role's permission to subscribe and publish to topics.

The ESP32 controls a matrix of 3 Green, 3 Blue and 3 Red LEDs. These LEDs are set On and Off according to the commands received from different MQTT clients.

Security

In the world of IoT, security is critical because there is little human intervention or monitoring. We write intelligence into a dumb device, assume that makes it smart, and leave everything at its mercy. Smart devices cannot defend themselves; they need to be protected. A device is only as intelligent as the commands it is given. These “Things of the Internet” are used in health care, industrial automation, automobiles, supply chains and many more solutions than we can imagine.

Consider a patient whose health is being monitored and whose further medication is decided from the reported status; an industrial unit handling sensitive chemicals based on readings from chemical sensors; a driverless car carrying a passenger; or the large supply chain of a giant supermarket. Everything is automated, and decisions are made on the basis of the messages, alerts and commands reported by the Things of the Internet.

If IoT is not secured, it is likely to be attacked by a malicious hacker injecting wrong information into the communication channel. Big and bigger disasters become inevitable, and lives may be lost. So, what could go wrong? Here are a few things nobody wants to happen:

  • an overdose or the wrong medicine given to a recovering patient
  • an overspeeding car with failed brakes
  • a fatal chemical reaction
  • a messed-up and chaotic supply chain

Why ESP32 ?

  • ESP32 is a low cost, low power, wifi enabled microcontroller best suited as a Thing
  • It can securely connect to AWS IoT
  • Can be programmed in Arduino IDE
  • Rich Arduino library support by Espressif

Why AWS IoT ?

  • MQTT broker provides high throughput with low latency
  • IoT policy restricts access to subscription, publish and client resources, allowing fine-grained control over permissions on the topics used for message distribution
  • Allows seamless integration of IoT events/triggers with other Amazon Web Services

Architecture

The cute little beast, ESP32, has SPI, I2C, Serial, Bluetooth and WiFi for interfacing with other hardware modules. But I really wanted to keep the hardware much, much simpler. I thought of buying an AWS IoT Button, but it provides very limited events to handle or display.

An LED matrix with 3 Green, 3 Blue and 3 Red LEDs gives us many options. We can restrict access to different combinations of LEDs through IoT policies, and the LEDs switching on and off give better visual feedback on the hardware side.

The ESP32 subscribes to commands from MQTT clients to set LEDs On or Off and publishes the LEDs' state to the AWS IoT MQTT broker, which relays and distributes the messages according to the IoT policy attached to each subscribed MQTT client.

The demo implements MQTT clients in 5 popular languages.

Roles

Let's identify the roles and set IoT policies accordingly.

There are 4 roles, viz. Guest, Admin, Master and Owner:

  1. Guest — Guest has access to only Green LEDs
  2. Admin — Admin has access to Green and Blue LEDs only
  3. Master — Master has access to All Green, Blue and Red LEDs
  4. Owner — Owner has access to all the LEDs and to the ESP32 microcontroller as well
  5. Intruder — Sorry, There is no role of intruder

IoT Policy

An AWS IoT policy is a JSON document containing one or more policy statements, each defined by an Effect, an Action and a Resource:

Effect: Allow or Deny the listed actions

Action: iot:Connect, iot:Publish, iot:Subscribe, iot:Receive, etc.

Resource: the MQTT client, MQTT topic or topic filter the statement applies to, identified by its ARN

The following shows the policy applied to each role.

ESP32_Led_Guest_Policy

Any MQTT client with a valid certificate and any client id is allowed to connect and to publish, subscribe and receive on any topic related to the Green LEDs, and is denied subscribe, receive and publish on any topic related to the Blue LEDs, Red LEDs and ESP32. Note that AWS IoT matches iot:Publish and iot:Receive against topic/ ARNs and iot:Subscribe against topicfilter/ ARNs, so the Deny statement lists both forms; a Deny written only against topicfilter/ would block subscriptions but leave publishing to the Blue and Red topics open.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Publish"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iot:Subscribe",
        "iot:Receive",
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/led/blue/*",
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/led/red/*",
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/esp32/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/led/blue/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/led/red/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/esp32/*"
      ]
    }
  ]
}

ESP32_Led_Admin_Policy

Any MQTT client with a valid certificate and the client id nodejs-client-admin, mobile-client-admin or pc-client-admin is allowed to connect and to publish, subscribe and receive on any topic related to the Green and Blue LEDs only, and is denied subscribe, receive and publish on any topic related to the Red LEDs and the restricted ESP32 topics. As with the Guest policy, the Deny statements list both the topicfilter/ form (for iot:Subscribe) and the topic/ form (for iot:Receive and iot:Publish).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:client/nodejs-client-admin",
        "arn:aws:iot:us-west-2:944320430879:client/mobile-client-admin",
        "arn:aws:iot:us-west-2:944320430879:client/pc-client-admin"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe",
        "iot:Receive",
        "iot:Publish"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/led/red/*",
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/esp32/restricted/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/led/red/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/esp32/restricted/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:topic/secure/led/red/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/esp32/restricted/*"
      ]
    }
  ]
}

ESP32_Led_Master_Policy

Any MQTT client with a valid certificate and the client id python-client-master, mobile-client-master or pc-client-master is allowed to connect and to publish, subscribe and receive on any topic related to the Green, Blue and Red LEDs, is denied subscribe, receive and publish on the restricted ESP32 topics, and is denied subscribe, receive and publish on the Red LED command topic. The Deny again lists both the topicfilter/ form (for iot:Subscribe) and the topic/ form (for iot:Receive and iot:Publish).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:client/python-client-master",
        "arn:aws:iot:us-west-2:944320430879:client/mobile-client-master",
        "arn:aws:iot:us-west-2:944320430879:client/pc-client-master"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/led/red/command",
        "arn:aws:iot:us-west-2:944320430879:topicfilter/secure/esp32/restricted/*",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/led/red/command",
        "arn:aws:iot:us-west-2:944320430879:topic/secure/esp32/restricted/*"
      ]
    }
  ]
}

ESP32_Owner_Policy

Any MQTT client with a valid certificate and the client id android-esp32-owner or arduino-esp32-owner is allowed to connect and to publish, subscribe and receive on any topic related to any of the LEDs, and is allowed to subscribe to any topic related to the ESP32.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:us-west-2:944320430879:client/android-esp32-owner",
        "arn:aws:iot:us-west-2:944320430879:client/arduino-esp32-owner"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": "*"
    }
  ]
}
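Before attaching a policy to a certificate, it is worth checking it against the role matrix offline. The following is an added example, not code from the article or its repository: a minimal Python simulator of AWS IoT policy evaluation that probes a constructed Guest policy. It assumes the AWS rules that any matching Deny overrides Allow, that `*` in a resource ARN matches any characters, and that iot:Publish and iot:Receive are matched against topic/ ARNs, iot:Subscribe against topicfilter/ and iot:Connect against client/; policy variables and Condition blocks are not modeled, and the account id is the one from the policies above.

```python
import re

ARN_PREFIX = "arn:aws:iot:us-west-2:944320430879"  # region and account id from the policies above

# Resource type each action is evaluated against (AWS IoT rule assumed in the lead-in)
RESOURCE_TYPE = {"iot:Connect": "client", "iot:Publish": "topic",
                 "iot:Receive": "topic", "iot:Subscribe": "topicfilter"}

def arn_matches(pattern, arn):
    # '*' in a resource ARN matches any run of characters, '/' included
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), arn) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, name):
    """True if `action` on `name` (a client id or a topic) is permitted by `policy`."""
    arn = f"{ARN_PREFIX}:{RESOURCE_TYPE[action]}/{name}"
    allowed = False
    for stmt in policy["Statement"]:
        if action not in as_list(stmt["Action"]):
            continue
        if not any(arn_matches(r, arn) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed

def guest_policy(deny_resources):
    # Constructed Guest policy: allow everything, then deny the listed resources
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iot:Connect", "iot:Subscribe", "iot:Receive", "iot:Publish"]},
        {"Effect": "Deny", "Resource": deny_resources,
         "Action": ["iot:Subscribe", "iot:Receive", "iot:Publish"]}]}

NON_GREEN = ["secure/led/blue/*", "secure/led/red/*", "secure/esp32/*"]
# Deny written only against topicfilter/ ARNs: blocks Subscribe but not Publish/Receive
FILTER_ONLY = guest_policy([f"{ARN_PREFIX}:topicfilter/{t}" for t in NON_GREEN])
# Deny written against both resource types: blocks all three actions
BOTH_TYPES = guest_policy([f"{ARN_PREFIX}:{rt}/{t}" for rt in ("topic", "topicfilter") for t in NON_GREEN])

def audit(policy):
    """Probe the topics a Guest must not reach; returns {(action, topic): allowed}."""
    probes = [("iot:Subscribe", "secure/led/blue/status"), ("iot:Publish", "secure/led/blue/command"),
              ("iot:Receive", "secure/led/red/status"), ("iot:Publish", "secure/led/green/command")]
    return {p: is_allowed(policy, *p) for p in probes}

if __name__ == "__main__":
    print(audit(FILTER_ONLY), audit(BOTH_TYPES))
```

Running it shows the topicfilter-only Deny still permits a Guest to publish to secure/led/blue/command, while the Deny that lists both resource types closes it.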

Certificates

AWS IoT uses the TLS protocol with a certificate-based Public Key Infrastructure to encrypt the messages exchanged between publisher, broker and subscriber. Every MQTT client is authenticated during the TLS handshake using its X.509 certificate as its credential.

Let's look at how to create the certificates and IoT policies described above in the AWS IoT console.

Create Certificate — AWS IoT Console

Let's create 4 certificates, one for each of the 4 different MQTT clients.

Download these files and save them in a safe place. Certificates can be retrieved at any time, but the private and public keys cannot be retrieved after you close the console page.

Create IoT Policy — AWS IoT Console

Attach Policy to Certificates and Activate Certificates

Now we have 4 certificates, each with a set of permissions specified through IoT policies.

Go App

As Subscriber

aws-iot-sub.go: subscribes to the topic secure/led/green/status and waits for messages.

As Publisher

aws-iot-pub.go: implements a “3 bit — Binary Counter” where the 3 Green LEDs represent 3 bits. Every N seconds it publishes the next binary number as a command, in the form of LED on/off states, to the topic secure/led/green/command.

Nodejs App

As Subscriber

aws-iot-sub.js: subscribes to the topics secure/led/green/status and secure/led/blue/status and waits for messages.

As Publisher

aws-iot-pub.js: implements a “3 dot — Progress Bar” where the 3 Blue LEDs represent 3 dots. Every N seconds it publishes the progress state as a command, in the form of LED on/off states, to the topic secure/led/blue/command.

Python App

As Subscriber

aws-iot-sub.py: subscribes to the topics secure/led/green/status, secure/led/blue/status and secure/led/red/status and waits for messages.

As Publisher

aws-iot-pub.py: implements a “Toggle” where the 3 Red LEDs are all switched On and Off alternately. Every N seconds it publishes the toggle state as a command, in the form of LED on/off states, to the topic secure/led/red/command.

Android App

The Android app uses Amazon Cognito to generate certificates. See the GitHub code for more details.

The Android app acts as both MQTT subscriber and publisher. It functions according to the role chosen by the user. The Go Binary Counter, Node.js Progress Bar and Python Toggle can be viewed in the Android app, and the user can manually set the LEDs On and Off by touching the LED button images.

ESP32 Firmware

The Hornbill ESP32 library is used to connect to AWS IoT.

Example: https://github.com/ExploreEmbedded/Hornbill-Examples/tree/master/arduino-esp32/AWS_IOT

Add the library to the Arduino environment and use aws-iot-pub-sub.ino.

Connect the board, select the Hornbill ESP32 dev board and upload the sketch.

The ESP32 subscribes to the command topics and publishes to the status topics:

char SUB_TOPIC_GREEN_LED_COMMAND[] = "secure/led/green/command";
char SUB_TOPIC_BLUE_LED_COMMAND[] = "secure/led/blue/command";
char SUB_TOPIC_RED_LED_COMMAND[] = "secure/led/red/command";

char PUB_TOPIC_GREEN_LED_STATUS[] = "secure/led/green/status";
char PUB_TOPIC_BLUE_LED_STATUS[] = "secure/led/blue/status";
char PUB_TOPIC_RED_LED_STATUS[] = "secure/led/red/status";

It uses ESP32_Owner_Policy and hence the “arduino-esp32-owner” client id:

char CLIENT_ID[] = "arduino-esp32-owner";

Add the certificates by copying the contents of the certificate files and the private key into aws_iot_certifcates.c as C arrays, at C:\Users\User\Documents\Arduino\libraries\AWS_IOT\src\aws_iot_certifcates.c.

In this demo I have copied the contents of:

  1. VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem
  2. 41e374e804-certificate.pem.crt
  3. 41e374e804-private.pem.key

/**
 * @file aws_iot_certifcates.c
 * @brief File to store the AWS certificates in the form of arrays
 */

#ifdef __cplusplus
extern "C" {
#endif

/* Root CA (VeriSign Class 3 G5) used to verify the AWS IoT endpoint; contents truncated here */
const char aws_root_ca_pem[] = {"-----BEGIN CERTIFICATE-----\n\
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\n\
.........
.........
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N\n\
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq\n\
-----END CERTIFICATE-----\n"};

/* Device certificate issued by AWS IoT (41e374e804-certificate.pem.crt); contents truncated here */
const char certificate_pem_crt[] = {"-----BEGIN CERTIFICATE-----\n\
MIIDWjCCAkKgAwIBAgIVAO/rapAed2B7Ox2dmaY63ButMCU8MA0GCSqGSIb3DQEB\n\
.........
.........
cBQyRuxy/ddU06D1qUzByw1tbW71daqX7gNafqR+1NNeQgN4I8j/khy+37R51EhA\n\
WQrjROvBgVhO/pF2vEQikmsOE7F8/6tghgW+AGZHdWCpbqVDuE5SyuDCD8dnwg==\n\
-----END CERTIFICATE-----\n"};

/* Device private key (41e374e804-private.pem.key); must stay secret, contents truncated here */
const char private_pem_key[] = {"-----BEGIN RSA PRIVATE KEY-----\n\
MIIEpQIBAAKCAQEA7UhSrGBa/4CBJKgr8Ld2BvBSTUPNrDz+HvhDnRu227IdvWkr\n\
i8ow9av6RHXazgLrCdSwiQTn68xR+CmgAW2FX9Jl4fKPQTQRgTWpm27RbXR1pilM\n\
........
........
aaN4xlEx8ybF0C8ZVcJ4v34Q/2YnllHzHCOyvxRGCzEc4/sgn0tNpuIW1FU+d8MF\n\
CIb8M4DLv+LRR/XW9pUCGQbdc29OGHkenc3EUX2qCbVhaClse58RiGU=\n\
-----END RSA PRIVATE KEY-----\n"};

#ifdef __cplusplus
}
#endif

ESP32 Serial Output

PCB Board

Git Sources

The ESP32 is the successor to the ESP8266. Check out the ESP8266 series here:

https://medium.com/@mudassar.tamboli/esp8266-esp-01-and-iot-of-led-part-1-7798884b4fe9

Conclusion

This article presented a demo of AWS IoT with the ESP32 using a simple LED matrix. Access to the LEDs is secured through AWS IoT policies and a PKI scheme, and the TLS protocol secures the communication channel.

Thank You !!!!!!!


Mudassar Tamboli

AWS Certified Solutions Architect, IoT enthusiast, Entrepreneurial Thinker, Polyglot programmer