Introduction to the Internet of Things (IoT), Node Red, and the Raspberry Pi

Cybersecurity First Principles in this lesson

Introduction

Lets build an IoT device – wait, just what is the IoT – and why should I care? I’m afraid to ask – is it secure?

IoT Security

In this lesson, we will take a close look at IoT and the associated security implications by building a simple IoT application on a Raspberry Pi using a program called Node-Red.

Goals

We will continue our work towards our GenCyber camp purpose with the below goals for this lesson:

Materials Required

Prerequisite lessons

Raspberry Pi Intro

### Table of Contents - Cybersecurity First Principles in this lesson - Introduction - Goals - Materials Required - Prerequisite lessons - What is the IoT - A Simple IoT Example - Step 1: Install and update needed programs - Step 2: Start Node-Red - Step 3: Start Firefox - Step 4: Create an IFTTT account - Step 5: Create your first Node-Red flow - Step 6: Link flow to IFTTT - Step 7: Build an IFTTT Recipe - Step 8: Test it! - A Second Example - Step 1: Add a new flow - Step 2: Build your new flow - Step 3: Test it! - Evaluation - Additional Resources - Acknowledgements - License

What is the IoT

The IoT is the term applied to the many internet connected devices now occupying space in our lives. Take a look through your house. You may have phones, tablets, laptops, fitbits, televisions, thermostats, smoke detectors, bathroom scales, refrigerators, light bulbs, and who knows what else all connected to the internet.

Internet of Things

These devices communicate with you, perhaps a cloud server, maybe even each other. Although some devices such as phones or tablets have very powerful operating systems and security features, many IoT devices such as thermostats or fitbits don’t have security features due to the added cost and drain on batteries. Is that a problem? The general consensus amongst security experts is this is like running with scissors. It may help you get a task done but at some point, you may find the results painful. Where do we start with addressing the issue? Let’s start by taking a very generalized look at an IoT device.

IoT Block Diagram

In a very general sense an IoT device is a device that may have sensors (inputs) such as thermometers or light detectors, actuators (outputs) such as switches or alarms, a processor (like your Raspberry Pi running Node-Red) to make sense of the data and direct actions, and a gateway (network connection) to interact with users and other systems. An IoT device can make our lives much easier, or if someone who wants to do harm gets access to the device they could steal data or take control of objects in your house or business.

IoT Ransomware

By properly applying the Cybersecurity First Principles we can reduce the risk that someone can take over our IoT device and cause us harm. The platform we will use to explore the IoT is our Raspberry Pi running a program called Node-Red. Lets jump right into it.

A Simple IoT Example

Step 1: Install and update needed programs

The first thing we need to do is install and update a few needed programs. As much as we would like to have all the programs we would ever need loaded on a system not only does allowable memory not allow this it’s not a good idea from a cybersecuirty perspective. The First Principle of minimization tells us that by reducing the amount of places where vulnerabilities could exist we make our system more secure. We call this reducing our attack surface. Having programs loaded you are not using makes you needlessly open to attacks to those programs.

During the below installs respond yes to any prompts you receive during the following operations.

sudo apt-get install firefox-esr
sudo apt-get install npm
sudo npm i -g npm@2.x
update-nodejs-and-nodered
cd ~/.node-red
npm install node-red-contrib-ifttt
npm install node-red-contrib-camerapi

Step 2: Start Node-Red

On the Raspberry Pi desktop select Menu, Programming, Node-RED

Step 3: Start Firefox

On the Raspberry Pi desktop select Menu, Internet, Firefox ESR

Step 4: Create an IFTTT account

IFTTT (If This Then That) is a cloud service that allows us to automate actions, if the service receives a certain input, then it will execute a pre-selected action. We will use the IFTTT service with Node-Red to interface with some common cloud services.

Webhooks

Connect Webhooks

Step 5: Create your first Node-Red flow

Programs in Node-Red are called flows and they can be very simple or very complex. We will keep our first flows very simple but you will see you can do quite a bit with a simple flow. Flows are made up of connected nodes. Although each node is a single element in a flow there may be several actions which that flow generates. This implementation of nodes and flows illustrate several examples of Cybersecurity First Principles:

With those principles in mind, lets start your first flow.

Timestamp

You will notice on the right-hand side of the screen a description of the node is given. This particular node returns the current system time when you click the button on the left side of the node. For this flow we don’t care about the time on the timestamp, we will just use it to indicate the button was pressed.

IFTTT

Connection

Your flow is now built but we still need to link it to your account on IFTTT.

Remember the Cybersecurity First Principles of Abstraction and Resource Encapsulation? Now we get to take a closer look at how those principles are implemented.

IFTTT Config

Now we need to fill in the first field named key. This is a unique identifier which links this flow to your IFTTT account. To get this value you will need to go back to the browser tab for IFTTT.com

IFTTT key

Node Red Key Entry 1

Node Red Key Entry 2

Step 7: Build an IFTTT Recipe

Your flow is now built and configured but we need to tell the IFTTT service what to do if it gets activated. We do this through building an IFTTT recipe.

Start Recipe

This portion

Choose Service

Choose trigger

Trigger event name

Email action

Complete action

Finish action

Step 8: Test it!

We have now built our flow and the supporting recipe. To test the flow we must first deploy it and then activate the timestamp node.

Test It

If you did everything correctly you will receive an email telling you that the timestamp button was pressed. Although this was very simple and perhaps not very useful think about what how this could be expanded. Maybe instead of clicking the timestamp node, the IFTTT is triggered by an external switch that activates whenever your pet goes out their pet door. Now your pet will send you an email when it goes out into the yard!

A Second Example

Let’s try a second example that doesn’t use the IFTTT service. In this example we will build a new flow that swaps out the IFTTT node for a camera node - remember that principle of Modularization? Here it is in action.

Step 1: Add a new flow

We will begin by adding a new flow, that way the one you created will still be active.

New flow

Step 2: Build your new flow

You’ve already built one flow, this one will follow the same procedures. Add an inject node, a camerapi node (under the Raspberry Pi section of the pallet), and connect them. Your completed flow should look like the below.

Camera flow

Step 3: Test it!

We are going to use the default settings for the nodes for this flow. The camera node, when activated, will take a photo with the Pi’s camera, give the photo a unique (and very long) filename, and store it in the /home/pi/pictures directory. You can configure the node to give custom file names and set picture formats, sizes, and orientations.

Discuss with the class how these features could be used in an IoT device. Maybe the inject is triggered with a sound, takes a photo, and emails it to you - your own burglar alarm!

Spend some time exploring the Node-Red nodes. What else could you build?

Evaluation

Use Kahoot to assess comprehension

Additional Resources

For more information, investigate the following:

Acknowledgements

License

Nebraska GenCyber Creative Commons License
is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Overall content: Copyright (C) 2017-2018 Dr. Matthew L. Hale, Dr. Robin Gandhi, Dr. Briana B. Morrison, and Doug Rausch.

Lesson content: Copyright (C) Doug Rausch 2017-2018. Creative Commons License
This lesson is licensed by the author under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.