The risk of pinning TLS certificates in IoT solutions and why your awareness is needed

Device Client SDK, MQTT 2 Minutes

Do you have cloud-connected IoT devices to the Azure IoT Hub and have you specified the specific public ‘Baltimore’ TLS certificate currently in use by the IoT Hub? Do you know customers having (low-powered) devices connected to Azure IoT and possibly pinned that certificate?

Then, please be aware of the following message.

Devices that want to set up any TLS/SSL connection with a (public) service will secure the connection on the transport level via a public certificate.

So, any device needs to have such a public certificate in its local certificate store.

Microsoft secures the IoT Hub traffic for IoT devices too. This is down with this ‘Baltimore’ certificate.

and this is a good thing.

The time has come to replace that certificate after years of service, next year February because it expires eventually.

This is not a bug or indifference; this is how the internet works.

Normally this is not a problem: Operating systems like Windows and Linux just try to download the correct/new certificate for the TLS connection, and your application will never know the difference.

If this is the case with your solution, you are good to go.

If you are using any of the Azure IoT Device SDKs, this problem is probably taken care of too.

However, devices that specifically use this one Baltimore certificate and cannot replace it will no longer function after February 15, 2023.

And indeed there are devices where the Baltimore certificate is placed on the device eg. as part of the firmware installment instead of fetching it dynamically from another resource.

These devices will eventually stop sending telemetry to the cloud!

So…

When in doubt, contact your manager, that technical guy who programmed it, or connect with your customer so they are aware of the risk of pinning. Better to be safe than to say sorry.

As an example, I recently published this GitHub with the example code of connecting a device to the IoT Hub without an SDK. There I specifically specify (and distribute) the certificate.

In my case, it’s just a demonstration application so I deliberately keep it this way. But, as seen in both the comments and the readme this needs the attention of the reader.

More background information about the challenges, how to test for the possible issue, and the resolution is found here in this Microsoft blog post.

Update

If you are ready to (test to) migrate, check this new dialog, part of IoT Hubs:

Gepubliceerd door Sander van de Velde | Microsoft MVP Azure IoT | IoT Solution Architect | Speaker | Advisor

I started as an IT consultant in 1993. I like to get my hands dirty with software innovations and I try to implement these in my daily work. Currently, I am involved in the IoT Platform part of Azure (eg. IoT Hubs, IoT Edge, StreamAnalytics, Azure Functions, etc.) and Azure in general. I've been presented with the 2017, 2018, 2019, 2020, 2021, 2022, 2023 Microsoft Most Valuable Professional (MVP) Award and I'm a member of the Microsoft Azure Advisory Board. For me, it is important to share knowledge. And I am committed to doing so by writing blogs, articles for magazines, and giving lots of presentations. When offline, I like cutting down trees using Gränsfors Bruks axes, sailing, motorcycling or geocaching with my wife and my sons.

Gepubliceerd

Een gedachte over “The risk of pinning TLS certificates in IoT solutions and why your awareness is needed

  1. Pingback: Exploring full Azure IoT Hub device support using MQTT(s) only – Sander van de Velde

Reacties zijn gesloten.