WoTT is about making IoT and edge device security easy. Having spent the last few years building Screenly, I spent a lot of time thinking about and working on security.
With WoTT, I've taken much of this learning and packaged it up as a separate product to save others from this burden and make it easy to secure your devices.
At its core is the open source WoTT agent that is installed onto a Linux device. This agent performs a wealth of security checks on the device, and reports it all into the central management interface that gives you visibility of your fleet. WoTT will help you with things like:
- Default credentials that can be used by a rogue actor to get into your device(s)
- Insecure network services (such as telnet, rsh, tftp, etc.)
- Secure the device firewall
- Detect critical changes (users, groups, etc.)
- Provide hardening recommendations
In addition, WoTT also makes it easy to manage secrets with the credentials manager (think HashiCorp's Vault for IoT). Oh, and did I mention that each device automatically gets a cryptographic identity that can be used for things like mTLS?
After creating an account in the dashboard, press the 'Add Device' button and a dialogue will appear with a snippet similar to this:
$ sudo apt-get install -y curl && \
sudo mkdir -p /opt/wott && \
echo -e "[DEFAULT]\\nenroll_token = xx" | sudo tee -a /opt/wott/config.ini && \
curl -s https://packagecloud.io/install/repositories/wott/agent/script.deb.sh | sudo bash && sudo apt install -y wott-agent
If you copy this snippet and run it on a Debian/Raspbian/Ubuntu device, the agent will automatically install and the device will appear in the dashboard.
After fixing all the recommended issues (there are a few for a vanilla Raspbian installation), you can try the credential manager. For instance, if we want to manage credentials to write to an AWS S3 Bucket, we can create a credential with the name "aws_s3_credentials" and the following key/values:
- access_key: foo
- secret_key: bar
If you then configure this secret to be mapped to a given device (using tags), you can read back this credential on the device as follows:
$ sudo cat /opt/wott/credentials/root/aws_s3_credentials.json
{
"access_key": "foo",
"secret_key": "bar"
}
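An added example (not part of the original post or the WoTT project) of how an application on the device might consume this file defensively: it refuses symlinks and files accessible by group or others before parsing. The ownership and mode policy, the helper names `load_wott_credential` and `as_aws_env`, and the mapping to AWS environment variables are assumptions of this example, not documented agent behaviour.

```python
import json
import os
import stat

# Path taken from the post; the required key names match its sample credential.
CRED_PATH = "/opt/wott/credentials/root/aws_s3_credentials.json"
REQUIRED_KEYS = ("access_key", "secret_key")


def load_wott_credential(path=CRED_PATH, required=REQUIRED_KEYS):
    """Return the credential dict, refusing files that look exposed or swapped.

    Hypothetical helper: the checks below are this example's policy,
    not documented WoTT agent behaviour.
    """
    # O_NOFOLLOW: fail instead of following a symlink planted at the path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        # fstat the open descriptor so the checks apply to the file we read.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid not in (0, os.geteuid()):
            raise PermissionError(f"{path}: unexpected owner uid {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: accessible by group or others")
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError(f"{path}: expected a JSON object")
    missing = [k for k in required if not data.get(k)]
    if missing:
        raise ValueError(f"{path}: missing keys {missing}")
    return data


def as_aws_env(cred):
    """Map the post's key names onto the standard AWS SDK environment variables."""
    return {
        "AWS_ACCESS_KEY_ID": cred["access_key"],
        "AWS_SECRET_ACCESS_KEY": cred["secret_key"],
    }


if __name__ == "__main__":
    env = as_aws_env(load_wott_credential())
    print("loaded keys:", sorted(env))  # never print the secret values
```

Passing the result of `as_aws_env` as the environment of a child process keeps the secret out of command-line arguments and shell history.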
A more detailed getting started guide can be found here, and you can read more about credentials management here.
We'd love to hear from the Hackster community and get some real world feedback. If you have any feature requests or find bugs, please get in touch.


