Category: Azure IoT Security

Connect your Azure Sphere device to Azure IoT Central – using Visual Studio 2019

Steps Overview

Note: that the following exercise assumes you are already set up your Azure Sphere Tenant and configured your device to connect to IoT Hub as described in my previous Blog Post.

  1. Download the sample code from Github repository
  2. Set up an Azure IoT Central application
  3. Configure Azure IoT Central to work with your Azure Sphere Tenant
  4. Configure the sample application to work with your Azure IoT Central Application

Detailed Steps

  1. If you have not done so already, download or clone the Azure Sphere Samples from the Github repository
  2. Create an Azure IoT Central trial application. 
    IoT Central Home Page
  3. Under the Build sub-menu pick Custom Apps
    IoT Central Start Page
  4. In the New application page, enter an Application Name and a unique URL.
    IoT Central Create New Application
  5. Pick 7-day free trial (supports 5 devices).
  6.  Open your new application
    IoT Central Dashboard
  7. Click on Device Templates and then click “+New” to add a new template
  8. Select IoT Device and click on “Next: Custom”
    IoT Central - select IoT Device template
  9. Click on “Next: Review” button:
    IoT Central Device Template Review
  10. Then click on Create button
    IoT Central - Device Template - Create
  11. Enter a Name for the new Device Template
    IoT Central - Device Template - enter name
  12. Create a Custom Capability Model
    IoT Central - Create Custom Capability Model
  13. Click on Add Interface and Choose Custom interface
  14. Choose the Interface (in the left hand column) and
  15. Click on Add Capability: enter Temperature, temperature. Choose Capability Type Telemetry and Semantic Type Temperature and Choose Degrees Centigrade for Units. Finally, click Save button.
    IoT Central - Add Capability
  16. Then click Customize in left hand column and click on Down Arrow (right-hand-side) to expand the fields.
    IoT Central - Customize Capability
  17. Now you can enter a Min value,a Max value and decimal places. You can also customize the Color on the chart.
    IoT Central - Enter Capability Custom Details
  18. Click on “+Add Capability” and enter “Button Press” as the name
    IoT Central - Add Button Press Capability
  19. Publish the Device Template to your application
    IoT Central Publish Device Template
  20. Click on Devices (left hand side column), pick your device template from the list, then click +New to create a REAL device (not a simulated device).
    IoT Central - Create New Device
  21. For the device ID enter the Azure Sphere device ID (in lower cases letters with the help of PowerShell)
    > azshpere device show-attached
    > powershell -Command ((azsphere device show-attached)[0] -split ': ')[1].ToLower()
    Azure Sphere Show Attached lower case
  22. Configure Azure IoT Central to work with your Azure Sphere Tenant
    > azsphere tenant download-CA-certificate --output CAcertificate.cer
  23. In IoT Central’s dashboard, go to Administration, click on Device Connection and then X509 Certificates
  24. Under the Primary field – click on the folder icon and choose the .cer file created above (choose *.* in the filter field to see the .cer file)
    IoT Central X509 certificate
  25. Then click the Refresh button to generate a Verification Code
  26. Use the verification code to generate a validation certificate
    > azsphere tenant download-validation-certificate --output ValidationCertification.cer --verificationcode <code>
  27. Go back to IoT Central and click on Verify
  28. When prompted, navigate to the validation certificate that you downloaded in step #26 and select the .cer file.
  29. Click Close. This completes the step and verifies that you own the Azure Sphere Tenant.
  30. Configure the sample application to work with your Azure IoT Central Application
    Start Visual Studio 2019
  31. Choose File-Open-CMake
  32. Choose the CMakeLists.txt file in the sample you downloaded from Github
  33. Open the app_manifest.json file
  34. Get the Tenant ID for your Azure Sphere device and enter it under DeviceAuthentication in app_manifest file:
    > azsphere tenant show-selected
  35. On the Azure Sphere command prompt type:
    > ShowIoTCentralConfig
    This command will provide the following information needed in app_manifest.json:
    a) The IoT hub URL for your Azure IoT Central application
    b) The Azure DPS global endpoint address
  36. Power up your Azure Sphere device and make sure it has network access.
  37. Build and Run your application
    IoT Central Analytics - View Data 3
    1IoT Central Analytics - View Data 1
  38. Press button A a few times and see the events in IoT Central (as diamonds below the chart)
    IoT Central Analytics - view event
  39. You can even view the data points in table format:
    IoT Central Analytics - view table of data

Lessons Learned

  • Much of the Microsoft documentation gets outdated quickly because IoT Central and Azure Sphere are being updated and changed continuously. With some trial and error, I am sure you will be able to figure out the right steps.
  • I faced an issue where the device was not connecting to IoT Central. However, I redid the tenant verification step and it worked again.

Connect your Azure Sphere device to Azure IoT Hub – using Visual Studio 2019

I recently ordered an Azure Sphere MT3620 Starter Kit from Avnet to try out Azure Sphere first-hand. In this article I will go over how to connect such a device to Azure IoT Hub. The steps assume that this is your first time setting up your device. So some steps are to be done once (the first time).

Azure Sphere MT3620 Starter Kit

Steps Overview

  1. Test connecting your Azure Sphere development kit to the PC
  2. Install the Azure Sphere SDK
  3. Claim your device: add your device to your Azure Sphere tenant.  This can only be done ONCE in the lifetime of the device!
  4. Configure networking
  5. Check and download any updates
  6. Download the sample code from Github
  7. Connect your device by USB and verify that network connectivity is available
  8. Enable development on your device
  9. Configure the cloud services: create an IoT Hub and a Device Provisioning Service (DPS) and link them together
  10. Download the tenant authentication CA certificate
  11. Upload the tenant CA certificate to DPS and generate a verification code
  12. Verify the tenant CA certificate
  13. Use the validation certificate to add your device to an enrollment group
  14. Add the IoT Hub configuration settings to your Visual Studio project in the app_manifest.json file
  15. Build and run the code and watch for device-to-cloud messages coming to your IoT Hub

Detailed Steps

Prerequisites on Windows: a PC running Windows 10 Anniversary Update or later

Install the Azure Sphere SDK

  1. Attach your Azure Sphere dev kit (e.g. the Avnet Starter Kit) to your PC.  The drivers should be installed automatically.  Then, to verify the Dev Kit installed correctly, open Device Manager and look for 3 COM ports (e.g. USB Serial Port (COM10), USB Serial Port (COM11) and USB Serial Port (COM8)).  See this Troubleshooting page if there any connection errors.
  2. Install the Azure Sphere SDK in order to use Visual Studio 2019 (Enterprise, Professional or Community edition) version 16.04 or later for Azure Sphere development.

Claim your device

An Azure Sphere Tenant provides a way to isolate your devices and allows you to manage them.  Hence, if your organization already has a tenant, you may want to ask to join the existing tenant rather than creating a new one.  And note that once a tenant is created it cannot be moved or deleted.
Important note: once a device is claimed into a tenant then it is PERMANENTLY associated with that Azure Sphere tenant.

  1. Connect your device to your PC
  2. Open the Azure Sphere Command Prompt from the Start Menu
  3. Sign in using a Microsoft Account.  To use Azure Sphere you need a Microsoft account.  Depending on how your Azure Sphere tenant is set up, you can use your Microsoft account as the user or you can ask your administrator to add you.
    azsphere login 
  4. For those who have never logged in to Azure Sphere before or have just installed the 19.10 SDK, they must add the –newuser parameter to the login command:
    azsphere login –newuser <email-address>
  5. Subsequently, once logged in:
    1. If you have one Azure Sphere Tenant (already created) it will be selected as default and you can proceed
    2. Otherwise, if no tenants have been created yet, you will need to create a new tenant
      azsphere tenant create --name <my-tenant>
      Now that the command is successful, you will something like the following message :
      Created a new Azure Sphere Tenant
      --> Tenant Name: new-tenant
      --> Tenant ID: 4c556667-8 …
      Selected Azure Sphere tenant 'new-tenant' as the default.
      You may now wish to claim the attached device into this tenant using 'azsphere device claim'.
      Command completed successfully in 00:00:39.2176539.
    3. If Azure Sphere was previously used with 19.09 SDK or earlier, then the tenant needs to be migrated
    4. If you have multiple tenants, you will need to select one.
    5. Claim your device:
      azsphere device claim
      Upon success, you will see:
      Claiming device.
      Successfully claimed device ID 'AF0A42 ... 7AF0' into tenant 'new-tenant' with ID '4c556667-8 ...'
      Command completed successfully in 00:00:03.4460543

Configure Networking

Now on to configure networking: after you claim your device you need to set up networking so that the device can receive updates from the Azure Sphere Security Service and so that the device can communicate with Azure services such as IoT Hub.

  1. Connect your device to your PC via the USB cable
  2. Open the Azure Sphere device prompt
  3. Register the device’s MAC address if needed.  The following command will display the device’s MAC address:
    azsphere device wifi show-status


Get MAC ID of device

  1. Join your device to the WiFi network by using the following command:
    Note: Azure Sphere supports WPA and WPA2 protocols only.
    azsphere device wifi add –ssid <WIFI SSID> --psk <network security key>
  2. Verify that the device connected to the wireless network by typing:
    azsphere device wifi show-status


Get the WIFI status of your device

Update the Sofware on the Avent device and Enable Application Development on it

  1. Update the software (OS or application) on the device.  The Azure Sphere device checks for updates at boot up time and at every 24-hour interval going forward.  If the device gets updated, the download and update process can take up to 20 minutes.  And the device wifi show-status command will show configuration unknown while the update is progressing.
    To check on the status of an update, you can use:
    azsphere device show-deployment-status
    Upon successful completion you will see:
    Your device is running Azure Sphere OS version 19.11.
    The Azure Sphere Security Service is targeting this device with Azure Sphere OS version 19.11.
    Your device has the expected version of the Azure Sphere OS: 19.11.
  2. The Azure Sphere Samples can be found on this Github repository.  Download or clone the repository and go to the AzureIoT folder. 
  3. Connect your device via USB cable.  And verify that wireless connectivity is available by using:
    azsphere device WIFI show-status
  4. Enable application development on your device:
    azsphere device enable-development


Azure Sphere Enable Development

Configure the cloud services:

  1. Configure the cloud services: create an IoT Hub and a Device Provisioning Service (DPS) and link them together
  2. Download the tenant authentication CA certificate
  3. Upload the tenant CA certificate to DPS and generate a verification code
  4. Verify the tenant CA certificate
  5. Use the validation certificate to add your device to an enrollment group
  6. Add the IoT Hub configuration settings to your Visual Studio project in the app_manifest.json file
    1. The Tenant ID for your Azure Sphere Device can be obtained from the following command.  Enter it into the DeviceAuthentication field in the app_manifest.json file.
      azsphere tenant show-selected
    2. The Scope ID for your DPS instance can be obtained from the Summary screen (top right section).  Paste it into the CmdArgs section of app_manifest.json
    3. The IoT Hub URL for your IoT Hub goes into the AllowedConnections field in the app_manfest.json file
  7. Build and run the code and watch for device-to-cloud messages coming to your IoT Hub

Lessons Learned

  • Development in the C language is not for the faint of heart. However, Visual Studio makes it easy to code using Intellisense and it provides full debug capability.
  • Update to the latest OS version ASAP. There were some issues where the board could not connect to the service before I upgraded to OS version 19.10
  • Once big issue, that occurred during development, was that the LPS22HH sensor was not found. However, after contacting Avnet through the element14 community, they promptly released a fix on Github.
  • Some of the Azure Sphere videos talk about configuring the IoT Hub settings by selecting the project in Visual Studio, selecting Overview and then choosing Connected Services, then clicking on IoT Hub. That never worked. After researching the issue, I found out that this method has been deprecated. In the new OS versions, the IoT Hub settings are all done in the app_manifest.json file. 
  • As of OS version 19.10 Azure Sphere will now be built using a cross-platform build system called CMake.  CMake may be used to build high-level applications or to build real-time applications.  It may also be used for development from the command line.
  • Using CMake paves the way for using the Azure Sphere SDK on Linux and for using the Azure Sphere extension for Visual Studio Code.
  • There are many Azure Sphere sample apps.

How to make sure your connected IoT devices and appliances are secured

The problem that Azure Sphere is trying to tackle?

We are connecting more devices to the Internet all the time. In 2008 the number of network connected things exceeded the earth’s population.  And by 2025, we will connect more than 75 billion of these devices – also known as Internet of Things (IoT) devices – to the Internet.

These connected things are not immune to hacking.  In many cases, these devices are not secured from the beginning and the devices are left with many vulnerabilities. Hence, hackers can control IoT devices remotely. Examples of such vulnerabilities and hacks include:

  1. Hackable cardiac devices from St. Jude or Owlet baby heart rate monitor. 
  2. TRENDNet webcams allowed anyone to see through the cameras or even listen in.
  3. A heater in a casino’s aquarium allowed hackers to access the casino’s customers list.
  4. The Jeep hack where some hackers demonstrated how they can turn the engine off or steer the car remotely.  The vulnerability came from the car’s use of a dashboard system called Uconnect, which provided the ability to re-write the firmware on the chip.  This in turn, enabled access to the rest of the car’s controls via the CANBus interface.
  5. The Mirai Botnet DDoS attack infected many devices (including digital cameras and DVR players). Then, Mirai Botnet used these devices to attack a service provider (Dyn). Subsequently, the Mirai Botnet brought down huge portions of the Internet.
  6. You can other examples of such vulnerabilities and hacks online.

The definition of a truly secured device.

It used to be that only high-end devices had strong security.  Going forward though, it is critical that all network-connected IoT devices are secured.  This includes children’s toys, household appliances and factory equipment.  In the end, an IoT solution is a secure as its weakest link.

To secure such IoT devices, a Microsoft research team came up with the 7 criteria which they assert are required in highly secured devices.  The 7 properties of highly secure devices

  1. Highly secure devices have a hardware-based root of trust: the device has a unique identity tied to the hardware.
  2. Such secured devices have a small trusted computing base. As a result, the security enforcement features are protected from other hardware or software.
  3. These IoT devices have defense in depth. This means that several countermeasures lessen the effect of a successful attack.
  4. Secured devices provide compartmentalization by using different security layers. Therefore, if one layer is compromised the other layers are not affected.
  5. They use certificate-based authentication: trust brokered using signed certificates
  6. These secured devices have renewable security. Consequently, you can update the device’s software automatically.
  7. And finally, secure devices have failure reporting: the device can report failures to its owner.

How does Microsoft Azure Sphere secure Internet connected devices?

Azure Sphere is a secured, high-level ecosystem with built-in communication and security features for Internet connected devices.  It consists of:

  1. The hardware: secured microcontroller unit (MCU).  Microsoft is working with several device manufacturer to produce these certified MCU’s.  The first such MCU is the MT3620 from Mediatek.  And other MCU’s should be coming from Qualcomm and NXP.  And several existing Azure Sphere hardware partners are developing starter kits (prototyping boards) based on the MT3620 MCU.  These include: Seeed Studio, AI-Link and USI.
  1. The OS: a new Linux-based operating system (OS).  Microsoft will service the OS on the device for the 13 years of its life.
  2. The Service: the Azure Sphere Security Service that provides:
    • Over the air updates infrastructure
    • Application deployment and updates
    • Reliable system software updates
    • The Service reports errors at a global scale. The Service will report software bugs or security attacks.

Azure Sphere use cases

  1. You can use Azure Sphere for Brownfield scenarios. Hence, Azure Sphere can protect existing IoT devices that cannot be connected themselves to the Internet. Security concerns or the lack of networking capability prevents these devices from connecting directly to the Internet. For such IoT devices, you can use Azure Sphere Guardian modules to retrofit these older devices.
  1. Greenfield scenarios. With new IoT devices or appliances that you want to connect to the Internet with end-to-end security

Learn more about Azure Sphere secured MCU’s and how they may be used to send data securely to the cloud

Azure Sphere has been generally available since February 2020. I recently got my hands on an Azure Sphere MT3620 Starter Kit from Avnet.  You can read about connecting such an Azure Sphere device to the cloud by reading articles on my blog:

  1. Connecting the MT3620 to IoT Hub
  2. Connecting the MT3260 to IoT Central Service