How to secure IoT connections
Industrial IoT technology, which collects process data by reading sensors anywhere in and around the production line, has become essential for managing and optimising production efficiency.
However, using mobile IIoT technology that communicates over public networks and relies on central applications introduces IT security risks. Threat actors with an interest in spying on, taking over or bringing down your application can cause damage or even endanger people's lives. The challenge is to make sure that every component, communication link and access control in your IoT application is secured well enough to withstand attacks.
This article will give you a basic understanding of the security risks involved in using IoT and public networks. It will help you increase awareness of IT security risks and provides insight that helps secure applications and mitigate these risks in development, operations and maintenance.
What is IoT and where is it used
The Internet of Things consists mostly of mobile, connected devices capable of many tasks, such as managing and accessing smart homes, camera surveillance and healthcare applications. Industrial IoT sensors can sense and collect information about production lines and operate manufacturing robots. In agriculture, ambient parameters can be collected in the field, analysed and used to grow crops more efficiently.
What kind of IoT endpoints do we have
IoT endpoints come in 3 main categories:
Visibility and attack surface of IoT endpoints
The visibility, and therefore the attack surface, of IoT devices connected to the internet is mind-blowing.
For example, a quick scan using a well-known and publicly available tool like Shodan.io reveals millions of home and Industrial IoT devices that can be accessed by anyone with basic computing skills. The devices found include webcams, printers, home automation systems, smart audio and video equipment, and even toys that are connected to the internet.
Tools like Shodan neatly categorise results by type of device and, for convenience, list details of the application, the operating system and the device's response to a connection attempt. This also makes Industrial IoT devices, such as servers that act as local communication brokers for IoT sensors and endpoints that control valves and motors in manufacturing processes and infrastructure, very easy to find. Using automated scripts and tools available on the internet in combination with the Metasploit vulnerability databases, a check for vulnerabilities and a try of default usernames and passwords can be done within seconds. It is as simple as shooting wooden ducks at a fair.
IoT and position tracking
Using IoT technology for position and location tracking is a fast-growing and very important application. Here, IoT is used in the logistics and automotive industries as well as in personal applications such as smart watches, fitness trackers and smart medical devices. Knowing a geographical position is very useful for tracking shipments and containers, and for smart cars that can phone home when maintenance is needed or, when a sensor in the car measures a heavy impact caused by a collision, call the emergency services directly.
More information on risks related to home IoT devices can be found here:
Risks of position tracking
However, when position tracking data is compromised, it can pose a big risk.
This risk is so relevant that the Pentagon recently banned fitness trackers and cell phone applications from war zones. This happened after a heat map was published that used satellite-navigation-based information to map the locations of military personnel who subscribed to an online fitness service.
A memo was sent to the troops saying that "These geo-location capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission".
As a result of this incident, the US National Security Agency published a paper in September 2021 in which it strongly recommends limiting location data exposure in many applications.
Developers who create IoT applications and use location data must be aware that securing the satellite navigation data alone is not enough, as the position of a mobile device can also be tracked using Bluetooth, wireless and cellular telephony networks.
Location data can be determined even when the satellite receiver or cellular network is turned off. Developers must be aware that inconspicuous equipment (e.g., wireless sniffers) can determine signal strength and calculate location, even when the user is not actively using the wireless services. Even if all wireless radios are disabled, numerous sensors on the device still provide sufficient data to calculate location. Disabling Bluetooth completely may not be possible on some devices, even when a setting to disable Bluetooth exists. When communication is restored, saved information may be transmitted after all.
Security challenges in IoT communication networks and protocols
Wireless IoT sensors are normally very small, hard to reach and most often powered by a small battery. They must therefore have low power consumption to feed the processing module and keep the communication link up. Low power consumption also means the sensor cannot have much processing power, which limits the use of sophisticated security controls such as authentication, firewalling or encryption algorithms to secure its communications.
Any IoT device must communicate with a central server that collects data and sends back commands to operate the IoT endpoint where needed.
Developers must be aware that security weaknesses in 4G, 3G and even 5G exist and can be exploited using so-called International Mobile Subscriber Identity (IMSI) catchers, which act as a fake base station and lure a cellular phone or SIM-based IoT device into connecting to them instead of the real base station by providing a stronger and apparently closer GSM signal. Luring a SIM-based IoT device to connect to a fake base station gives attackers the ability to identify the device's owner, track its physical location and potentially execute a downgrade attack by asking it to drop security such as encryption. The attacker then sits in the middle of the communication and can eavesdrop on all of it.
Although under 5G an attacker cannot see the contents of communications or their metadata, the ability to model the pattern of a device's connections might allow an eavesdropper to infer the identity of a device.
Securing connections
An effective control to prevent eavesdropping and man (or device)-in-the-middle attacks is to use encryption to secure all communication between nodes. It is beyond the scope of this article to explain the different encryption methods, but one must understand that encrypted connections need algorithms and keys to encrypt and decrypt the communication streams. In the case of symmetric encryption, both sides use the same encryption key, a so-called "shared secret".
Connections based on asymmetric encryption are much more secure, as they use different keys at either side and can use larger key lengths and more advanced, modern algorithms. The downside of asymmetric encryption, however, is that it needs more processing power, which can be a challenge for simple IoT endpoints.
When developing IoT communication applications, special attention must be given to the key exchange between nodes when a connection is set up for the first time. This key exchange must be secured so that keys cannot be intercepted, including when an attacker forces a reset of the communication to trigger a new exchange.
Keys stored in configuration files or in code in volatile or non-volatile memory must also be protected so that an attacker cannot recover them by reading memory or by reverse engineering the contents of storage devices or chips.
Message Queuing Telemetry Transport (MQTT)
Among other protocols, Message Queuing Telemetry Transport (MQTT) is commonly used for IoT communication. MQTT was developed by IBM for connections between remote locations where resources are constrained or network bandwidth is limited. The protocol is an open OASIS standard and an ISO recommendation (ISO/IEC 20922).
If communication between these sensors and their central systems, such as an MQTT broker server, is captured and altered, or even made unavailable, the impact can be large: production processes may have to be stopped, production facilities may be damaged, and people and surroundings may be endangered.
Therefore, communication between IoT devices and their central management systems must be encrypted and properly authenticated. Securing this communication reduces the risk of damage caused by so-called threat actors who have an interest in spying on or bringing down your process.
The MQTT protocol relies on an MQTT broker running on a central server, to which clients with an appropriate MQTT library, such as an IoT sensor, can subscribe and publish their data messages. The broker only accepts messages for specific, pre-configured topics (e.g. a temperature reading) from clients that are subscribed to that topic. MQTT can be configured to use TLS encryption with username- and password-protected connections and optional certificates. The clients are unaware of each other's IP addresses.
Although TLS seems a good choice for securing MQTT messages, it can only be used when the IoT device has the capability and resources to compute the encryption algorithms. It is also possible that older, vulnerable versions of the TLS protocol or less secure cipher suites are in use on the IoT devices.
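The following is an added example, not code from the article: it builds a hardened TLS context for an MQTT client in Python's standard `ssl` module, places a weak, legacy-style context beside it, and audits both for exactly the weaknesses just described (old TLS versions, unverified broker certificates). The file paths for the CA and client certificate are hypothetical; with `None` the policy is still applied without loading any files.

```python
import ssl

# Added example (not from the article): hardened vs legacy TLS settings for an
# MQTT client, plus an audit that flags old TLS versions and missing certificate
# checks. All file paths are hypothetical placeholders.


def make_mqtt_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Return an ssl.SSLContext suitable for an MQTT client on port 8883."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuse TLS 1.0 and 1.1; only TLS 1.2 and 1.3 will be negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Require a valid broker certificate and check it against the broker hostname.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        # Private CA that issued the broker certificate (hypothetical path).
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if client_cert:
        # Mutual TLS: the broker authenticates the device by its certificate.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def make_legacy_tls_context():
    """A weak configuration typical of an un-updated device: no certificate
    checks and, where the local OpenSSL still allows it, TLS 1.0 accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, even a forged one, is accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass                         # OpenSSL built without TLS 1.0 support
    return ctx


def audit_tls_context(ctx):
    """Return a list of weaknesses found in a context; an empty list means hardened."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("broker certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are not explicitly refused")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(make_mqtt_tls_context()))
    print("legacy:  ", audit_tls_context(make_legacy_tls_context()))
```

Assuming the device uses the paho-mqtt client library, the hardened context is attached with `client.tls_set_context(ctx)` before `client.connect(host, 8883)`; the broker-side settings (minimum TLS version, client certificate requirement) must be configured to match, otherwise the weakest side decides what is negotiated.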
Edge Computing
IoT devices need to upload their data to their home station continuously, and in some types of application the data is very time- or latency-sensitive.
Although a single IoT sensor may not clog the network by itself, the enormous number of IoT endpoints uploading their data and polling their home server continuously to prove they are alive can consume a surprisingly large amount of network bandwidth, even to the point where bottlenecks cause network congestion.
Edge computers installed physically close to the IoT devices act as a local hub that collects and pre-processes the data before it is forwarded to a remote, central data centre or cloud-based application elsewhere on the globe for storage and reporting. By collecting, consolidating and pre-processing raw sensor data locally, edge computing limits the amount of data sent over long distances and so reduces network congestion. Edge computing close to the IoT sensors can also reduce latency for applications that need an immediate response to events derived from the sensor data. An example is drive-by-wire in self-driving cars, where 5G is often used as a low-latency network.
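As an added example (not part of the article), the following Python sketch of an edge hub shows both effects described above: raw readings are consolidated into one summary per sensor per time window before being forwarded, while readings that cross an alarm threshold bypass the batch and are forwarded immediately on the low-latency path. The sensor readings are constructed sample data; the window length and alarm threshold are assumptions.

```python
from statistics import mean

# Constructed sample input: (sensor_id, timestamp_seconds, temperature_celsius),
# two sensors reporting every 10 s for two minutes, with one spike on temp-2.
SAMPLE_READINGS = (
    [("temp-1", t, 20.0 + (t % 30) / 10) for t in range(0, 120, 10)]
    + [("temp-2", t, 85.0 if t == 80 else 21.0) for t in range(0, 120, 10)]
)

ALARM_THRESHOLD = 80.0  # assumed: above this the reading must not wait for a batch


def edge_process(readings, window_s=60, alarm_threshold=ALARM_THRESHOLD):
    """Split readings into an immediate alarm path and per-window summaries.

    Returns (alarms, summaries): alarms are individual readings that need an
    immediate response; summaries carry count/min/max/mean per sensor per window
    and replace the raw stream on the long-haul link.
    """
    alarms = []
    buckets = {}
    for sensor, ts, value in readings:
        if value >= alarm_threshold:
            # Latency-sensitive path: forward the raw reading straight away.
            alarms.append({"sensor": sensor, "ts": ts, "value": value})
        # Consolidation path: group by sensor and window start time.
        window_start = ts // window_s * window_s
        buckets.setdefault((sensor, window_start), []).append(value)

    summaries = [
        {
            "sensor": sensor,
            "window_start": window_start,
            "count": len(values),
            "min": min(values),
            "max": max(values),
            "mean": round(mean(values), 2),
        }
        for (sensor, window_start), values in sorted(buckets.items())
    ]
    return alarms, summaries


def upstream_message_count(readings, alarms, summaries):
    """Messages sent upstream without an edge hub (one per raw reading) versus with it."""
    return len(readings), len(alarms) + len(summaries)


if __name__ == "__main__":
    alarms, summaries = edge_process(SAMPLE_READINGS)
    print("alarms forwarded immediately:", alarms)
    for s in summaries:
        print("summary:", s)
    print("upstream messages (raw, edge):",
          upstream_message_count(SAMPLE_READINGS, alarms, summaries))
```

With the sample input, 24 raw messages collapse to 4 summaries plus 1 immediately forwarded alarm; the summaries still carry the spike in their `max` field, so the reduction in traffic does not hide the event from the central application.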
Gateway and management system access controls
Every IoT or OT solution needs a central management portal and access gateway from which the solution can be managed and monitored. These gateways are often the main target for threat actors, as they can provide access to and control over all systems. Access controls such as authentication, privilege management and monitoring are mandatory to prevent unauthorised access to the core of your IoT-based applications. Security controls that must be considered are:
Development of IoT applications
Driven by very specific applications and processes for which organisations hold all the knowledge themselves, IoT installations are still often developed in-house, built on Raspberry Pi or Arduino platforms populated with sensors and shield modules. However, the knowledge to secure these applications is often missing. Developments are often based on cheap modules that come with simple C or C++ code libraries from the manufacturer, which make the sensor provide only its basic function without any additional security controls.
These default libraries are often developed as open source and published on public development platforms such as GitHub. Open-source publication and development has advantages, of course, but it also makes it easy for attackers to find exploitable weaknesses in the code used.
In-house knowledge, skills and time are often lacking to develop and program security controls that improve on the default code provided by the sensor manufacturer. This is confirmed by Forrester research from April 2021, which reports that almost all firms encounter challenges in developing IoT solutions and many lack analytics and technology expertise. Obstacles exist across the key stages of IoT development, spanning strategy, technology and deployment. Many firms also struggle to address security, connectivity and edge/endpoint processing, which are key technological capabilities that underpin IoT deployment success. People-related factors emerge as the top barriers to overcoming these challenges.
It is highly recommended to seek external expertise to help develop and secure IoT solutions, filling the gap in the in-house specialised knowledge and skills needed to develop hardware, software and end-to-end IoT solutions securely.
Maintenance and operations
Industrial processes run 24x7x365, year in, year out; any disruption to do maintenance or to replace or upgrade equipment while the process itself seems to work fine is often avoided, as this can be very costly. Also, sensors and IoT endpoints are often in remote or hard-to-reach locations where maintenance is difficult.
Therefore, there is a risk that legacy or un-updated IoT devices and Industrial Control System equipment are vulnerable to modern attacks. As IoT endpoints are often exposed to the internet, or can be reached locally over radio frequencies, it is important that they always receive the latest security updates, for example to ensure they get the latest encryption or authentication technology. An example is IoT devices that use the MQTT protocol to connect to their central broker server but have outdated TLS versions and ciphers, making the communication vulnerable to attack.
How to secure IoT
Unfortunately, there is no single answer or silver bullet for how to securely develop IoT-based applications. Depending on the application, many different technologies can be used, each with its own vulnerabilities. The developer must always keep the end-to-end communication in mind and must analyse possible threats and risks at every step, starting from
The most important recommendation is to accept that end-to-end security in IoT is a very complex domain, and you should never hesitate to seek professional, experienced assistance during development of your application.
Please contact me if you have any questions or if you need help with the design, implementation or securing of your IoT application.
Marcel van Wort, CISSP-ISSAP
Managing Consultant
Innovation - Security - Smart Industry - Sustainability
Digital Consulting Europe