Build a secure IoT solution

Olivier Van Goethem 28th June 2017

Securing large scale Internet of Things (IoT) solutions isn’t as easy as you think. Remember Mirai? This brings us to the following very important question: how do you actually build a secure IoT solution?

As always, there are a couple of options available to you.

The usual option

Most IoT services offered by cloud providers will require edge devices to have a route to the internet. This means that it can reach out to external servers to send out the data that it has been collecting. An example of this would be wind sensors sending out readings of wind speed to an airport control tower to inform them whether it’s safe for a plane to take off.

However, how can you ensure that the information sent out by the device hasn’t been eavesdropped on and tampered with given it has been transmitted over the public internet? Can you trust the wind speed reading that you’ve just received? How do you know that the reading was actually sent by the sensor and not an evil hacker?

Cloud IoT services answers your questions by encrypting data in flight using TLS. This is used in conjunction with x.509 client certificates to ensure that the data received is indeed coming from one of your devices.

However, there are two tiny problems with this option:

  • It relies on TLS encryption and x509 based authentication being faultless. We’ve seen recent examples where at least one of these have been broken. Often these vulnerabilities are quickly patched – but how do you push an update to potentially millions of devices?
  • One way to push updates is to allow inbound connections to the IoT device itself, letting you log in to make changes to the device’s configuration. For example, this could be done over SSH or HTTPS. If you do decide to go down this road, ensure that you use adequate authentication! For example, don’t use a default or weak password as otherwise it’s very likely that other people will be logging in too.

Check out this previous blog post for an example of how AWS’s IoT service can be used. An internet facing IoT device gives you loads of flexibility as internet connections are fairly ubiquitous. But it does require some thought when it comes to security… This brings us to option 2.

Do we really need the internet if it’s dangerous?

Historically this has been a very challenging thing to achieve for a company. It’s one thing to roll out a complex IoT solution. It’s another to connect your nodes scattered around the globe to each other on your own dedicated cables.

However, things are slowly changing. Nowadays there are options available that let you deploy IoT solutions on a private network that is cordoned off from the internet. One such option is Asavie.

Asavie offers an IoT Connect product that lets you connect edge devices to your cloud environment without ever going through the public internet. This is achieved via their Asavie PassBridge IoT connectivity platform that enables on-demand private networking as a service. Devices can be connected to Asavie PassBridge in multiple ways, with the most interesting one being via SIM cards and an Asavie specific Access Point Name (APN). IPSec is used between Asavie PassBridge and your environments to provide end-to-end data encryption.

Once connected, each device can be configured with:

  • A virtual private IP address to have secure bi-directional connectivity to and from your edge devices
  • Inbound and outbound network access rules to ensure that you only permit connections that actually matter

Demo time

As part of our quarterly company away days, engineers are encouraged to develop skunkworks projects and then demo them back to everyone. I’ve always found it difficult to locate people in the office on a busy Friday when I have a question for them. Are they in the kitchen? At their desk?

To solve this, I teamed up with two of our talented engineers, Raid Sulaiman and Richard Bennett, to build a facial recognition system that updated the location of people in our office in real time. People were asked to opt-in to the service – we aren’t a shadow GCHQ organisation after all…

Given the sensitive nature of the data being captured, we incorporated Asavie’s secure IoT connectivity into our solution to quickly set up a secure end-to-end, or edge to cloud, connection between our cameras and the backend components hosted in AWS.

Here’s a quick breakdown of the various components:

  • Motion detection: pictures of people’s faces were captured when motion was detected from a series of laptops in our office. Each laptop was connected to Asavie PassBridge via multiple SIM cards and a mobile WiFi router. Motion detection was done with a simple python script using OpenCV. Connectivity to Asavie PassBridge meant that we could route outbound traffic from the laptops to the VPN agent running in our AWS environment, giving us network connectivity to the internal S3 VPC endpoint. This meant that captured pictures were sent and stored in S3 without ever going over the public internet.
  • Facial recognition: We automatically triggered an AWS Lambda function whenever a new picture arrived in S3. The function leveraged AWS Rekognition to check if the face matched against a pre-indexed collection of Cloudreach people’s faces. If a match was found, the person’s location was updated via an API component according to which camera had picked him/her up.
  • API: The API was used to update and retrieve a person’s location. It used GraphQL to provide a simple query language to interact with the underlying MySQL database. The API used API Gateway and Lambda and was deployed using Zappa.
  • UI: To make the system more user friendly, a website was deployed that made use of the API to easily visualise information. Again, the UI used API Gateway and Lambda and was deployed using Zappa.

Overall, we were surprised at how quickly we got everything up and running. Setting up the Asavie-based secure IoT connectivity was straightforward and the AWS Rekognition service is scarily good!

Interested in building your own IoT solution?

As we’ve seen, architecting a secure IoT solution is not as simple as it sounds. The big Cloud providers all offer IoT services that will help you get set up quickly and let you scale to thousands/millions of edge devices. However, using one of these platforms doesn’t solve all of your security problems as you’re still faced with the dangers of the internet.

Customers often ask us how they can minimise their risks. As we’ve seen, we are starting to see some alternatives that can help improve IoT security.

 

For more IoT posts, click here.