How would you do a heating controller, IOT client, securely?

[peter-h]

The context is that an IOT box should always be a client, behind NAT, and never a server, especially not on an open port.

The problem is if you want it remotely accessible. There are many such products.

This has been done for decades (I used to do one in the 1980s which was accessed over a phone line modem, so the security was a) knowing the phone # and b) knowing the password) but how do people do it nowadays?

If the IOT box is a client, there is no way to connect to it freely (obviously). I suspect the existing products are either a server on an open port (with all the vulnerability issues) or the thing which the user's "heating config app" connects to is not the IOT box itself but a copy of its config residing on the public server which fronts the entire installed base of these boxes, and the IOT box retrieves this config periodically, say every 15 mins.

The obvious advantage of the public server is that the mfg gets a long term revenue stream And this means that when the mfg goes bust, you lose the remote config capability. And this has happened a number of times...

[Jeroen3]

The way it is done today: 
Both controller and IoT box are clients and connect to cloud server to relay the commands.

If you do not want to run your own server there are IoT platforms available to integrate. Eg: particle.io, balena.io
There also was an Amp Hour podcast with the founder one of those platforms iirc.

Also VPN solution if you products support it, eg: Zerotier, Tailscale...

[zilp]

The context is that an IOT box should always be a client, behind NAT, and never a server, especially not on an open port.

Why?

[AVI-crak]

Control of gas boilers, ventilation, lighting - must be fully autonomous. External control should be completely excluded.
The logic of the smart home should filter reports and warnings for the user, so as not to overload with unnecessary information.
An external server can change the address, owner, gender, or just send it on a pedestrian journey. The world is changing very quickly.

[selcuk]

Are you asking about a secure communication method over the network? If so, you may use MQTT with TLS. Your device can stay behind a firewall. It will have a continuous TCP connection to a MQTT server. The client initiates the connection and doesn't require a port forwarding on NAT. Your central application will have another connection to the same MQTT server. Then they can share messages instantly. There is no need to wait for the next poll time.

This is especially useful if you use GSM or similar paid networks. When the client doesn't have a static IP address and isn't accessible from the outside, random services trying to connect it cannot increase the used data and the bill will be limited.

[Siwastaja]

The context is that an IOT box should always be a client, behind NAT, and never a server, especially not on an open port.

Why?

One reason that comes into mind is that a TCP client taking a connection to a server on the Internet will always work without the user having to think about firewall/router/NAT configuration - if it didn't, pretty much nothing would work and they would notice it. It is also then irrelevant what IP address the device obtains, as long as the server address or hostname is correctly configured in the device, and this is possible to fix.

Having a local server accepting incoming TCP connections is possible, but more iffy to set up.

[zilp]

One reason that comes into mind is that a TCP client taking a connection to a server on the Internet will always work without the user having to think about firewall/router/NAT configuration - if it didn't, pretty much nothing would work and they would notice it. It is also then irrelevant what IP address the device obtains, as long as the server address or hostname is correctly configured in the device, and this is possible to fix.

Having a local server accepting incoming TCP connections is possible, but more iffy to set up.

Well, that is a reason to have a client on the IoT box. It's not a reason to not have a server. And also, it's not really a reason for it to always be/have a client, at best it's a reason to have a client if that is an application scenario that you need to support, which isn't universally the case.

The point being that I was not asking why one might want to have a client on the IoT box, but why that should always be the case, and why there should never be a server.

After all, you can have a client thingy that registers with the manufacturer's servers for remote discovery/connection establishment/whatever purposes, say, but also support, I dunno, local discovery via broadcast/multicast and incoming connections via other name resolution mechanisms (i.e., hard-coded addresses or DNS, say) to allow for operation without internet connectiviy and/or the manufacturer's infrastructure.

[peter-h]

I would have thought it was obvious why you don't want to have an embedded system as a server on an open port, but e.g.

- the IOT box will be detected by port sniffers within hours and attacked
- its software will never be up to date security-wise (due to constant R&D cost, and commercial risk of OTA)
- auto update download (client-triggered OTA basically) is possible but risky since the mfg publishing a bad update could brick the entire installed base!
- look at how many versions of say MbedTLS come out, and the recent ones (v3+) are a big job to integrate into a product which has v2
- only a proper heavy duty server (e.g. Centos, Linux and Apache, NGINX etc) should be exposed, and the admin and security patching of such is much easier
- the server can be protected against DOS with e.g. Cloudflare
- IOT box having both client and server is a whole load of RAM; MbedTLS client alone is ~60k
- the client mode means the entire "connection" which the IOT box has to support is private and hidden, which enables operation with no software updates for years or decades
- one would use TLS for data encryption, with the server certificate having a 100 year life (one can argue that one may as well just run aes256 with a shared key; there is no difference between a shared key and a long lived certificate, is there?)

Both controller and IoT box are clients and connect to cloud server to relay the commands.

I guess you mean a) the customer's app and b) the heating controller are both clients and connect to the "proper heavy duty server". a) is obvious and b) is what I am getting at.

If so, you may use MQTT with TLS

Yes; I have read up a bit on MQTT. But it doesn't directly address the main reason for the architecture I suggest. MQTT is just a more efficient protocol, and it is a separate debate on how exactly to do the protocols. The way I would do this is that the heating controller ("the IOT box") is an HTTPS client, and HTTPS is implemented with MbedTLS (my product does exactly all this already, although it isn't actually a heating controller).

The IOT box would call up the server say every 10 mins to collect any config changes, and since it is behind NAT it would be very hard to hack it. NAT can be penetrated using a couple of methods but AFAIK both involve - at a minimum - the attacker gaining control of the server which the IOT box periodically calls up, which is obviously possible but with good admin should be hard, otherwise the internet could never exist Then if the IOT box is hard to trash (a simple way would be to have no way to remotely re-flash it) you have pretty good security. My box does support OTA updates but the security around it is very good - basically as good as the 32F4 level 2+ protection (yes I know there are attacks on these chips, and the attacker will always be able to get hold of one of your products for disassembly).

It would be highly risky to build this around some commercial service. These have a habit of ditching protocols and needing a big redesign.

I don't get the advantage of a VPN for this.

Obviously the server will need careful firewalling. If say you have an installed base of 10k boxes, each one will need to store an https url for the server (not a fixed IP which is dodgy long-term) but publishing a DNS will immediately start chinese etc hacking. But this is no worse than attacking the server's customer side. Servers just have to be properly set up.

[AndyBeez]

Personally, I would take a path of creating a locked down IoT device. Regardless of the client only model, a locked down device should be the default in today's networked landscape. As well as considering data in transit   through TLS encryption, for example, the design should be robust enough to resist deconstruction by dumping the flash. This can be done with a secure element or hard key store - the hacker gets garbage. Collectively, all design features must guarantee that all iincoming malicious attacks will never reach the GPIO.

PDF IoT Security Foundation : IoTSF Secure Design Best Practice Guides
https://www.iotsecurityfoundation.org/wp-content/uploads/2019/03/Best-Practice-Guides-Release-1.2.1.pdf

[peter-h]

Interesting doc - thanks.

However, most of it is obvious, and some bits e.g.

All test access points on production units must be disabled or locked, for example by blowing on-chip fuses to disable JTAG

is a misunderstanding of what is actually possible e.g. the vast majority of embedded CPUs can and have been hacked via the old methods of glitching VCC, /RST, clock input, low/high temp, etc. The really secure chips e.g. smartcard chips, can't run these IOT applications, and/or tie you to some weird device, tools, etc. There is some level of reverse engineering risk which is really hard to avoid.

But does it matter? The really risky area is somebody hacking the installed base of devices, not just a few of them. This will always be possible, indeed trivial, if somebody hacks the server (whether or not the actual devices are affected, is irrelevant, because obtaining control of the server enables misconfiguring the entire installed base, and setting 10k heating controllers to +5C 24/7 is as good as wiping their flash). But server admin is a well established discipline...

[AndyBeez]

You need to define both your threat landscape and the cost of compromise. I can understand your server-less methodology, but is a base unit really the server backbone? Fundamental question, why does everything need a cloud connection? You could have  IoT devices 'meshed' together on some kind of VLAN - but when devices span networks, we enter a whole new house of pain.

Poor design, implementation, infrastructure and support, are a few areas where IoT has gained a bad reputation. Who cares if a kid in China can read everyone's home wifi key off of their spin dryer? Maybe the peado on the laptop parked outside does. As an IoT designer, building a black box should be the philosophy. Unfortunately, most IoT hardware is some ESP32 variant with a open source codebase. Secure elements and secure processors are the reserve of large companies who signed the NDA.

[peter-h]

why does everything need a cloud connection

A higher-end heating controller needs a remote config feature.

For example you stay in a ski resort. Most apartments are owned by remotely (no pun intended) located people, who get notifications from booking.com or airb&b that somebody booked a 5 day stay, arrival 1400, so they turn on the heating remotely.

Like I said, this requirement has been there since for ever. In the 1980s you used a phone line (which was normally shared with the house phones; the heating controller would go off-hook only after say 20 rings) and a modem chip or module. I even did one with an MT8870 DTMF decoder for turning on/off one of 8 relays

Today you do it over the internet, but the problem is that everything which you can remotely connect to is easily discoverable and therefore hackable. Port knocking is quite good. And with an embedded system you have poor defences because the software is of necessity rather primitive. I see the MbedTLS devs (I am on their mailing list) grind through N versions in a year or two, and address increasingly esoteric "vulnerabilities" like zeroing malloc'd buffers before doing a free() (which are worthless unless an attacker is practically inside your box already, but there is nothing to help with back doors in the low level code connecting e.g. LWIP to the ETH hardware). This IOT stuff is simply impossible to secure... the only way is to have it hidden behind NAT and have it run as a client.

I agree with your other comments. The problem is that everybody on the internet is a security expert So, DES, PPTP, FTP, MD5, etc are all "crap". Yet practically nobody is attacking crypto itself.

[zilp]

I would have thought it was obvious why you don't want to have an embedded system as a server on an open port, but e.g.

Yeah, that's what it seemed like. Which is why I am trying to get you to really think this through. This is widely believed, especially among people who don't know all that much about IT security, but really, it's pretty close to cargo cult and often leads to bad security.

- the IOT box will be detected by port sniffers within hours and attacked

How would it be attacked? And how does not having a server prevent that?

- its software will never be up to date security-wise (due to constant R&D cost, and commercial risk of OTA)

And how does not having a server help with that?

- auto update download (client-triggered OTA basically) is possible but risky since the mfg publishing a bad update could brick the entire installed base!

As for accidental bricking, there certainly are things one can do to minimize that risk (like two boot images in flash with some automatic or manual way to recover into an old version if the new version is broken).

But also note that automatic updates are a huge security risk, as a compromise of the update deployment system can be used to fully compromise and/or brick all installed devices.

- look at how many versions of say MbedTLS come out, and the recent ones (v3+) are a big job to integrate into a product which has v2

I am assuming that you are talking about versions due to security fixes here? If so: How does not having a server help with that?

- only a proper heavy duty server (e.g. Centos, Linux and Apache, NGINX etc) should be exposed, and the admin and security patching of such is much easier

It seems like you are suggesting that an IoT device that only acts as a client is not exposed? Why do you think that?

Really think about this.

If there is a buffer overflow in the IP layer, say, how does not having a server on the device prevent exploitation of that buffer overflow?

- the server can be protected against DOS with e.g. Cloudflare

Maybe. But be aware that that can also be a huge security risk, especially if this implies TLS termination by Cloudflare (Cloudflare is a very juicy target).

- IOT box having both client and server is a whole load of RAM; MbedTLS client alone is ~60k

Of per-connection state, you mean? Well, yeah, that's a thing to consider, but certainly not a reason to never have both.

- the client mode means the entire "connection" which the IOT box has to support is private and hidden, which enables operation with no software updates for years or decades

No, it most certainly does not mean that. If you want to estimate IT security risks, you have to think in terms of attack surface, i.e., what parts of the code in your system are reachable by an attacker, and how difficult it is to get into a position that would allow that attack to be performed.

Take my example above: The low-level IP stack does not care about "client" or "server" at all, all it is concerned with are IP packets. Just because you happen to only use one TCP socket to establish an outbound connection, doesn't mean that someone who can send IP packets to your device can't exploit a vulnerability in that code.

Now, you might be thinking: "But how would anyone possibly send IP packets to the device?" Well, for one, even from the public internet through a stateful firewall that blocks incoming connections, that is way easier than your wording above would suggest.

A firewall isn't a magic device that prevents packets from all unauthorized sources from reaching your device. All it does is that it matches a bunch of fields in a packet against fields it has seen in other packets to determine whether the packet might belong to an established connection. But the entropy of those fields isn't all that high. With TCP over IPv4, that's 32 bit each for the IP addresses of the two endpoints, 16 bits each for the port numbers of the two endpoints, and the 32 bit sequence number.

So ... 128 bits? That should be enough to prevent someone just blindly guessing the values to get a packet through the firewall, shouldn't it? Well, if these indeed were purely random 128 bits, sure. But of course, they aren't. In your IoT-device-connects-to-manufacturer's-server scenario, the IP address of the server is public knowledge, so trivial to "guess". The port number of the server is also public knowledge, so doesn't help either. Now, if the attacker has no idea where the devices that they are trying to attack are on the network, then you could consider the client IP address as sort-of random. But of course, that's not really necessarily true, as it might not necessarily be a secret that someone has one of your devices installed, and thus, if someone were to try and run a targeted attack against them, they might easily know the (public) IP address where the device is to be found (be it a business with static addresses, or you get the victim to load some page or image or whatever from your web server, or maybe you can get them to send you an email where the email provider puts their address into the email headers ...), so you really have to assume that the client IP address isn't exactly a secret either.

Well, then we at least have 32 bits of random sequence number, right? Well ... for one, you'd have to make sure that the initial sequence number is really random (especially on embedded systems with bad randomness sources, that can be a problem, though most implementations nowadays at least try to make the ISN unpredictable). But also, the firewall can not do an exact match, because it has to allow for reordering and packet loss within the transmission window. I would be surprised if any firewall let through less than 64 KiB of window, this reducing the remaining entropy of he sequence number fo 16 bits. And I would not be surprised if many firewalls didn't check sequence numbers at all.

So ... well, I guess the only somewhat reliable entropy is the client port number, then? That also depends on the client actually randomizing the port number, of course. And also, if your code establishes multiple connections in short order, chances are that the firewall takes a while to time them all out, so multiple port numbers might actually be let through.

Also, mind you that NAT is not a firewall, and chances are that NAT is less strict than a firewall when matching connections.

So ... you are relying on 16 bits of randomness to prevent an attacker exploiting a vulnerability in your IP stack. I.e., on average 32768 packets to compromise your device. So, with a Gbit/s fiber link, that would be matter of less than a milisecond.

And all of that assumes that the attacker can't eavesdrop the legitimate connection, which is also a risky assumption to make.

And that is just one of many possible attack vectors. Depending on the vulnerability, an attacker might also just be able to use other devices behind the firwall to attack your device, for example. If the user has a smartphone or PC on the same network (which would certainly be common in home setups), an attacker might be able to get the user to load some web page that then can use the numerous javascript APIs in the browser to send packets to your device without those packets ever even passing through a firewall that might exist between the public internet and your device.

- one would use TLS for data encryption, with the server certificate having a 100 year life (one can argue that one may as well just run aes256 with a shared key; there is no difference between a shared key and a long lived certificate, is there?)

That depends on the cipher suites that you are using with TLS. Best practice nowadays would be to only use cipher suites with forward secrecy, i.e., cipher suites that use ephmeral (elliptic curve) diffie hellman key agreement, so that a compromise of the server's secret key does not allow decryption of past connections.

Also, as PSK that's used directly for payload encryption is at high risk of IV reuse and/or difficult to reliably protect against replay attacks.

Or more generally: If you have to ask this question, do not even think about designing your own cryptographic protocol, including "just encrypt the data befrore transmitting it". You are almost guarenteed to fuck it up in a way that allows trivial compromise of the encryption.

The IOT box would call up the server say every 10 mins to collect any config changes, and since it is behind NAT it would be very hard to hack it. NAT can be penetrated using a couple of methods but AFAIK both involve - at a minimum - the attacker gaining control of the server which the IOT box periodically calls up,

No, that is not necessary. Actually, that wouldn't even count as "hacking the NAT", as the server that the client legitimately connects to obviously can send packets to the client device, that is just how a NAT is expected to be used. Of course, there will also be potential attack surfaces that are reachable only from that server, but that would just be using the NAT the way it is intended to be used, not in any way "hacking" it.

Really, the idea that NAT "prevents unsolicited connections" is just a myth. It is a very commonly believed myth, but it still is just a myth.

which is obviously possible but with good admin should be hard, otherwise the internet could never exist

Well, in any case, it is strongly recommended to have defense in depth. It is generally a very bad idea to have a central point of (security) failure, because that makes for a juicy target. While it might be true that it is easier to secure one server than thousands of appliances (which doesn't work anyhow, because you still need to secure the appliances, see above), that one server is also a far more interesting target for attackers than all those appliances that might not be that easy to find otherwise.

Then if the IOT box is hard to trash (a simple way would be to have no way to remotely re-flash it) you have pretty good security.

For one, no, that doesn't mean that you have pretty good security. If your heating controller can be made to burn down the house, then it is irrelevant whether it is possible to remotely re-flash it.

But also ... if an attacker can obtain remote code execution through some vulnerability, how do you prevent them from just rewriting the flash contents, assuming the MCU supports self-flashing? Unless you are talking about an MCU with MMU and unprivileged processes and stuff ... which still assumes correctness of the code that's enforcing that security boundary.

It would be highly risky to build this around some commercial service. These have a habit of ditching protocols and needing a big redesign.

Agreed.

Obviously the server will need careful firewalling.

If your server needs firewalling, you have already failed.

[AndyBeez]

With any remote device out there on the Internet, the only assumption one can make is that everything network side of the device's MAC address is insecure.
For example, the IT administrator at the ski resort might be a lazy tool and, without telling anyone else, resets every switch and access point to their default 1234 login credentials. This really happens in the real world.
How then do you keep your IoT devices safe from network attacks? Answer, you cannot. Anyone with access to the ARP can run amok. So if the IoT device can be disrupted on the network, how do you keep it from being damaged? Answer, secure design. Okay, firmwares and hardware do not need to be as tight as a crypto wallet, but it has to be impervious by design. WAN facing servers should provide minimal functionality and secure only access. There cannot be any backdoor IPs or ports either.

Do not forget how useful Bluetooth can be, where proximal access to the IoT device is required.

[zilp]

I agree with your other comments. The problem is that everybody on the internet is a security expert So, DES, PPTP, FTP, MD5, etc are all "crap". Yet practically nobody is attacking crypto itself.

But that's just a "you don't have to outrun the bear, you just have to outrun the slowest guy" kind of scenario.

As long as there is so much terrible quality stuff out there that can be compromised using trivial exploits, obviously, noone is going to bother with attacking the crypto, unless they want to get into a particular target where no easier path exists. But especially for long-lived products it's maybe not a good idea to bet on everyone else staying terrible for the lifetime of your product.

[eutectique]

- the IOT box will be detected by port sniffers within hours and attacked

How would it be attacked?

By flooding the network with bogus ACK or SYN/ACK packets. I witnessed the fleet of battery-powered devices being knocked down.

A device in question could normally live 12 hours on a battery charge, and a fleet of them should be located behind the firewall. One day the customer reported battery life of only about 5 hours for the whole fleet. The logs showed surge of power consumption in all of ~30 devices. This was traced down to continuous modem activity dealing with the flood. Which was, in turn, traced down to the absence of the firewall.

If your server needs firewalling, you have already failed.

No.

[peter-h]

zilp - you make some good points but when one gets to

If your server needs firewalling, you have already failed.

then there isn't anything one can say in response

With any remote device out there on the Internet, the only assumption one can make is that everything network side of the device's MAC address is insecure.

That isn't totally possible, however. What is supposed to happen is that an incoming packet gets to your TCP/IP stack, say LWIP, and if nothing is listening on that port then it will be discarded. If there is e.g. buffer overflow in LWIP, you can have a problem. But to get to this point, someone need to do quite a bit of work. Hacking some wifi AP to do nasty stuff takes a fair bit of expertise. You also need an extremely deep knowledge of the IOT box software. Bits of it may be open source but most won't be (hopefully).

By flooding the network with bogus ACK or SYN/ACK packets. I witnessed the fleet of battery-powered devices being knocked down.

Sure, that comes down to stuff like not allowing unrestricted RX interrupts on the ETH hardware. In my box I do it by polling the RX. One still gets 1MB/sec which is 100x fast enough for the job The industry drift is for great speeds, zero-copy drivers, etc, but that just makes it vulnerable to e.g. a misbehaving device on the LAN sending out broadcasts at 100mbps. That is a real issue with embedded and ETH. But still somebody needs real expertise and, to set up the flood, decent bandwidth.

[zilp]

How would it be attacked?

By flooding the network with bogus ACK or SYN/ACK packets. I witnessed the fleet of battery-powered devices being knocked down.

A device in question could normally live 12 hours on a battery charge, and a fleet of them should be located behind the firewall. One day the customer reported battery life of only about 5 hours for the whole fleet. The logs showed surge of power consumption in all of ~30 devices. This was traced down to continuous modem activity dealing with the flood. Which was, in turn, traced down to the absence of the firewall.

... which is relevant here how?

If your server needs firewalling, you have already failed.

No.

... because?

[zilp]

zilp - you make some good points but when one gets to

If your server needs firewalling, you have already failed.

then there isn't anything one can say in response

... because?

Like, name one thing that a firewall would be needed for that isn't the result of a failure elsewhere?!

[madires]

I would have thought it was obvious why you don't want to have an embedded system as a server on an open port, but e.g.

- the IOT box will be detected by port sniffers within hours and attacked

We can't make IoT stuff idiot-proof. There's always some professional moron connecting the control system of a water treatment plant directly to the internet and keeping the default PW. However, it's about choices. We shouldn't require the IoT device to connect to a cloud based service, it should be an option. The IoT device should also have the option to connect to a local control server or to be controlled via an on-board service. And tell the user the best current practice to protect the device.

[peter-h]

Like, name one thing that a firewall would be needed for that isn't the result of a failure elsewhere?!

One should firewall a server to accept only traffic it is supposed to be getting. So e.g. you firewall a web server to accept only 80, 443, and the other stuff like Putty (remote admin), DNS, and such like. Otherwise, in the usual virtual server scenario, absolutely everything sent to that IP will need processing.

You can also set up stuff like IP banning following a flood, etc. On one site I "run" it is behind Cloudflare and I have blocked china, russia, india which greatly reduced various nuisances. CF offers 5 such blocks for free. Obviously hackers can use VPNs but the indications are they mostly don't bother and DOS over a VPN will cost the attacker money.

Luckily, virtual servers tend to have huge incoming bw like 50Gbit/sec, so a firewall actually works.

But I am sure you knew that

This is not wholly OT because a firewall is not going to be available in an embedded box, and if it was (which would hardly be difficult) it would be of limited use because a DOS attack will just overwhelm the CPU anyway. Some CPUs with ETH do have a packet filter so LWIP will be seeing only packets destined for its IP (plus, ahem, broadcasts etc).

We can't make IoT stuff idiot-proof. There's always some professional moron connecting the control system of a water treatment plant directly to the internet and keeping the default PW.

Sure, and my original point was that in your above case the "control system" is probably a server, maybe even with a published DNS, so half of china is going to be in there, with 24/7/365 dictionary attacks at around 10Hz (I see this on some servers). But if it was a client connecting as I suggest above, it would not be attacked like that.

[madires]

I don't get the advantage of a VPN for this.

Layered security. Attacking becomes harder.

[madires]

[

If your server needs firewalling, you have already failed.

No.

... because?

... the firewall can perform rate limitting or handle other offloading tasks.

[peter-h]

I use VPNs too and have wondered about this.

A port sniffer will instantly discover VPN termination ports, whether pptp, ipsec, openvpn, whatever. Then it can send packets down there.

The assumption is that a given router (probably a consumer type, or maybe a £500 mid-level one) has fewer bugs in the VPN terminator than are elsewhere. That is probably right as in e.g. Remote Desktop is wide open and should be run only over a VPN. But is this relevant to IOT? Would you actually implement a VPN terminator in your IOT box? How much less vulnerable is that to setting up an https server on that IP?

[madires]

Sure, and my original point was that in your above case the "control system" is probably a server, maybe even with a published DNS, so half of china is going to be in there, with 24/7/365 dictionary attacks at around 10Hz (I see this on some servers). But if it was a client connecting as I suggest above, it would not be attacked like that.

Best current practice is to not connect the control system directly to the internet. You place it behind a VPN router, connect via a VPN client to the router and then access the control system (layered security).