
How would you do a heating controller, IOT client, securely?


The context is that an IOT box should always be a client, behind NAT, and never a server, especially not on an open port.

The problem is if you want it remotely accessible. There are many such products.

This has been done for decades (I used to do one in the 1980s which was accessed over a phone line modem, so the security was a) knowing the phone # and b) knowing the password) but how do people do it nowadays?

If the IOT box is a client, there is no way to connect to it freely (obviously). I suspect the existing products are either a server on an open port (with all the vulnerability issues) or the thing which the user's "heating config app" connects to is not the IOT box itself but a copy of its config residing on the public server which fronts the entire installed base of these boxes, and the IOT box retrieves this config periodically, say every 15 mins.

The obvious advantage of the public server is that the mfg gets a long term revenue stream ;) And this means that when the mfg goes bust, you lose the remote config capability. And this has happened a number of times...

The way it is done today: 
Both controller and IoT box are clients and connect to cloud server to relay the commands.

If you do not want to run your own server there are IoT platforms available to integrate. E.g. particle.io, balena.io
There also was an Amp Hour podcast with the founder of one of those platforms, iirc.

Also a VPN solution if your products support it, e.g. ZeroTier, Tailscale...


--- Quote from: peter-h on March 14, 2024, 08:03:56 am ---The context is that an IOT box should always be a client, behind NAT, and never a server, especially not on an open port.

--- End quote ---


Control of gas boilers, ventilation and lighting must be fully autonomous. External control should be completely excluded.
The logic of the smart home should filter reports and warnings for the user, so as not to overload them with unnecessary information.
An external server can change the address, owner, gender, or just send it on a pedestrian journey. The world is changing very quickly.

Are you asking about a secure communication method over the network? If so, you may use MQTT with TLS. Your device can stay behind a firewall. It will have a continuous TCP connection to an MQTT server. The client initiates the connection and doesn't require port forwarding on NAT. Your central application will have another connection to the same MQTT server. Then they can share messages instantly. There is no need to wait for the next poll time.

This is especially useful if you use GSM or similar paid networks. When the client doesn't have a static IP address and isn't accessible from the outside, random services trying to connect to it cannot increase the used data and the bill will be limited.
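To make the pattern above concrete, here is an added example (not from any poster in this thread) of the device side: the box dials out over TLS, verifies the broker's certificate, sends its own MQTT 3.1.1 CONNECT and subscribes to a config topic, so no inbound port is ever opened. It uses only the Python standard library with a hand-rolled packet encoder; the broker host, CA file, topic and credentials are placeholder assumptions.

```python
import socket
import ssl
import struct

BROKER = ("broker.example.invalid", 8883)   # assumed: your MQTT-over-TLS broker
CA_FILE = "broker-ca.pem"                   # assumed: CA that signed the broker cert
CONFIG_TOPIC = "heating/house-1234/config"  # assumed: topic the box listens on

def make_tls_context(ca_file=None) -> ssl.SSLContext:
    # Require a verified chain and matching hostname, and refuse pre-1.2 TLS,
    # so a box on an untrusted network cannot be talked to by a fake broker.
    ctx = ssl.create_default_context(cafile=ca_file)  # None = system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def encode_remaining_length(n: int) -> bytes:
    # MQTT variable-length integer: 7 data bits per byte, high bit = more follows.
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def mqtt_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data      # 2-byte length prefix

def build_connect(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    # MQTT 3.1.1 CONNECT: clean session (0x02), username (0x80), password (0x40).
    flags = 0x02 | 0x80 | 0x40
    var_header = mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    payload = mqtt_string(client_id) + mqtt_string(username) + mqtt_string(password)
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body

def build_subscribe(packet_id: int, topic: str, qos: int = 1) -> bytes:
    body = struct.pack("!H", packet_id) + mqtt_string(topic) + bytes([qos])
    return b"\x82" + encode_remaining_length(len(body)) + body

def connect_and_subscribe() -> bytes:
    # Outbound only: the device opens the TLS session and speaks first.
    raw = socket.create_connection(BROKER, timeout=10)
    with make_tls_context(CA_FILE).wrap_socket(raw, server_hostname=BROKER[0]) as tls:
        tls.sendall(build_connect("heating-box-1234", "box1234", "per-device-secret"))
        connack = tls.recv(4)          # CONNACK: 20 02 <flags> <rc>, rc 0 = accepted
        if connack[:2] != b"\x20\x02" or connack[3] != 0:
            raise ConnectionError(f"broker rejected CONNECT: {connack!r}")
        tls.sendall(build_subscribe(1, CONFIG_TOPIC))
        return tls.recv(5)             # SUBACK: 90 03 00 01 <granted qos>

if __name__ == "__main__":
    print(connect_and_subscribe())
```

The broker's ACL should then restrict each device's credentials to its own topics, so one compromised box cannot read or write another household's config.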

