The small things security

The small things security

Última edición 22 Jul 2018 Elephant

This article will make a brief introduction to the Internet of Things (IoT) ecosystem, emphasizing the most common security problems and how to avoid them.

Today the world would not work without the Internet, a fundamental pillar of the so-called Internet of Things. In IoT the Internet is not a luxury, it is necessary to be able to communicate the devices with the platforms that monitor and manage them.

The world would not work without wireless technologies and so that antennas could be transmitted and received. They can be found in different sizes depending on the frequency that will be used and the power with which you want to transmit, but with technological advances you can see that a small internal ceramic antenna is capable of transmitting and receiving a large amount of data.


An antenna is a conductive device that has been designed to emit and receive electromagnetic waves. There are many protocols and ways to communicate because there are many wireless devices. They can be classified by design, which in turn depends on the frequency, knowing that the higher, the greater the flow of data can be transmitted.

Most of the time you choose the wireless protocol, (WiFi, Bluetooth, GSM, NFC, etc.) the type of modem or transmitter, power, data and speed before choosing an antenna.

If the position in the device is taken into account you can choose between internal or external antennas. Being the first ceramic type most common in small devices due to its smaller size, large radioelectric characteristics and the possibility of being placed in the PCB. The external ones are usually dipole type and can be found in larger devices that do not have space problem or that need to communicate at greater distances.



For the Internet of Things to exist there must be "things" such as sensors or actuators that can transmit or receive data in greater or lesser amounts and in a greater or lesser period of time. A temperature sensor can store the temperatures every hour and transmit them once a day for example or it may not store anything and send the temperature every 10 minutes.

Although the term IoT is now very fashionable, it is not new at all. For many years there has been domotic; although with the great problem of the wiring, it was able to control the temperature, blinds and awnings of a house, among other things, from a fixed screen placed on the wall or Tablet later. They were expensive systems due to the complexity of installation if it was intended to incorporate a house built as it is necessary to separate the cables of the home automation from the rest of the electrical installation, which made it impossible in old homes and complicated in some modern ones.

The "Smart Home", is the term that was adopted later although it remained the same, devices connected to the home through an independent Bus or PLC. But the revolution has come with IoT, now any device (refrigerator, washing machine, etc.) has direct access to the Internet without the need for complex wiring or closed circuits.

There are plenty of sensors and actuators in the market, from a simple temperature sensor to an air quality sensor and they all have the same principle, having an IP to send and receive information to a server through the Internet.



An Internet gateway is halfway between the devices and the cloud, being responsible for the traffic generated in both directions.

You can imagine a factory that wants to monitor its machinery from a control post, indeed, you can think of a company that has several factories scattered around the world and wants to control and monitor their machines from a remote control center. In either case, sensors and actuators will need to be communicated with servers that may be located in a local CPD or in some cloud. The most common is to use some cloud as a solution, but if you think about the devices, they make a direct connection to the Internet, which leads to two problems, excessive traffic and a very high response time that in some cases can be lethal. Not to mention the problems caused by the momentary loss of the Internet connection. If the cloud sends an order to stop the machinery to an actuator and that order does not arrive in time, it can cause some problems in the production.

The most common solution adopted by IoT is to have a Gateway, in this case it is a GW with some intelligence since it is able to store some data from the cloud and work autonomously reporting the status when necessary. This solution saves unnecessary traffic and most importantly, has direct access to all sensors and actuators with a very low response time. Another advantage of the GW is that it can control different sensors with multiple protocols and connection types (bus or wireless) and it is also capable of encrypting and filtering data.



The buzzword today is "cloud," but it's just a server hosted on a remote CPD. The IoT-specific cloud offer very complete solutions that save a lot of development time, for example:

  • Execute actions when an event occurs
  • Storage in BBDD "without limit"
  • Analysis and treatment of data
  • Dashboards
  • Create functions without the need for programming knowledge
  • Absolute scalability




The IoT ecosystem advances very rapidly and new devices appear on the market every day, which leads to multiple protocols. A good protection system must contemplate the ones we are going to use, a fact that is gradually taking place thanks to the fact that the IDS solutions incorporate more IoT protocols every day.

Many times it is designed and manufactured very quickly and there is not much attention or proper security audits due to market demands and so short delivery times. An impediment for small companies or freelances is the high cost of hardware testing tools in addition to the added cost of manufacturing a test model with all buses and JTAG programming and debugging and another production with hardware protection measures. Although it is increasingly common to find companies that are concerned about the safety of their hardware, usually the most heard response is: "if the vulnerability is not remote, it does not matter" or "no one is going to investigate my hardware at that level", big mistake because the biggest problems start with the smallest things...

If you talk about the security of communications between an IoT device and a Gateway or between the Gateway itself and the nube you can find encryption problems. Many times due to the limited resources of the microcontrollers used in IoT, other times due to lack of knowledge and a high percentage due to the rush, again the rush... It can be understood that there is a limitation in costs of the IoT device and therefore, the communication between the device and GW is not encrypted, but that excuse is no longer valid if we take into account that 8bit MCUs are coming onto the market with AES, DES and RSA encryption, let alone the great variety that can be found in the range of 32bits.

Where excuses are not allowed is in the communications between the Gateway and the cloud, in a GW there is at least a high-level Operating System and programming languages with libraries to encrypt any communication in a very simple way.



If the number of IoT devices that are connected is very high, there will be a high traffic between the Gateway and the nube and if some precautionary measures are not taken, some type of information theft or improper access may be suffered.

Nowadays it is vital to have control over a device, meaning "to have control", to be able to access it without limitations and to update the firmware remotely without endangering the integrity of it. Securing the Gateway is one of the most important measures since it is touching the Internet world and that is where the biggest problems can come from. In a later article, IoT protocols and the problems of device networks will be discussed in detail.

Below are some basic things to keep in mind in the Gateways settings:

  • Perform software quality testing and software audits. It is curious because the Gateways have a lot of hardware resources and that means that more complex software can be created. But it also means that the more complex the software, the more likely it is to have vulnerabilities. Beware of programming in Assembler and C, because in an oversight you can leave a flaw that can be exploited by some Hacker and create an exploit.
  • Secure the perimeter with a Firewall solution. The Gateway is on the first line of the battlefield and will be the focus of automatic or targeted cyber attacks so it has to be protected very well. Never open ports to unused services and perform security audits specific to IoT.
  • Encrypt all communications. Enable the HTTPs protocol in the cloud. This will make it difficult for hackers to steal information.
  • Use X.509 certificates. In line with the above, no data should be sent to the unencrypted devices and the devices should not accept unencrypted packets. This makes it difficult for Hackers to manipulate IoT sensors and actuators.
  • Ensure firmware update. IoT devices usually have limited resources that are unable to verify the authenticity of firmware updates. This point is very important and must be taken into account always, either with the help of the Gateway or in the firmware itself, at least a simple check of checksum and if you can also apply a signature protection.
  • Protect the tracks and pads of the PCB. Something forgotten by most large and small manufacturers. In a very high percentage of the hardware security audits we have carried out, we have encountered this problem. It is not a good idea to leave the firmware programming ports accessible, it is best to place those tracks in intermediate layers and not leave programming connectors. It is also not a good idea to leave the JTAG activated in a production team.
  • Implement some type of fingerprint in the hardware. Although it is rare to find any protection measure in the hardware, on some occasion we have requested it and we have implemented a system PUF (Physical Unclonable Function) or fingerprint successfully.


This article is a no technical introduction to the Internet of Things (IoT) security. All the techniques discussed in subsequent technical articles will be shelled. Leave us your opinion in social networks, tell us what topic you would like us to deepen and do not stop reading!

Next Post