Common IoT Threats
IoT devices face unique security challenges due to limited resources and remote deployment.
Top IoT Security Threats:
- Botnets: Mirai, Reaper infect poorly secured devices
- Default Credentials: 70% of devices ship with weak passwords
- Unencrypted Data: Sensitive data exposed in transit
- Insecure Updates: Firmware tampering, rollback attacks
- Physical Access: Device tampering, debug port access
- DDoS Attacks: Compromised devices attack infrastructure
Device Hardening
Disable Unused Services
```ini
# ESP32: disable unused features in menuconfig (sdkconfig)
CONFIG_BT_ENABLED=n
CONFIG_LWIP_TCP_ENABLED=y
CONFIG_LWIP_UDP_ENABLED=y
CONFIG_LWIP_SND_BUF_DEFAULT=5760
# Disable debug interfaces
CONFIG_LOG_DEFAULT_LEVEL_NONE=y
CONFIG_ESP32_DEBUG_OCDAWARE=n
```
Remove Debug Access
- Disable JTAG/SWD in production
- Remove UART debug output
- Enable flash encryption
- Enable secure boot
Encryption
Data in Transit
| Protocol | Encryption | Use Case |
|---|---|---|
| TLS 1.3 | AES-256-GCM | HTTPS, MQTT over TLS |
| DTLS 1.2 | AES-128-CCM | CoAP, UDP-based |
| WireGuard | ChaCha20 | VPN tunnels |
Data at Rest
```ini
# ESP32 flash encryption: enable in menuconfig (sdkconfig)
CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED=y
# Release mode: the key lives only in eFuse and cannot be read back over the host interface
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
```

```shell
# Pre-encrypt the application image on the host for flashing at its offset (0x10000);
# this only applies when the flash encryption key was generated on the host and burned to eFuse
espsecure.py encrypt_flash_data --keyfile key.bin --address 0x10000 --output app-encrypted.bin app.bin
```
Secure Boot
Ensure only signed firmware runs on devices:
- Generate secure boot key
- Sign firmware with private key
- Device verifies signature on boot
- Reject unsigned/tampered firmware
```shell
# Generate the Secure Boot V2 signing key (RSA-3072); the private key stays off the device
espsecure.py generate_signing_key --version 2 key.pem
# Sign the application image
espsecure.py sign_data --version 2 --keyfile key.pem --output signed_app.bin app.bin
# Burn the SHA-256 digest of the public key to eFuse (ONE TIME - irreversible!)
# Only the digest is burned, never the private key. On ESP32-S2/S3/C3 the command
# also takes a key purpose, e.g. SECURE_BOOT_DIGEST0
espefuse.py burn_key_digest key.pem
```
Authentication
Device Authentication Methods
- X.509 Certificates: Most secure, PKI-based
- Pre-Shared Keys (PSK): Simpler, less secure
- Token-based (JWT): Good for cloud services
- HMAC: Message authentication
Certificate Best Practices:
- Generate unique cert per device
- Use hardware secure element (ATECC608A)
- Implement certificate rotation
- Set appropriate expiry (1 year max)
- Have revocation process
Network Security
Network Segmentation
```text
# VLAN Configuration
VLAN 10: IoT Devices (isolated)
VLAN 20: Management (admin access)
VLAN 30: Guest (no IoT access)

# Firewall Rules
Allow IoT → Internet (specific ports only)
Allow IoT → MQTT Broker (port 8883)
Deny IoT → Internal Network
Deny Internet → IoT (no inbound)
```
Port Security
| Service | Secure Port | Insecure Port |
|---|---|---|
| MQTT | 8883 (TLS) | 1883 |
| HTTP | 443 (HTTPS) | 80 |
| CoAP | 5684 (DTLS) | 5683 |
| SSH | 22 | - |
OTA Updates
Secure firmware update process:
- Firmware signed with private key
- Device verifies signature before install
- Use A/B partition for rollback
- Encrypt firmware in transit
- Authenticate update server
```cpp
// ESP32 OTA over HTTPS with server authentication and error handling
#include <WiFiClientSecure.h>
#include <HTTPClient.h>
#include <Update.h>

extern const char* rootCACertificate;  // CA that signed the update server's certificate

void performOTA() {
  WiFiClientSecure client;
  client.setCACert(rootCACertificate);  // authenticate the update server; an untrusted cert fails the TLS handshake
  HTTPClient https;
  if (!https.begin(client, "https://updates.example.com/firmware.bin")) return;
  int httpCode = https.GET();
  if (httpCode == HTTP_CODE_OK) {
    int len = https.getSize();          // -1 when Content-Length is absent
    size_t size = (len > 0) ? (size_t)len : UPDATE_SIZE_UNKNOWN;
    if (Update.begin(size)) {
      size_t written = Update.writeStream(https.getStream());
      if (len > 0 && written != (size_t)len) {
        Update.abort();                 // truncated download: do not mark the new slot bootable
      } else if (Update.end(true) && Update.isFinished()) {
        ESP.restart();                  // with secure boot enabled, the bootloader rejects an unsigned image
      }
    }
  }
  https.end();
}
```
Security Checklist:
- ✓ Change default passwords
- ✓ Enable encryption (TLS/DTLS)
- ✓ Implement secure boot
- ✓ Enable flash encryption
- ✓ Disable debug interfaces
- ✓ Use certificate authentication
- ✓ Implement OTA updates
- ✓ Network segmentation
- ✓ Regular security audits
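The menuconfig settings in Device Hardening and Data at Rest, together with this checklist, can be audited automatically against a build's sdkconfig. The following is an added example, not code from the page or from ESP-IDF: it parses the sdkconfig format (both `CONFIG_X=y` and `# CONFIG_X is not set`) and reports every setting that deviates from the page's recommendations; CONFIG_SECURE_BOOT is the standard ESP-IDF symbol for secure boot and is assumed here because the page does not name it.

```python
import re
# Hardening expectations drawn from this page's menuconfig snippets and checklist.
# "y": the option must be set; "n": it must be disabled.
# CONFIG_SECURE_BOOT is not quoted on the page; it is the ESP-IDF symbol that enables secure boot.
EXPECTED = {
    "CONFIG_BT_ENABLED": "n",                            # unused radio off
    "CONFIG_LOG_DEFAULT_LEVEL_NONE": "y",                # no UART debug output
    "CONFIG_ESP32_DEBUG_OCDAWARE": "n",                  # no JTAG/OpenOCD awareness
    "CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED": "y",        # flash encryption on
    "CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE": "y",  # release, not development mode
    "CONFIG_SECURE_BOOT": "y",                           # secure boot on
}
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_sdkconfig(text):
    """Parse sdkconfig text into {option: value}; '# X is not set' is recorded as 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg

def audit(cfg):
    """Return (option, expected, actual) for each missed expectation; absent options count as 'n'."""
    return [(opt, want, cfg.get(opt, "n"))
            for opt, want in EXPECTED.items() if cfg.get(opt, "n") != want]

# Constructed sample: a development build that was never switched to release settings
SAMPLE = """\
CONFIG_BT_ENABLED=y
CONFIG_LOG_DEFAULT_LEVEL_NONE=y
# CONFIG_ESP32_DEBUG_OCDAWARE is not set
CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED=y
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not set
"""

if __name__ == "__main__":
    for opt, want, have in audit(parse_sdkconfig(SAMPLE)):
        print(f"FAIL {opt}: expected {want}, found {have}")
```

Run it against the real `sdkconfig` of a release build before signing; a clean run returns no findings, and any finding names the exact option to fix in menuconfig.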
Next Steps
- Implement hardware security module
- Set up security monitoring
- Create incident response plan
- Regular penetration testing
- Stay updated on CVEs