Don’t Answer The Door … Protecting IoT

Stage 2

This session proposes an alternative approach for bi-directional data flows with IoT devices. The IoT device makes only outbound connections over secure, connection-oriented protocols that support bi-directional communications, such as AMQP. Because the IoT device always initiates the outbound connection, it requires neither an addressable server endpoint nor a VPN to secure one. This also facilitates communication through any number of NATs, proxies, and firewalls that are commonly deployed on managed networks.

Because the IoT device has no addressable server endpoint, the attack surface is significantly reduced: the threat of network-based attacks against vulnerable protocol stacks, for example, is eliminated. Additional device security features, such as a hardware-based root of trust and an unforgeable device identity, can reduce the residual risk even further.

The session will include a demonstration of an IoT device which sends telemetry to the cloud and responds to commands from a web application to perform actions on the board. The demonstration will include a network scan to show the device does not have an addressable server endpoint.
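The outbound-only pattern described above, as an added illustration that is not the session's demo code: the device dials the cloud endpoint, sends telemetry and receives a command over that same established connection, so it never calls listen(). A newline-framed JSON stream over a loopback TCP socket stands in for AMQP so the example runs offline; the device id, telemetry values and the set_led command are constructed for the example. The SO_ACCEPTCONN check on the device socket is the in-process equivalent of the network scan mentioned in the abstract: it reports 0 because the device socket is not a listening socket.

```python
"""Outbound-only bidirectional channel (added example, not the session's code).

The device never listens; it connects outbound and the cloud pushes commands
back over the device-initiated connection. Newline-framed JSON over TCP stands
in for AMQP so that everything runs offline on loopback.
"""
import json
import socket
import threading


def _send(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


def _recv(f):
    line = f.readline()
    return json.loads(line) if line else None


def cloud_side(listener, result):
    """Cloud endpoint: the only party with a listening socket. It accepts the
    device's connection, records the telemetry and pushes a command back over
    the same socket, so no inbound port on the device is needed."""
    conn, _ = listener.accept()
    with conn, conn.makefile("r") as f:
        result["telemetry"] = _recv(f)
        _send(conn, {"cmd": "set_led", "state": "on"})  # constructed command
        result["ack"] = _recv(f)


def device_side(host, port, result):
    """Constrained device: outbound connect only, then act on received commands."""
    led = {"state": "off"}
    with socket.create_connection((host, port)) as sock:
        # SO_ACCEPTCONN is 1 only for a listening socket; 0 here shows the device
        # exposes no server endpoint (assumes a Linux/BSD socket API).
        result["device_listening"] = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN)
        _send(sock, {"device_id": "demo-board-01", "temp_c": 21.5})  # constructed telemetry
        with sock.makefile("r") as f:
            cmd = _recv(f)
            if cmd and cmd.get("cmd") == "set_led":
                led["state"] = cmd["state"]  # perform the action on the board
                _send(sock, {"ack": "set_led", "led": led["state"]})
    result["led"] = led["state"]


def run_demo():
    """Run cloud and device in one process; returns what each side observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port on the cloud side only
    listener.listen(1)
    host, port = listener.getsockname()
    result = {}
    t = threading.Thread(target=cloud_side, args=(listener, result))
    t.start()
    device_side(host, port, result)
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Replacing the loopback listener with a TLS-protected AMQP broker endpoint keeps the shape identical: the device still only dials out, and every command it receives arrives on a connection it opened, which is what removes the need for a reachable address, a port forward or a VPN on the device side.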

IoT / Industrie 4.0