AWS Public Sector Blog
4 common IoT protocols and their security considerations
With the Internet of Things (IoT), selecting the right communication protocol ensures efficient data exchange and seamless connectivity between devices and the cloud. With a multitude of IoT protocols available, choosing the one that best suits your specific use case can be challenging.
In this blog, we explore four common protocols used to connect IoT devices to the cloud and shed light on when and where to deploy them for optimal results. We explore the different security considerations for each protocol based on guidance from the Cybersecurity and Infrastructure Security Agency (CISA). Finally, we highlight how Amazon Web Services (AWS) services can help address these security considerations. Whether you’re building a smart home system, managing industrial sensors, or developing a healthcare monitoring solution, understanding how to secure these protocols will empower you to make informed decisions for your application.
Protocol overview
When choosing a protocol, consider factors such as communication type, power consumption, and use case:
| Protocol | Communication type | OSI model layer | Power consumption | Common use case |
|---|---|---|---|---|
| WebSocket | Bidirectional, full-duplex | 7 | Highest | Real-time dashboards, interactive control applications, collaborative tools |
| MQTT | Publish/subscribe | 7 | Moderate | Sensor data collection, telemetry and real-time monitoring, remote device management |
| HTTP | Request/response | 7 | Low | Web-based control interfaces, component integration using APIs, data reporting and retrieval |
| LoRaWAN | Asymmetric, star-of-stars topology | 1, 2 | Lowest | Remote distributed sensors, low-bandwidth telemetry, battery-operated devices |
AWS IoT architecture
AWS IoT Core is a managed cloud service that allows devices to connect to AWS and interact with cloud applications using these four protocols. CISA recommends that IoT devices use strong authentication. AWS IoT Core supports three types of client or device authentication: X.509 certificates; AWS Identity and Access Management (IAM) users, groups, and roles; and Amazon Cognito identities. IAM policies can be defined and attached to an IoT role to control which actions are allowed. For example, for a device to publish its state to an Amazon DynamoDB table, an IAM role grants AWS IoT the permissions it needs to interact with Amazon DynamoDB.
Figure 1 shows an architecture connecting an IoT Thing with the AWS IoT Core cloud service:
For AWS IoT Core, the primary method of securing communication is through the use of X.509 certificates, which can be generated, registered, and managed directly within AWS IoT Core. The AWS IoT Core Device Gateway requires customers to encrypt all communications while in transit using Transport Layer Security (TLS) version 1.2 or 1.3.
Best practices of encryption in AWS IoT Core include:
- Use mutual TLS authentication.
- Regularly rotate certificates.
- Use AWS Key Management Service (AWS KMS) to manage your encryption keys.
- Monitor and audit the security posture of your IoT devices with AWS CloudTrail and AWS IoT Device Defender. Device Defender can detect abnormal device behavior and alert you to potential security issues.
With the general best practices established, let’s delve into specific security considerations per protocol.
Hypertext Transfer Protocol Secure (HTTPS)
HTTPS adds a layer of encryption (SSL/TLS) to protect data during transmission, preventing eavesdropping and data tampering. HTTPS is widely used for building IoT dashboards, web services, and cloud integrations. Its request-response nature makes it suitable for applications that require occasional data exchange or retrieval.
Security considerations for HTTPS
- Authentication – Use robust device authentication methods:
  - AWS IoT supports X.509 certificate-based mutual authentication. Devices present a valid X.509 certificate to authenticate themselves, and AWS IoT Core verifies this certificate against its registry of trusted certificates. Similarly, the device verifies that it is connected to the legitimate AWS IoT Core endpoint by validating the server’s certificate.
  - AWS IoT can also integrate with AWS Identity and Access Management (IAM) for additional authentication and authorization mechanisms.
- Secure Communication – Ensure devices communicate with the cloud using approved standards:
  - AWS IoT enforces a minimum of TLS 1.2 for all communications.
  - AWS IoT supports server name indication (SNI) for TLS.
- Authorization – Control what actions a device can take and which services it can interact with:
  - AWS IoT provides policy-based access control mechanisms that define granular permissions for devices, controlling which resources they can access and what actions they can perform.
  - You can also use AWS IoT policies to require specific TLS versions or cipher suites.
- Certificate Management – Ensure only trusted devices and users can access your resources:
  - AWS IoT provides a certificate management service that allows you to create, register, and manage device certificates securely.
  - You can use AWS IoT’s Just-in-Time Registration feature to automatically provision device certificates during the initial connection, reducing the need for pre-provisioned certificates.
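The following is an added example, not code from the original post or from AWS, showing what the mutual TLS and minimum-version recommendations above look like on the device side of an HTTPS publish to AWS IoT Core. It uses only the Python standard library: the TLS context pins TLS 1.2 as the floor, requires and hostname-checks the server certificate, and loads the device's X.509 certificate for mutual authentication; the request builder targets AWS IoT Core's HTTPS publish path, `POST /topics/<topic>?qos=<0|1>` on port 8443. The endpoint, file paths, topic and payload are placeholders, and the sending function needs real credentials, so only the context and request construction are exercised offline.

```python
import http.client
import json
import ssl
from urllib.parse import quote

# Hypothetical values: replace with your own account's data endpoint and the
# certificate/key files provisioned for the device.
IOT_ENDPOINT = "REPLACE-WITH-YOUR-ENDPOINT-ats.iot.us-east-1.amazonaws.com"
HTTPS_PORT = 8443  # AWS IoT Core HTTPS publish port for X.509 client authentication


def build_device_tls_context(ca_path=None, cert_path=None, key_path=None):
    """TLS context a device should use towards AWS IoT Core.

    - TLS 1.2 is the floor; AWS IoT Core rejects older versions anyway, but
      pinning the minimum on the client stops a downgrade before it starts.
    - The server certificate is validated against the trust store (ca_path,
      e.g. the Amazon Root CA) and the hostname must match.
    - When cert_path/key_path are given, the device's X.509 certificate is
      loaded so the connection is mutually authenticated.
    """
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def build_publish_request(topic, payload, qos=1):
    """Build the HTTPS publish call: POST /topics/<topic>?qos=<0|1>.

    Returns (method, path, headers, body) so the request can be inspected
    or tested without a network connection.
    """
    if qos not in (0, 1):
        raise ValueError("AWS IoT Core HTTPS publish supports QoS 0 or 1 only")
    path = f"/topics/{quote(topic, safe='/')}?qos={qos}"
    body = json.dumps(payload).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),
    }
    return "POST", path, headers, body


def publish_over_https(topic, payload, ca_path, cert_path, key_path, qos=1):
    """Send one message with mutual TLS. Needs real credentials; not exercised offline."""
    ctx = build_device_tls_context(ca_path, cert_path, key_path)
    method, path, headers, body = build_publish_request(topic, payload, qos)
    conn = http.client.HTTPSConnection(IOT_ENDPOINT, HTTPS_PORT, context=ctx, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration: show exactly what the device would send.
    method, path, headers, body = build_publish_request(
        "devices/sensor-01/telemetry", {"temperature_c": 21.5}, qos=1)
    print(method, path, headers, body)
```

Keeping the request builder separate from the network call is deliberate: the topic path and QoS can be unit-tested against the policy you intend to attach to the certificate before a device ever connects.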
WebSocket Secure (WSS)
WebSocket Secure (WSS) is a protocol that supports real-time, bidirectional communication between a client and a server over a single, long-lived connection. This connection provides a full-duplex communication channel that allows for efficient data exchange without the overhead of request-response protocols like HTTP. WSS is particularly well-suited for applications that require real-time updates, such as interactive dashboards, control systems, and collaborative tools. While WSS offers high-performance, low-latency communication, it comes with higher power consumption, which makes it more suitable for devices with ample power resources.
Security considerations for WSS
- Authentication – Rely on strong authentication standards:
  - AWS IoT Core supports AWS Signature Version 4 for authentication over WebSockets. This method uses AWS IAM credentials (access key and secret key) to sign requests, ensuring that only authenticated users can establish a connection. This is particularly useful for integrating AWS IoT Core with other AWS services that use IAM-based authentication.
- Authorization – Implement fine-grained policies authorizing connections and specific actions:
  - AWS IoT policies are JSON-based documents that specify the actions that a device or user is allowed to perform. When a device connects via WebSockets, AWS IoT evaluates the attached policy to determine whether the connection and subsequent actions (e.g., publishing, subscribing) are permitted.
  - AWS IoT Core supports custom authorizers that allow you to define your own authorization logic. When using WebSockets, you can use custom headers or tokens to determine whether a device is authorized to connect and perform specific actions. This provides flexibility in integrating with existing security models or third-party authentication systems.
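As an added example (not from the original post or from the AWS SDKs), here is the Signature Version 4 computation behind the WebSocket authentication described above, written with the Python standard library. It builds the presigned `wss://<endpoint>/mqtt` URL that AWS IoT Core accepts: the canonical request, the string to sign, the scoped signing-key derivation, and the final signature. The point worth seeing is that the secret key is only ever used to derive a date-, region- and service-scoped key, and only the resulting signature (plus the access key ID) travels in the URL. The endpoint is a placeholder, the key pair is the placeholder pair AWS uses in its documentation, and the timestamp is fixed so the output is reproducible.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "iotdevicegateway"  # SigV4 service name used by the AWS IoT device gateway

# Constructed inputs for the offline demonstration (placeholders, not real credentials).
EXAMPLE_ENDPOINT = "REPLACE-WITH-YOUR-ENDPOINT-ats.iot.us-east-1.amazonaws.com"
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_TIME = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key schedule: secret -> date -> region -> service -> 'aws4_request'.

    The long-term secret never leaves the device; a derived, scoped key signs
    the request, and only the resulting signature goes on the wire.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def presigned_wss_url(endpoint, region, access_key, secret_key, when, session_token=None):
    """Build the wss://.../mqtt URL used for MQTT over WebSockets with SigV4."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"

    # Query parameters of the signed request, in the sorted order SigV4
    # requires; values are URI-encoded with '/' encoded as well.
    params = [
        ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
        ("X-Amz-Credential", f"{access_key}/{scope}"),
        ("X-Amz-Date", amz_date),
        ("X-Amz-SignedHeaders", "host"),
    ]
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)

    canonical_request = "\n".join([
        "GET",
        "/mqtt",
        query,
        f"host:{endpoint}\n",             # canonical headers block (each line ends in \n)
        "host",                           # signed headers
        hashlib.sha256(b"").hexdigest(),  # hash of the (empty) payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        derive_signing_key(secret_key, date_stamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()

    url = f"wss://{endpoint}/mqtt?{query}&X-Amz-Signature={signature}"
    if session_token:
        # Temporary credentials: the token is appended after signing and is not signed.
        url += "&X-Amz-Security-Token=" + quote(session_token, safe="")
    return url


if __name__ == "__main__":
    print(presigned_wss_url(EXAMPLE_ENDPOINT, "us-east-1",
                            EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_TIME))
```

Because `X-Amz-Date` is part of the signed material, a captured URL is only useful within the short validity window the service applies to SigV4 requests, and because the signed headers include `host`, it cannot be replayed against a different endpoint.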
Message Queuing Telemetry Transport (MQTT)
MQTT is a widely adopted messaging protocol that is lightweight and designed for constrained devices with limited CPU, memory, and power resources. MQTT is scalable and operates on the publish-subscribe model, where devices can publish messages to topics or subscribe to receive messages from specific topics. It supports different Quality of Service (QoS) levels, which allows devices to specify the message delivery guarantee they need, whether at most once, at least once, or exactly once.
MQTT is well-suited for applications where low bandwidth and minimal overhead are essential.
Security considerations for MQTT
- Authentication – Rely on strong authentication standards:
  - AWS IoT supports MQTT over WebSockets, which allows devices to communicate using TLS.
- Authorization – Implement fine-grained policies for topic-based authorization:
  - AWS IoT provides policy-based access control mechanisms that support defining granular permissions for devices, controlling which MQTT topics they can publish or subscribe to.
  - These policies can be used to enforce topic-based authorization and restrict devices to specific topics based on their roles or requirements.
- Broker settings – Configure MQTT broker settings to restrict wildcard subscriptions:
  - AWS IoT Core acts as an MQTT broker and allows configuring various broker settings.
  - You can restrict the use of wildcard subscriptions or enforce specific topic naming conventions through AWS IoT policies.
- Keepalive messages – Properly configure keepalive messages:
  - AWS IoT supports configuring keepalive intervals for MQTT connections. This feature helps detect and close inactive connections, mitigating potential security risks associated with long-lived idle connections.
- QoS levels – Consider the implications of different QoS levels on delivery guarantees and reliability:
  - QoS 0 is a fire-and-forget approach with no delivery guarantees.
  - QoS 1 ensures at-least-once delivery.
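The Authorization and Broker settings items above both come down to the same thing: an AWS IoT policy whose resources are scoped to the connecting thing and whose Deny statements close off wildcard subscriptions. The following added example (not from the original post or from AWS; AWS IoT Core's real evaluator is a service, not this code) is a small local model of that evaluation, so a policy can be reasoned about and tested before it is attached to a certificate. The policy is constructed for the example, the account ID and region in the ARNs are placeholders, and the model deliberately covers only what the section discusses: default deny, `*` wildcards in Action and Resource, explicit Deny winning, and substitution of the `${iot:Connection.Thing.ThingName}` policy variable.

```python
import fnmatch
import json

# Placeholder account and region for the ARNs below.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# Constructed sample policy. A thing may connect only with its own thing name
# as client ID, publish only to its own telemetry topic, and subscribe only to
# its own command topic. The explicit Deny blocks broad wildcard filters even
# if another Allow statement were too generous.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/commands"},
    {"Effect": "Deny", "Action": "iot:Subscribe",
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/#",
                  "arn:aws:iot:us-east-1:123456789012:topicfilter/+/*",
                  "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/#"]}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, thing_name, action, resource_arn):
    """Simplified local model of AWS IoT policy evaluation.

    Default deny; a matching Allow grants; any matching Deny wins.
    '*' in Action/Resource is a wildcard, and the thing-name policy variable
    is substituted from the connection. (The real service also supports other
    policy variables and Condition blocks, which this model leaves out.)
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for pattern in _as_list(stmt["Resource"]):
            pattern = pattern.replace(THING_VAR, thing_name)
            if fnmatch.fnmatchcase(resource_arn, pattern):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def can_connect(policy, thing_name, client_id):
    return evaluate(policy, thing_name, "iot:Connect", f"{ARN_PREFIX}:client/{client_id}") == "Allow"


def can_publish(policy, thing_name, topic):
    return evaluate(policy, thing_name, "iot:Publish", f"{ARN_PREFIX}:topic/{topic}") == "Allow"


def can_subscribe(policy, thing_name, topic_filter):
    # The requested filter is matched literally against topicfilter/ resources:
    # '+' and '#' are ordinary characters here, not MQTT wildcards, which is
    # exactly what lets a policy refuse them.
    return evaluate(policy, thing_name, "iot:Subscribe", f"{ARN_PREFIX}:topicfilter/{topic_filter}") == "Allow"


if __name__ == "__main__":
    for flt in ["devices/sensor-01/commands", "#", "devices/#", "devices/+/commands"]:
        verdict = "allow" if can_subscribe(SAMPLE_POLICY, "sensor-01", flt) else "deny"
        print(f"sensor-01 subscribe {flt!r}: {verdict}")
```

The useful habit this encodes is pairing every per-thing Allow with a Deny on the wildcard filters, so a later, broader Allow (added for a debugging session, say) cannot silently reopen `#`.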
Long Range Wide Area Network (LoRaWAN)
LoRaWAN is a wireless IoT protocol that excels in long-range, low-power communication. It is widely used in applications such as smart cities, agriculture, and industrial monitoring, where devices need to transmit data over substantial distances while conserving energy. Its star-of-stars topology and low power consumption make it an ideal choice for battery-operated devices, such as sensors and actuators, with infrequent data transmission requirements.
Security considerations for LoRaWAN
- Network Server Security – AWS IoT Core for LoRaWAN:
  - AWS IoT Core for LoRaWAN is a managed service that acts as a LoRaWAN Network Server, handling the LoRaWAN protocol and managing device connections, while benefiting from the security measures and best practices implemented by AWS, such as physical security, network security, and data encryption.
- Device Authentication – Understand which devices are connected and track their status:
  - AWS IoT Core for LoRaWAN supports unique device authentication using LoRaWAN device addresses and encryption keys. You can provision and manage these device identities and keys through AWS IoT Core, ensuring each device has a unique set of credentials.
  - AWS IoT Core for LoRaWAN also supports over-the-air activation (OTAA) for device onboarding and key exchange.
- Secure Communication – Embrace strong encryption with AWS features:
  - LoRaWAN devices typically encrypt data at the device level using application session keys.
  - AWS IoT Core for LoRaWAN supports end-to-end encryption by forwarding encrypted data from the devices to your application server or AWS services like AWS Lambda or Amazon Kinesis.
- Gateway Security – Protect your gateways:
  - AWS IoT Core for LoRaWAN integrates with third-party LoRaWAN gateways, which bridge LoRaWAN devices to the network server. While AWS does not directly manage these gateways, you can implement security measures like secure gateway configuration, access control, and encrypted communication between gateways and AWS IoT Core for LoRaWAN.
Conclusion
Choosing the right IoT protocol is a critical decision that can significantly impact the performance, security, and scalability of your IoT deployment. By understanding the nuances of each protocol, their communication types, power consumption, and security considerations, you can make informed choices tailored to your specific use case. Remember, while protocols may differ, adhering to best practices for security is essential to protect your IoT communication.
Start securing your IoT workloads and their applications today by adopting the AWS IoT services.