Securing API Route for use with IoT devices

Hey, what would people's recommendations be for securing my Next.js API for use with IoT devices? Previously I would use a JWT or OAuth to secure them, but I'm not really sure if this would suit an IoT device. Essentially my device needs to be able to connect and then send some telemetry data over HTTPS, and will do this at random intervals. Currently I am generating a cryptographically secure GUUID on the microcontroller using the hardware RNG, storing this in memory and sending this UUID up as the authorization token; the API then checks if the token exists in the DB and, if it doesn't, ignores the request (I eventually want to add a way to block IPs if they keep spamming the API). However, I don't believe this to be secure in the long run.
10 Replies
Unknown User · 2y ago
Message Not Public
WOLFLEADER · 2y ago
Hey, so I'm planning on having the setup for the IoT device be fairly simple: connect to it via Bluetooth on my React Native mobile app and register the device. During this the device's GUUID is sent to the app, and I am planning on also registering the device's MAC address and IP (it's a SIM module, so the IP should be static), which registers it in my DB. My only concern with this is a man in the middle during registration? Or if someone was to somehow spoof another user's GUUID (I know, pretty unlikely given it's 128 bits). Once the device is set up it should run autonomously without user interaction, thus I don't believe OAuth and all that would work, as it would require re-logging in etc. In my authorization header I could just have a base64-encoded string that is GUUID, MAC, IP, but I think a GUUID should be fine for now.
Unknown User · 2y ago
Message Not Public
WOLFLEADER · 2y ago
Yeah, OAuth is definitely overkill. Alright, cheers, I'll look into that. The only concern I have is I basically need instant connection and don't want to waste too much time with tokens, but it's only 2 extra requests on startup so it shouldn't be an issue. Tokens will need to last quite a while; the device will go into sleep mode for up to 24 hours at a time, maybe even longer.
Unknown User · 2y ago
Message Not Public
WOLFLEADER · 2y ago
Hmm, ok, alright, cheers, definitely something to consider. And yeah, the only way the UUID would be an issue atm would be if someone was to listen to traffic on device setup.
Unknown User · 2y ago
Message Not Public
WOLFLEADER · 2y ago
Yeah, for now while testing I think using the UUID is fine, but I will definitely try implementing this approach.
Unknown User · 2y ago
Message Not Public
WOLFLEADER · 2y ago
🙏 cheers