An Internet of Things (IoT) Virtual Private Network (VPN) brings enterprise-level network security to a famously insecure networking approach (let’s remember: the S in IoT stands for security) with reliable authentication and end-to-end encryption.
An IoT VPN provides a private communications network “overlaid” on a public network like the Internet, safe from prying eyes. A VPN’s flows of data use the same infrastructure – and often the same communications protocols – but the bits travel through opaque “tunnels”. Anyone on the path can see that encrypted traffic is flowing between two endpoints, but not what it carries or which device inside the tunnel it belongs to.
That said, there’s more than one flavor of VPN for IoT. And more than one way to implement them – with some methods better than others for the specific demands of IoT devices.
In this article, you’ll build an understanding of how IoT VPNs work and what to consider as you roll out your own IoT devices and applications.
What are IoT VPNs?
First, don’t confuse IoT network security with the VPN apps people install on laptops and phones, whether for remote access to a business network, for added privacy when surfing the internet, or to appear to be in another country to watch live rugby streams, for example.
Consumer VPNs and IoT VPNs have topline capabilities in common, but there are differences in the detail.
Here’s what IoT VPNs do in brief:
- When an IoT device sends or receives data, a VPN encrypts that data for security
- The VPN authenticates each device, making sure it’s approved for the connection
- When engineers or other humans need access to the device, the VPN secures that access path too
- VPNs help contain the blast radius of a breach: put clusters of devices in separate VPNs and a compromise in one cluster cannot reach the others
But in contrast to the bandwidth-heavy applications of a roaming office worker, IoT VPNs work well with low-power, small-scale, single-purpose devices (like temperature sensors, humidity monitors, and asset trackers). And if you’re designing IoT devices for massive deployments, you probably have a requirement to keep your product small and low-powered – so IoT cybersecurity often takes place off the device.
While consumer VPNs are generally used over a fast WiFi connection, VPNs for IoT are often connected via mobile networks like 2G, 3G, 4G, 5G, NB-IoT, and LTE-M. Bandwidth on these networks is lower – and patchier. If a mobile connection drops, the device needs to reconnect without a hole appearing that a bad actor could squeeze through: the tunnel must fail closed, with no fallback to sending data in the clear while it is being re-established. The same applies if the device powers down by design, or switches mobile networks as it moves around. Which means IoT VPNs generally need to happen at a lower level of the OSI model than the application layer, where the network can re-establish the tunnel without the application on the device being involved.
The OSI model:
7 – Application Layer
6 – Presentation Layer
5 – Session Layer
4 – Transport Layer
3 – Network Layer
2 – Data Link Layer
1 – Physical Layer
So that’s VPN for IoT in essence: encrypting, authenticating, accessing, and de-risking. So far, so sensible.
Why are IoT VPNs important?
Look at a single IoT device – a sensor in an agribusiness polytunnel, or a lightswitch in an industrial warehouse – and you might question why privacy matters. But together with the millions of other data points from other IoT devices, over time, that dataset represents confidential business information that you don’t want to see in the wild.
So the first concern is all business: private data should stay private.
But safety and privacy aren’t the same – and another plus is safety of the device. Every internet-connected device has an IP address, and a device that is reachable on a public IP address is a target: anyone scanning the internet for exposed services will find it. (Think of botnets, which recruit exposed devices exactly this way and can then be turned on other devices to flood their connectivity.) Inside a VPN, a device has only a private address on the virtual network, so it is not reachable from the public internet at all; that removes most of its attack surface.
That protection only holds if the tunnel covers the whole path, with no segment where the device’s traffic is exposed. And it does nothing against an attacker who can simply log in. Perhaps because IoT devices are often not treated as personal property, it’s common to see administrator passwords for technician access unchanged from factory defaults; default credentials are the oldest way into a device, and they remain a big thing in IoT. A VPN helps here only if technician access is itself routed through the VPN, and the default password should be changed regardless.
Scale is another reason to provide the VPN as a network service rather than as an app on each device. Securing thousands of connections one by one is painful; when the network itself places each device into the virtual network as it connects, the fleet can grow without the security effort scaling with it.
But there’s a final positive that’s a must-have for any growing business: legal compliance. IoT devices cross borders; a single company may have to look after devices spread worldwide. A secure IoT VPN helps meet many of the obligations for protecting data in transit around the world, with a single solution.
So that’s our ideal case: authentication that stops impersonation and man-in-the-middle attacks, end-to-end encryption without leaving gaps for snooping and spoofing, and private addressing that keeps your IoT network ghostlike to everybody outside your organization.
How do IoT VPNs work?
A VPN tunnel for IoT is a secure pathway through the internet that protects data as it is transmitted between IoT devices and the cloud or systems that process IoT data. The tunnel is built with cryptography: the endpoints prove who they are, agree on keys, and then encrypt and authenticate every packet that passes through.

In brief, public key cryptography (PKC), a method that’s been around since the 1970s, gives each party a pair of mathematically linked keys: a public key that can be shared freely and a private key that never leaves its owner. What one key locks, only the other unlocks, so data encrypted to a device’s public key can be read only with that device’s private key, and a signature made with the private key can be checked by anyone holding the public key. In a VPN, public key cryptography does two jobs: it authenticates the endpoints (a device proves it holds the private key matching its certificate) and it lets the two ends agree on a fresh symmetric session key. The data itself is then encrypted with a fast symmetric cipher such as AES under that session key.
(We’ll spare you the details, but the security rests on problems that are easy in one direction and infeasible in the other. In RSA, multiplying two large prime numbers together is easy, while working back from the product to the primes – as anyone without the keys would need to do – is hard; the elliptic-curve schemes most modern VPNs use rely on a different but equally one-way problem.)
Potential trouble:
- If the VPN is separate from the device, there’s a segment where the data is unencrypted between device and VPN – a security hole if done incorrectly.
- If every device uses the same encryption key, a successful attack on one device opens up access to all. Again, not good.
- If the same key is used for an extended period, a growing volume of traffic depends on it: one compromise exposes everything ever sent under that key, and an attacker has an open-ended window to work on it. (Brute-forcing a modern 256-bit key is not the realistic worry; the amount of traffic exposed by a single leaked key is.) Far from ideal.
So truly secure IoT devices and maximum IoT cybersecurity means end-to-end security, with no gap between device and VPN. It means a different key for each device, to limit the value of an attack. And it means regular key changes to make life ever more difficult for the black hats while making it easier for the white variety to get their jobs done.
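To make the key-handling points above concrete (one key per device, session keys agreed rather than shipped, regular rekeying), here is an added example in Go. It is not Onomondo’s code and not the internals of OpenVPN or IPsec; it is a constructed per-device tunnel in which an X25519 key agreement gives each device its own AES-256-GCM key, the key rotates after a fixed message budget (set absurdly low so the rotation is visible), and the receiver rejects replayed packets and packets from a different device’s session. The device names, sample readings, wire format and the HMAC-based key derivation are all assumptions made for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const rekeyAfter = 2 // messages sent under one key before rotating; tiny here so the rotation is visible
const headerLen = 12 // wire header: 4-byte key epoch + 8-byte sequence number; it doubles as the GCM nonce

// Endpoint is one side of a per-device tunnel. Both ends derive the same AES key from X25519, so no symmetric key crosses the wire.
type Endpoint struct {
	deviceID             string
	shared               []byte // X25519 shared secret, kept only to derive later epochs
	sendAEAD, recvAEAD   cipher.AEAD
	sendEpoch, recvEpoch uint32
	sendSeq, recvNext    uint64 // next sequence number to send / lowest still acceptable to receive
}

func must[T any](v T, err error) T { // for errors that cannot occur with this example's fixed inputs
	if err != nil {
		panic(err)
	}
	return v
}

// keyFor: AES-256-GCM key for one epoch = HMAC-SHA256(shared, label||deviceID||epoch), a one-block HKDF-Expand (illustrative, not a standard KDF).
func (e *Endpoint) keyFor(epoch uint32) cipher.AEAD {
	mac := hmac.New(sha256.New, e.shared)
	mac.Write([]byte("iot-vpn-session:" + e.deviceID))
	mac.Write(binary.BigEndian.AppendUint32(nil, epoch))
	return must(cipher.NewGCM(must(aes.NewCipher(mac.Sum(nil)))))
}

// NewEndpoint runs the key agreement and installs epoch 0 in both directions.
func NewEndpoint(deviceID string, own *ecdh.PrivateKey, peer *ecdh.PublicKey) *Endpoint {
	e := &Endpoint{deviceID: deviceID, shared: must(own.ECDH(peer))} // ECDH fails only for a degenerate peer key
	e.sendAEAD, e.recvAEAD = e.keyFor(0), e.keyFor(0)
	return e
}

// Seal encrypts one reading, moving to the next key epoch once rekeyAfter messages have used the current one.
func (e *Endpoint) Seal(plaintext []byte) []byte {
	if e.sendSeq >= rekeyAfter {
		e.sendAEAD, e.sendEpoch, e.sendSeq = e.keyFor(e.sendEpoch+1), e.sendEpoch+1, 0
	}
	header := binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, e.sendEpoch), e.sendSeq)
	e.sendSeq++
	out := append(make([]byte, 0, headerLen+len(plaintext)+e.sendAEAD.Overhead()), header...)
	return e.sendAEAD.Seal(out, header, plaintext, header) // header is both the nonce and authenticated data
}

// Open authenticates and decrypts one message, rejecting stale epochs and replays; state advances only after the tag verifies.
func (e *Endpoint) Open(msg []byte) ([]byte, error) {
	if len(msg) < headerLen {
		return nil, errors.New("short message")
	}
	header := msg[:headerLen]
	epoch, seq := binary.BigEndian.Uint32(header[:4]), binary.BigEndian.Uint64(header[4:])
	if epoch < e.recvEpoch || epoch == e.recvEpoch && seq < e.recvNext {
		return nil, errors.New("stale, replayed or out-of-order packet")
	}
	aead := e.recvAEAD
	if epoch > e.recvEpoch { // the peer rekeyed: derive the same new key locally
		aead = e.keyFor(epoch)
	}
	plaintext, err := aead.Open(nil, header, msg[headerLen:], header)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	e.recvAEAD, e.recvEpoch, e.recvNext = aead, epoch, seq+1
	return plaintext, nil
}

// RunScenario: five constructed readings from device A (forcing two rekeys), then a replay, then device B's session tries the same packet.
func RunScenario() (decrypted []string, epoch uint32, replayRejected, otherDeviceRejected bool) {
	gen := func() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
	devA, devB, srv := gen(), gen(), gen()
	a := NewEndpoint("sensor-0017", devA, srv.PublicKey())
	srvA := NewEndpoint("sensor-0017", srv, devA.PublicKey())
	srvB := NewEndpoint("sensor-0042", srv, devB.PublicKey())
	var last []byte
	for _, r := range []string{"temp=21.4", "temp=21.5", "temp=21.9", "temp=22.3", "temp=22.8"} {
		last = a.Seal([]byte(r))
		decrypted = append(decrypted, string(must(srvA.Open(last))))
	}
	_, replayErr := srvA.Open(last) // the same packet a second time
	_, otherErr := srvB.Open(last)  // another device's session cannot read it
	return decrypted, srvA.recvEpoch, replayErr != nil, otherErr != nil
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints the five decrypted readings, the key epoch reached (2, because the budget of two messages per key forces two rotations), and true for both rejections. In a real tunnel the budget is large and time-based as well as count-based, the key schedule is HKDF or the one defined by IKEv2 or TLS, and the peer’s public key is tied to a certificate, which is what stops an attacker substituting their own key pair into the agreement.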
Options for your IoT VPN
Onomondo offers both OpenVPN and IPsec as IoT VPN options to its users.
The difference, at least in how we use them, is that OpenVPN connects a single endpoint to a network (e.g. a laptop to Onomondo SIMs), whereas IPsec connects one network to another (e.g. a customer datacenter to our SIMs).
OpenVPN: trusted, flexible, and rightsized for IoT
This is an open source protocol and implementation for building VPNs, which means its code is open for inspection and improvement, and it has been widely deployed and scrutinised for years. There’s a choice of ciphers; most deployments today use AES with a 256-bit key in preference to 128-bit, although 128-bit AES is still considered secure and is lighter on a constrained device.
Importantly, as a service provided from the cloud, it works wherever your devices have connectivity, encrypting data between the network your devices sit on and your own systems, and authenticating each endpoint automatically with its own digital certificate rather than a shared secret. There is no point between the network and your endpoint where your data is exposed to the world. (The radio leg between the device and the mobile network is covered by the cellular network’s own encryption; if your threat model requires protection that does not depend on the carrier, add TLS at the application layer as well.)
It’s also highly flexible. You can set up a single VPN for all your devices, or separate them into clusters, or even connect different networks of devices together for easier management. And if IP addresses overlap (this happens more and more, as billions of new devices “exhaust” the pool of available IPv4 addresses) it’s not a problem; addresses on the virtual network are private, and the same range can be reused on separate VPNs.
IPsec: well established and working at the network layer
Another protocol for IoT security is IPsec, a suite that secures traffic at the network layer (layer 3) rather than on top of a transport connection the way TLS does. (A note on terminology: the Secure Sockets Layer, SSL, used for years on the broader web was superseded by TLS, which is also what OpenVPN builds on; IPsec is a separate design, not a replacement for either.) IPsec adds an authentication header or an encapsulating security payload to each packet at source; the IKE protocol negotiates keys between the two peers, authenticates them, and rekeys on a schedule.
IPsec lets you choose the cipher (for confidentiality) and the integrity algorithm (an HMAC, for tamper detection) separately, giving you a choice of strengths. It also has two modes: tunnel mode, which encrypts the whole original packet, IP header included, and wraps it in a new one (the usual choice for a network-to-network VPN), and transport mode, which encrypts only the payload and leaves the original IP header visible, useful where intermediate equipment needs to read it.
OpenVPN and IPsec, however, are different designs. And they’re useful for different purposes. That’s why network providers like Onomondo offer both.
VPN security: make the right choice
And that’s VPNs for IoT. The options can seem overwhelming. But if you focus on the basics – VPN as a service off the device, end-to-end encryption of data, key management and renewal, and policies for what devices appear in which VPN – you’ve got everything you need to make decisions about your IoT private network and IoT data protection that are right for your business.