Remote Access to IoT Devices: Common Needs and Approaches
Eystein Måløy Stenberg
December 2nd, 2021
Eystein Stenberg Dec. 2nd, 2021
About me
● Eystein Stenberg
  ○ Co-founder of Mender.io
  ○ 10 years in systems security management
  ○ M. Sc., Computer Science, Cryptography
● Mender.io
  ○ Remote software management for connected devices (OTA updates)
  ○ Open source core (ASLv2)
  ○ Add-ons for device management use cases
Motivation
● Remote access is a common need in IoT
● Mender recently researched user needs and technology
  ○ 30+ interviews + surveys
● Share findings to save you time and pain in the future
Agenda
● What is Remote access?
● Requirements for Remote access in IoT
● Solutions and comparison of technologies
Has this ever happened to you?
Dialogue between Vendor and Customer:
Customer: Your product doesn’t work!
Vendor: Hmm.. What is wrong?
Customer: The UI hangs!
Vendor: It works for me. Did you follow the documentation?
Customer: Yes!
Vendor: Hmm.. Can you run this and email it to me? “tar cvzf /var/… ps auxw | grep … telnet ..”..
Customer: What??
...
Downtime, with increasing:
- Time / cost of support
- Customer dissatisfaction
Remote access is used to
● Troubleshoot & hotfix issues surfacing from:
  ○ Customer support
  ○ Monitoring / Alerts
● Make ad-hoc changes to development / pilot environments
● Typically about a single device at a time
  ○ You already know which device needs attention
Remote access is part of Device Management
● Monitor: “Detect and analyze health issues of devices, services and applications.”
● Remote access: “Resolve [support] issues real-time, in a secure way.”
● Configure: “Customize each device to its environment.”
● OTA/Software updates: “Quickly and safely improve product.”
Agenda
● What is Remote access?
● Requirements for Remote access in IoT
● Solutions and comparison of technologies
Typical Remote access use cases
● Restart application / device
● Run diagnostics tools (e.g. debuggers)
● Analyze application / system log file
● Access local services on device
  ○ “Device admin portal” (like your WiFi router)
  ○ Test connectivity / responses as seen from device
Capabilities these use cases map to: Terminal, File transfer, Port forward
Remote access requirements: Use cases
1. Terminal
2. File transfer
   a. Bidirectionally
3. Port forward
The analogy to ssh and scp in cloud infrastructure
● Well understood use cases, very feature rich
● Cover all the use cases:
  ○ Terminal: ssh
  ○ File transfer: scp
  ○ Port forward: ssh
The IoT environment
● Remote
  ○ Expensive to reach physically
● Long expected lifetime
  ○ 5 - 10 years
→ Remote access becomes more important
● Unreliable network
  ○ Intermittent connectivity
  ○ Only outbound connections
  ○ Insecure
  ○ Low bandwidth
● Unreliable power
  ○ Battery
  ○ Suddenly unplugged
→ Remote access becomes difficult
Remote access requirements: Network
1. Only outbound connections (from device)
   ○ (for connectivity)
2. Secure end-to-end
   ○ Authenticated and encrypted
   ○ Bi-directionally
   ○ Zero open ports on device
3. Low network overhead
One more problem: Remote access grants wide control
Dialogue between Vendor and Customer:
Customer: Your product doesn’t work!
Vendor: Hmm.. What is wrong?
Customer: The UI hangs!
Vendor: OK, let me look into this for you with remote access.
Vendor: Oooh, lots of credit card numbers here… Maybe I can copy those, just in case...
Remote access requirements: Operator security
1. Audit logs
   ○ Who did what, when & to which device?
   ○ Terminal session log
2. Approval of access on demand (not “always on”)
3. Role Based Access Control (not “all users, all devices”)
4. Device-side user restrictions (not “root”)
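The four operator-security requirements above can be enforced at a single decision point on the server side. The following is an added example (not code from the talk or from Mender) of such a check: it applies role-based access (which operator may use which capability on which device), requires a time-limited on-demand approval instead of standing access, and records every decision as an audit entry answering "who did what, when and to which device". The policy model, operator and device names are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Role lists the devices an operator may reach and the actions ("terminal",
// "file-transfer", "port-forward") they may run. Constructed model, not Mender's.
type Role struct{ Devices, Actions map[string]bool }

type AuditEntry struct { // answers "who did what, when & to which device?"
	When                             time.Time
	Operator, Device, Action, Result string // Result is "allowed" or "denied: <reason>"
}

type Policy struct {
	Roles     map[string]Role      // operator -> role
	Approvals map[string]time.Time // "operator@device" -> expiry of on-demand approval
	AuditLog  []AuditEntry
}

// Authorize decides whether operator may run action on device at time now and
// appends every decision, allowed or denied with its reason, to the audit log.
func (p *Policy) Authorize(operator, device, action string, now time.Time) error {
	role, hasRole := p.Roles[operator]
	exp, approved := p.Approvals[operator+"@"+device]
	var err error
	switch {
	case !hasRole:
		err = fmt.Errorf("%s has no role", operator)
	case !role.Actions[action]:
		err = fmt.Errorf("role of %s does not permit %s", operator, action)
	case !role.Devices[device]:
		err = fmt.Errorf("role of %s does not cover device %s", operator, device)
	case !approved || !now.Before(exp): // approval is on demand and time-limited, never "always on"
		err = fmt.Errorf("no valid access approval for %s on %s", operator, device)
	}
	result := "allowed"
	if err != nil {
		result = "denied: " + err.Error()
	}
	p.AuditLog = append(p.AuditLog, AuditEntry{now, operator, device, action, result})
	return err
}

func main() {
	now := time.Date(2021, 12, 2, 10, 0, 0, 0, time.UTC)
	p := &Policy{ // constructed sample: alice may open a terminal on dev-001 for one hour
		Roles:     map[string]Role{"alice": {map[string]bool{"dev-001": true}, map[string]bool{"terminal": true}}},
		Approvals: map[string]time.Time{"alice@dev-001": now.Add(time.Hour)},
	}
	fmt.Println(p.Authorize("alice", "dev-001", "terminal", now))                  // <nil>
	fmt.Println(p.Authorize("alice", "dev-001", "terminal", now.Add(2*time.Hour))) // denied: approval expired
}
```

Note that denials are logged as well as successes, so the audit trail also shows attempted access outside an operator's role or approval window.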
Summary of requirements for Remote access in IoT
Use cases: ● Terminal ● File transfer ● Port forward
Operator security: ● Audit logs ● Access approval ● RBAC ● Device-side restrictions
Network: ● Outbound connections ● End-to-end secure ● Low bandwidth
Agenda
● What is Remote access?
● Requirements for Remote access in IoT
● Solutions and comparison of technologies
Narrow the options: Two most restrictive requirements
Use cases: ● Terminal ● File transfer ● Port forward
Operator security: ● Audit logs ● Access approval ● RBAC ● Device-side restrictions
Network: ● Outbound connections ● End-to-end secure ● Low bandwidth
How to access the terminal on a device having only outbound connections?
User interviews - how is terminal access provided today?
Option 1: VPN
● Allows for inbound connections on overlay network
  ○ I.e. eliminates the “outbound connections” requirement
● Used heavily in cloud & desktop environments
● Several open source implementations
  ○ Wireguard
  ○ OpenVPN
Option 2: Reverse SSH
● Exposes a port on a public server for access to a specific device
● Compared to VPN
  ○ Easier to set up
  ○ Harder to maintain
Would only use in PoC / Pilot
Option 3: Raw socket
● Persistent TCP connection initiated from device
● Server side keeps connections alive and lets users use them as needed for terminal access
● Must go through a secure channel
  ○ TLS
● Custom, homegrown implementation
Would not do this today because <NEXT SLIDE>
Option 4: WebSocket
● Specified in 2011 (IETF)
  ○ Wide client & server support
● Built on HTTPS (“Connection upgrade”)
  ○ Bi-directional & full duplex
  ○ Traverses firewalls more easily
  ○ Support for HTTP proxy & reverse proxies
● Takes care of connection management
  ○ Health check
  ○ Keepalive
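The “Connection upgrade” is what lets a device with only outbound connectivity obtain a bi-directional channel: it sends an ordinary HTTPS GET, and the server answers 101 Switching Protocols on the same TLS connection. The following is an added example (not code from the talk or from Mender) of the server-side handshake check using only the Go standard library: it validates the upgrade headers and derives Sec-WebSocket-Accept from the client nonce as RFC 6455 specifies. The request URL and headers are constructed; the key is the example nonce from the RFC.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// wsGUID is the fixed string RFC 6455 appends to the client's key before hashing.
const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// acceptKey derives Sec-WebSocket-Accept from Sec-WebSocket-Key, proving to the
// client that the peer it reached speaks WebSocket rather than plain HTTP.
func acceptKey(clientKey string) string {
	sum := sha1.Sum([]byte(clientKey + wsGUID))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkUpgrade validates the opening handshake (an ordinary HTTPS GET asking to switch
// protocols, so it passes firewalls and proxies like any web request) and returns the
// headers for the 101 Switching Protocols response.
func checkUpgrade(r *http.Request) (http.Header, error) {
	conn := strings.ToLower(strings.Join(r.Header.Values("Connection"), ","))
	if r.Method != http.MethodGet || !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") ||
		!strings.Contains(conn, "upgrade") || r.Header.Get("Sec-WebSocket-Version") != "13" {
		return nil, fmt.Errorf("not a version-13 WebSocket upgrade request")
	}
	key := r.Header.Get("Sec-WebSocket-Key")
	if raw, err := base64.StdEncoding.DecodeString(key); err != nil || len(raw) != 16 {
		return nil, fmt.Errorf("Sec-WebSocket-Key must be a base64-encoded 16-byte nonce")
	}
	h := http.Header{}
	h.Set("Upgrade", "websocket")
	h.Set("Connection", "Upgrade")
	h.Set("Sec-WebSocket-Accept", acceptKey(key))
	return h, nil // after the 101 response the same TCP/TLS connection carries WebSocket frames
}

func main() {
	// Constructed device-side handshake; the key is the example nonce from RFC 6455.
	req, _ := http.NewRequest(http.MethodGet, "https://example.invalid/connect", nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "keep-alive, Upgrade")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
	h, err := checkUpgrade(req)
	fmt.Println(h.Get("Sec-WebSocket-Accept"), err) // s3pPLMBiTxaQ9kYGzzhZRbK+xOo= <nil>
}
```

Device authentication (who is allowed to open the channel) is a separate step that happens before or alongside this handshake; the upgrade itself only establishes the transport.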
Option 5: Off-the-shelf solutions
● Generally good use case coverage
● …typically covers more than these use cases as well
● Some examples
  ○ Remote.it (Proprietary SaaS, $72 / user year)
  ○ Mender Troubleshoot add-on package (Open source core)
  ○ Many more...
What about MQTT?
● From mqtt.org:
  ○ “MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT).”
  ○ “It is designed as an extremely lightweight publish/subscribe messaging transport that is ideal for connecting remote devices with a small code footprint and minimal network bandwidth.”
● MQTT is a messaging and pub/sub protocol, WebSocket is a transport.
  ○ Do you need pub/sub for Terminal?
Now, take a step back...
Use cases: ● Terminal ● File transfer ● Port forward
Operator security: ● Audit logs ● Access approval ● RBAC ● Device-side restrictions
Network: ● Outbound connections ● End-to-end secure ● Low bandwidth
What about the rest of the requirements?
What are the remaining options?
1. VPN
2. Reverse SSH
3. Raw socket
4. WebSocket
5. Off-the-shelf
VPN + SSH
Assessment per requirement (the slide's rating icons were not captured; only the notes survive):
● Terminal
● File Transfer
● Port forward
● Outbound connections
● End-to-end secure: Open port on device, more credential mng.
● Low bandwidth: Tunnel in tunnel (+higher infra complexity)
● Audit logs: Can be built on top, but need to auth. user.
● Access approval
● RBAC: Very difficult to build on top
● Device-side restrictions: Only use restricted user account (AllowUsers)
WebSocket based (used in Mender Troubleshoot)
Assessment per requirement (the slide's rating icons were not captured; only the notes survive):
● Terminal
● File Transfer
● Port forward
● Outbound connections
● End-to-end secure: Zero open ports, using Mender OTA creds.
● Low bandwidth: Simple character piping via WebSocket
● Audit logs: Available in commercial version
● Access approval
● RBAC: Available in commercial version
● Device-side restrictions: Can configure which user to use on device
Example WebSocket-based architecture (used in Mender)
Labels from the architecture diagram (the diagram itself was not captured):
● Server: API Gateway (Traefik), Device Authentication, Device Connect, Message Queue (NATS), User Authentication, Audit logging
● Connections: https; WebSocket (Outbound https + Upgrade)
● User side: Web UI, Laptop, Connect
Do you have infrastructure on your device you can reuse?
● VPN connection?
  ○ Can add SSHd
  ○ NB! Open ports (to where?) and credentials used (shared?).
● MQTT (over TLS)?
  ○ Can build Terminal on top (not sure about Port forwarding)
● TLS keys?
  ○ WebSocket, or off-the-shelf solution
● Nothing?
  ○ Off-the-shelf solution
Reuse an existing solution for Remote access
● Building & maintaining Remote access takes more time than you think
● Consider infrastructure already in place on your devices
● Consider an off-the-shelf solution built for IoT
● Focus on developing your product instead
Thank You
Q & A