We explore TCP tunneling and why it is an important concept for modern IoT, especially in terms of enabling IoT device security.
We’ve all seen the classic movie scene. Police have tracked the bad guy’s phone call and they are ready to burst into the room. Guns ready and tension high, law enforcement breaks down the door – only to find two phones connected, microphone-to-speaker and speaker-to-microphone, relaying the criminal’s demands.
Not only is this a classic film trope, it is also a simple illustration of TCP tunneling: two separate connections, with something in the middle relaying between them so that each end believes it is talking directly to the other. Let’s explore what this is and why it is an important concept for modern IoT.
Back to basics
Let’s take a step back and explain what is happening here. Most services on the internet use Transmission Control Protocol (TCP) connections to communicate between client and server programs. A TCP connection is like a telephone call in the sense that once the “call” is connected, either side can speak into its microphone (the input channel) and activate the speaker at the other end (the output channel), and the same holds in the opposite direction: the connection carries a reliable, ordered byte stream both ways.
To complete the phone analogy, a TCP connection is addressed like a call to an extension. The IP address is the server’s phone number, and the port is the extension that selects the right program on that server. For example, when someone requests a webpage, the browser opens a TCP connection to the IP address of the webserver on the HTTP port (typically 80, or 443 for HTTPS). The browser then “speaks” into the TCP “microphone” to request a specific page, and the request arrives at the webserver’s “speaker.” The webserver locates the page and transmits it back for the browser to “hear,” that is, to render for the user. Simple, right? This is why TCP is used in so many client/server applications to request and receive data.
The connection problem with firewalls
But there’s a catch. Say you want to build a client/server application for IoT, something like a smartphone app (client) that connects to an IoT device (server). Unfortunately, achieving this is easier said than done.
Why? If the smartphone and the IoT device are on the same local area network, for instance the same Wi-Fi, there is no problem: the smartphone only needs to find the IP address of the IoT device and open a connection to it. But this is not all that useful, because if you are in the same building as your IoT device, you can simply walk over to the device and interact with it.
On the other hand, if you are operating remotely, your smartphone (and you) will be outside your local area network, and establishing a connection is harder, since the NAT and firewall in your home router drop unsolicited inbound connections from the internet. You could of course open up your firewall with a port-forwarding rule, or place your IoT device outside the firewall on a publicly accessible IP address. Neither is recommended: the device’s listening port would then be reachable by the entire internet, including the automated scanners that continuously probe public addresses, and any weakness in its firmware or its login becomes remotely exploitable.
Finding the way through with TCP tunneling
The question for IoT developers then becomes: how do we make it possible to connect through the firewall to the outside world, and how do we do so safely? The answer to both questions is TCP tunneling with an embedded relay. The key observation is that a firewall which blocks inbound connections almost always permits outbound ones, so the device never has to accept a connection from the internet: both the device and the client connect out to the relay, and the relay pairs the two connections. The device remains behind its firewall, and because a relay sits in the middle, the traffic on the public leg can be encrypted and authenticated as an extra precaution.
TCP tunneling works by running a small program on the client side, the tunnel-receiver, which listens for local TCP connections. When a local client connects to it, the tunnel-receiver reaches out, via the relay, to the tunnel-dispatcher, a program running on the IoT device. Once the tunnel-dispatcher receives such a “reach-out,” it creates a TCP connection to the application on the IoT device, and from then on the tunnel-receiver and tunnel-dispatcher receive and forward data between the two connections in both directions. To the TCP client it looks as if the server is running locally, and to the server application on the device it looks as if a client has connected locally.
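The flow described above, as an added example (this is not Nabto’s code and not part of the original article): all four roles run on loopback in plain Python so that it can be executed offline. The device identifier `cam-01`, the one-line text handshake (`DEVICE <id>`, `CLIENT <id>`, and the relay’s `GO` reply), the 5-second pairing timeout and the upper-casing “application” are assumptions of this demo, not a real protocol. The relay parks the device’s outbound connection, pairs it with the next client connection that names the same id, and after that every component does nothing but copy bytes.

```python
import contextlib
import socket
import threading

DEVICE_ID = b"cam-01"  # constructed identifier that pairs the two tunnel ends (demo assumption)
cond = threading.Condition()
waiting = {}           # relay state: device id -> parked outbound connection from that device

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates along the tunnel."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def splice(a, b):
    """Forward in both directions between two connected sockets, then close both."""
    t = threading.Thread(target=pump, args=(b, a), daemon=True)
    t.start()
    pump(a, b)
    t.join()
    a.close()
    b.close()

def readline(sock):
    """Handshake line, read byte-wise so the payload that follows it is not swallowed."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf[:-1]

def read_all(sock):
    buf = b""
    while chunk := sock.recv(4096):  # until the peer half-closes
        buf += chunk
    return buf

def listener(handler):
    """Bind an ephemeral loopback port, serve each connection on its own thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def app_handler(conn):
    with conn:  # the untouched service on the device (stands in for RTSP/HTTP): upper-cases input
        conn.sendall(read_all(conn).upper())

def relay_handler(conn):
    """Relay: park DEVICE connections, pair each CLIENT with the parked device of the same id."""
    role, _, ident = readline(conn).partition(b" ")
    with cond:
        if role == b"DEVICE":
            waiting[ident] = conn
            cond.notify_all()
            return
        if role != b"CLIENT" or not cond.wait_for(lambda: ident in waiting, timeout=5):
            conn.close()  # unknown role, or no device registered under that id in time
            return
        dev = waiting.pop(ident)
    dev.sendall(b"GO\n")  # wake the dispatcher; from here on the relay only copies bytes
    splice(conn, dev)

def dispatcher(relay_port, app_port):
    """On the device: dial OUT to the relay, wait for a client, only then dial the local app."""
    up = socket.create_connection(("127.0.0.1", relay_port))
    up.sendall(b"DEVICE " + DEVICE_ID + b"\n")
    if readline(up) != b"GO":
        up.close()
        return
    splice(up, socket.create_connection(("127.0.0.1", app_port)))  # app leg never leaves the device

def receiver(relay_port):
    """On the phone: local listener; every accepted client gets its own outbound relay leg."""
    def handler(client):
        up = socket.create_connection(("127.0.0.1", relay_port))
        up.sendall(b"CLIENT " + DEVICE_ID + b"\n")
        splice(client, up)
    return listener(handler)

def run_demo(payload=b"describe rtsp://cam/stream"):
    """Wire all four roles up on loopback and push one request through the tunnel."""
    app_port = listener(app_handler)
    relay_port = listener(relay_handler)
    threading.Thread(target=dispatcher, args=(relay_port, app_port), daemon=True).start()
    local_port = receiver(relay_port)
    with socket.create_connection(("127.0.0.1", local_port)) as c:  # the unmodified client
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return read_all(c)
```

Calling `run_demo()` returns the upper-cased request, which has travelled phone → receiver → relay → dispatcher → application and back. Note what the device does and does not do: the tunnel-dispatcher never listens on any port, it dials out to the relay, and only after the relay reports a client does it open its connection to the application, which stays on 127.0.0.1. The relay leg (the two `create_connection` calls towards the relay) is the only part that crosses the public internet, so that is where TLS with certificates on both ends belongs in a real deployment; the `wait_for` timeout is the knob that decides how long a client waits for a device that is offline.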
Another property is that the tunnel is only as secure as its weakest leg. The two local legs, the connection inside your phone between the client and the tunnel-receiver and the connection inside the IoT device between the tunnel-dispatcher and the application, can reasonably be considered secure, since they never leave the device; bind the tunnel endpoints to the loopback interface rather than to all interfaces so that they are not reachable from the network at all. The leg between the tunnel-receiver and the tunnel-dispatcher crosses the public internet and should therefore be strongly authenticated in both directions using certificates, with encryption providing privacy. This is especially important for devices that carry sensitive or private data, such as webcams or wearables.
For example, in video devices, TCP tunneling is often used to carry imagery between an existing video player client and a TCP video streaming service such as an RTSP server on an IP camera. Likewise, secure remote access to existing HTTP services is popular for reaching device admin interfaces remotely. I’m personally a big fan of this solution and its simplicity. Nothing has to be adjusted on either the client side or the server side beyond pointing the client at the local tunnel port: the client is made to believe it is communicating with the server locally, when it is actually communicating with the tunnel-receiver and, through it, the tunnel-dispatcher on the device. This simple ‘magic’ of TCP tunneling permits IoT devices to connect with the outside world from a safe location.
This article was originally published on Embedded.
Carsten Rhod Gregersen is CEO and founder of Nabto, a P2P IoT connectivity platform that enables remote control of devices via secure end-to-end encryption for smart industrial solutions.