Security and the IoT: Public IP Addressing

As part of Stream's series on the topic of security and the IoT, I'd like to examine the security risks associated with public IP addressing. My previous post focussed on What You Need to Know About IoT Botnets, in this article I'll be explaining what public IP addressing is, why it is used and some of the risks associated with it. I'll also examine some of the mechanisms that are in place to facilitate secure communications between public networks, such as the internet, and private networks, like your home network.

What's an IP Address?

Every machine connected to the internet is assigned with an IP, or internet protocol, address. IPs are used to facilitate communications between devices that are connected to the internet. IP addresses can be thought of like street addresses. For example, when you want to order a pizza, you need to provide your postal address so the delivery driver can find your home. The same principal applies when you're sending or receiving data on the internet, in this case your device's IP address is used to route data to the right location. There's several different categories of IP addresses, which include public, private, static and dynamic addresses. In this article, we'll focus on public IPs.

What Is a Public IP Address?

Simply put, a public IP address is a publicly accessible address that can be reached from any point on the internet. Having a public IP address can be very convenient if, for example, you're on the road and you want to access a device at home. If the device is assigned with a public IP address you can easily connect to it from any location using remote desktop software, such as TeamViewer or Windows Remote Desktop. However, there are also significant security risks associated with public IPs. Since they are publicly accessible, it means that anybody in the world can access your device, if they know its public IP.

Why Are Public IPs Used?

Given that there are security vulnerabilities associated with public IP addresses, why are they still in use? Part of the reason dates to decisions that were made during the development of the internet. There are also mechanisms in place, such as NAT, that allow public networks and private networks to interact in a secure manner. I'll explain both topics, but let's start off by looking at how public IPs came to be used in the first place.

Early Networks: Trust, Accountability and Limited Access

Nowadays billions of people across the globe interact on the internet daily, however, prior to the development of the World Wide Web in the late 1980s and early 1990s, access to the internet was far more limited. Networks such as ARPANET and CYCLADES, which were the precursor to the World Wide Web, were government funded and restricted to non-commercial use. Initially access to these networks was restricted to military sites and university campuses. In fact, access to the "internet" was so limited that in 1982 you could look up the name, address and telephone number of every person who had an email address using a telephone directory size book called the ARPANET Directory.

The point here is that in the early days of the internet, when it existed on a relatively small scale, there was a spirit of trust and accountability between the people on the network. Public IP addressing was built into the design of the network because, in such a small community, security concerns were negligible and being able to connect to other devices on the network via a public IP was extremely beneficial.

WWW and the Development of Private IP

Public IP addressing was a critical element in supporting the expansion of the internet, particularly as connectivity transitioned away from relatively closed networks, such as ARPANET and CYCLADES, towards the World Wide Web. For example, the expansion of the internet required the publication of routing tables, which enable devices on the network to communicate without the requirement to be wired directly to one another. As the World Wide Web expanded, every computer was assigned a public IP and was therefore publicly accessible. However, as the boom continued ISPs realised that not every device on the internet should be publicly routable and that private IP ranges were required for reasons of privacy and security.

Network Address Translation: Reconciling Public and Private

With the development of private IP, came the necessity to facilitate communications between public and private networks. For example, on a typical home broadband network, the customer's router is assigned with a public IP address. This makes sense, because it means the router can communicate with the internet. The devices inside of the home network, such as smart phones, PCs or tablets, are assigned with private IP addresses. This also makes sense, because it means these devices cannot be publicly accessed. This invites the question, how is it possible for a device with a private IP address to send and receive data from the internet? If my tablet has a private IP, how can I use it to stream episodes of House of Cards?

The answer is NAT, otherwise known as Network Address Translation. NAT is used to map traffic between an external network, such as the internet and a private network, such as your home network. For example, traffic originating from the internet is routed to the customer's publicly accessible router, from here the NAT determines which private device in the home network the traffic needs be forwarded on to. This model allows your private devices to stay private, while still having access to external networks, such as the internet.

Remote Access: The Risks

So, what if I'm away from home and I need to access my home network? What are my options? In this situation, there are two common solutions:

  1. Assign a public IP address to the device you need access to.
  2. Use a VPN (Virtual Private Network), or similar tool, to access the device.

The option you select depends on a few factors. Option one is relatively straightforward in technical terms. However, making the device publicly accessible may be extremely risky if it has not been updated or it uses hardcoded, default or easy to guess passwords. This issue becomes magnified if the device is operating over a cellular network. If a hacker or botnet hijacks a cellular device then you may be liable for any data usage charges that the device incurs. Option two is more complicated to set up in technical terms, however, it also provides a higher level of security.

So, What Should I Do?

Thankfully there are a several options available which provide you with remote access in a secure manner. We'll be covering these in more detail in our next article, so stay tuned and be sure to follow us on:

Twitter: @StreamTechLtd
Facebook: /StreamTechUK