IT Phone Home

The Challenge of Connecting Mobile Apps to IoT Devices in Homes

A challenge for home automation developers is how can something sitting in your home network, which is presumably on a private network behind a firewall hidden from hackers, be readily available to a mobile app which could be potentially anywhere in the world.

When you receive the little plastic Internet box from your ISP, what you’re generally getting is a modem, router and firewall in one. The combination of these means you can be connected to the Internet, safely hidden from view. You can open a browser and request a page from a web server on the Internet, but someone on the Internet can’t access your home devices.

The principal behind how this is done is pretty simple and it’s all about the direction of connection. It rhymes as well so it’s easy to remember.

Say you’re at home, and open up a browser and type in because you want to look at my really bad blog site. Your ISP router knows that it should pass network packets onto the Internet and to my hosted web server and allow responses from that server back in. The direction of connection is outbound from my home network and the firewall only allows the responses back in.

And that’s exactly what a home firewall’s main job is, to keep track of those outbound networks packets and only allows responses to those packets back in from the Internet.

If a hacker sitting on the web starts throwing connections at your ISP plastic box, the firewall knows to drop them as it did see the request go out to begin with.


So now we know how the basics of firewalls work, and you might be able to see the issue with IoT and home automation. How do we get an app running on our cell phone connected to the Internet to communicate with our IoT toaster, so that we can get our bread toasted before we get home?

There have been various solutions to resolve this issue including additional edge routers and punching inbound holes in firewalls, but the nicest I’ve found is the mouthful “MQTT over WebSockets”. I just want to add here that this is a great solution for devices which don’t need to worry about power too much like home automation. In our example an IoT toaster which is plugged into the mains power.

MQTT is a lightweight messaging protocol which is being taken up by IoT vendors. We don’t need to get into the details here. It basically sends and receives information from IoT devices to a central server, or cloud system. In our example sending a message “Put some toast on”.

WebSockets is really the killer protocol here. Yes, I get excited about protocols. WebSockets is designed to get around our direction of connection issue.

Going back to our example earlier, you’re browsing my blog site. What’s happening is your browser’s requesting a web page which is a bunch of HTML, JavaScript and images. Each of those elements is requested and once the responses are completed the firewall knows the connection to that server is complete.

With WebSockets that connection isn’t closed, instead network packets are passed backward and forward to keep the connection alive so the firewall is expecting more traffic in. In fact, to make sure the connection stays alive WebSocket’s pass PING/PONG packets back and forth. Yes, they are really called PING/PONG.

So when you pull out your phone and hit the toast button on your toaster app. The app sends a command to the IoT cloud system, the cloud system is then able to pass that command through your firewall as the connection is open and the IoT toaster gets the toast command.


So will this take a lot of my home bandwidth up? No these packets are very small and modern home broadband connections are generally very fast. If you put a tool called a packet sniffer onto a home network you’d be able to see the network traffic flying around. You’ll see almost continuous traffic from your phones, tablets, computers checking in for updates.

Is this secure? Well, yes and no. If unsecured there’s a potential for a ‘man in the middle’ style attack. Like any system, steps need to be taken to secure it. I’ve been using Amazon’s IoT implementation. They provide TLS encryption and certificate based authentication to make sure a hacker can’t jump into the WebSockets stream and set your toast to burn.

This is a toe deep look at IoT security, if you’d like to chat some more about any of this, mail Rob Pope on linked-in or reach out via our contact form. Rob is a co-founder of Tiro Security, with experience on the technical side of cybersecurity.

Posted in ,