Is TLS/SSL always required?


I have just been reading an article on TLS and it suggests that TLS uses up a significant amount of bandwidth so, in the interest of reducing the data to & from I was wondering if TLS is actually required when using Arduino, ESP8266 or ESP32?

I am fairly new to IOT so I was wondering if anyone could explain why TLS/SSL might be required for an IOT device with Embedded F/W, which presumably couldn’t be hacked (right)?



If you are fine with you data potentially been disclosed / compromised, you might compile with the directive:

#define _DISABLE_TLS_

and work without TLS

Is not always required, but it gives a better grade of security.

A dataphone is the same thing (a electronic device with embedded fw that communicates with a platform), but of course the information is highly sensitive to be hacked (and bad people that may be interested in hack that).

It depends if you want to protect the info or not.

Hope this helps.

So TLS/SSL does not protect the device itself from being hacked, it just prevents the data from being intercepted? Right?

I am concerned about the security of the IOT devices that I am preparing to deploy, has anyone every heard of a simple IOT device being hacked? Is that even possible considering that (in theory) it is not possible to install any additional F/W on the device without loading it via the bootloader. Is there a greater risk of hacking if OTA is enabled in the FW?



Frankly, I do not believe that your self-built IOT device is an interesting target to hack.

  1. it runs a code that you can reload at any time, overwriting the hack
  2. it runs a code that only a few persons know and can change anytime.

Consumer IOT devices are the golden target for hackers: they run to millions with the same code and their owners have basically no clue and no control of the code they run.