An IoT device needs to send its readings to a backend server over the internet. How would you secure that communication, and how should each device prove who it is?

technical-conceptual · Junior level · software-engineering, embedded-iot

What the interviewer is really asking

Assesses whether the candidate knows the baseline for securing device-to-cloud traffic — transport encryption plus a per-device identity — and understands why a shared baked-in credential is dangerous at fleet scale.

What to say

What to avoid

Example answers

Strong: I'd run the connection over TLS 1.3 so it's encrypted and the device checks the server's certificate. Each device gets its own credential, like a per-device X.509 cert stored in a secure element, not one shared key baked into the firmware. That way if one unit is compromised I revoke just that certificate instead of being exposed to whoever extracts the shared key from a single device they bought.

Weak: I'd use HTTPS and put an API key in the firmware so the server knows the request came from one of our devices.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.