An IoT device needs to send its readings to a backend server over the internet. How would you secure that communication, and how should each device prove who it is?
technical-conceptual · Junior level · software-engineering, embedded-iot
What the interviewer is really asking
Assesses whether the candidate knows the baseline for securing device-to-cloud traffic — transport encryption plus a per-device identity — and understands why a shared baked-in credential is dangerous at fleet scale.
What to say
- Start with transport security: the connection should run over TLS (1.3 today) so traffic is encrypted in transit, and the device must verify the server's certificate rather than accepting any certificate.
- Give each device its own identity, such as a per-device X.509 certificate or key, ideally held in a secure element so the key can't be trivially read off the flash, rather than one shared secret across the whole fleet.
- Explain why per-device identity matters: if one device is compromised you can revoke just that device's credential, whereas a single shared key means cracking one unit compromises every device you ever shipped.
What to avoid
- Hard-coding one API key or password into the firmware for the entire product line — extracting it from one device breaks all of them.
- Sending readings over plain HTTP or MQTT without TLS, or 'turning off certificate verification' to make it connect, which defeats the encryption.
- Treating security as only encryption and forgetting authentication and the ability to revoke a single compromised device.
Example answers
Strong: I'd run the connection over TLS 1.3 so it's encrypted and the device checks the server's certificate. Each device gets its own credential, like a per-device X.509 cert stored in a secure element, not one shared key baked into the firmware. That way if one unit is compromised I revoke just that certificate instead of being exposed to whoever extracts the shared key from a single device they bought.
Weak: I'd use HTTPS and put an API key in the firmware so the server knows the request came from one of our devices.