How secure is HTTP POST over 4G/NB-IOT?
I am not really a true developer, so I apologize in advance for the naivety. How secure is HTTP POST over 4G LTE/NB-IOT? We aren't sending any sensitive data (the data ends up going to a publicly viewable endpoint anyway), but I am concerned that if someone was able to see a POST request they could mimic it and send erroneous data to the server. The data is basically a timestamp and water level to monitor rivers for a government flood monitoring system. I know that 4G and NB-IOT are generally encrypted, but is this enough? HTTPS is giving us issues with the small IOT boards, so we are looking at using HTTP if it doesn't pose a huge security risk.
Solution 1:[1]
It's as safe as any HTTP, which is to say you're passing plaintext around and if you don't want it intercepted or tampered with then don't use HTTP. Your default posture should be to not trust anyone in the transit path.
With NB-IoT the bandwidth is so low and latency so high that TLS won't work reliably. That's the root of the issue and is why operators that have deployed NB-IoT mostly are either shutting it down, or deploying things like LTE CatM1 or LTE Cat1 alongside.
NB-IoT's place is for scenarios in which technical security measures, such as encryption, are simply not required. Whether there are sensible IoT use cases today that don't need technical security measures is another matter (I vote 'no'). Given that you're concerned with something important (water) and are concerned about "fake" data you seem to have arrived at an answer regarding whether security matters.
The security used for the cellular network is irrelevant if you want end-to-end encryption. You could consider schemes that are not based on TLS, but be prepared for your customers or users to not 'trust' such mechanisms if they're not established and proven in the field. You could employ symmetric encryption on both endpoints - it'll affect your power budget and would require sufficient computational power in the devices - or look at the numerous research articles claiming to have found lightweight asymmetric mechanisms.
Alternatively, your carrier may offer to host a 'broker' so you rely on the encryption across radio and core interfaces, then a separate method of securing transport from the broker service to your endpoint. This isn't end-to-end but it could work for you.
One assumes that you've found a solution to the issue after this length of time since OP. We can only hope that it involved the recognition that NB-IoT was probably not a suitable approach and that another communications system was used. I'd love to hear what your solution was.
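The question's concern (a captured POST being mimicked) and the answer's suggestion of a symmetric scheme on both endpoints can be illustrated by authenticating each reading instead of encrypting it. This is an added example, not part of the original answer: it uses HMAC-SHA256 with a per-device pre-shared key and a message counter, giving integrity and replay rejection but no confidentiality. The key table, field layout and `Receiver` class are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample value: per-device key provisioned before deployment (assumption).
DEVICE_KEYS = {7: bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}
TAG_LEN = 16  # truncated HMAC-SHA256 tag, to save bytes on a narrow link
BODY = struct.Struct(">HIIi")  # device id, counter, unix time, level in mm


def sign_reading(key, device_id, counter, timestamp, level_mm):
    """Device side: pack the reading and append an authentication tag."""
    body = BODY.pack(device_id, counter, timestamp, level_mm)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Server side: accept a reading only if the tag verifies and the counter advances."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys
        self.max_skew = max_skew  # seconds of clock difference tolerated
        self.last_counter = {}    # highest counter accepted per device

    def accept(self, message, now):
        if len(message) != BODY.size + TAG_LEN:
            return None
        body, tag = message[:BODY.size], message[BODY.size:]
        device_id, counter, timestamp, level_mm = BODY.unpack(body)
        key = self.keys.get(device_id)
        if key is None:
            return None  # unknown device
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        if counter <= self.last_counter.get(device_id, -1):
            return None  # replay of a previously accepted request
        if abs(now - timestamp) > self.max_skew:
            return None  # stale or implausible timestamp
        self.last_counter[device_id] = counter
        return {"device": device_id, "time": timestamp, "level_mm": level_mm}
```

The 30-byte message can be sent as the body of the plain HTTP POST; the device must keep its counter in non-volatile storage so it never repeats after a reboot.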
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Dorkalicious |