I am testing the Embedded API using the TCP socket interface. It appears that the only thing securing the connection is the 8-byte Device Key. I was hoping that only a message from the device with that SIM card and Device Key would be able to pass traffic. It appears that it doesn’t matter where the traffic originates from; as long as the Device Key is valid, it accepts and processes the data. This would allow the device to very easily be spoofed if they have the 8-byte key.
Is my assessment of the Embedded API correct, or have I missed something? If that is the case, what do others use to harden or secure their device-to-cloud communications when the device doesn’t have higher-end encryption capabilities? Or at least have some assurance that the traffic originated with the device?