IoT Security Issues and MQTT
Copyright © by HiveMQ. All Rights Reserved.
Speaker: Gaurav Suman, Product Marketing Director @HiveMQ
● Product Marketing lead at HiveMQ
● Telecoms, Unified Comms, Networking, Software technology
● Solutions Architect and Product Manager
● Based in Ottawa, Canada
gaurav.suman@hivemq.com
https://www.linkedin.com/in/grvsmn/
@grvsmn
Why is IoT Security top-of-mind for devs and architects?
The Internet of Things is HUGE
The risks are clear
IoT security challenges are unique
● Low-power devices
● Spread far and wide
● Long lifecycle of devices
HiveMQ: Security
Multiple Security Layers
● Network
● Host
● Application
● Data
● Enterprise
"We will bankrupt ourselves in the vain search for absolute security." - Dwight D. Eisenhower
Securing the IoT connectivity stack
What’s special about MQTT?
What Is MQTT?
• Easy on the device side, pushes all implementation complexity to the server
• Publish/Subscribe based architecture
• Created for extreme scale and instant data exchange
• (I)IoT Messaging Protocol
• Built for machines and constrained devices (binary, data agnostic)
• Designed for reliable communication over unreliable channels
MQTT Use Cases
• Connected Car
• IIoT / Industry 4.0
• Logistics
• Telecommunication
• IoT Messaging Middleware
The MQTT specification ‘specifies’
MQTT solutions are often deployed in hostile communication environments. In such cases, implementations will often need to provide mechanisms for:
● Authentication of users and devices
● Authorization of access to Server resources
● Integrity of MQTT Control Packets and application data contained therein
● Privacy of MQTT Control Packets and application data contained therein
MQTT Broker
• Conserve
• Decouple
• Centralize Policy
Transport Encryption
● MQTT runs on the TCP/IP stack
● Port 1883: MQTT over plain TCP (no encryption; client IDs, credentials and payloads cross the network in cleartext)
● The TCP connection can be wrapped in TLS
● Port 8883: MQTT over TLS (the IANA-registered secure-mqtt port)
How MQTT helps secure IoT
Authentication and Authorization
Authentication
● Client ID
● Username
● Password
● Digital Certificates
● OAuth, JWT
Advanced Authentication Options
● Digital Certificates
● Wire the broker and the auth store
Using certificates for TLS
● Typically relies on a public certificate authority
● Can also work with a private CA
○ Only for closed networks, where you can provision the private root on every client
Consider these when using X.509 based Authentication
● You need control over the MQTT client (to provision, rotate and revoke its certificate and private key)
● Managing the certificate lifecycle
○ Certificate Revocation Lists (CRLs)
○ Online Certificate Status Protocol (OCSP)
OCSP Stapling: Authentication at Scale
Client Authentication (Identity and Access Management Systems)
● Different external systems can be used to authenticate clients at a broker
● Client provides authentication data in the CONNECT packet
● Broker looks up the authentication data in the connected external systems
● External authentication systems:
○ LDAP
○ OAuth 2.0
○ Databases
○ ACL
○ ...
Caution: Not all brokers support a pluggable authentication and authorization system!
Creating Custom Authentication Logic
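The two broker-side steps above (parse the credentials out of the CONNECT packet, then look them up in a pluggable backend) in working form. This is an added example, not HiveMQ code or the HiveMQ extension API: PasswordStore is a constructed in-memory stand-in for the LDAP or database backend, PBKDF2_ROUNDS and the 64-byte client-ID cap are assumed values, and build_connect exists only to construct sample packets.

```python
"""MQTT 3.1.1 CONNECT parsing plus a pluggable password backend, i.e. the
'look up the CONNECT credentials in an external system' step.  Added example
(standard library only); PasswordStore stands in for LDAP or a database and
is not HiveMQ's implementation."""
import hashlib, hmac, os, struct

PBKDF2_ROUNDS = 50_000          # cost factor for the stored password hashes (assumed)

def _varint_encode(n: int) -> bytes:
    """MQTT 'remaining length': 7 data bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        n, b = divmod(n, 128)
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def _varint_decode(buf: bytes, pos: int):
    value, mult = 0, 1
    for _ in range(4):                               # spec caps it at 4 bytes
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")

def _read_field(buf: bytes, pos: int):
    """Length-prefixed (2-byte big endian) string or binary field, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field length")
    (n,) = struct.unpack_from("!H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("field runs past end of packet")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_connect(client_id: str, username=None, password=None, keep_alive=60) -> bytes:
    """Encode a CONNECT as a client library would (used here to build sample input)."""
    field = lambda b: struct.pack("!H", len(b)) + b
    flags, payload = 0x02, field(client_id.encode())            # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + field(username.encode())
    if password is not None:
        flags, payload = flags | 0x40, payload + field(password)
    body = field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive) + payload
    return bytes([0x10]) + _varint_encode(len(body)) + body

def parse_connect(pkt: bytes, max_client_id: int = 64) -> dict:
    """Broker-side parse enforcing the checks the spec places on the server."""
    if not pkt or pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _varint_decode(pkt, 1)
    if len(pkt) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    name, pos = _read_field(pkt, pos)
    if name != b"MQTT" or pos + 4 > len(pkt) or pkt[pos] != 4:
        raise ValueError("unsupported protocol name/level")
    flags = pkt[pos + 1]
    if flags & 0x01 or (flags & 0x40 and not flags & 0x80):   # reserved bit; password without username
        raise ValueError("invalid connect flags")
    (keep_alive,) = struct.unpack_from("!H", pkt, pos + 2)
    cid, pos = _read_field(pkt, pos + 4)
    if len(cid) > max_client_id:                              # bound attacker-chosen identifiers
        raise ValueError("client id too long")
    if flags & 0x04:                                          # will flag: skip will topic and payload
        _, pos = _read_field(pkt, pos)
        _, pos = _read_field(pkt, pos)
    username = password = None
    if flags & 0x80:
        raw, pos = _read_field(pkt, pos)
        username = raw.decode("utf-8")
    if flags & 0x40:
        password, pos = _read_field(pkt, pos)
    if pos != len(pkt):
        raise ValueError("trailing bytes after CONNECT payload")
    return {"client_id": cid.decode("utf-8"), "username": username,
            "password": password, "keep_alive": keep_alive}

class PasswordStore:
    """Salted PBKDF2 at rest, constant-time compare, same work for unknown users."""
    def __init__(self):
        self._users = {}

    def add(self, username: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS))

    def verify(self, username, password) -> bool:
        salt, digest = self._users.get(username, (bytes(16), bytes(32)))
        calc = hashlib.pbkdf2_hmac("sha256", password or b"", salt, PBKDF2_ROUNDS)
        return username in self._users and hmac.compare_digest(digest, calc)

def authenticate(pkt: bytes, store: PasswordStore) -> dict:
    """Parse then authenticate; a real broker answers CONNACK return code 4 on failure."""
    conn = parse_connect(pkt)
    if conn["username"] is None or not store.verify(conn["username"], conn["password"]):
        raise PermissionError("bad user name or password")
    return conn
```

Two details matter more than the parsing itself: the packet is rejected before any backend call if its length fields disagree or the client ID exceeds the cap, so malformed input never reaches the credential store; and verify does the same PBKDF2 work for unknown and known users, so response time does not reveal which usernames exist.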
Authorization
● Publisher and Subscriber Authorization
○ Whether they can publish/subscribe
○ Which QoS level
○ Operations (read, write)
Permissions
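A permission model covering the three questions on the Authorization slide (may the client publish or subscribe, on which topics, up to which QoS), with the default-deny behaviour the talk recommends. Added example, not HiveMQ's permission syntax: the Rule layout and the {username} placeholder are conventions assumed here, and the $-topic rule follows the MQTT 3.1.1 spec.

```python
"""Default-deny topic authorization for MQTT publish and subscribe with
wildcard filters.  Added example, not HiveMQ's permission model; the Rule
layout and the {username} placeholder are conventions assumed here."""
from dataclasses import dataclass

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT wildcard match: '+' is exactly one level, '#' (last level only) is the rest;
    wildcard filters never match '$'-prefixed (e.g. $SYS) topics, per the spec."""
    if topic.startswith("$") and not topic_filter.startswith("$"):
        return False
    f, t = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        # t[i] == "#" can only come from a subscription filter being checked as a
        # topic; a '+' (single-level) rule must not be read as covering it
        if i >= len(t) or t[i] == "#" or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

@dataclass
class Rule:
    topic_filter: str        # may contain {username}, replaced with the authenticated name
    publish: bool = False
    subscribe: bool = False
    max_qos: int = 2

class Acl:
    """Default deny: publish or subscribe succeeds only when an explicit rule matches."""
    def __init__(self):
        self._rules = {}

    def grant(self, username: str, rule: Rule) -> None:
        self._rules.setdefault(username, []).append(rule)

    def allowed(self, username: str, action: str, topic: str, qos: int = 0) -> bool:
        """action is 'publish' or 'subscribe'.  For subscriptions pass the SUBSCRIBE
        filter as `topic`: its '+'/'#' are then compared literally, so a wildcard
        subscription is granted only by a rule at least as broad as the filter."""
        for r in self._rules.get(username, []):
            scoped = r.topic_filter.replace("{username}", username)
            if getattr(r, action) and qos <= r.max_qos and topic_matches(scoped, topic):
                return True
        return False
```

The subscribe check is the part most often done wrong: authorizing the SUBSCRIBE filter rather than each delivered message means a device granted site1/{username}/cmd cannot subscribe to site1/# and read every other device's commands, while an operations account granted site1/# can.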
Encryption
Transport Encryption - Best Practices
• Use transport encryption (TLS) on every listener; do not expose plain port 1883 beyond a trusted network
• Use certificates from a CA the clients actually trust (a public CA, or a private CA whose root is provisioned on the devices)
• Use the highest TLS version the fleet supports and secure cipher suites; disable legacy versions
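The three best practices as client-side TLS settings, with the weak configuration that debugging sessions tend to leave behind beside the corrected one and an audit function that flags the difference. Added example using only the Python standard library, not HiveMQ code; the CA and client-certificate paths are placeholders, and a real client would hand the context to its MQTT library before connecting to port 8883.

```python
"""Hardened versus weak TLS client settings for an MQTT connection on port 8883,
plus an audit helper.  Added example (standard library only, not HiveMQ code);
the CA / client-certificate paths are placeholders."""
import ssl

MQTT_TLS_PORT = 8883

def hardened_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Verify the broker against the system trust store or an explicit (private) CA,
    check the hostname, require TLS 1.2+, allow only ECDHE + AEAD suites, and
    optionally present an X.509 client certificate for mutual TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)    # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def weak_tls_context():
    """What 'just make it connect' debugging tends to leave in production: any
    certificate accepted, hostname unchecked, library-default protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_tls_context(ctx):
    """Return the findings a reviewer would raise; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("broker certificate not verified: anyone on the path can impersonate the broker")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any certificate from a trusted CA is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 negotiable")
    non_aead = sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])
    if non_aead:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead))
    return findings
```

Running audit_tls_context over the context a client library is about to use is a cheap pre-deployment check; the same four questions (verification on, hostname checked, floor at 1.2, AEAD-only suites) apply to the broker listener configuration.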
Payload Encryption
● On very constrained devices transport encryption may not be possible
● Use payload encryption instead
● Every client needs to hold its own key and secret
● BUT: it leaks metadata (topic names, client IDs, message sizes and timing stay visible on the wire)
DoS and Overload Protection
● Limit concurrent connections and connection idle times
● Throttle connection rates, including burst rates
● Throttle TLS handshakes (the most CPU-expensive step of a connection)
● Throttle network bandwidth
● Cluster overload protection throttles over-active publishing clients to prevent cluster overload
● Limit client ID and topic length to reject malformed or abusive client input
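The first, second and last items on the list as listener-side logic: a per-source token bucket for connection rate with a burst allowance, a concurrent-connection cap, idle-timeout eviction and a client-ID length limit. Added example, not HiveMQ's overload protection; the thresholds are illustrative and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Connection-rate, connection-count, idle-timeout and client-id limits at the
MQTT listener.  Added example with an injectable clock; the thresholds are
illustrative, not HiveMQ defaults."""
import time

class ConnectionGuard:
    def __init__(self, rate_per_s=10.0, burst=20, max_conns=1000,
                 idle_timeout=300.0, max_client_id=64, now=time.monotonic):
        self.rate, self.burst, self.max_conns = rate_per_s, burst, max_conns
        self.idle_timeout, self.max_client_id, self.now = idle_timeout, max_client_id, now
        self._buckets = {}       # source ip -> [tokens, time of last refill]
        self._active = {}        # client id -> (ip, time of last activity)

    def _take_token(self, ip):
        """Token bucket per source: sustained `rate` connects/s, bursts up to `burst`."""
        t = self.now()
        tokens, last = self._buckets.get(ip, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        ok = tokens >= 1
        self._buckets[ip] = [tokens - 1 if ok else tokens, t]
        return ok

    def admit(self, ip, client_id):
        """Decide on a CONNECT attempt; returns 'ok' or the reason for refusing."""
        self.evict_idle()
        if len(client_id) > self.max_client_id:
            return "client id too long"            # cheapest check first, before any state
        if not self._take_token(ip):
            return "rate-limited"
        if len(self._active) >= self.max_conns:
            return "connection limit reached"
        self._active[client_id] = (ip, self.now())
        return "ok"

    def touch(self, client_id):
        """Record traffic from a connected client (PINGREQ or any other packet)."""
        if client_id in self._active:
            self._active[client_id] = (self._active[client_id][0], self.now())

    def disconnect(self, client_id):
        self._active.pop(client_id, None)

    def evict_idle(self):
        """Drop connections silent for longer than idle_timeout; returns their ids."""
        t = self.now()
        idle = [c for c, (_, last) in self._active.items() if t - last > self.idle_timeout]
        for c in idle:
            del self._active[c]
        return idle
```

Rate limiting per source address rather than globally is what keeps one misbehaving gateway or one attacker from locking out the rest of the fleet; the TLS-handshake throttle on the slide sits one layer below this, before the CONNECT packet is even read.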
Criteria for selecting the right MQTT Broker
• Performant, scalable and highly available broker
• Compliance with the entire MQTT specification
• Monitoring of the broker and tracing of devices
• Pluggable authentication & authorization system
• Overload protection
• TLS support
• Professional support
HiveMQ Security Architecture
● Pluggable Authentication and Authorization System
● Prebuilt Security Extension
● TLS secured communication
● Overload Protection and (D)DoS detection
● Fine grained permission system for MQTT clients and HiveMQ Control Center users
● Chaining of auth mechanisms
● Default Deny-All behaviour
● Integrated monitoring system and over 1500 metrics
● 24/7 professional support
HiveMQ Enterprise Security Extension
• Central management for IoT device and HiveMQ Control Center authentication and authorization
• Flexible and easy integration with multiple external authentication systems and data sources (e.g. databases, LDAP, OAuth 2.0)
• High scalability and reliability
• Default whitelisting concept (nothing is permitted unless a rule explicitly allows it)
• Access log (rolling on a daily basis)
• Maximum flexibility in defining authorization rules
Resources
● Evaluate HiveMQ
● Try HiveMQ Cloud
● Get Started with MQTT
● HiveMQ Enterprise Security Extension
● Blog Series | MQTT Security Fundamentals
● Watch Our Previous Security Webinar Recording
Any questions? Reach out to community.hivemq.com
Thank you
Contact Details
Gaurav Suman
gaurav.suman@hivemq.com
https://www.linkedin.com/in/grvsmn/
