IoT apps benefit from MQ telemetry transport security
The MQ telemetry transport (MQTT) protocol, which was originally developed in the 1990s for machine-to-machine communication in the oil and gas industry, has recently found new life with the emergence of the IoT. The lightweight publish-subscribe-based protocol was designed to work with unstable network conditions, multiple client operating systems and devices with limited memory and central processing unit capacity. As such, MQTT is already at the heart of a majority of IoT apps.
Security challenges when building IoT apps
Though security is an essential component of any digital environment, the IoT and the massive amounts of data generated by connected devices create new implications when it comes to mobile security. Devices used in IoT environments often have limited memory and power, which makes them difficult to secure with heavier cryptographic algorithms. Additionally, the sheer number of devices in IoT environments — many of which often connect from unstable networks — makes it difficult to update them with more traditional patching systems. As in any cloud-based environment, usability and experience is also paramount, so any changes or installations must be intuitive and performed behind the scenes without performance degradation or security compromises.
MQTT security fundamentals
MQTT, a publish-subscribe-based protocol, is often chosen for IoT apps because it is simpler to use and has much lower overhead than client/server protocols such as HTTP. At a basic level, an MQTT broker facilitates communication between the publisher (those sending messages) and the subscriber (those receiving messages).
Core security tenants of the MQTT include the following concepts:
- Identity: This entails naming the client that is authorized to access a system by a client identifier, user ID and password or digital certificate. The MQTT server can then authenticate one of these attributes over a secure SSL connection and control which resources the user or devices can access.
- Authentication: This involves proving the identity of the client or server at the transport or application level. Clients authenticate servers with SSL, and servers authenticate clients with an SSL certificate, password or both.
- Authorization: Finally, this entails managing the rights of groups of clients through an MQTT broker. The authorization process controls which users or devices can access specific resources or data through an access control list or role-based access control policies.
As connected devices become more ubiquitous, developers need to make security a top priority when building IoT apps. This can be done by harnessing the inherent security features in the underlying MQTT protocol and related service brokers.