Securing IoT application



  • I'm designing an IoT product and I'm searching for solutions to secure the system.

    The system's protocol is MQTT; while it's very helpful, it contains vulnerabilities.

    I've read enough to come up with this proposed system:

    • Using TLS: It's important, but it depends on support.
    • Apply a client-id prefix rule: The server won't accept any client-id other than ones that meet a certain prefix, e.g. device-.
    • Authorization: Creating an ACL (Access Control List) to allow each device to only subscribe to topics prefixed with its device-id rx/device00001/# and only publish to topics with the same property tx/device00001/.*
    • Limit the accepted message lengths.*
    • Use authentication that depends on MCU's MAC address and a device-name:
      Use device-id as client-id, and both device-id and MAC as password, where MAC and device-id are securely shared with the server during the firmware flashing process.
    • Use application payload encryption.
    Comments:
    • * Server terminates the client otherwise.
    • If TLS isn't used, an encrypted password is needed to secure the CONNECT packet sent to the server, because credentials are sent in plaintext.
      Besides that, the password should be a function of UNIX time, to limit replay attacks. The time is used at server-side to check the freshness of the request.
    • If all security layers are used, is there a need for application payload encryption?

    Can you tell whether this system is secured or it contains threats?
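
An added example, not part of the original post: broker-side checks for the scheme proposed above (client-id prefix rule, per-device topic ACL, and a password that is a function of UNIX time). The HMAC-SHA256 construction, the per-device secret, the "device" prefix, the 30-second window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

CLIENT_PREFIX = "device"   # assumed prefix, matching ids such as device00001
MAX_SKEW = 30              # assumed freshness window, in seconds

# Constructed sample registry: device-id -> secret stored when flashing firmware.
DEVICE_KEYS = {"device00001": b"constructed-secret-for-demo"}

def make_password(device_id, key, now):
    """Device side: '<unix time>:<hex HMAC-SHA256 over device-id and time>'."""
    ts = str(int(now))
    tag = hmac.new(key, f"{device_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{tag}"

def check_connect(client_id, password, now):
    """Broker side: prefix rule, known device, fresh timestamp, valid tag."""
    key = DEVICE_KEYS.get(client_id)
    if not client_id.startswith(CLIENT_PREFIX) or key is None:
        return False
    ts, sep, tag = password.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    if abs(int(now) - int(ts)) > MAX_SKEW:
        return False           # stale or future-dated: treat as a replay
    expected = make_password(client_id, key, int(ts)).partition(":")[2]
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), tag.encode())

def topic_allowed(client_id, action, topic):
    """ACL: subscribe only under rx/<id>/, publish only under tx/<id>/."""
    root = {"subscribe": "rx", "publish": "tx"}.get(action)
    if root is None:
        return False
    base = f"{root}/{client_id}"
    # Require a '/' after the id so device00001 cannot reach device000011.
    if topic != base and not topic.startswith(base + "/"):
        return False
    # Wildcards are only meaningful in subscriptions; reject them in publishes.
    return action == "subscribe" or not ("#" in topic or "+" in topic)
```

A captured password still verifies until the freshness window closes, so the window bounds replay rather than removing it.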



  • I haven't worked with MQTT myself but did some research and it looks like TrendMicro has an article on that:

    https://www.trendmicro.com/vinfo/es/security/news/internet-of-things/mqtt-and-coap-security-and-privacy-issues-in-iot-and-iiot-communication-protocols

    Some other scanner tools are Nessus and Tenable.

    You may give it a try on their trial version before you pay for any certificate. Hope it helps to some extent.


