Practical Security with MQTT and Mosquitto
Transcript of Practical Security with MQTT and Mosquitto
Practical Security with MQTT and Mosquitto
Nick Barendt
• Wayward Electrical Engineer (EE)
• Embedded Systems & Scalable Cloud Computing
• LeanDog Studio
• Case Western Reserve Univ. EECS Adjunct Faculty
Nick Barendt
Helping companies improve their culture and their products
Design and Delivery Studio: Web, Mobile, Cloud, integrated with UX
I.T. Infrastructure AND Security - tell me more!
Talking about MQTT and Security
How it all started…
Opportunity to teach a Junior/Senior engineering course on Connected Devices
CWRU, Cleveland, Ohio - Fall 2015
IoT - Embedded, Web, Mobile, UX - enormous breadth of technology
Why teach a course?
Course Goals
Expose students to broader systems view
Demonstrate evolutionary system design
Provide intense, hands-on experience
Present both functional and nonfunctional requirements
Avoid black boxes and vendor lock-in
Weekly Course Syllabus
Introduction to Connected Devices / Internet of Things
User Experience and User Interfaces
Publish/Subscribe and Message Queues for Integration
Introduction to the Cloud
Web User Interfaces
Intro Web Frameworks
Introduction to Native Mobile Development
Introduction to Bluetooth Classic and Bluetooth Low Energy
Introduction to Analytics
Introduction to Load Testing
Updating Firmware in the Field
Essential Security
IoT Platforms and Final Projects Assigned
Final Projects Presentations
Non-Functional - IoT Security Issues (a partial list :-)
IoT vastly expands surface area for attack - same problems, but enormous scale
Typically, physical access implies full access and authorization
You distribute thousands or millions of devices - ridiculous physical access!
Protect device and owner’s usage
Protect against DoS attacks, hackers, etc.
Must also protect your infrastructure from compromised devices
Goal: provide students with a recipe for building a baseline secure IoT system
2 weeks of 14 week course
What do we mean by IoT?
Connected Devices / Internet of Things (IoT)
How do we connect these devices to the cloud?
MQTT
Publish/Subscribe (Pub/Sub) for Connected Devices
Broker
Clients Publish Messages to Topics
Clients Subscribe to Topics
Messages are arbitrary byte strings (frequently JSON, XML snippets)
Topics are UTF-8 Strings, with "/" to indicate levels
What can you do with it?
Boat of Things
Fun, useful, and hackable demo
Learning and experimentation platform
Promotes a “What If?” mindset
It all started because someone wanted to control our Pandora station from a command-line…
It has grown a bit since then…
Amazon Dash Buttons - automated product re-ordering
Now developer kit - AWS IoT Button
Every Friday after all-hands standup we have Friday Cleanup, traditionally accompanied by polka music (for reasons lost to history)
Someone would manually change Pandora channel to polka…
We felt the need to automate Polka Friday (and learn about AWS IoT Button)
Video Link
Paho Libraries
Open Source MQTT Client Libraries (Eclipse Foundation)
Java, C, C++, JavaScript, Python, C#.NET, Go
Basic Python Paho Example - Subscribe to all Topics
```python
import paho.mqtt.client

def on_connect(client, userdata, flags, rc):
    # once the broker acknowledges the connection, subscribe to every topic
    client.subscribe("#")

def on_message(client, userdata, msg):
    # print each received message as "topic | payload"
    print(msg.topic + " | " + str(msg.payload))

c = paho.mqtt.client.Client()
c.on_connect = on_connect
c.on_message = on_message

# plain MQTT on the default port 1883, no TLS, no credentials
c.connect("otis.leandog.com")

# block forever, dispatching callbacks and reconnecting as needed
c.loop_forever()
```
Mosquitto
Open Source MQTT Broker (Eclipse Foundation)
MQTT 3.1.1
Linux, Mac, Windows
Under rapid development
https://github.com/eclipse/mosquitto
Mosquitto Configuration
Typically stored in /etc/mosquitto/mosquitto.conf
Typical Unix text file configuration syntax
Security settings on a per listener basis - bind address/host, port, protocol (mqtt, web sockets), security
Note: can include configuration files - convenient way to keep somewhat modular
include_dir dir
Mosquitto - Default Listener Configuration
default-listener.conf
```
# IANA assigned MQTT port
listener 1883
# use MQTT protocol (could be websockets)
protocol mqtt
```
The Thing
Security: Authentication vs. Authorization
Authentication - Prove you are who you say you are
1 or more of:
- something you have
- something you know
- something you can do
House key - something you have
Passwords - something you know
ATM + PIN - 2 factor - something you have + something you know
SSL/TLS - something you can do (challenge computation w/ PKI X.509 certificate)
Mosquitto Username / Password Configuration
use the mosquitto_passwd CLI tool to generate/edit file
file format:
username:<salted hashed password>
equivalent to HTTP Basic Auth (basically insecure, w/o encryption)
password.conf
```
listener 2883
protocol mqtt
password_file /usr/local/etc/mosquitto/conf.d/mosquitto.passwd
```
Username/Password alone is almost certainly a bad idea: the passwords travel in clear text.
What to do?
SSL/TLS - Encryption and Authentication
Public Key Infrastructure (PKI)
Asymmetric Encryption - Public/Private Keys
X.509 Certificate - Public Key + Authentication via a Trusted Certificate Authority (CA)
Mosquitto TLS Configuration
tls-broker.conf
```
listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
```
TLS on broker a good start
- traffic encrypted
- clients can use the CA to authenticate broker
How does the broker authenticate clients?
Provision the clients (devices) with certificates
Sometimes referred to as “Two-Way TLS”
Mosquitto TLS Configuration w/ Client Authentication
tls-broker.conf
```
listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2

require_certificate true
use_identity_as_username true
```
Mosquitto TLS Bridge Configuration (Device)
tls-bridge.conf
```
connection b827eb74663e_broker
address ec2-52-20-29-213.compute-1.amazonaws.com:8883
remote_clientid b827eb74663e_broker

bridge_cafile /etc/mosquitto/ca_certificates/ca.crt
bridge_certfile /etc/mosquitto/certs/b827eb74663e_broker.crt
bridge_keyfile /etc/mosquitto/certs/b827eb74663e_broker.key
bridge_tls_version tlsv1.2

topic lamp/set_config in 1 "" devices/b827eb74663e/
topic lamp/changed out 1 "" devices/b827eb74663e/
topic lamp/connection/+/state out 2 "" devices/b827eb74663e/
```
Mosquitto TLS Configuration for Websockets
tls-websockets.conf
```
listener 52111
protocol websockets
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
```
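The listener snippets on the preceding slides differ only in a few directives, but those directives decide whether credentials cross the network in clear text and whether the broker authenticates clients at all. The following audit script is an added example (not code from the slides or from the Mosquitto project): it splits a Mosquitto-style config into per-listener blocks and reports, for each, whether TLS is configured and how clients are identified. It understands only the directives the slides use (listener, protocol, password_file, cafile, certfile, keyfile, tls_version, require_certificate, use_identity_as_username), does not follow include_dir, and runs against a constructed sample made of the four listeners shown above.

```python
"""Audit Mosquitto-style listener configuration for clear-text credentials
and unauthenticated listeners.

Added example; not code from the slides or from the Mosquitto project.
Only the directives used on the slides are understood; include_dir is
not followed.
"""

# Constructed sample: the listener snippets from the slides, joined into one file.
SAMPLE_CONF = """\
# IANA assigned MQTT port
listener 1883
protocol mqtt

listener 2883
protocol mqtt
password_file /usr/local/etc/mosquitto/conf.d/mosquitto.passwd

listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true

listener 52111
protocol websockets
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
"""


def parse_listeners(text):
    """Split a config into per-listener option dicts.

    Each 'listener <port>' line starts a new block; every following
    'key value' line belongs to that listener. Options that appear before
    any listener line are collected under port None (the default listener).
    """
    listeners = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = {"port": int(value.split()[0])}
            listeners.append(current)
        else:
            if current is None:
                current = {"port": None}
                listeners.append(current)
            current[key] = value
    return listeners


def audit_listener(opts):
    """Return a report dict for one listener, with a list of findings."""
    findings = []
    tls = "certfile" in opts and "keyfile" in opts
    if not tls:
        findings.append("no certfile/keyfile: all traffic on this listener is clear text")
    if "password_file" in opts and not tls:
        findings.append("password_file on a clear-text listener: usernames and passwords are sent unencrypted")
    if tls and opts.get("tls_version", "") not in ("tlsv1.2", "tlsv1.3"):
        findings.append("tls_version not pinned to tlsv1.2 or newer")

    # How does the broker know who the client is?
    if opts.get("require_certificate") == "true":
        client_auth = "certificate"
    elif "password_file" in opts:
        client_auth = "password"
    else:
        client_auth = "none"
        findings.append("no require_certificate or password_file: any client that can reach the port may connect")

    return {"port": opts["port"], "protocol": opts.get("protocol", "mqtt"),
            "tls": tls, "client_auth": client_auth, "findings": findings}


def audit_config(text):
    return [audit_listener(opts) for opts in parse_listeners(text)]


if __name__ == "__main__":
    for report in audit_config(SAMPLE_CONF):
        print(f"listener {report['port']} ({report['protocol']}): "
              f"tls={report['tls']} client_auth={report['client_auth']}")
        for finding in report["findings"]:
            print("   -", finding)
```

Run against the sample, the 2883 listener is flagged for sending the password file's credentials over an unencrypted connection, the 1883 and 52111 listeners for accepting any client that can reach them, and only the 8883 listener with require_certificate comes out clean. The websockets listener is worth noting: it is encrypted, but without require_certificate or a password_file the broker has no idea who is on the other end.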
Authorization - What actions am I permitted to take?
Access Control List (ACL)
Mosquitto supports a file-based ACL mechanism:
acl_file filepath
with a format:
user <username>
pattern [read | write | readwrite] <topic>
This works, but is laborious to maintain as users and devices are added & removed
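To make the ACL semantics concrete, here is an added example (not Mosquitto's own ACL code) that parses an acl_file in the format above and decides whether a given client may read or write a topic. Beyond what the slide shows, it models MQTT's `+` and `#` wildcards, the `%c` (client id) and `%u` (username) substitutions Mosquitto applies in `pattern` lines, and the `deny` access keyword that newer Mosquitto releases accept; the matching rules follow the mosquitto.conf man page rather than being a port of the broker's code. The sample ACL is constructed for this example and reuses the device id from the bridge slide.

```python
"""Evaluate Mosquitto acl_file rules for a client's subscribe or publish.

Added example; not Mosquitto's own ACL code. Semantics follow the
mosquitto.conf man page: per-user 'topic' lines, global 'pattern' lines
with %c/%u substitution, '+'/'#' wildcards, and 'deny' overriding grants.
"""

# Constructed sample ACL file.
SAMPLE_ACL = """\
# topic lines before any 'user' line apply to anonymous clients
topic read public/#

user b827eb74663e
topic readwrite devices/b827eb74663e/lamp/#
topic deny devices/b827eb74663e/lamp/set_config

# pattern lines apply to every client; %c is the client id, %u the username
pattern readwrite devices/%c/#
"""


def parse_acl(text):
    """Return (per_user, patterns): per_user maps username (None for the
    anonymous section) to [(access, filter)], patterns is [(access, filter)]."""
    per_user = {None: []}
    patterns = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user":
            current = parts[1]
            per_user.setdefault(current, [])
        elif parts[0] in ("topic", "pattern"):
            # access defaults to readwrite when omitted
            access, filt = (parts[1], parts[2]) if len(parts) == 3 else ("readwrite", parts[1])
            (patterns if parts[0] == "pattern" else per_user[current]).append((access, filt))
        else:
            raise ValueError("unknown ACL directive: " + parts[0])
    return per_user, patterns


def topic_matches(filt, topic):
    """MQTT filter match: '+' matches exactly one level, '#' the remainder."""
    f_parts = filt.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def allowed(acl, username, clientid, topic, access):
    """access is 'read' (subscribe/receive) or 'write' (publish).
    A matching deny rule wins over any grant."""
    per_user, patterns = acl
    rules = list(per_user.get(username, []))
    for acc, filt in patterns:
        rules.append((acc, filt.replace("%c", clientid).replace("%u", username or "")))
    matching = [acc for acc, filt in rules if topic_matches(filt, topic)]
    if "deny" in matching:
        return False
    return any(acc in ("readwrite", access) for acc in matching)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    checks = [
        ("b827eb74663e", "b827eb74663e", "devices/b827eb74663e/lamp/changed", "write"),
        ("b827eb74663e", "b827eb74663e", "devices/b827eb74663e/lamp/set_config", "write"),
        ("sensor7", "sensor7", "devices/sensor7/temp", "write"),
        ("sensor7", "sensor7", "devices/sensor8/temp", "read"),
        (None, "anon", "public/news", "write"),
    ]
    for user, cid, topic, access in checks:
        print(f"{user!s:>14} {access:5} {topic:40} -> {allowed(acl, user, cid, topic, access)}")
```

The `pattern readwrite devices/%c/#` line is what takes the sting out of the "laborious to maintain" problem: with use_identity_as_username and certificate-derived client ids, every device is confined to its own `devices/<id>/` subtree without a per-device entry in the file, and a device that presents as sensor7 cannot touch devices/sensor8/.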
Mosquitto Auth Plugin
Mosquitto supports an authentication plugin - effectively a shared-object library (DLL)
Very flexible - Authentication and ACL
mosquitto-auth-plug Open Source Plugin supporting various backends (MySQL, PostgreSQL, Redis, LDAP, HTTP)
MQTT
http://www.eclipse.org/paho/
http://www.hivemq.com/resources/
LeanDog IoT Blog Articles
http://blog.leandog.com/internet-of-things/
Today’s PSA
If you’re going to connect it, you’ve got to protect it.