Practical Security with MQTT and Mosquitto


Practical Security with MQTT and Mosquitto
Nick Barendt

• Wayward Electrical Engineer (EE)
• Embedded Systems & Scalable Cloud Computing
• LeanDog Studio
• Case Western Reserve Univ. EECS Adjunct Faculty

Nick Barendt

Helping companies improve their culture and their products
Design and Delivery Studio: Web, Mobile, Cloud, integrated with UX

I.T. Infrastructure AND Security - tell me more!

Talking about MQTT and Security

How it all started…

Opportunity to teach a Junior/Senior engineering course on Connected Devices

CWRU, Cleveland, Ohio - Fall 2015

IoT - Embedded, Web, Mobile, UX - enormous breadth of technology

Why teach a course?

Course Goals

- Expose students to broader systems view
- Demonstrate evolutionary system design
- Provide intense, hands-on experience
- Present both functional and nonfunctional requirements
- Avoid black boxes and vendor lock-in

Weekly Course Syllabus

1. Introduction to Connected Devices / Internet of Things
2. User Experience and User Interfaces
3. Publish/Subscribe and Message Queues for Integration
4. Introduction to the Cloud
5. Web User Interfaces
6. Intro Web Frameworks
7. Introduction to Native Mobile Development
8. Introduction to Bluetooth Classic and Bluetooth Low Energy
9. Introduction to Analytics
10. Introduction to Load Testing
11. Updating Firmware in the Field
12. Essential Security
13. IoT Platforms and Final Projects Assigned
14. Final Projects Presentations

Non-Functional - IoT Security Issues (a partial list :-)

- IoT vastly expands surface area for attack - same problems, but enormous scale
- Typically, physical access implies full access and authorization
- You distribute thousands or millions of devices - ridiculous physical access!
- Protect device and owner’s usage
- Protect against DoS attacks, hackers, etc.
- Must also protect your infrastructure from compromised devices

Goal: provide students with a recipe for building a baseline secure IoT system
2 weeks of 14 week course

What do we mean by IoT?

Connected Devices / Internet of Things (IoT)

How do we connect these devices to the cloud?

MQTT

Publish/Subscribe (Pub/Sub) for Connected Devices

Broker

Clients Publish Messages to Topics
Clients Subscribe to Topics

Messages are arbitrary byte strings (frequently JSON, XML snippets)

Topics are UTF-8 Strings, with “/” to indicate levels

What can you do with it?

Boat of Things

Fun, useful, and hackable demo
Learning and experimentation platform
Promotes a “What If?” mindset

It all started because someone wanted to control our Pandora station from a command-line…

It has grown a bit since then…

Amazon Dash Buttons - automated product re-ordering
Now developer kit - AWS IoT Button

Every Friday after all-hands standup we have Friday Cleanup, traditionally accompanied by polka music (for reasons lost to history)

Someone would manually change Pandora channel to polka…

We felt the need to automate Polka Friday (and learn about AWS IoT Button)

Video Link

Paho Libraries

Open Source MQTT Client Libraries (Eclipse Foundation)

Java, C, C++, JavaScript, Python, C#.NET, Go

Basic Python Paho Example - Subscribe to all Topics

import paho.mqtt.client

def on_connect(client, userdata, flags, rc):
    # "#" is the multi-level wildcard: subscribe to every topic on the broker
    client.subscribe("#")

def on_message(client, userdata, msg):
    # print each received message as topic | raw payload bytes
    print(msg.topic + " | " + str(msg.payload))

c = paho.mqtt.client.Client()
c.on_connect = on_connect
c.on_message = on_message

# plain MQTT on the default port 1883: no TLS, no credentials
c.connect("otis.leandog.com")

c.loop_forever()

Mosquitto

Open Source MQTT Broker (Eclipse Foundation)

MQTT 3.1.1

Linux, Mac, Windows

Under rapid development
https://github.com/eclipse/mosquitto

Mosquitto Configuration
Typically stored in /etc/mosquitto/mosquitto.conf

Typical Unix text file configuration syntax

Security settings on a per listener basis - bind address/host, port, protocol (mqtt, web sockets), security

Note: the main file can include other configuration files - a convenient way to keep the configuration somewhat modular

include_dir dir

Mosquitto - Default Listener Configuration

default-listener.conf
# IANA assigned MQTT port
listener 1883
# use MQTT protocol (could be websockets)
protocol mqtt

The Thing

Security: Authentication vs. Authorization

Authentication - Prove you are who you say you are

1 or more of:
- something you have
- something you know
- something you can do

House key - something you have

Passwords - something you know

ATM + PIN - 2 factor - something you have + something you know

SSL/TLS - something you can do (challenge computation w/ PKI X.509 certificate)

Mosquitto Username / Password Configuration

use the mosquitto_passwd CLI tool to generate/edit file

file format:
username:<salted hashed password>

equivalent to HTTP Basic Auth (basically insecure, w/o encryption)

password.conf
listener 2883
protocol mqtt
password_file /usr/local/etc/mosquitto/conf.d/mosquitto.passwd

Username/Password alone is almost certainly a bad idea: without encryption the passwords cross the wire in clear text.
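To make the "clear text" point concrete, here is an added example (not from the slides, and not Paho or Mosquitto code) that encodes an MQTT 3.1.1 CONNECT packet with the Python standard library and decodes it again. On the plain `listener 2883` above, every byte of the username and password fields is readable to anything sitting on the path, which is what the broker-side salted hash in the password file does nothing about. The client id, username and password values are constructed samples, and `carries_cleartext_credentials` is a hypothetical monitoring check for a non-TLS listener, not a Mosquitto feature.

```python
# Added example: encode an MQTT 3.1.1 CONNECT packet and decode it again.
# Not code from the slides, Paho or Mosquitto; standard library only.
# Shows why a username/password listener is only acceptable under TLS:
# without it, both fields are plain length-prefixed strings on the wire.
import struct
from typing import Optional, Tuple


def _mqtt_string(s: bytes) -> bytes:
    """Length-prefixed string/binary field (2-byte big-endian length)."""
    return struct.pack("!H", len(s)) + s


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_remaining_length(data: bytes, pos: int) -> Tuple[int, int]:
    value, multiplier = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _read_bytes(data: bytes, pos: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from("!H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keep_alive: int = 60) -> bytes:
    """Build a clean-session CONNECT packet with optional credentials."""
    flags = 0x02  # clean session; bit 7 = username present, bit 6 = password present
    payload = _mqtt_string(client_id.encode())
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username.encode())
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password.encode())
    variable_header = (_mqtt_string(b"MQTT") + bytes([0x04, flags])
                       + struct.pack("!H", keep_alive))
    body = variable_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    """Decode the fields of a CONNECT packet exactly as they sit on the wire."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_bytes(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    (keep_alive,) = struct.unpack_from("!H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_bytes(packet, pos)
    if flags & 0x04:                      # will flag: skip will topic + will message
        _, pos = _read_bytes(packet, pos)
        _, pos = _read_bytes(packet, pos)
    username = password = None
    if flags & 0x80:
        raw, pos = _read_bytes(packet, pos)
        username = raw.decode()
    if flags & 0x40:
        raw, pos = _read_bytes(packet, pos)
        password = raw.decode()
    return {"protocol": proto.decode(), "level": level, "keep_alive": keep_alive,
            "clean_session": bool(flags & 0x02), "client_id": client_id.decode(),
            "username": username, "password": password}


def carries_cleartext_credentials(packet: bytes) -> bool:
    """Hypothetical monitoring check for a non-TLS listener: flag any CONNECT
    that carries a password field (every byte of it is readable in transit)."""
    try:
        return parse_connect(packet)["password"] is not None
    except (ValueError, IndexError, struct.error):
        return False


if __name__ == "__main__":
    # constructed sample values, not real credentials
    pkt = build_connect("lamp-01", "lamp", "hunter2")
    print(pkt.hex())
    print(parse_connect(pkt))
```

Running the block prints the hex of the packet; the ASCII of both credential fields is visible in it without any decoding at all. The same parser applied to a TLS listener's traffic sees only ciphertext, which is the whole argument for the next slides.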

What to do?

SSL/TLS - Encryption and Authentication

Public Key Infrastructure (PKI)
Asymmetric Encryption - Public/Private Keys
X.509 Certificate - Public Key + Authentication via a Trusted Certificate Authority (CA)

Mosquitto TLS Configuration

tls-broker.conf

listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2

TLS on the broker is a good start:
- traffic encrypted
- clients can use the CA to authenticate the broker

How does the broker authenticate clients?

Provision the clients (devices) with certificates

Sometimes referred to as “Two-Way TLS”

Mosquitto TLS Configuration w/ Client Authentication

tls-broker.conf
listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2

require_certificate true
use_identity_as_username true

Mosquitto TLS Bridge Configuration (Device)

tls-bridge.conf
connection b827eb74663e_broker
address ec2-52-20-29-213.compute-1.amazonaws.com:8883
remote_clientid b827eb74663e_broker

bridge_cafile /etc/mosquitto/ca_certificates/ca.crt
bridge_certfile /etc/mosquitto/certs/b827eb74663e_broker.crt
bridge_keyfile /etc/mosquitto/certs/b827eb74663e_broker.key
bridge_tls_version tlsv1.2

topic lamp/set_config in 1 "" devices/b827eb74663e/
topic lamp/changed out 1 "" devices/b827eb74663e/
topic lamp/connection/+/state out 2 "" devices/b827eb74663e/

Mosquitto TLS Configuration for Websockets

tls-websockets.conf

listener 52111
protocol websockets
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2

Authorization - What actions am I permitted to take?

Access Control List (ACL)

Mosquitto supports a file-based ACL mechanism:

acl_file filepath

with a format:

user <username>
pattern [read | write | readwrite] <topic>

This works, but is laborious to maintain as users and devices are added & removed
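As an added example (not Mosquitto's own code) that serves both the topic description earlier in the deck (levels separated by "/", with "+" matching one level and "#" the rest) and the acl_file format above: a small reference evaluator for user sections and pattern lines, so the reader can see exactly which grants an entry produces before putting it on a broker. Assumptions, also marked in the code: the access keyword defaults to readwrite when omitted, `%u` and `%c` in pattern lines expand to the username and client id, users with no section get nothing (deny by default), and the anonymous rule set (topic lines before any user line) is not modelled. With `use_identity_as_username true` on the TLS listener, the username seen here is the client certificate's CN. `SAMPLE_ACL` and its names are constructed.

```python
# Added example, not Mosquitto's own code: a reference evaluator for the
# acl_file format, showing how user sections, pattern lines and MQTT topic
# wildcards combine. Assumptions: readwrite when the access keyword is
# omitted, %u/%c substitution in pattern lines, deny by default, and the
# anonymous rule set (topic lines before any user line) is not modelled.
from typing import Dict, List, Tuple

ACCESS = ("read", "write", "readwrite")
Rule = Tuple[str, str]  # (access, topic filter)

# Constructed sample ACL in the slide's file format. With
# use_identity_as_username, the username is the client certificate CN.
SAMPLE_ACL = """
user lamp-b827eb74663e
topic read devices/b827eb74663e/lamp/set_config
topic write devices/b827eb74663e/lamp/changed

user dashboard
topic read devices/#
topic readwrite devices/+/lamp/set_config

# every authenticated client gets its own subtree; %c = client id, %u = username
pattern readwrite clients/%c/#
"""


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 matching: '+' matches one level, '#' the remainder (last
    level only). A filter starting with a wildcard never matches '$SYS/...'."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def parse_acl(text: str) -> Tuple[Dict[str, List[Rule]], List[Rule]]:
    """Return ({username: rules}, pattern_rules) from acl_file text."""
    users: Dict[str, List[Rule]] = {}
    patterns: List[Rule] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = rest
            users.setdefault(current, [])
        elif keyword in ("topic", "pattern"):
            parts = rest.split(None, 1)
            if len(parts) == 2 and parts[0] in ACCESS:
                access, topic_filter = parts
            else:
                access, topic_filter = "readwrite", rest  # assumed default
            if keyword == "pattern":
                patterns.append((access, topic_filter))
            elif current is not None:
                users[current].append((access, topic_filter))
        else:
            raise ValueError("unknown ACL keyword: " + keyword)
    return users, patterns


def is_allowed(users: Dict[str, List[Rule]], patterns: List[Rule],
               username: str, client_id: str, topic: str, action: str) -> bool:
    """action is 'read' (subscribe/receive) or 'write' (publish).
    Anything not explicitly granted is denied."""
    rules = list(users.get(username, []))
    for access, topic_filter in patterns:
        expanded = topic_filter.replace("%u", username).replace("%c", client_id)
        rules.append((access, expanded))
    return any(access in (action, "readwrite") and topic_matches(f, topic)
               for access, f in rules)


if __name__ == "__main__":
    users, patterns = parse_acl(SAMPLE_ACL)
    for who, cid, topic, action in [
        ("lamp-b827eb74663e", "b827eb74663e", "devices/b827eb74663e/lamp/changed", "write"),
        ("lamp-b827eb74663e", "b827eb74663e", "devices/other/lamp/changed", "write"),
        ("dashboard", "dash-1", "devices/b827eb74663e/lamp/changed", "read"),
        ("dashboard", "dash-1", "$SYS/broker/uptime", "read"),
    ]:
        print(who, action, topic, "->", is_allowed(users, patterns, who, cid, topic, action))
```

The pattern line is what keeps a per-device ACL from growing with every enrolment: one `clients/%c/#` entry gives each certificate-identified client its own subtree and nothing else, which is the maintenance problem the next slide's plugin approach addresses at scale.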

Mosquitto Auth Plugin

Mosquitto supports an authentication plugin - effectively a shared-object library (DLL)

Very flexible - Authentication and ACL

mosquitto-auth-plug Open Source Plugin supporting various backends (MySQL, PostgreSQL, Redis, LDAP, HTTP)

@nickbarendt
nick.barendt@leandog.com

MQTT
http://www.eclipse.org/paho/
http://www.hivemq.com/resources/

LeanDog IoT Blog Articles
http://blog.leandog.com/internet-of-things/

Today’s PSA: If you’re going to connect it, you’ve got to protect it.
