Practical Security with MQTT and Mosquitto
Nick Barendt
- Wayward Electrical Engineer (EE)
- Embedded Systems & Scalable Cloud Computing
- LeanDog Studio
- Case Western Reserve Univ. EECS Adjunct Faculty
LeanDog: helping companies improve their culture and their products
Design and Delivery Studio: Web, Mobile, Cloud, integrated with UX
I.T. Infrastructure AND Security - tell me more!
Talking about MQTT and Security
How it all started…
Opportunity to teach a Junior/Senior engineering course on Connected Devices
CWRU, Cleveland, Ohio - Fall 2015
IoT - Embedded, Web, Mobile, UX - enormous breadth of technology
Why teach a course?
Course Goals
- Expose students to a broader systems view
- Demonstrate evolutionary system design
- Provide intense, hands-on experience
- Present both functional and non-functional requirements
- Avoid black boxes and vendor lock-in
Weekly Course Syllabus
- Introduction to Connected Devices / Internet of Things
- User Experience and User Interfaces
- Publish/Subscribe and Message Queues for Integration
- Introduction to the Cloud
- Web User Interfaces
- Intro to Web Frameworks
- Introduction to Native Mobile Development
- Introduction to Bluetooth Classic and Bluetooth Low Energy
- Introduction to Analytics
- Introduction to Load Testing
- Updating Firmware in the Field
- Essential Security
- IoT Platforms and Final Projects Assigned
- Final Project Presentations
Non-Functional - IoT Security Issues (a partial list :-)
- IoT vastly expands the attack surface: the same problems as ever, but at enormous scale
- Typically, physical access implies full access and authorization
- You distribute thousands or millions of devices: ridiculous amounts of physical access!
- Protect the device and the owner's usage
- Protect against DoS attacks, hackers, etc.
- Must also protect your infrastructure from compromised devices (a device certificate in an attacker's hands is still a valid credential until revoked)
Goal: provide students with a recipe for building a baseline secure IoT system
2 weeks of a 14-week course
What do we mean by IoT?
Connected Devices / Internet of Things (IoT)
How do we connect these devices to the cloud?
MQTT
Publish/Subscribe (Pub/Sub) for Connected Devices
Broker
Clients publish messages to topics
Clients subscribe to topics
Messages are arbitrary byte strings (frequently JSON or XML snippets); the broker does not interpret or validate them
Topics are UTF-8 strings, with "/" separating levels; "+" matches one level and "#" matches all remaining levels in a subscription
What can you do with it?
Boat of Things
- Fun, useful, and hackable demo
- Learning and experimentation platform
- Promotes a "What If?" mindset
It all started because someone wanted to control our Pandora station from a command-line…
It has grown a bit since then…
Amazon Dash Buttons - automated product re-ordering
Now a developer kit - AWS IoT Button
Every Friday after all-hands standup we have Friday Cleanup, traditionally accompanied by polka music (for reasons lost to history)
Someone would manually change Pandora channel to polka…
We felt the need to automate Polka Friday (and learn about AWS IoT Button)
Paho Libraries
Open Source MQTT Client Libraries (Eclipse Foundation)
Java, C, C++, JavaScript, Python, C#.NET, Go
Basic Python Paho Example - Subscribe to all Topics (paho-mqtt 1.x callback signatures; plaintext, unauthenticated connection - the problem the rest of the talk fixes)

    import paho.mqtt.client

    def on_connect(client, userdata, flags, rc):
        # "#" matches every topic, so we receive everything the broker lets us see
        client.subscribe("#")

    def on_message(client, userdata, msg):
        print(msg.topic + " | " + str(msg.payload))

    c = paho.mqtt.client.Client()
    c.on_connect = on_connect
    c.on_message = on_message

    # default port 1883, no TLS, no credentials
    c.connect("otis.leandog.com")

    c.loop_forever()
Mosquitto
Open Source MQTT Broker (Eclipse Foundation)
MQTT 3.1.1
Linux, Mac, Windows
Under rapid development
https://github.com/eclipse/mosquitto
Mosquitto Configuration
Typically stored in /etc/mosquitto/mosquitto.conf
Typical Unix text file configuration syntax
Security settings are set per listener: bind address/host, port, protocol (mqtt or websockets), TLS and authentication options
Note: the main file can include other configuration files, a convenient way to keep the listeners modular:
include_dir dir
Mosquitto - Default Listener Configuration
default-listener.conf
# IANA assigned MQTT port
listener 1883
# use MQTT protocol (could be websockets)
protocol mqtt
The Thing
Security: Authentication vs. Authorization
Authentication - Prove you are who you say you are
1 or more of:
- something you have
- something you know
- something you can do
House key - something you have
Passwords - something you know
ATM card + PIN - 2 factor - something you have + something you know
SSL/TLS client authentication - something you can do: complete a challenge that requires the private key matching a PKI X.509 certificate (in the classic taxonomy this is "something you have", the key)
Mosquitto Username / Password Configuration
use the mosquitto_passwd CLI tool to generate/edit file
file format (one entry per line):
username:<salted hashed password>
Equivalent to HTTP Basic Auth: the file stores hashes, but the CONNECT packet carries the password itself, so without encryption it crosses the wire in clear text
password.conf
listener 2883
protocol mqtt
password_file /usr/local/etc/mosquitto/conf.d/mosquitto.passwd
Username/password on a plaintext listener like this is almost certainly a bad idea: clear-text passwords on the wire. It is only acceptable on a TLS listener.
What to do?
SSL/TLS - Encryption and Authentication
Public Key Infrastructure (PKI)
Asymmetric Encryption - Public/Private Keys
X.509 Certificate - Public Key + Authentication via a Trusted Certificate Authority (CA)
Mosquitto TLS Configuration
tls-broker.conf
listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
TLS on the broker is a good start:
- traffic is encrypted
- clients can use the CA to authenticate the broker, but only if they actually verify the server certificate (in Paho: tls_set() with the CA file and cert_reqs=ssl.CERT_REQUIRED; never tls_insecure_set(True) outside a lab)
How does the broker authenticate clients?
Provision each client (device) with its own certificate, signed by the CA the broker trusts, and the broker verifies it against cafile
Sometimes referred to as "Two-Way TLS" or mutual TLS (mTLS)
Mosquitto TLS Configuration w/ Client Authentication
tls-broker.conf
listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
# reject clients that do not present a certificate signed by the CA
require_certificate true
# the certificate's CN becomes the MQTT username, so ACLs can key on it
use_identity_as_username true
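The three listener files above go from plaintext, to plaintext with passwords, to mutual TLS. The following is an added example for this write-up (not Mosquitto's own code or tooling) that audits a mosquitto.conf for exactly those weak combinations: a listener without certfile/keyfile, a password_file sent over plaintext, TLS without require_certificate, an old tls_version, and no client authentication at all. The sample config is the deck's three files concatenated as include_dir would load them; the per-listener attribution of options is a simplification (Mosquitto treats some options as global unless per_listener_settings is on).

```python
"""Audit a mosquitto.conf for the listener weaknesses discussed above.

Added example; not part of Mosquitto or of the original deck. Options are
attributed to the most recent 'listener' line, which is a simplification.
"""
from dataclasses import dataclass, field

# Constructed sample: the three listener files from the slides, concatenated
# the way include_dir would pull them in.
SAMPLE_CONF = """
# default-listener.conf
listener 1883
protocol mqtt

# password.conf
listener 2883
protocol mqtt
password_file /usr/local/etc/mosquitto/conf.d/mosquitto.passwd

# tls-broker.conf
listener 8883
protocol mqtt
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true
"""


@dataclass
class Listener:
    port: int
    options: dict = field(default_factory=dict)


def parse_listeners(text):
    """Split a config into listeners; options seen before the first
    'listener' line are treated as global and copied to every listener."""
    global_opts, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = Listener(int(value.split()[0]), dict(global_opts))
            listeners.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current.options[key] = value
    return listeners


def audit_listener(lst):
    """Return the weaknesses found on one listener as short strings."""
    o = lst.options
    findings = []
    has_tls = "certfile" in o and "keyfile" in o
    if not has_tls:
        findings.append("plaintext listener: MQTT traffic is unencrypted")
        if "password_file" in o:
            findings.append("password_file on a plaintext listener: "
                            "credentials cross the wire in clear text "
                            "(HTTP Basic Auth without TLS)")
    else:
        if o.get("tls_version", "").lower() in ("tlsv1", "tlsv1.1"):
            findings.append("tls_version below TLS 1.2")
        if o.get("require_certificate", "false").lower() != "true":
            findings.append("server-only TLS: clients are not "
                            "authenticated by certificate")
    client_auth = ("password_file" in o
                   or o.get("require_certificate", "false").lower() == "true")
    # Mosquitto 1.x defaults allow_anonymous to true; 2.0 flipped it to false.
    if not client_auth and o.get("allow_anonymous", "true").lower() != "false":
        findings.append("anonymous clients accepted "
                        "(allow_anonymous defaults to true on Mosquitto 1.x)")
    return findings


def audit(text):
    """Map each listener port to its list of findings (empty means clean)."""
    return {lst.port: audit_listener(lst) for lst in parse_listeners(text)}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONF).items():
        print(port, findings or ["ok"])
```

Run against the sample, ports 1883 and 2883 each produce findings and 8883 comes back clean; flipping require_certificate to false on 8883 immediately reports both "server-only TLS" and anonymous access, which is the state many "we use TLS" deployments are actually in.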
Mosquitto TLS Bridge Configuration (Device)
tls-bridge.conf
connection b827eb74663e_broker
address ec2-52-20-29-213.compute-1.amazonaws.com:8883
remote_clientid b827eb74663e_broker
bridge_cafile /etc/mosquitto/ca_certificates/ca.crt
bridge_certfile /etc/mosquitto/certs/b827eb74663e_broker.crt
bridge_keyfile /etc/mosquitto/certs/b827eb74663e_broker.key
bridge_tls_version tlsv1.2
# topic <pattern> <direction> <qos> <local prefix> <remote prefix>
topic lamp/set_config in 1 "" devices/b827eb74663e/
topic lamp/changed out 1 "" devices/b827eb74663e/
topic lamp/connection/+/state out 2 "" devices/b827eb74663e/
Mosquitto TLS Configuration for Websockets
tls-websockets.conf
listener 52111
protocol websockets
cafile /usr/local/etc/mosquitto/ca_certificates/ca.crt
certfile /usr/local/etc/mosquitto/server.crt
keyfile /usr/local/etc/mosquitto/server.key
tls_version tlsv1.2
Authorization - What actions am I permitted to take?
Access Control List (ACL)
Mosquitto supports a file-based ACL mechanism:
acl_file filepath
with a format:
user <username>
topic [read | write | readwrite] <topic>
pattern [read | write | readwrite] <topic>
topic lines before the first user line apply to anonymous clients; topic lines after a user line apply to that user; pattern lines apply to every client, with %u replaced by the username and %c by the client id (so a single "pattern readwrite devices/%u/#" confines each certificate-authenticated device to its own subtree)
Once acl_file is set, anything not explicitly allowed is denied
This works, but is laborious to maintain as users and devices are added and removed
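To make the ACL rules concrete, here is an added example for this write-up (not Mosquitto's code) that evaluates a small acl_file against a (username, client id, topic, access) tuple with the semantics just described: anonymous section, per-user sections, and pattern lines with %u/%c substitution. The ACL text is constructed; the device username b827eb74663e and client id b827eb74663e_broker are the ones from the bridge slide, on the assumption that use_identity_as_username has made the certificate CN the username. It checks a single concrete topic rather than a wildcard subscription filter, which is a simplification of what the broker does on SUBSCRIBE.

```python
"""Evaluate Mosquitto-style acl_file rules for one client and topic.

Added example; not Mosquitto's own implementation. Models: 'topic' lines
before any 'user' line apply to anonymous clients, 'topic' lines after
'user X' apply to X, 'pattern' lines apply to every client with %u and %c
substituted. Simplification: matches one concrete topic, not a wildcard
subscription filter.
"""

# Constructed ACL file. With use_identity_as_username true, %u is the CN
# of the device certificate, so one pattern line confines every device to
# its own devices/<id>/ subtree without a per-device entry.
ACL_FILE = """\
# anonymous clients: read-only status feed
topic read status/public

user dashboard
topic read devices/#
topic write devices/+/lamp/set_config

# every authenticated client: its own subtree only
pattern readwrite devices/%u/#
"""


def topic_matches(pattern, topic):
    """MQTT wildcard match: '+' is one level, '#' the rest of the topic."""
    p_parts, t_parts = pattern.split("/"), topic.split("/")
    for i, part in enumerate(p_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(p_parts) == len(t_parts)


def parse_acl(text):
    """Return (anonymous_rules, {user: rules}, pattern_rules); a rule is
    (access, topic) with access in {'read', 'write', 'readwrite'}."""
    anon, users, patterns = [], {}, []
    current = anon
    for raw in text.splitlines():
        line = raw.strip()
        # only a leading '#' is a comment; elsewhere '#' is a topic wildcard
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user":
            current = users.setdefault(parts[1], [])
            continue
        if parts[0] not in ("topic", "pattern"):
            raise ValueError("unknown ACL line: " + line)
        if len(parts) == 2:                 # access omitted: readwrite
            access, topic = "readwrite", parts[1]
        else:
            access, topic = parts[1], parts[2]
        if access not in ("read", "write", "readwrite"):
            raise ValueError("bad access type: " + line)
        (patterns if parts[0] == "pattern" else current).append((access, topic))
    return anon, users, patterns


def allowed(acl, username, client_id, topic, access):
    """access is 'read' (subscribe/receive) or 'write' (publish).
    No matching rule means denied, as with Mosquitto once acl_file is set."""
    anon, users, patterns = acl
    rules = list(anon if username is None else users.get(username, []))
    for acc, pat in patterns:
        if "%u" in pat:
            if username is None:
                continue            # nothing to substitute for anonymous clients
            pat = pat.replace("%u", username)
        rules.append((acc, pat.replace("%c", client_id)))
    # 'read' and 'write' are both substrings of 'readwrite'
    return any(access in acc and topic_matches(pat, topic) for acc, pat in rules)


if __name__ == "__main__":
    acl = parse_acl(ACL_FILE)
    dev = ("b827eb74663e", "b827eb74663e_broker")   # CN and client id from the bridge slide
    print(allowed(acl, *dev, "devices/b827eb74663e/lamp/changed", "write"))
    print(allowed(acl, *dev, "devices/other/lamp/changed", "write"))
```

The device can publish lamp/changed under its own prefix and read its own set_config, but cannot write into another device's subtree or even read the anonymous status feed, because the anonymous section does not apply to authenticated clients. The dashboard user can read all devices and write only set_config. This is the containment the "protect your infrastructure from compromised devices" bullet is asking for.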
Mosquitto Auth Plugin
Mosquitto supports an authentication plugin (auth_plugin option): a shared-object library (.so / DLL) the broker loads to answer authentication and ACL queries
Very flexible - Authentication and ACL, backed by whatever store you already run
mosquitto-auth-plug: open source plugin supporting various backends (MySQL, PostgreSQL, Redis, LDAP, HTTP)
MQTT
http://www.eclipse.org/paho/
http://www.hivemq.com/resources/
LeanDog IoT Blog Articleshttp://blog.leandog.com/internet-of-things/
Today's PSA: If you're going to connect it, you've got to protect it.