I've got everything set up and working for MQTT now. I am using the IBM wmqtt.jar and the Mosquitto broker.

My Java Servlet creates an MQTTConnection to the broker and publishes under the topic "AndroidDeviceID/myAppName".
</grreplace>
<gr_replace lines="7" cat="clarify" orig="The Android client">
The Android client subscribes to that same topic.

The Android client subscribes to that same topic...

It seems to me that if anyone knew the device name of my user, they could create a simple Android app and subscribe to that topic on my MQTT broker. Then they would get all the notifications (in this case instant messaging messages) meant for my users.

How is this properly avoided?

Daniel Guillamot

4 Answers


Mosquitto provides security through username and password authentication as well as limiting access to topics with access control lists. There are details in the mosquitto.conf man page: http://mosquitto.org/man/mosquitto-conf-5.html

ralight
  • Great, thanks. I have also just started to migrate over to the latest version of Java MQTT - Eclipse Paho - http://git.eclipse.org/c/paho/org.eclipse.paho.mqtt.java.git/ it looks like this will support username/passwords on connect. One issue I still have is encryption. All of my other data is being sent over SSL. The MQTT messages will be previews of instant messaging messages, so I consider this confidential. Any thoughts on how to prevent snooping the net traffic? – Daniel Guillamot Apr 07 '12 at 19:05
  • Well I guess I can make my own simple obfuscation method on the text that goes back and forth, hmm. Not quite what I am getting with the SSL encryption and certificate authentication though. But maybe without going to IBM's commercial MQTT broker that is the best I can do? – Daniel Guillamot Apr 07 '12 at 19:08
  • Mosquitto will get SSL support in the future. In the meantime you could do simple message encryption. Not the best answer, I realise. – ralight Apr 07 '12 at 22:59
  • Just to add to my developments today. I was unable to get user authentication working with the Windows version of mosquitto. I was using the Cygwin version (as the native Windows version was not allowing me to connect at all). Now I am using the CentOS version of mosquitto and user authentication is working well :) The last thing I am looking at now is what QoS to use. – Daniel Guillamot Apr 08 '12 at 08:20
  • Right now I feel like QoS 2 is what I want, as I need guaranteed delivery: these are IM messages, and no delivery means no push notification to the phone, and the conversation dies. – Daniel Guillamot Apr 08 '12 at 08:24
  • Could you email me with any details of what didn't work on Windows? I'm away on holiday now but will look into it when I get back. QoS 1 should also be fine, assuming receiving the message more than once wouldn't be a problem. – ralight Apr 10 '12 at 16:34
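As an added illustration (not part of ralight's answer), this is how the per-device topic from the question can be locked down with the password file and ACL options ralight points to. It assumes a current Mosquitto release (which, unlike the 2012 versions discussed in the comments, also supports TLS listeners), that each Android client connects with a username equal to its device ID, and that the servlet connects as user "servlet"; all file paths are placeholders.

```conf
# ---- /etc/mosquitto/mosquitto.conf (placeholder path) ----

# Weak: anyone who can reach the port may connect without credentials
# and subscribe to "<AndroidDeviceID>/myAppName".
#listener 1883
#allow_anonymous true

# Hardened: TLS listener so previews are not readable on the wire,
# credentials required, topic access restricted by the ACL file below.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

allow_anonymous false
# Entries are created with: mosquitto_passwd -c /etc/mosquitto/passwd <username>
password_file /etc/mosquitto/passwd
acl_file      /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (placeholder path) ----

# The servlet publishes previews to every device's topic ('+' matches one
# level) but never needs to read them, so it gets write access only.
user servlet
topic write +/myAppName

# "pattern" rules apply to every authenticated client; %u is replaced by the
# client's username, i.e. its device ID. A client can therefore only read
# its own "<deviceID>/myAppName" topic, and knowing another user's device
# ID is useless without that user's password.
pattern read %u/myAppName
```

Note that "topic" lines placed before the first "user" line would apply to anonymous clients, which is why the servlet's "user" line comes first.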

ACLs are what restrict clients from subscribing to topics. I am using an auth plugin to do so; here is the link: mosquitto auth plugin

achuth
  • Have you used the auth plugin with Redis? I am struggling with the values for auth_opt_redis_userquery and auth_opt_redis_aclquery. – TheAshwaniK Mar 14 '15 at 00:56
  • I am using the auth plugin with MySQL. Looking into the [implementation](https://github.com/jpmens/mosquitto-auth-plug/blob/master/be-redis.c) may help you. – achuth Mar 16 '15 at 04:22

In general, MQTT keeps security very "light" as it was originally designed for use with closed sensor networks. It is down to the broker implementation to provide e.g. SSL and decide how to handle the username/password backend.

Encryption of message data is unlikely to ever be provided by the protocol itself and is something that is typically done at the application layer if this is critical.

Andy Piper
  • Just a remark: security is not SSL, nor is SSL security. The OP's question is asking about privacy more than it is asking about security. – xryl669 Nov 05 '19 at 13:56

If you need a more custom way of handling access control and topic permissions, try using the HiveMQ MQTT broker. As explained in the documentation, you can implement your own behaviour with a plugin. This approach lets you decide completely how the authentication and authorization of clients, publishes and subscribes is handled [1]. If you are interested, the best way to start with your own plugin is described here [2].

By the way, it is also very easy to configure TLS for HiveMQ [3].

Christian (HiveMQ Team)

[1] http://www.hivemq.com/docs/plugins/1.5.0/#auth-permission-chapter

[2] http://www.hivemq.com/documentations/getting-started-plugins/

[3] http://www.hivemq.com/docs/hivemq/1.5.0/#hivemqdocs_ssl_tls

Christian Götz