
I'm designing an IoT product, and I'm searching for solutions to secure the system.

The system's protocol is MQTT; while it's very helpful, it contains vulnerabilities.

I've read enough to come up with this proposed system:

  • Using TLS: It's important, but it depends on support.
  • Apply a client-id prefix rule: The server won't accept any client-id other than ones that meet a certain prefix, e.g. device-.
  • Authorization: Creating an ACL (Access Control List) to allow each device to only subscribe to topics prefixed with its device-id rx/device00001/# and only publish to topics with the same property tx/device00001/.*
  • Limit the accepted message lengths.*
  • Use authentication that depends on the MCU's MAC address and a device name:
    Use device-id as client-id, and both device-id and MAC as the password, where MAC and device-id are securely shared with the server during the firmware flashing process.
  • Use application payload encryption.
Comments:
  • * The server terminates the client otherwise.
  • If TLS isn't used, an encrypted password is needed to secure the CONNECT packet sent to the server, because credentials are sent in plaintext.
    Besides that: the password should be a function of UNIX time, to limit replay attacks. The time is used at server-side to check the freshness of the request.
  • If all security layers are used, is there a need for application payload encryption?

Can you tell whether this system is secure or whether it contains threats?

  • Seems like you already have some basics like TLS for encryption in transit and session timeout. You may run a few security scans as well; they can tell you more on where your weak point is – Vcode Apr 29 '21 at 08:00
  • Thanks @Vcode, I don't have any experience with security scans; what could be the starting point for that? Hopefully something related to the MQTT protocol. – Hamza Hajeir Apr 29 '21 at 08:26
  • A similar approach is described [here](https://www.einfochips.com/blog/securing-message-transfer-protocol-mqtt-in-iot-environment/) – Hamza Hajeir Mar 31 '22 at 12:01
  • Using DeviceID along with the MAC as password is a bad idea: the attacker knows the device-id beforehand (if it's public, e.g. in WiFi provisioning), and also knows its MAC address for sure. – Hamza Hajeir Aug 21 '22 at 14:28
  • Application code encryption would really help, using AEAD (Authenticated Encryption with Associated Data), with the associated data being the full topic. It offers advanced security. – Hamza Hajeir Aug 21 '22 at 14:30
  • "If all security layers are used, is there a need for application payload encryption?" No if TLS is utilized, yes if not, because of MITM attacks that could alter the message. – Hamza Hajeir Aug 21 '22 at 14:32

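The broker-side checks the question lists (client-id prefix rule, per-device ACL on subscribe and publish topics, payload length limit, and a password that is a function of UNIX time so a captured CONNECT cannot be replayed for long) can be sketched as one policy module. The code below is an added example, not from the question or any MQTT broker. It assumes, following the later comment that device-id plus MAC is guessable, that each device is provisioned at flash time with a per-device secret key the server also stores; the password in CONNECT is then an HMAC over device-id, MAC and a 30-second time bucket. The device registry, key and MAC values are constructed for the example, and the broker hooks that would call these functions are not shown.

```python
"""Broker-side policy checks for an MQTT IoT deployment (added example).

Assumptions not taken from the question: a per-device secret key is
provisioned at flashing time and stored server-side; the CONNECT password
is HMAC-SHA256(key, device_id | mac | time_bucket), which bounds replay
of a captured CONNECT to a short window.
"""
import hashlib
import hmac
import time

CLIENT_ID_PREFIX = "device-"   # client-id prefix rule from the question
TIME_STEP = 30                 # seconds per time bucket for the password
MAX_PAYLOAD = 256              # bytes; larger messages get the client disconnected
SUB_ROOT = "rx/"               # devices may only subscribe under rx/<device-id>/
PUB_ROOT = "tx/"               # devices may only publish under tx/<device-id>/

# Constructed device registry: what the server learned at flashing time.
DEVICES = {
    "device-00001": {
        "mac": "AA:BB:CC:DD:EE:01",               # constructed
        "key": b"constructed-secret-key-00001",   # constructed, never reuse
    },
}


def client_id_allowed(client_id):
    """Client-id prefix rule: reject anything not of the form device-<something>."""
    return client_id.startswith(CLIENT_ID_PREFIX) and len(client_id) > len(CLIENT_ID_PREFIX)


def derive_password(device_id, mac, key, unix_time):
    """Time-bound password: identical on device and server for the same bucket."""
    bucket = int(unix_time) // TIME_STEP
    msg = f"{device_id}|{mac}|{bucket}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_connect(client_id, password, now=None, skew_buckets=1):
    """Server-side CONNECT check: prefix rule, known device, fresh password.

    skew_buckets tolerates clock drift of +/- one bucket; anything older is
    treated as a replay and rejected.
    """
    now = time.time() if now is None else now
    if not client_id_allowed(client_id):
        return False
    dev = DEVICES.get(client_id)
    if dev is None:
        return False
    ok = False
    for delta in range(-skew_buckets, skew_buckets + 1):
        expected = derive_password(client_id, dev["mac"], dev["key"], now + delta * TIME_STEP)
        # constant-time compare so a wrong guess leaks nothing through timing
        ok |= hmac.compare_digest(expected.encode(), password.encode())
    return ok


def authorize(device_id, action, topic):
    """Per-device ACL: subscribe only under rx/<id>/, publish only under tx/<id>/."""
    if action == "subscribe":
        # "rx/device-00001/#" passes; "rx/#" and "rx/device-00002/x" do not
        return topic.startswith(f"{SUB_ROOT}{device_id}/")
    if action == "publish":
        # publish topics must be literal; reject wildcards rather than trust the client
        root = f"{PUB_ROOT}{device_id}/"
        return topic.startswith(root) and "+" not in topic and "#" not in topic
    return False


def payload_allowed(payload):
    """Message length limit; the broker terminates the client on violation."""
    return len(payload) <= MAX_PAYLOAD
```

The trailing slash in the ACL roots matters: checking for `rx/device-00001` without it would also let `device-00001` subscribe to `rx/device-000012/...`. Without TLS this only bounds replay to the skew window; it does not hide the device-id or MAC on the wire, which is why the question's own comments still favour TLS or AEAD payload protection.
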
1 Answer

I haven't worked with MQTT myself but did some research, and it looks like TrendMicro has an article on that:

https://www.trendmicro.com/vinfo/es/security/news/internet-of-things/mqtt-and-coap-security-and-privacy-issues-in-iot-and-iiot-communication-protocols

Some other scanner tools are Nessus and Tenable.

You may give them a try on their trial versions before you pay for any certificate. Hope it helps to some extent.

Vcode
  • Hi Vcode, thank you for your input, which gives me a research tip. I've read the article and will read the research soon. I've searched for Nessus; it seems to be produced by the Tenable company. Is there a specific Tenable product you encourage me to look into? – Hamza Hajeir May 28 '21 at 06:27
  • Nessus is the only product from them I have worked with, in general for vulnerability assessment and security scans. I suggest taking a look at that. Good luck – Vcode May 31 '21 at 14:32
  • Thanks @Vcode, I've just finished the document you pointed to; while it's not answering my situation, it's very useful. If there's something against it, it would be its time of publishing (2018), which is somehow 'old' due to the fast-changing world. Despite this, I've found a mentioned issue in the MQTT library I'm using; I've informed the author and he'll fix it. **Thank you** for pointing out this document!! – Hamza Hajeir Jun 01 '21 at 10:04