Supplier eBooks

Renesas - Secure Your connected World

Issue link: https://resources.mouser.com/i/1437738

Page 20 of 27

subscribe messaging transport protocol that is open and simple to use. MQTT is designed for constrained devices such as sensor nodes and other IoT devices, as well as for low-bandwidth, high-latency or unreliable networks. These characteristics make MQTT ideal for environments such as Machine-to-Machine (M2M) and IoT communication, where a small code footprint is required and/or network bandwidth is at a premium. MQTT supports TLS and, if it is enabled, can encrypt the complete communication between client and broker, preventing hackers from intercepting data in motion.

CoAP is a specialized web transfer protocol for use with constrained nodes and networks in the IoT. The protocol is designed for M2M applications such as smart energy and building automation. CoAP relies on UDP transport to transfer data and on DTLS to protect it.

Challenges of Securing Connected Devices

Although both MQTT and CoAP were designed for the special requirements of the IoT, and both support popular security protocols, they can be easily attacked if not secured correctly. Networks based on these protocols are particularly susceptible to the following security threats.

Distributed Denial of Service (DDoS) Attack

One of the most common and disruptive forms of cyberattack, a DDoS impedes the normal operations of a targeted server, service or network by overwhelming the target with a flood of internet traffic. These attacks shut down the system or network and prevent authorized users from accessing data or services. They usually result from hackers breaching thousands of networked devices and then orchestrating those devices to bombard a central server until it exhausts its compute resources and fails. Inadequately secured IoT devices are often implicated in DDoS attacks. The massive attack on Dyn in October 2016 that brought down much of the internet was perpetrated through hacked networked devices such as security cameras and digital video recorders.

TCP SYN Flooding

Another form of DDoS attack, a TCP SYN flood manipulates the three-way TCP handshake between client and server to stall the targeted server with incomplete requests to open connection ports. By repeatedly sending initial connection request (SYN) packets without completing the handshake, the attacker is able to overwhelm all available ports on a targeted server, rendering it unresponsive.

Slowloris

Another type of DDoS attack, Slowloris allows an attacker to stall a targeted server using a single machine that opens and maintains many simultaneous HTTP requests to the target. With a limited number of threads available to handle concurrent connections, the targeted server waits for each request to complete, which never happens. Once the server's maximum number of connections has been exceeded, denial of service occurs.

Insecure MQTT

While MQTT is not inherently secure, there are several mechanisms available for securing MQTT connections, including simple username and password combinations and TLS, which provides an encrypted pipeline for MQTT messages. Note that MQTT security restrictions are enforced by the MQTT broker (server), while the client nodes must be configured separately. Not only does this add complexity, but designers must also consider the capabilities of MQTT clients when planning security for the IoT implementation, since sufficient support might be unavailable on simple clients such as very basic sensors.

Insecure CoAP

The security concerns for CoAP are analogous to those for MQTT, but the ramifications of a poor deployment are more severe. Because some of the size and speed advantages of CoAP are negated by adding DTLS security, some publicly exposed infrastructures have neglected to require it, resulting in thousands of unsecured devices on the internet. Because of the differences between TCP and UDP, unsecured CoAP devices can be exploited to launch DDoS attacks with amplification factors of up to 51,000x.

The problem with MQTT, however, is not the protocol but the fact that many MQTT networks are either misconfigured for security or operate with no security at all. Particularly in smart home deployments or IoT networks in small organizations, it often falls to the customer or IoT vendor to implement and properly configure the security mechanisms that protect MQTT communication. Misconfigured MQTT servers without passwords are publicly discoverable on the internet, which allows hackers to infiltrate any smart home or business associated with that server. In addition, because of the one-to-many subscription architecture of MQTT, gaining access to the MQTT server means getting access to all the data crossing the network. Cybercriminals can easily exploit these configuration flaws and vulnerabilities to conduct reconnaissance, covert data theft and DDoS attacks.

Securing Connected Devices in the Hostile World

Ensuring security for connected designs can be challenging and time-consuming even for experienced developers, with multiple risks and malicious actors awaiting the unprepared. Delivering comprehensive, in-depth security protection for products based on embedded devices requires multiple protocols and safeguards that work together to provide security at many levels. Renesas has been a leader in embedded security for decades
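The TCP SYN flooding and Slowloris sections above describe two symptoms a server operator can actually observe: a pile-up of half-open connections, and established connections whose HTTP request never completes. The following Python script is an added example (not code from the Renesas eBook) that flags both symptoms in a snapshot of a server's connection table. The snapshot format, the Conn record, the thresholds and the sample addresses (RFC 5737 documentation ranges) are all assumptions constructed for the example; a real deployment would fill the records from `ss -tan` output plus a web server's connection-status data.

```python
"""Flag SYN-flood and Slowloris symptoms in a snapshot of a server's TCP connection table.

The snapshot format is an assumption for this example: one Conn per socket, roughly what
`ss -tan` shows, plus a request_complete flag that a web server's status module or a
reverse proxy could supply for ESTABLISHED sockets.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Conn:
    src: str                       # remote address
    dst_port: int                  # local listening port the socket belongs to
    state: str                     # "SYN_RECV" (half-open) or "ESTABLISHED"
    age_s: float                   # seconds the socket has been in this state
    request_complete: bool = True  # False while the HTTP request headers are still incomplete


# Thresholds are assumptions for the example; tune them to the listen backlog and worker count.
MAX_HALF_OPEN_PER_PORT = 50
STALL_SECONDS = 30.0
MAX_STALLED_PER_PORT = 20


def detect_syn_flood(conns: List[Conn], max_half_open: int = MAX_HALF_OPEN_PER_PORT) -> List[Dict]:
    """A SYN flood shows up as many SYN_RECV sockets that never reach ESTABLISHED.

    The distinct-source count helps triage: thousands of addresses point at a botnet or
    spoofed SYNs, a single address is a candidate for a plain block at the edge."""
    half_open = [c for c in conns if c.state == "SYN_RECV"]
    per_port = Counter(c.dst_port for c in half_open)
    findings = []
    for port, count in sorted(per_port.items()):
        if count >= max_half_open:
            sources = {c.src for c in half_open if c.dst_port == port}
            findings.append({"symptom": "syn_flood", "port": port,
                             "half_open": count, "distinct_sources": len(sources)})
    return findings


def detect_slowloris(conns: List[Conn], stall_seconds: float = STALL_SECONDS,
                     max_stalled: int = MAX_STALLED_PER_PORT) -> List[Dict]:
    """Slowloris shows up as established sockets whose request never completes.

    The per-source share matters here: as the text notes, one machine is enough, so a
    single address holding most of the stalled sockets is the typical picture."""
    stalled = [c for c in conns if c.state == "ESTABLISHED"
               and not c.request_complete and c.age_s >= stall_seconds]
    per_port = Counter(c.dst_port for c in stalled)
    findings = []
    for port, count in sorted(per_port.items()):
        if count >= max_stalled:
            top_src, top_n = Counter(c.src for c in stalled if c.dst_port == port).most_common(1)[0]
            findings.append({"symptom": "slowloris", "port": port, "stalled": count,
                             "top_source": top_src, "top_source_share": top_n / count})
    return findings


def build_sample_snapshot() -> List[Conn]:
    """Constructed snapshot: a SYN flood against 443 from 60 addresses, a Slowloris
    against 80 from one host, and a handful of healthy connections."""
    conns = [Conn(f"198.51.100.{i}", 443, "SYN_RECV", 2.0) for i in range(1, 61)]
    conns += [Conn("203.0.113.7", 80, "ESTABLISHED", 45.0 + i, request_complete=False)
              for i in range(25)]
    conns += [Conn(f"192.0.2.{i}", 80, "ESTABLISHED", 1.5) for i in range(1, 6)]
    conns.append(Conn("192.0.2.9", 443, "ESTABLISHED", 0.3))
    return conns


if __name__ == "__main__":
    snapshot = build_sample_snapshot()
    for finding in detect_syn_flood(snapshot) + detect_slowloris(snapshot):
        print(finding)
```

Both detectors work on a point-in-time snapshot; running them on a schedule and comparing successive results distinguishes a transient burst from a sustained attack, and the port and top-source fields are what an operator needs to apply SYN cookies, connection limits or a per-source rate limit at the right place.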
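The Insecure MQTT section and the paragraph on misconfigured MQTT networks above point at the same root cause: brokers left with no credentials, no TLS and no topic restrictions. The following Python script is an added example (not code from the Renesas eBook or the Mosquitto project) that audits a Mosquitto-style configuration for exactly those gaps and shows a weak configuration beside a hardened one. The parsing rules, the list of directives checked, the finding texts and the sample file paths are assumptions made for the example.

```python
"""Audit a Mosquitto-style broker configuration for the weaknesses the text describes:
anonymous access, plaintext listeners, missing credentials and no topic access control.

Assumptions of this example: each line is `directive value`, `#` starts a comment, and a
directive that follows a `listener` line belongs to that listener (how Mosquitto treats
per-listener settings when per_listener_settings is true). Paths in the samples are
placeholders.
"""
from typing import Dict, List, Tuple

TLS_DIRECTIVES = ("certfile", "keyfile")                      # both needed for a TLS listener
AUTH_DIRECTIVES = ("password_file", "plugin", "auth_plugin")  # some source of credentials


def parse_listeners(config_text: str) -> List[Dict[str, str]]:
    """One dict per listener with the directives attributed to it; index 0 is a
    synthetic 'global' entry for directives seen before any `listener` line."""
    entries: List[Dict[str, str]] = [{"listener": "global"}]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directive, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if directive == "listener":
            entries.append({"listener": value})
        else:
            entries[-1][directive] = value
    return entries


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (listener, finding) pairs; an empty list means no weakness was spotted."""
    entries = parse_listeners(config_text)
    global_cfg = entries[0]
    findings = []
    for lst in entries[1:]:
        name = lst["listener"]
        merged = {**global_cfg, **lst}  # listener-level settings override global ones
        anon = merged.get("allow_anonymous")
        if anon == "true":
            findings.append((name, "allow_anonymous is true: any client can connect without credentials"))
        elif anon is None:
            findings.append((name, "allow_anonymous not set: the broker default applies, set it explicitly"))
        if not all(d in merged for d in TLS_DIRECTIVES):
            findings.append((name, "no certfile/keyfile: messages and passwords cross the network in plaintext"))
        if anon == "false" and not any(d in merged for d in AUTH_DIRECTIVES):
            findings.append((name, "anonymous access is off but no password_file or auth plugin is configured"))
        if "acl_file" not in merged:
            findings.append((name, "no acl_file: every connected client can subscribe to every topic"))
    return findings


WEAK_CONFIG = """\
# Constructed: a broker left at a 'just make it work' setup
listener 1883 0.0.0.0
allow_anonymous true
"""

HARDENED_CONFIG = """\
# Constructed: TLS-only listener, credentials required, topic ACLs enforced
per_listener_settings true
listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

The acl_file check is the one most often skipped: it addresses the one-to-many point in the text, since without topic ACLs any authenticated client, including a compromised sensor, can subscribe to everything the broker carries.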
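The Insecure CoAP section above explains why an unsecured CoAP endpoint is a DDoS reflector: UDP carries no handshake to verify the sender, so a small request can elicit a large response addressed to a spoofed victim. The following Python script is an added example (not code from the Renesas eBook) that parses the fixed CoAP header from RFC 7252 and applies a server-side response policy: over plain UDP the response may not exceed a chosen multiple of the request size, and larger resources are served only once the peer has been verified by a DTLS handshake. The policy, the limit value, the response-size figures and the constructed discovery request are assumptions of the example.

```python
"""Bound the amplification a CoAP endpoint can provide over plain UDP.

Parses the fixed 4-byte CoAP header (RFC 7252 section 3) and applies a response policy
that is an assumption of this example: a request that did not arrive over DTLS may only be
answered if the response is at most MAX_PLAIN_AMPLIFICATION times the request size;
larger resources are reserved for DTLS sessions, whose handshake verified the peer.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_PLAIN_AMPLIFICATION = 3.0  # assumed policy knob, not a value defined by CoAP

TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}
REQUEST_METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}  # code class 0, detail 1..4


@dataclass(frozen=True)
class CoapHeader:
    version: int
    msg_type: str
    token_length: int
    code_class: int
    code_detail: int
    message_id: int

    @property
    def method(self) -> Optional[str]:
        return REQUEST_METHODS.get(self.code_detail) if self.code_class == 0 else None


def parse_header(datagram: bytes) -> CoapHeader:
    """Decode the fixed header; raise ValueError for anything RFC 7252 calls a format error."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte CoAP header")
    b0, code, mid_hi, mid_lo = datagram[:4]
    version = b0 >> 6
    if version != 1:
        raise ValueError(f"unsupported CoAP version {version}")
    tkl = b0 & 0x0F
    if tkl > 8:
        raise ValueError("token length 9..15 is reserved (message format error)")
    if len(datagram) < 4 + tkl:
        raise ValueError("datagram truncated inside the token")
    return CoapHeader(version, TYPES[(b0 >> 4) & 0x03], tkl,
                      code >> 5, code & 0x1F, (mid_hi << 8) | mid_lo)


def amplification(request_len: int, response_len: int) -> float:
    """Bytes the server would send per byte the requester spent."""
    return response_len / request_len


def response_allowed(request: bytes, response_len: int, over_dtls: bool,
                     limit: float = MAX_PLAIN_AMPLIFICATION) -> Tuple[bool, str]:
    """Decide whether a response of response_len bytes may be sent for this request."""
    hdr = parse_header(request)
    if hdr.method is None:
        return False, f"not a request (code {hdr.code_class}.{hdr.code_detail:02d}), nothing to answer"
    if over_dtls:
        return True, "DTLS session: the handshake verified the peer address"
    amp = amplification(len(request), response_len)
    if amp > limit:
        return False, f"plain UDP: {amp:.1f}x amplification exceeds {limit}x, serve this resource over DTLS only"
    return True, f"plain UDP: {amp:.1f}x amplification within limit"


# Constructed request: CON GET /.well-known/core, message ID 0x1234, no token.
# Byte 0: version 1, type CON, TKL 0 -> 0x40. Byte 1: code 0.01 (GET) -> 0x01.
# Then two Uri-Path options (number 11): delta 11 / length 11 ".well-known",
# delta 0 / length 4 "core". 21 bytes in total.
DISCOVERY_REQUEST = b"\x40\x01\x12\x34" + b"\xbb.well-known" + b"\x04core"

if __name__ == "__main__":
    print(parse_header(DISCOVERY_REQUEST))
    for dtls in (False, True):
        # 1200 bytes is an assumed size for a resource-discovery response.
        print(response_allowed(DISCOVERY_REQUEST, 1200, over_dtls=dtls))
```

A 21-byte discovery request answered with a 1200-byte link list is a 57x reflector on its own, which is why the policy refuses it over plain UDP while letting the same resource through on a DTLS session; an endpoint that must stay reachable without DTLS can additionally rate-limit by source address, since the reflector's victim is whoever the spoofed source claims to be.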
