What is MQTT and how does it work?
MQTT (MQ Telemetry Transport) is a publish/subscribe messaging protocol for machine-to-machine communication. It is a lightweight protocol for exchanging data between many IoT devices. MQTT is not limited to IoT use cases, however: it is also found in software products and other applications, such as the Facebook Messenger application, which takes advantage of MQTT's low data and energy usage.
In any MQTT deployment, there are two major players: a broker and clients. What exactly are MQTT brokers and MQTT clients, and how do they differ?
As stated, MQTT is a pub/sub protocol: MQTT clients are publishers and subscribers, that is, clients that publish messages and clients that subscribe to receive them.
A device (i.e. the client) may want to send data to a server (i.e. the broker): the client publishes the data. When the flow is reversed, we are talking about subscribing to specific messages. Under the pub/sub model, multiple clients connect to the broker and subscribe to specific topics. The broker is therefore responsible for receiving the messages and deciding to whom they are then published (i.e. to all clients subscribed to that topic).
Let’s put this into perspective by using an example:
You are using a continuous glucose monitoring (CGM) device which monitors your vital health data. This monitor connects to the hospital's monitoring device, which sends the data to the caregivers so that they can monitor your health parameters remotely.
Your CGM device (i.e. the client) sends the glucose levels to a server (i.e. the MQTT broker) that in turn processes this data and publishes it to the subscribed hospital device. Your doctor therefore stays informed about your vital levels at all times and can monitor your glucose levels remotely, simply by leveraging the MQTT protocol.
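To make the broker's routing decision concrete, here is an added in-process model of the pub/sub flow above (constructed example, not code from the post or from Mosquitto). It uses the real MQTT topic-filter wildcard rules ('+' for one level, '#' for the rest); the client names and topics such as patients/p42/glucose are assumptions.

```python
# Added, constructed example (not the page's or Mosquitto's code) of the routing
# decision a broker makes: which subscribers receive a publication on a topic.
from collections import defaultdict


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches all remaining levels."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1     # '#' is only valid as the last level
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Keeps the subscription table and fans each published message out."""

    def __init__(self) -> None:
        self.subscriptions: dict[str, set[str]] = defaultdict(set)   # filter -> client ids
        self.inbox: dict[str, list[tuple[str, str]]] = defaultdict(list)

    def subscribe(self, client: str, topic_filter: str) -> None:
        self.subscriptions[topic_filter].add(client)

    def publish(self, topic: str, payload: str) -> list[str]:
        """Deliver payload to every client with a matching filter; return who received it."""
        receivers = {c for f, clients in self.subscriptions.items()
                     if topic_matches(f, topic) for c in clients}
        for client in receivers:
            self.inbox[client].append((topic, payload))
        return sorted(receivers)


def cgm_demo() -> list[str]:
    """The glucose-monitor scenario from the text, with constructed client and topic names."""
    broker = Broker()
    broker.subscribe("hospital-ward-3", "patients/+/glucose")   # any patient's glucose readings
    broker.subscribe("audit-log", "patients/#")                 # everything under patients/
    broker.subscribe("pharmacy", "patients/p42/insulin")        # a different topic, not matched
    return broker.publish("patients/p42/glucose", "5.6 mmol/L")
```

Note that the broker, not the publisher, decides who receives the reading, which is why the broker is the component that must be trusted with the data.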
MOSQUITTO MQTT Broker
There are several brokers you can use as MQTT servers. One of these is Mosquitto, open-source software implementing the MQTT messaging protocol.
MOSQUITTO is an open-source implementation of a server for versions 5.0, 3.1.1 and 3.1 of the MQTT protocol. It also includes a C and C++ client library, and the mosquitto_pub and mosquitto_sub utilities for publishing and subscribing. You can either run the Mosquitto broker on your PC, which allows you to exchange data between IoT devices that are all connected to the same network, or run the MOSQUITTO MQTT broker in the cloud, which allows you to connect IoT devices irrespective of their location and network.
What are the benefits of using MOSQUITTO MQTT?
The lightweight design of the MQTT protocol ensures smooth data transfer over low bandwidth and reduces the load on CPU and RAM. This architecture gives the MQTT protocol the following advantages:
- efficient data transmission with a quick implementation;
- low network usage, due to minimized data packets;
- efficient distribution of data to all clients;
- fast, efficient message delivery;
- low power consumption, which is good for the connected devices;
- optimal use of network bandwidth, minimizing poor-connection issues.
What are the downsides of MOSQUITTO MQTT?
However, one of the biggest drawbacks of the MQTT protocol is that it provides no encryption by itself. Because MQTT was designed to be lightweight, security and authentication were never its design focus.
MQTT has very few authentication features built into the protocol. Authentication details, such as usernames and passwords, are sent unencrypted in cleartext. Any secure use of the MQTT protocol must therefore rely on SSL/TLS, which is not a lightweight protocol. Client certificates are also not available out of the box. This means that MQTT on its own cannot control who owns a topic and who may publish to it; this is where SSL/TLS comes in.
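To show exactly where the credentials sit on the wire, here is an added encoder and decoder for an MQTT 3.1.1 CONNECT packet (constructed example, not code from the post or from Mosquitto). The client id, username and password values are made up; the packet layout follows the MQTT 3.1.1 specification, and the point is that without TLS the whole CONNECT, credentials included, is readable by anyone on the path.

```python
# Added, constructed example (not the page's or Mosquitto's code): MQTT 3.1.1 CONNECT codec.
def _mqtt_str(s: str) -> bytes:
    """MQTT string: 2-byte big-endian length prefix followed by the UTF-8 bytes."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data

def _remaining_length(n: int) -> bytes:
    """Variable-length integer used in the fixed header (7 data bits per byte)."""
    out = bytearray()
    while n > 127:
        out.append(n % 128 | 0x80)
        n //= 128
    return bytes(out) + bytes([n])

def build_connect(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    """Encode a CONNECT with the username, password and clean-session flags set."""
    flags = 0x80 | 0x40 | 0x02
    var_header = _mqtt_str("MQTT") + bytes([4, flags]) + keepalive.to_bytes(2, "big")
    payload = _mqtt_str(client_id) + _mqtt_str(username) + _mqtt_str(password)
    return bytes([0x10]) + _remaining_length(len(var_header) + len(payload)) + var_header + payload

def parse_connect(packet: bytes) -> dict:
    """Decode the fields anyone on the network path can read from a cleartext CONNECT."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos = 1
    while packet[pos] & 0x80:      # step over the variable-length remaining-length field
        pos += 1
    pos += 1
    def read_field() -> bytes:
        nonlocal pos
        n = int.from_bytes(packet[pos:pos + 2], "big")
        pos += 2 + n
        return packet[pos - n:pos]
    fields = {"protocol": read_field().decode()}
    flags = packet[pos + 1]
    fields["level"] = packet[pos]
    fields["keepalive"] = int.from_bytes(packet[pos + 2:pos + 4], "big")
    pos += 4
    fields["client_id"] = read_field().decode()
    if flags & 0x04:               # will flag: will topic and will message come before credentials
        read_field(); read_field()
    if flags & 0x80:
        fields["username"] = read_field().decode()
    if flags & 0x40:
        fields["password"] = read_field().decode()
    return fields
```

The same packet sent over a TLS listener (conventionally port 8883) is encrypted as a whole, which is the mitigation the text refers to; a plaintext listener on port 1883 exposes every field returned by parse_connect.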
Our product MOSQUITTO-SGX addresses these challenges, and we explain how below.
Now let’s talk about Intel SGX
Before we jump into our MOSQUITTO-SGX product, here is a short introduction to Intel Software Guard Extensions (SGX). Intel SGX delivers hardware-enforced isolation and memory encryption by leveraging confidential computing technology. By using so-called enclaves, the code and data specific to each application stay completely isolated within the secure enclave. Running data and application code in an enclave provides additional security, privacy and trust guarantees. This makes these secure containers an ideal choice for (untrusted) cloud environments.
The application code executing within an Intel SGX enclave:
- Remains protected even when the BIOS, VMM, OS, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
- Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
- Never leaks or de-anonymizes data, program code or protocol messages at any moment in time
- Reduces the trusted computing base of its parent application to the smallest possible footprint
Check out our blog post “Confidential Computing Explained” and learn more about confidential computing technology.
Why use MOSQUITTO-SGX (instead of “vanilla” MOSQUITTO) images?
So imagine getting all these protection features of Intel SGX as a "Plus" version of the Mosquitto MQTT broker. This is what MOSQUITTO-SGX brings to the table.
The MOSQUITTO-SGX product now offered by enclaive combines the confidential computing technology of Intel SGX with the Mosquitto implementation of the MQTT protocol. The application code of the MQTT broker is executed within a secure enclave, so that messages are processed in isolation before being sent back to the client devices. MOSQUITTO-SGX thus provides a "black box" that holds the entire content being handled and, in conjunction with a secure SSL/TLS connection, ensures that no sensitive data is leaked. The security and authentication weaknesses that come with the MQTT protocol are thereby addressed using confidential computing technology. Furthermore, setting up MOSQUITTO-SGX is quick and easy, making it accessible to everyone.
The following benefits come for free with MOSQUITTO-SGX:
- All business advantages from the migration to a (public) cloud without sacrificing on-premise infrastructure trust
- Hardened security against kernel-space exploits, malicious or accidental privileged insider attacks, UEFI firmware exploits and other “root” attacks corrupting the application to infiltrate the network and system
- Run in any hosting environment irrespective of geo-location, in compliance with privacy export regulations such as Schrems II
- GDPR/CCPA compliant processing (“data in use”) of user data in the cloud. The data stays anonymized thanks to the secure enclave
- The broker processes the sensitive data (e.g., health data) and shields it from the outside, making this an ideal choice for an (untrusted) cloud environment.
- It provides strong protection for SSL/TLS certificates, usernames/passwords and other credentials, which stay stored inside the enclave.
- Simple deployment through Docker/Kubernetes compatible containers
- Available for major cloud providers (e.g. Microsoft Azure, OVH, IBM)
Businesses can now benefit from complete end-to-end container encryption of their Mosquitto MQTT broker. At any given moment in time, the code and data are fully secured and stay anonymous.
Coming back to our example: if you have to handle personal data while publishing or subscribing to specific topics, i.e. while your CGM device is sending your sensitive health data to the hospital's device, and the hospital uses a MOSQUITTO-SGX broker to handle your messages (and those of a million other publishers/subscribers), you can be 100% sure that your user data will never be in danger of being leaked or de-anonymized.
Connecting and leveraging IoT devices all around the world has therefore never been as safe and secure as it is with our MOSQUITTO-SGX product.
Still reading? Head to our Products page and try MOSQUITTO-SGX now for free. Let us know what you think.