Machine-to-Machine Protocol Security: The Case of MQTT and CoAP


MQTT and CoAP provide data connectivity for practically any kind of “machines”. This talk will cover the results of our security analysis of MQTT and CoAP, which uncovered issues in the design specifications, vulnerable product implementations, and hundreds of thousands unsecured, open-to-the-world deployments. Despite the fixes in the design specifications, it is hard for developers to keep up with a changing standard when a technology becomes pervasive. Also, the market of this technology is very wide because the barrier to entry is fairly low. This led to a multitude of fragmented implementations. Our findings have been acknowledged by the vendors, by the MQTT Technical Committee, which released a note to help identify the risks, and received the attention of several other organizations. Using MQTT and CoAP as case study, we will provide recommendations at various levels, in the hope to see a significant reduction in the number of insecure deployments in the future.

Apr 4, 2019 12:00 AM
Hannover, Germany