The MQTT messaging protocol standard used by IoT vendors is not inherently secure enough. Solutions exist to secure it, but organizations and vendors must assess risk and properly configure IoT and network security.

I recently wrote an article for CSOonline about the security of IoT. Although primarily about the use of the MQTT protocol, it applies to general security considerations of IoT connectivity. I received one strong rebuttal from an IBM developer, claiming that I overstated the risk. I welcome any professional feedback on my positions on any security challenge. Since this rebuttal was on Twitter, I decided to respond here, where I have more than 140 words available.

Summary of argument

First, the OASIS standard MQTT protocol is not secure by itself. Any implementation requires TLS or other means to secure sessions. Further, it does not require devices to authenticate to servers. Does this make all implementations of MQTT unsafe? No. Are there many organizations using MQTT or another messaging protocol insecurely? Yes. A Google search provides many examples, so I won't try to list them here.

My challenger helpfully provided several examples of IoT security solutions. I list four here because this information is helpful when planning IoT security in any organization.

AWS
IBM Watson
VerneMQ
HiveMQ

None of these solutions obviates my concerns.

My argument

First, MQTT by itself is not "evil," just as TCP is not evil. However, neither is secure enough by itself when applying only the basic standards. Consequently, it is necessary to secure authentication and messaging traffic across IoT messaging links.

Second, it is true that unwanted MQTT access across firewalls should be blocked. However, this is usually the responsibility of the customer. And while most, if not all, large organizations today properly secure their perimeters, SMBs often don't.
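The two gaps named above, no session protection and no required device authentication, are both visible in the first packet a client sends. The decoder below is an added example written for this page, not code from the article or from any of the brokers it lists. It builds constructed MQTT 3.1.1 CONNECT packets and audits them the way a security team reviewing broker-side captures would: the packet builder, the port constants (1883 plaintext, 8883 TLS by convention) and the finding wording are assumptions of mine; only the CONNECT packet layout follows the MQTT 3.1.1 specification.

```python
"""Decode and audit MQTT 3.1.1 CONNECT packets (hypothetical audit helper).
Checks two things the article raises: did the client authenticate at all,
and did the session run over TLS. Sample packets are constructed inline."""
import struct

CONNECT_TYPE = 0x10     # packet type 1 in the high nibble, fixed-header flags 0
PLAINTEXT_PORT = 1883   # conventional unencrypted MQTT port (assumption)
TLS_PORT = 8883         # conventional MQTT-over-TLS port (assumption)
FLAG_USERNAME, FLAG_PASSWORD, FLAG_WILL, FLAG_CLEAN = 0x80, 0x40, 0x04, 0x02


def _encode_str(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _encode_remaining_length(n: int) -> bytes:
    """Variable byte integer: 7 data bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build a minimal clean-session CONNECT (no will) as constructed sample traffic."""
    flags = FLAG_CLEAN
    payload = _encode_str(client_id)
    if username is not None:
        flags |= FLAG_USERNAME
        payload += _encode_str(username)
    if password is not None:
        flags |= FLAG_PASSWORD
        payload += struct.pack(">H", len(password)) + password
    var_header = _encode_str("MQTT") + bytes([0x04, flags]) + struct.pack(">H", keepalive)
    body = var_header + payload
    return bytes([CONNECT_TYPE]) + _encode_remaining_length(len(body)) + body


def _read_bytes(buf: bytes, pos: int):
    """Read one length-prefixed field; return (field, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def _decode_remaining_length(buf: bytes, pos: int):
    value, multiplier = 0, 1
    for i in range(4):
        b = buf[pos + i]
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_connect(packet: bytes) -> dict:
    """Decode fixed header, variable header and payload of a CONNECT packet."""
    if packet[0] != CONNECT_TYPE:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    name, pos = _read_bytes(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    (keepalive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_bytes(packet, pos)
    if flags & FLAG_WILL:            # skip will topic and will message
        _, pos = _read_bytes(packet, pos)
        _, pos = _read_bytes(packet, pos)
    username = password = None
    if flags & FLAG_USERNAME:
        raw, pos = _read_bytes(packet, pos)
        username = raw.decode("utf-8")
    if flags & FLAG_PASSWORD:
        password, pos = _read_bytes(packet, pos)   # password is binary data
    return {"protocol_name": name.decode("utf-8"), "protocol_level": level,
            "clean_session": bool(flags & FLAG_CLEAN), "keepalive": keepalive,
            "client_id": client_id.decode("utf-8"),
            "username": username, "password": password}


def audit_connect(packet: bytes, port: int) -> list:
    """Findings a defender wants from one observed CONNECT on the given port."""
    info = parse_connect(packet)
    findings = []
    if port != TLS_PORT:
        findings.append(f"port {port}: session not protected by TLS")
    if info["username"] is None:
        findings.append(f"client {info['client_id']!r}: no username, "
                        "broker-side authentication not in use")
    elif port == PLAINTEXT_PORT:
        findings.append(f"credentials for {info['username']!r} sent in the clear")
    return findings


if __name__ == "__main__":
    anonymous = build_connect("sensor-01")                  # constructed sample
    authed = build_connect("sensor-02", "dev", b"s3cret")   # constructed sample
    for pkt, port in ((anonymous, PLAINTEXT_PORT), (authed, PLAINTEXT_PORT), (authed, TLS_PORT)):
        print(port, audit_connect(pkt, port) or ["no findings"])
```

Run stand-alone it prints the findings for three constructed cases: an anonymous client on the plaintext port (two findings), a client with a username and password on the plaintext port (credentials observable on the wire), and the same client on the TLS port (no findings). The point for a security team is that even where a broker does enforce usernames, the second case is still a finding; the standard leaves transport protection to the deployment.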
Even if the firewall is properly configured, no ineffectively secured devices and their traffic (especially wireless) should exist on network segments handling sensitive data or critical systems. This responsibility falls partly to the customer and partly to the IoT solution vendors. Many IoT devices in organizations and SOHOs are not secure and elevate overall risk. The examples are too numerous to list, and a daily review of security news provides sufficient supporting evidence. So the Lundgren research in my original article is a very important finding.

As for the solutions listed above, they are outstanding. However, organizations or their IoT vendors must choose to implement them and properly configure them. If you refer to my original article, you will find a list of recommendations from the Department of Homeland Security for securing IoT. These still apply when a security team assesses the risk associated with any business solution, personal devices, break room devices, hospital devices, etc.

Conclusion

Finally, I could have chosen some of my descriptive wording differently. However, my position remains the same. Many organizations and vendors do not pay sufficient attention to IoT security. Although solutions exist to secure MQTT messaging, they are not necessarily implemented by affected organizations. Again, the role of the security team is to ensure the proper security controls are in place when using any protocol, including MQTT.

Related content: IoT messaging protocol is big security risk (Tom Olzak, Jul 14, 2017). Popular IoT messaging protocol lacks encryption and sufficient device authentication security.