The number of “smart” applications will only increase in 2017 as vendors seek to differentiate themselves in their various marketplaces. This point was made abundantly clear at CES recently as part of the “Trillion Dollar IoT Opportunity.” With an explosion of vendors seeking to make our homes, factories, vehicles and healthcare more connected and thus “smarter,” it’s important to understand the various standards in play when looking at incorporating IoT communication protocols.
In its simplest terms, an IoT solution is a collection of sensors combined with a centralized management application permitting the user to modify the environment in some way. Examples include being able to monitor the temperature of your home and adjust it based on occupancy; and being able to monitor the progress of an assembly line and validate manufacturing tolerances.
If you’ve recognized that the communications between these devices benefits from standardization, and could be prone to attack, then you’re asking the right questions. Today, there are a variety of IoT communication protocols and standards designed to simplify IoT designs and increase the ability of vendors to innovate quickly. The following list is far from exhaustive, but gives both an overview for some of the popular choices as well as an indication of their security state.
OPC-UA
OPC Unified Architecture is an industrial machine-to-machine (M2M) communication protocol for interoperability developed by OPC Foundation.
- FreeOpcUa is the open source implementation on OPC-UA standard in C++ and Python.
License: LGPL
Recent vulnerabilities: CVE-2014-0180 (ICSA-14-135-04)
AMQP
The Advanced Message Queuing Protocol is an OASIS standard or specification for application layer protocol in message-oriented middleware.
- ActiveMQ implements AMQP.
License: Apache
Recent vulnerabilities: CVE-2016-3088, CVE-2016-0782 , CVE-2016-0734, CVE-2015-5254
Alternatives: RabbitMQ, Kafka, and Kestrel- MQTT: It is a publish-subscribe based "light weight" messaging protocol for use on top of the TCP/IP protocol
License: Creative Commons Attribution 4.0 International Public - OpenWire: It is a cross language protocol to allow native access to ActiveMQ from different languages and platforms
License: Apache - STOMP: Simple (or Streaming) Text Orientated Messaging Protocol is another cross platform to access ActiveMQ from many different languages as well as use GCJ or IKVM to access the Java code for ActiveMQ from C/C++ or .Net respectively without using OpenWire
License: Creative Commons Attribution v3.0
- MQTT: It is a publish-subscribe based "light weight" messaging protocol for use on top of the TCP/IP protocol
- RabbitMQ: It is an alternative to ActiveMQ; RabbitMQ is developed and maintained by Pivotal.
License: MPL, GPL, Apache
Recent vulnerabilities: CVE-2016-0929, CVE-2015-8786 - Kafka: It is another alternative to ActiveMQ, originally developed by LinkedIn. Currently it is part of Apache Camel project.
License: Apache
Recent vulnerabilities: No known disclosures - Kestrel: It is an alternative to ActiveMQ, originally developed by Twitter, but currently with Apache.
License: Apache
Recent vulnerabilities: No known disclosures - QPID Client: Apache QPID is a message queuing solution that aims to fully implement AMQP.
License: Apache
Recent vulnerabilities: CVE-2016-4974
CoAP
The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with resource constrained devices and networks (in IoT). CoAP is designed based on RFC 7252 for M2M applications such as smart energy and building automation.
License: MIT, Apache and other licenses that are attached to various utilities/applications
Recent vulnerabilities: There are no known reported vulnerabilities, but certain implementations may cause stack overflow. More information here: https://github.com/nodemcu/nodemcu-firmware/issues/1254/
XMPP
Extensible Messaging and Presence Protocol (formerly Jabber) is a communications protocol for message-oriented middleware. The core specifications for XMPP are developed at the Internet Engineering Task Force (IETF). Various server and client implementations are available for review at http://xmpp.org/software/.
License: Various
Recent vulnerabilities: No known disclosures
DDS
Data Distribution Service (DDS) is a machine-to-machine (M2M) middleware standard promoted by Object Management Group (OMG) that aims to enable scalable, real-time, dependable, high-performance and interoperable data exchanges between publishers and subscribers,that is, for M2M communication.
License: Various
Recent vulnerabilities: No known disclosures.
Select IoT communication protocols with care
Selecting the correct protocol for a networked solution is nothing new. Engineering teams have been doing this for decades. While IoT has increased the velocity of product releases, you must maintain care when selecting protocols to ensure they not only meet the technical requirements, but also what my colleague Tim Mackey refers to as the Minimum Success Criteria. After all, the last thing any vendor wants to see happen is a product recall due to security issues.
Continue Reading
