An Overview of Open Standards for IoT Communication Protocols

The number of “smart” applications will only increase in 2017 as vendors seek to differentiate themselves in their various marketplaces. This point was made abundantly clear at CES recently as part of the “Trillion Dollar IoT Opportunity.” With an explosion of vendors seeking to make our homes, factories, vehicles and healthcare more connected and thus “smarter,” it’s important to understand the various standards in play when looking at incorporating IoT communication protocols.

In its simplest terms, an IoT solution is a collection of sensors combined with a centralized management application that permits the user to modify the environment in some way. Examples include monitoring the temperature of your home and adjusting it based on occupancy, or monitoring the progress of an assembly line and validating manufacturing tolerances.

If you’ve recognized that the communications between these devices benefit from standardization, and could be prone to attack, then you’re asking the right questions. Today, there are a variety of IoT communication protocols and standards designed to simplify IoT designs and increase the ability of vendors to innovate quickly. The following list is far from exhaustive, but it gives both an overview of some popular choices and an indication of their security state.

OPC UA

OPC Unified Architecture is an industrial machine-to-machine (M2M) communication protocol for interoperability, developed by the OPC Foundation.

AMQP

The Advanced Message Queuing Protocol is an OASIS standard specifying an application-layer protocol for message-oriented middleware.

  • ActiveMQ implements AMQP.
    License: Apache
    Recent vulnerabilities: CVE-2016-3088, CVE-2016-0782, CVE-2016-0734, CVE-2015-5254
    Alternatives: RabbitMQ, Kafka, and Kestrel
    • MQTT: A publish-subscribe based, lightweight messaging protocol for use on top of TCP/IP
      License: Creative Commons Attribution 4.0 International Public
    • OpenWire: A cross-language protocol that allows native access to ActiveMQ from different languages and platforms
      License: Apache
    • STOMP: Simple (or Streaming) Text Oriented Messaging Protocol is another cross-platform protocol for accessing ActiveMQ from many different languages; it can also be combined with GCJ or IKVM to access the ActiveMQ Java code from C/C++ or .NET respectively without using OpenWire
      License: Creative Commons Attribution v3.0
  • RabbitMQ: An alternative to ActiveMQ; RabbitMQ is developed and maintained by Pivotal.
    License: MPL, GPL, Apache
    Recent vulnerabilities: CVE-2016-0929, CVE-2015-8786
  • Kafka: Another alternative to ActiveMQ, originally developed by LinkedIn. Currently it is part of the Apache Camel project.
    License: Apache
    Recent vulnerabilities: No known disclosures
  • Kestrel: An alternative to ActiveMQ, originally developed by Twitter, but currently with Apache.
    License: Apache
    Recent vulnerabilities: No known disclosures
  • QPID Client: Apache QPID is a message queuing solution that aims to fully implement AMQP.
    License: Apache
    Recent vulnerabilities: CVE-2016-4974
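The MQTT entry above describes the protocol only in a sentence. The following added example (written for this page, not code from ActiveMQ or any MQTT project) shows what a broker-side parser has to get right before it can even decide whether a client is authenticating: MQTT 3.1.1's variable-length Remaining Length field, which must be capped at four bytes, and the CONNECT flags that say whether a username and password are present. The packets are constructed inline and labelled as such; the function and field names are this example's own.

```python
import struct
from typing import Any, Dict, Tuple

class MqttFormatError(ValueError):
    """Raised for packets that violate the MQTT 3.1.1 framing rules."""

def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the variable-length Remaining Length field (MQTT 3.1.1 section 2.2.3).
    Each byte carries 7 data bits; bit 7 says another byte follows; at most 4 bytes
    are allowed, so a fifth continuation byte is rejected instead of silently overflowing."""
    value, multiplier = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            raise MqttFormatError("truncated Remaining Length")
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise MqttFormatError("Remaining Length uses more than 4 bytes")

def _read_bytes(buf: bytes, pos: int, end: int) -> Tuple[bytes, int]:
    """Read a 2-byte-length-prefixed field without leaving the [pos, end) window."""
    if pos + 2 > end:
        raise MqttFormatError("truncated length prefix")
    n = struct.unpack_from("!H", buf, pos)[0]
    pos += 2
    if pos + n > end:
        raise MqttFormatError("field runs past the end of the packet")
    return buf[pos:pos + n], pos + n

def _read_string(buf: bytes, pos: int, end: int) -> Tuple[str, int]:
    raw, pos = _read_bytes(buf, pos, end)
    return raw.decode("utf-8"), pos

def parse_connect(packet: bytes) -> Dict[str, Any]:
    """Parse a CONNECT control packet and report what the client is offering."""
    if not packet:
        raise MqttFormatError("empty packet")
    if packet[0] >> 4 != 1:
        raise MqttFormatError("not a CONNECT packet")
    if packet[0] & 0x0F:
        raise MqttFormatError("CONNECT reserved flag bits must be 0")
    remaining, pos = decode_remaining_length(packet, 1)
    end = pos + remaining
    if end != len(packet):
        raise MqttFormatError("Remaining Length does not match packet size")
    name, pos = _read_string(packet, pos, end)
    if name != "MQTT":
        raise MqttFormatError(f"unexpected protocol name {name!r}")
    if pos + 4 > end:
        raise MqttFormatError("truncated CONNECT variable header")
    level, flags, keep_alive = struct.unpack_from("!BBH", packet, pos)
    pos += 4
    if flags & 0x01:
        raise MqttFormatError("CONNECT flags reserved bit must be 0")
    has_user, has_pass, will = bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x04)
    if has_pass and not has_user:            # forbidden by the spec
        raise MqttFormatError("password flag set without username flag")
    client_id, pos = _read_string(packet, pos, end)
    will_topic = None
    if will:
        will_topic, pos = _read_string(packet, pos, end)
        _, pos = _read_bytes(packet, pos, end)   # will message body, not needed here
    username = None
    if has_user:
        username, pos = _read_string(packet, pos, end)
    if has_pass:
        _, pos = _read_bytes(packet, pos, end)   # consume, but never log the password
    if pos != end:
        raise MqttFormatError("trailing bytes after CONNECT payload")
    return {"protocol_level": level, "clean_session": bool(flags & 0x02),
            "keep_alive": keep_alive, "client_id": client_id, "will_topic": will_topic,
            "username": username, "has_password": has_pass}

def connect_summary(packet: bytes) -> str:
    """One-line classification suitable for a broker's connection log."""
    try:
        info = parse_connect(packet)
    except MqttFormatError as exc:
        return f"malformed: {exc}"
    if info["username"] is None:
        return f"anonymous client {info['client_id']!r} (level {info['protocol_level']})"
    return f"client {info['client_id']!r} as user {info['username']!r} (level {info['protocol_level']})"

# Constructed CONNECT packets for this example (not captured traffic).
# Client "sensor", clean session, username "alice", password "secret", keep-alive 60 s.
AUTH_CONNECT = bytes.fromhex("1021" "00044d515454" "04" "c2" "003c"
                             "000673656e736f72" "0005616c696365" "0006736563726574")
# Same client with no credentials at all.
ANON_CONNECT = bytes.fromhex("1012" "00044d515454" "04" "02" "003c" "000673656e736f72")
# Remaining Length encoded in five continuation bytes: must be refused.
OVERLONG = bytes.fromhex("10ffffffff7f")

if __name__ == "__main__":
    for pkt in (AUTH_CONNECT, ANON_CONNECT, OVERLONG):
        print(connect_summary(pkt))
```

A broker that accepts the anonymous packet is relying entirely on network placement for access control; logging the summary line makes that visible without ever recording the password bytes.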

CoAP

The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with resource-constrained devices and networks in IoT. CoAP is specified in RFC 7252 and targets M2M applications such as smart energy and building automation.
License: MIT, Apache and other licenses attached to the various utilities and applications
Recent vulnerabilities: There are no known reported vulnerabilities, but certain implementations may be susceptible to a stack overflow. More information here:
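Since the only CoAP security note above concerns implementations that can overflow on malformed input, here is an added example (written for this page; not code from any CoAP library) of the RFC 7252 section 3 message layout parsed with a length check before every read: fixed header, token, options with their 13/14 extended delta and length encodings, the reserved nibble 15, and the 0xFF payload marker. The datagrams are constructed inline and labelled as such, and all names in the code are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

class CoapFormatError(ValueError):
    """Raised for any datagram that violates the RFC 7252 section 3 framing rules."""

# A few option numbers from RFC 7252 section 5.10, for readable output.
OPTION_NAMES = {3: "Uri-Host", 7: "Uri-Port", 11: "Uri-Path", 12: "Content-Format", 15: "Uri-Query"}

@dataclass
class CoapMessage:
    version: int
    msg_type: int        # 0 CON, 1 NON, 2 ACK, 3 RST
    code: int            # 3-bit class + 5-bit detail, e.g. 0x45 is 2.05 Content
    message_id: int
    token: bytes
    options: List[Tuple[int, bytes]]
    payload: bytes

    def code_str(self) -> str:
        return f"{self.code >> 5}.{self.code & 0x1F:02d}"

    def uri_path(self) -> str:
        return "/".join(v.decode("utf-8", "replace") for n, v in self.options if n == 11)

def _extended(buf: bytes, pos: int, nibble: int, what: str) -> Tuple[int, int]:
    """Resolve a 4-bit option delta/length nibble (RFC 7252 section 3.1):
    0-12 literal; 13 -> one extra byte + 13; 14 -> two extra bytes + 269; 15 reserved."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(buf):
            raise CoapFormatError(f"truncated extended option {what}")
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(buf):
            raise CoapFormatError(f"truncated extended option {what}")
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    raise CoapFormatError(f"reserved option {what} nibble 15 outside the payload marker")

def parse_coap(buf: bytes) -> CoapMessage:
    """Parse one CoAP datagram, refusing anything that would read past its end."""
    if len(buf) < 4:
        raise CoapFormatError("shorter than the 4-byte fixed header")
    version, msg_type, tkl = buf[0] >> 6, (buf[0] >> 4) & 0x3, buf[0] & 0xF
    if version != 1:
        raise CoapFormatError(f"unsupported version {version}")
    if tkl > 8:                                   # 9..15 are reserved
        raise CoapFormatError(f"reserved token length {tkl}")
    code = buf[1]
    message_id = struct.unpack_from("!H", buf, 2)[0]
    pos = 4
    if pos + tkl > len(buf):
        raise CoapFormatError("token extends past end of datagram")
    token = bytes(buf[pos:pos + tkl])
    pos += tkl
    options: List[Tuple[int, bytes]] = []
    number = 0                                     # option numbers are delta-encoded
    payload = b""
    while pos < len(buf):
        if buf[pos] == 0xFF:                       # payload marker
            payload = bytes(buf[pos + 1:])
            if not payload:
                raise CoapFormatError("payload marker with empty payload")
            break
        head = buf[pos]
        pos += 1
        delta, pos = _extended(buf, pos, head >> 4, "delta")
        length, pos = _extended(buf, pos, head & 0xF, "length")
        if pos + length > len(buf):                # the check a vulnerable parser skips
            raise CoapFormatError("option value extends past end of datagram")
        number += delta
        options.append((number, bytes(buf[pos:pos + length])))
        pos += length
    return CoapMessage(version, msg_type, code, message_id, token, options, payload)

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_coap(buf)
        return True
    except CoapFormatError:
        return False

# Constructed sample datagrams for this example (not captured traffic).
# CON GET, token 0x1234, MID 0xBEEF, Uri-Path "sensors", Uri-Path "temp", Uri-Query "unit=c"
REQUEST = bytes.fromhex("4201beef1234") + b"\xb7sensors" + b"\x04temp" + b"\x46unit=c"
# ACK 2.05 Content, same token and MID, Content-Format 0 (text/plain), payload "21.5"
RESPONSE = bytes.fromhex("6245beef1234") + b"\xc1\x00" + b"\xff21.5"
# Malformed: extended length byte claims a 213-byte option value with only 3 bytes left
MALFORMED = bytes.fromhex("4201beef1234") + b"\xbd\xc8abc"

if __name__ == "__main__":
    req = parse_coap(REQUEST)
    print(req.code_str(), req.uri_path(), [(OPTION_NAMES.get(n, n), v) for n, v in req.options])
    rsp = parse_coap(RESPONSE)
    print(rsp.code_str(), rsp.payload)
    print("malformed accepted:", is_well_formed(MALFORMED))
```

Every length that comes from the wire (token length, extended delta and length bytes, the option value itself) is compared against the datagram size before it is used as an index, which is exactly the discipline a C implementation needs when the option value is copied into a fixed-size stack buffer.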

XMPP

Extensible Messaging and Presence Protocol (formerly Jabber) is a communications protocol for message-oriented middleware. The core specifications for XMPP are developed at the Internet Engineering Task Force (IETF). Various server and client implementations are available for review at
License: Various
Recent vulnerabilities: No known disclosures

DDS

Data Distribution Service (DDS) is a machine-to-machine (M2M) middleware standard promoted by the Object Management Group (OMG). It aims to enable scalable, real-time, dependable, high-performance and interoperable data exchange between publishers and subscribers, that is, for M2M communication.
License: Various
Recent vulnerabilities: No known disclosures.

Select IoT communication protocols with care

Selecting the correct protocol for a networked solution is nothing new; engineering teams have been doing this for decades. While IoT has increased the velocity of product releases, you must still take care when selecting protocols to ensure they meet not only the technical requirements but also what my colleague Tim Mackey refers to as the Minimum Success Criteria. After all, the last thing any vendor wants to see is a product recall due to security issues.

Posted by

Baljeet Malhotra

Baljeet Malhotra is Vice President of Research at Black Duck Software and leads Black Duck Software Canada, a research division of Black Duck. Previously, he was Research Director at SAP, where he drove IoT standards strategy. Before that he was a Computational Scientist with the Earth Observation Systems Laboratory and a Senior Software Engineer at Satyam Computers. He holds a PhD in Computing Science from the University of Alberta and did his post-doctoral work at the National University of Singapore. He has published numerous scientific reports and patents. He was an NSERC Canada scholar during 2005-2010 and was awarded Global Young Scientist by the Government of Singapore in 2011 and 2012.