Secure MQTT transmissions

I have used the MQTT protocol quite a lot over the years for domestic as well as industrial applications and have forever been struggling with secure message transmissions.

Magnetic Puck shaped Arduino Nano 33 IoT IMU Sensor

My usual solution for this has been to include a frame counter in the payload and then apply light encryption to the payload. On the receiving side I would then decrypt the payload, check for an increase of the frame counter and then accept the payload. Of course, this only encrypted the payload, and other parts of the MQTT message (topic, client ID, the MQTT header itself) still remained visible during its travel from my node to my server. I found that anything more than that was just not possible with nodes I developed using microcontrollers such as the ARM Cortex-M0.

I started looking for new opportunities when LoRaWAN nodes were being developed that came with on-board encryption to allow secure data transmissions. Surely somebody would come up with a nice microcontroller with a crypto chip on board soon, I thought…

… And so they did. Some months ago, Arduino released the Arduino Nano 33 IoT, a small board with a Microchip ECC608 crypto element on board that keeps the node's private key in hardware instead of in the microcontroller's flash. Finally I am able to communicate via a secure communication channel between node and server using Transport Layer Security (TLS) and Secure Sockets Layer (SSL). Time for an experiment.

Let’s assume a case where you want to check the cycle time of your machine and monitor the number of products made per hour. You want to use Industry 4.0 technology without interfering with (or needing to interface with) your existing SCADA or other MES system. Let’s also assume you want to do this in a secure manner over the existing (WPA2-secured) WiFi already installed in your machine shop, and, just for good measure, you want to prevent others from intercepting the message stream and / or spoofing your system with false messages. Note that WPA2 only protects the radio hop between the node and the access point; from the access point onwards the MQTT traffic is in the clear unless the MQTT session itself is protected, which is what TLS gives you.

In this blog, I will set up a simple server with an MQTT broker and Node-RED. I will discuss a simple Node-RED flow to interface with the broker, handle the incoming messages and display a dashboard. Protecting your server and your Node-RED environment is outside the scope of this blog, but needless to say also very important. I will also show you how to prepare a 3D-printed enclosure for the node, complete with two small strong magnets, for attaching it to the moving metal machine parts without modifying those parts.

The first thing is setting up an MQTT broker on your server with TLS enabled to provide a secure communication channel between a node (client) and the server. (SSL is the obsolete predecessor of TLS; leave it disabled.) I use RabbitMQ for industrial applications, but for domestic use and quick testing I find Mosquitto easier to set up. There are multiple locations on the Internet that provide good instructions for setting up your MQTT broker. The instructions from HiveMQ are a good starting point for setting up Mosquitto with TLS. Whatever guide you follow, the things to check at the end are that the plaintext listener on port 1883 is gone, that anonymous connections are refused, and that the node verifies the broker's certificate against your own CA rather than accepting any certificate it is shown.
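As an added example (my own, not the configuration from the original post or from HiveMQ), the script below builds a small private PKI with openssl, writes a Mosquitto listener configuration that replaces the usual bare `listener 1883` / `allow_anonymous true` starting point, and lists the checks to run from a second machine. The directory `/etc/mosquitto/certs`, the broker name `broker.example.local`, the client name `node01` and the topic `machine/cycle` are placeholders. It uses P-256 keys throughout because that is the curve the ECC608 on the node works with; the client-certificate (mutual TLS) part is a choice of this example, and a broker that only authenticates itself would use `require_certificate false` with a `password_file` instead.

```shell
#!/bin/sh
# Added example, not the post's own setup. Placeholder names: CERT_DIR,
# BROKER_CN, node01, machine/cycle. Run gen_certs once on the server,
# then write_broker_conf into /etc/mosquitto/conf.d/, then check_tls
# from another host on the WiFi.
set -eu

CERT_DIR="${CERT_DIR:-/etc/mosquitto/certs}"
BROKER_CN="${BROKER_CN:-broker.example.local}"   # must match the name the node connects to

# 1. Private CA, broker certificate and one client certificate (P-256 keys).
gen_certs() {
    mkdir -p "$CERT_DIR"
    # CA key and self-signed CA certificate
    openssl ecparam -name prime256v1 -genkey -noout -out "$CERT_DIR/ca.key"
    openssl req -x509 -new -sha256 -days 3650 -key "$CERT_DIR/ca.key" \
        -subj "/CN=Machine shop MQTT CA" -out "$CERT_DIR/ca.crt"
    # Broker certificate with a SAN; clients reject certificates without one nowadays
    openssl ecparam -name prime256v1 -genkey -noout -out "$CERT_DIR/server.key"
    openssl req -new -sha256 -key "$CERT_DIR/server.key" \
        -subj "/CN=$BROKER_CN" -out "$CERT_DIR/server.csr"
    printf 'subjectAltName=DNS:%s\n' "$BROKER_CN" > "$CERT_DIR/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$CERT_DIR/server.csr" \
        -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
        -extfile "$CERT_DIR/server.ext" -out "$CERT_DIR/server.crt"
    # One client certificate per node; its CN becomes the MQTT username below
    openssl ecparam -name prime256v1 -genkey -noout -out "$CERT_DIR/node01.key"
    openssl req -new -sha256 -key "$CERT_DIR/node01.key" \
        -subj "/CN=node01" -out "$CERT_DIR/node01.csr"
    openssl x509 -req -sha256 -days 825 -in "$CERT_DIR/node01.csr" \
        -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
        -out "$CERT_DIR/node01.crt"
    # Keys stay private; afterwards chown server.key to the user mosquitto runs as
    chmod 600 "$CERT_DIR"/*.key
}

# 2. Broker configuration. The weak form most tutorials begin with is a bare
#    "listener 1883" with "allow_anonymous true"; this file replaces it.
write_broker_conf() {
    out="$1"
    cat > "$out" <<EOF
# No plaintext listener at all: nothing on 1883.
listener 8883
cafile $CERT_DIR/ca.crt
certfile $CERT_DIR/server.crt
keyfile $CERT_DIR/server.key
# Mutual TLS: a client must present a certificate signed by our CA, and
# its CN is used as the MQTT username (no password database needed).
require_certificate true
use_identity_as_username true
allow_anonymous false
# Refuse SSL and any TLS older than 1.2.
tls_version tlsv1.2
EOF
}

# 3. Checks from another machine on the WiFi: the first must print
#    "Verify return code: 0 (ok)", the second must publish, the third must fail.
check_tls() {
    openssl s_client -connect "$BROKER_CN:8883" -servername "$BROKER_CN" \
        -CAfile "$CERT_DIR/ca.crt" </dev/null | grep 'Verify return code'
    mosquitto_pub -h "$BROKER_CN" -p 8883 --cafile "$CERT_DIR/ca.crt" \
        --cert "$CERT_DIR/node01.crt" --key "$CERT_DIR/node01.key" \
        -t machine/cycle -m '{"frame":1,"cycle_ms":4120}'
    # Plaintext must be refused now that the 1883 listener is gone
    ! mosquitto_pub -h "$BROKER_CN" -p 1883 -t machine/cycle -m spoof
}

# Stand-alone run: write the configuration to the given path (default: current directory).
write_broker_conf "${1:-mosquitto-tls.conf}"
```

The spoofing requirement from the scenario is what `require_certificate true` buys you: a device without a certificate signed by your CA cannot even complete the handshake, let alone publish a false cycle count. The node-side counterpart is to put `ca.crt` (not a public root bundle) into the node's trust store and to have it connect to `BROKER_CN` by that exact name, so a rogue access point or broker on the same WiFi cannot impersonate yours.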

You can already start with printing your enclosure. STL files can be found on Thingiverse.