An Experimental Evaluation of MQTT Authentication and Authorization in IoT
Authors: M. Michaelides, C. Sengul, P. Patras
Published in: Proceedings of the 15th ACM Workshop on Wireless Network Testbeds, Experimental evaluation & CHaracterization, 2021-10-25
DOI: 10.1145/3477086.3480838 (https://doi.org/10.1145/3477086.3480838)
Citation count: 5 (Semantic Scholar)
Security vulnerabilities make the Internet of Things (IoT) systems open to online attacks that threaten both their operation and user privacy. Among the many protocols governing IoT operation, MQTT has seen wide adoption, but comes with rudimentary security support. Specifically, while the MQTT standard strongly recommends that servers (brokers) offer Transport Layer Security (TLS), it is mainly concerned with the message transmission protocol, leaving to implementers the responsibility for providing appropriate security features. However, well-known solutions for Web Security (OAuth2) exist, which may benefit MQTT. This paper presents systematic implementation efforts and practical experimentation to evaluate the feasibility of one such approach, namely the MQTT-TLS profile for the Authentication and Authorization in Constrained Environments (ACE), recently specified by the IETF. Our implementation includes the functionality for (1) the Authorization Server (AS), to handle client registration, authorization policies, and Access Tokens; (2) the MQTT broker, to enforce authentication in both MQTT versions 3.1.1 and 5. Together, these enable ACE-MQTT clients to use (3) OAuth2-based authentication and authorization via Proof of Possession tokens. We make the source-code of our ACE-MQTT implementation publicly available, and evaluate it against plain MQTT systems in realistic settings with different computation constraints. To assess the cost of security, we measure the CPU, memory, network usage, and energy consumption. The results obtained confirm that the ACE requirements match the capabilities of moderately constrained devices, hence providing an affordable mechanism to secure MQTT systems.