IoT asset tracking tutorials tend to focus on connecting sensors and getting data streaming. Very few of them explain how to make sure the data really comes from your own devices and that nobody can intercept it along the way. Here is the complete security stack: TLS, mutual authentication, and certificate lifecycle management.
Four real attacks you are protecting against
- Eavesdropping: capture of location and sensor data in transit, particularly on cellular or open Wi-Fi networks
- Spoofing: a malicious device injecting fake location data into your asset tracking system by impersonating a legitimate tracker
- Broker hijack: an untrusted subscriber connecting to your MQTT topics and consuming asset telemetry
- Replay attack: an attacker reusing a captured valid packet to insert old or modified location data
Layer 1: TLS in transit
Every byte sent from your IoT devices must be encrypted. For MQTT that means MQTTS on port 8883, MQTT over TLS. Never run unencrypted MQTT on port 1883 in production; that is fine for development only.
Mosquitto Configuration to Use TLS:
```conf
# /etc/mosquitto/mosquitto.conf
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# Enforce mutual TLS: a client without a certificate signed by cafile is rejected
require_certificate true

# Use the CN of the verified client certificate as the MQTT username,
# so the ACL in Layer 3 can key on it
use_identity_as_username true

# Accept TLS 1.3 only (leave unset to accept the Mosquitto 2.x default of 1.2 and 1.3).
# Mosquitto does not support trailing comments after a value, so keep comments on their own line.
tls_version tlsv1.3

# Disable the unencrypted port entirely in production
# listener 1883   <- DO NOT enable this
```
From the client side, the connection uses the CA certificate to verify the identity of the broker:
```javascript
// Node.js device client with TLS
const mqtt = require('mqtt')
const fs = require('fs')

const client = mqtt.connect('mqtts://broker.yourdomain.com:8883', {
  ca: fs.readFileSync('/certs/ca.crt'),       // your own CA, used to verify the broker
  cert: fs.readFileSync('/certs/device.crt'), // device cert, presented to the broker (mTLS)
  key: fs.readFileSync('/certs/device.key'),  // device private key
  rejectUnauthorized: true                    // never disable this
})
```
This is always a no-no: `rejectUnauthorized: false`. It switches off certificate verification entirely, so your device will happily connect to anything, including a man-in-the-middle. Definitely not something you want in production.
Layer 2: mutual TLS (mTLS)
Standard TLS verifies only the server, but mutual TLS (mTLS) verifies both sides: the broker verifies the device certificate and the device verifies the broker's. A client without a certificate signed by your CA cannot even complete the handshake, so a rogue tracker cannot impersonate one of your devices.
To generate unique certificates for each device using OpenSSL:
```bash
# Step 1: create your Certificate Authority (once)
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/CN=AssetTrackPro-CA"

# Step 2: generate a keypair for each device
openssl genrsa -out device-7821.key 2048
openssl req -new -key device-7821.key -out device-7821.csr \
  -subj "/CN=device-7821/O=fleet-north"

# Step 3: sign the device CSR with your CA
openssl x509 -req -days 365 \
  -in device-7821.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out device-7821.crt
```
CN field tip: encode the device ID in the certificate's CN (CN=device-7821). With `use_identity_as_username true`, Mosquitto takes the CN of the verified client certificate as that client's username on connection, and the ACL can then restrict what topics the device may publish to, with no additional authentication layer required.
Layer 3: MQTT topic authorization
While mTLS proves which device is connecting, it does not stop a compromised device from publishing into another device's topics. Enforce topic authorization per device with Mosquitto's built-in ACL file:
```conf
# /etc/mosquitto/acl.conf
# Enabled in mosquitto.conf with: acl_file /etc/mosquitto/acl.conf
# Anything not explicitly granted here is denied.

# Each device can only publish to its own topics.
# %u = username, which is the certificate CN when use_identity_as_username is on.
# (%c would be the MQTT client ID, which the client picks itself and so cannot be trusted.)
pattern write assets/%u/telemetry
pattern write assets/%u/status

# Backend services get read access to all topics
user backend-service
topic read assets/#

# No device can subscribe to other devices' data: no rule grants devices
# read access anywhere, so the default deny applies to assets/+/telemetry.
```
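The authorization decision the ACL above expresses, as an added example that is not code from the original post or from AssetTrackPro: identity is taken from the client certificate's CN, the client-chosen MQTT client ID is ignored, and MQTT wildcards are matched the way a broker does. The assumed input is the subject object Node's `tls` socket `getPeerCertificate()` returns, for example `{ CN: 'device-7821', O: 'fleet-north' }`.

```javascript
// Added example, not code from the original post. Evaluates the Layer 3 ACL
// for an identity taken from the client certificate. Assumed input: the
// subject object that Node's tls socket.getPeerCertificate() returns,
// e.g. { CN: 'device-7821', O: 'fleet-north' }.

// The ACL file as data. %u is the username, which Mosquitto sets to the
// cert CN when use_identity_as_username is on; user rules bind to one name.
const ACL = [
  { kind: 'pattern', access: 'write', topic: 'assets/%u/telemetry' },
  { kind: 'pattern', access: 'write', topic: 'assets/%u/status' },
  { kind: 'user', name: 'backend-service', access: 'read', topic: 'assets/#' },
]

// Identity comes only from the verified certificate; the MQTT client ID is
// chosen by the client and is ignored. A CN containing '/', '+' or '#' would
// widen the substituted pattern, so such certificates are refused outright.
function identityFromSubject(subject) {
  const cn = subject && subject.CN
  if (typeof cn !== 'string' || !/^[A-Za-z0-9_.-]+$/.test(cn)) {
    throw new Error('client certificate has no usable CN')
  }
  return cn
}

// MQTT topic filter matching: '+' matches one level, '#' the remainder.
function topicMatches(filter, topic) {
  const f = filter.split('/')
  const t = topic.split('/')
  for (let i = 0; i < f.length; i++) {
    if (f[i] === '#') return true
    if (i >= t.length) return false
    if (f[i] !== '+' && f[i] !== t[i]) return false
  }
  return f.length === t.length
}

// Deny by default, exactly like a Mosquitto ACL file: only an explicit
// grant for this username and access type allows the operation.
function isAuthorized(username, access, topic) {
  return ACL.some(rule =>
    (rule.kind !== 'user' || rule.name === username) &&
    (rule.access === access || rule.access === 'readwrite') &&
    topicMatches(rule.topic.replace('%u', username), topic))
}
```

A device presenting CN=device-7821 can write its own telemetry and status topics and nothing else; only backend-service can read, and a certificate whose CN carries topic characters is rejected before any rule is consulted.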
Layer 4: certificate renewal
Certificates expire. Devices in the field need to renew theirs automatically, before expiry and without human interaction. The following is a pattern for certificate auto-renewal:
```javascript
// Device checks cert expiry on boot and renews if < 30 days left
const fs = require('fs')
const { X509Certificate } = require('crypto')

async function checkAndRenewCert() {
  const cert = new X509Certificate(fs.readFileSync('/certs/device.crt'))
  const expiry = Date.parse(cert.validTo) // NotAfter field
  const daysLeft = (expiry - Date.now()) / (1000 * 86400)
  if (daysLeft >= 30) return

  // Generate new CSR and request signing from backend.
  // generateCSR, deviceId, deviceToken and scheduleRestart are the device
  // firmware's own helpers and are not shown here.
  const newCsr = await generateCSR(deviceId)
  const response = await fetch('https://api.yourdomain.com/cert/renew', {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${deviceToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ csr: newCsr, deviceId })
  })
  if (!response.ok) throw new Error(`renewal failed: HTTP ${response.status}`)
  const { cert: newCert } = await response.json()

  // Never overwrite a working cert with an unverified one: the response must
  // parse as a certificate and be issued and signed by our CA
  const parsed = new X509Certificate(newCert)
  const ca = new X509Certificate(fs.readFileSync('/certs/ca.crt'))
  if (!parsed.checkIssued(ca) || !parsed.verify(ca.publicKey)) {
    throw new Error('renewed cert is not signed by our CA')
  }

  // Write to a temp file and rename, so a crash mid-write cannot leave a truncated cert
  fs.writeFileSync('/certs/device.crt.tmp', newCert, { mode: 0o600 })
  fs.renameSync('/certs/device.crt.tmp', '/certs/device.crt')
  scheduleRestart() // reconnect with new cert
}
```
Security checklist
- MQTTS on 8883: TLS 1.3 required, 1883 blocked in production
- Mutual TLS: the broker validates the device certificate and the device validates the broker's
- Per-device certificates: each device has its own certificate with CN set to its device ID
- Topic-based access control: devices limited to publishing to their own topics
- Automatic certificate rotation: certificates renew before they expire, without human interaction
- Certificate revocation: CRL or OCSP configured so a compromised device certificate can be revoked
- Never store the private key in the device firmware image: use a secure element or encrypted storage
- Never reuse certificates between devices: if one is compromised, you lose only one device
Recommended stack
- Mosquitto + TLS
- OpenSSL / CFSSL
- Let's Encrypt (broker server certificate)
- Hashicorp Vault (certificate authority)
- Node.js / Python
When considering production-level certificate management, the Hashicorp Vault PKI secrets engine can definitely be worth the hassle, since it enables automatic CSR signing, expiry enforcement, and proper handling of revocation. If you're working with a smaller deployment, a self-hosted OpenSSL certificate authority with a certificate renewal API will do nicely.
AssetTrackPro's device communication uses mTLS, per-device certificates, and automatic renewal of those certificates across all installations, keeping your data encrypted in transit.
Looking for a secure IoT tracking solution? AssetTrackPro takes care of device authentication, TLS, and certificate management, so you can launch fast while staying secure.