An Overview of Open Standards for IoT Communication Protocols

IoT Building Blocks: Understanding the Ecosystem of Open Source Standards and Solutions

The number of “smart” applications will only increase in 2017 as vendors seek to differentiate themselves in their various marketplaces. This point was made abundantly clear at CES recently as part of the “Trillion Dollar IoT Opportunity.” With an explosion of vendors seeking to make our homes, factories, vehicles and healthcare more connected and thus “smarter,” it’s important to understand the various standards in play.

In its simplest terms, an IoT solution is a collection of sensors combined with a centralized management application permitting the user to modify the environment in some way. Examples include being able to monitor the temperature of your home and adjust it based on occupancy; and being able to monitor the progress of an assembly line and validate manufacturing tolerances.

If you’ve recognized that communication between these devices benefits from standardization, and could be prone to attack, then you’re asking the right questions. Today, there are a variety of IoT communication protocols and standards designed to simplify IoT designs and increase the ability of vendors to innovate quickly. The following list is far from exhaustive, but gives both an overview of some of the popular choices and an indication of their security state.

OPC-UA
OPC Unified Architecture is an industrial machine-to-machine (M2M) communication protocol for interoperability, developed by the OPC Foundation.

AMQP
The Advanced Message Queuing Protocol is an OASIS standard specifying an application-layer protocol for message-oriented middleware.
  • ActiveMQ implements AMQP.
    License: Apache
    Recent vulnerabilities: CVE-2016-3088, CVE-2016-0782, CVE-2016-0734, CVE-2015-5254
    Alternatives: RabbitMQ, Kafka, and Kestrel
    • MQTT: It is a publish-subscribe based lightweight messaging protocol for use on top of the TCP/IP protocol.
      License: Creative Commons Attribution 4.0 International Public

    • OpenWire: It is a cross-language protocol that allows native access to ActiveMQ from different languages and platforms.
      License: Apache

    • STOMP: The Simple (or Streaming) Text Orientated Messaging Protocol is another cross-platform protocol to access ActiveMQ from many different languages, as well as use GCJ or IKVM to access the Java code for ActiveMQ from C/C++ or .NET respectively without using OpenWire.
      License: Creative Commons Attribution v3.0

  • RabbitMQ: It is an alternative to ActiveMQ; RabbitMQ is developed and maintained by Pivotal.
    License: MPL, GPL, Apache
    Recent vulnerabilities: CVE-2016-0929, CVE-2015-8786

  • Kafka: It is another alternative to ActiveMQ, originally developed by LinkedIn. Currently it is part of the Apache Camel project.
    License: Apache
    Recent vulnerabilities: No known disclosures

  • Kestrel: It is an alternative to ActiveMQ, originally developed by Twitter, but currently with Apache.
    License: Apache
    Recent vulnerabilities: No known disclosures

  • QPID Client: Apache QPID is a message queuing solution that aims to fully implement AMQP.
    License: Apache
    Recent vulnerabilities: CVE-2016-4974

CoAP

The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with resource-constrained devices and networks in IoT. CoAP is specified in RFC 7252 and is designed for M2M applications such as smart energy and building automation.
License: MIT, Apache and other licenses that are attached to various utilities/applications
Recent vulnerabilities: There are no known reported vulnerabilities, but certain implementations may cause stack overflow. More information here: https://github.com/nodemcu/nodemcu-firmware/issues/1254/
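
The page does not describe the cause of the linked issue. As an added example (not code from this post or from any project it names), here is a bounds-checked walker for the RFC 7252 message layout that checks each length field against the bytes remaining before it advances, which is the kind of check a CoAP parser on a constrained device needs. The function, struct and error names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes and struct names are this example's own, not from any library. */
enum { COAP_OK = 0, COAP_ERR_SHORT = -1, COAP_ERR_VERSION = -2,
       COAP_ERR_TKL = -3, COAP_ERR_OPTION = -4, COAP_ERR_PAYLOAD = -5 };
struct coap_info { uint8_t type, code, tkl; uint16_t msg_id;
                   unsigned n_options; size_t payload_off, payload_len; };

/* Decode a 4-bit option delta/length plus its extension bytes (RFC 7252, 3.1). */
static int ext_value(const uint8_t *b, size_t len, size_t *pos, uint8_t nib, uint32_t *out)
{
    size_t need = nib == 13 ? 1 : nib == 14 ? 2 : 0;
    if (nib == 15 || len - *pos < need) return -1;   /* 15 is reserved */
    if (nib == 13) *out = 13u + b[*pos];
    else if (nib == 14) *out = 269u + (((uint32_t)b[*pos] << 8) | b[*pos + 1]);
    else *out = nib;
    *pos += need;
    return 0;
}

/* Walk header, token and options; pos never exceeds len, so no read past b[len-1]. */
int coap_parse(const uint8_t *b, size_t len, struct coap_info *o)
{
    size_t pos = 4;
    uint32_t delta, olen;
    if (len < 4) return COAP_ERR_SHORT;              /* fixed header is 4 bytes */
    if ((b[0] >> 6) != 1) return COAP_ERR_VERSION;   /* only version 1 is defined */
    o->type = (b[0] >> 4) & 3; o->tkl = b[0] & 0x0F;
    o->code = b[1]; o->msg_id = (uint16_t)((b[2] << 8) | b[3]);
    o->n_options = 0; o->payload_off = 0; o->payload_len = 0;
    if (o->tkl > 8) return COAP_ERR_TKL;             /* token lengths 9-15 are reserved */
    if (len - pos < o->tkl) return COAP_ERR_SHORT;   /* token must fit in the datagram */
    pos += o->tkl;
    while (pos < len) {
        uint8_t h = b[pos++];
        if (h == 0xFF) {                             /* payload marker */
            if (pos == len) return COAP_ERR_PAYLOAD; /* marker followed by nothing */
            o->payload_off = pos; o->payload_len = len - pos;
            return COAP_OK;
        }
        if (ext_value(b, len, &pos, h >> 4, &delta) ||
            ext_value(b, len, &pos, h & 0x0F, &olen) ||
            len - pos < olen) return COAP_ERR_OPTION; /* option value must fit */
        pos += olen;
        o->n_options++;
    }
    return COAP_OK;
}
```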

XMPP

Extensible Messaging and Presence Protocol (formerly Jabber) is a communications protocol for message-oriented middleware. The core specifications for XMPP are developed at the Internet Engineering Task Force (IETF). Various server and client implementations are available for review at http://xmpp.org/software/.
License: Various 
Recent vulnerabilities: No known disclosures

DDS

Data Distribution Service (DDS) is a machine-to-machine (M2M) middleware standard promoted by the Object Management Group (OMG) that aims to enable scalable, real-time, dependable, high-performance and interoperable data exchanges between publishers and subscribers, that is, for M2M communication.
License: Various 
Recent vulnerabilities: No known disclosures.

Select Protocols with Care

Selecting the correct protocol for a networked solution is nothing new. Engineering teams have been doing this for decades. While IoT has increased the velocity of product releases, you must maintain care when selecting protocols to ensure they not only meet the technical requirements, but also what my colleague Tim Mackey refers to as the Minimum Success Criteria. After all, the last thing any vendor wants to see happen is a product recall due to security issues.
