An Overview of Open Standards for IoT Communication Protocols

IoT Building Blocks: Understanding the Ecosystem of Open Source Standards and Solutions

The number of “smart” applications will only increase in 2017 as vendors seek to differentiate themselves in their various marketplaces. This point was made abundantly clear at CES recently as part of the “Trillion Dollar IoT Opportunity.” With an explosion of vendors seeking to make our homes, factories, vehicles and healthcare more connected and thus “smarter,” it’s important to understand the various standards in play.

In its simplest terms, an IoT solution is a collection of sensors combined with a centralized management application that lets the user modify the environment in some way. Examples include monitoring the temperature of your home and adjusting it based on occupancy, or tracking the progress of an assembly line and validating manufacturing tolerances.

If you’ve recognized that the communications between these devices benefit from standardization, and are also an attack surface, then you’re asking the right questions. Today there are a variety of IoT communication protocols and standards designed to simplify IoT designs and let vendors innovate quickly. The following list is far from exhaustive, but it gives an overview of some popular choices along with an indication of their security track record.

OPC-UA
OPC Unified Architecture is an industrial machine-to-machine (M2M) communication protocol for interoperability, developed by the OPC Foundation.

AMQP
The Advanced Message Queuing Protocol is an OASIS standard application-layer protocol for message-oriented middleware.
  • ActiveMQ implements AMQP.
    License: Apache
    Recent vulnerabilities: CVE-2016-3088, CVE-2016-0782, CVE-2016-0734, CVE-2015-5254
    Alternatives: RabbitMQ, Kafka, and Kestrel
    Other wire protocols supported by ActiveMQ:
    • MQTT: a lightweight publish/subscribe messaging protocol that runs on top of TCP/IP
      License: Creative Commons Attribution 4.0 International Public License

    • OpenWire: a cross-language protocol that gives native access to ActiveMQ from different languages and platforms
      License: Apache

    • STOMP: the Simple (or Streaming) Text Oriented Messaging Protocol, another cross-platform way to access ActiveMQ from many languages; alternatively, GCJ or IKVM can be used to call ActiveMQ’s Java code from C/C++ or .NET respectively without using OpenWire
      License: Creative Commons Attribution 3.0

  • RabbitMQ: an alternative to ActiveMQ, developed and maintained by Pivotal.
    License: MPL, GPL, Apache
    Recent vulnerabilities: CVE-2016-0929, CVE-2015-8786

  • Kafka: another alternative to ActiveMQ, originally developed by LinkedIn and now an Apache Software Foundation top-level project (Apache Camel provides a component for connecting to it).
    License: Apache
    Recent vulnerabilities: No known disclosures

  • Kestrel: an alternative to ActiveMQ, originally developed by Twitter and released under the Apache License.
    License: Apache
    Recent vulnerabilities: No known disclosures

  • Qpid: Apache Qpid is a message queuing project (brokers and client libraries) that aims to fully implement AMQP.
    License: Apache
    Recent vulnerabilities: CVE-2016-4974
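The MQTT entry above describes the protocol in one line. The following is an added example written for this page, not code from ActiveMQ or from any MQTT library: it builds and parses an MQTT 3.1.1 CONNECT packet so the wire format is visible. Two things matter for security. First, the client ID, username and password are plain length-prefixed fields, so without TLS anyone on the path can read them (the code recovers them directly from the bytes). Second, the Remaining Length field is a variable-byte integer that a broker decodes from untrusted input, so the decoder caps it at the four bytes the specification allows and every length prefix is bounds-checked. The function names, the sample client ID and the credentials are the example’s own, and the sample packet is constructed, not captured.

```python
import struct

MAX_REMAINING_LENGTH_BYTES = 4  # MQTT 3.1.1 section 2.2.3: at most four bytes, max value 268,435,455

def encode_remaining_length(n: int) -> bytes:
    """Variable-byte integer (section 2.2.3): 7 data bits per byte, MSB is the continuation bit."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf: bytes, pos: int):
    """Returns (value, new_pos); refuses a fifth byte instead of looping on attacker-controlled input."""
    value, multiplier = 0, 1
    for i in range(MAX_REMAINING_LENGTH_BYTES):
        if pos + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length (more than 4 bytes)")

def _mqtt_string(s: str) -> bytes:
    """UTF-8 string with a 2-byte big-endian length prefix (section 1.5.3)."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b

def _read_field(buf: bytes, pos: int):
    """Length-prefixed field, bounds-checked so a lying length cannot read past the packet."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("field runs past end of packet")
    return buf[pos:pos + n], pos + n

def build_connect(client_id, username=None, password=None, keep_alive=60, clean_session=True) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (section 3.1); no will message, to keep the example short."""
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1 forbids a password without a username")
    flags = 0x02 if clean_session else 0x00
    flags |= 0x80 if username is not None else 0
    flags |= 0x40 if password is not None else 0
    variable_header = _mqtt_string("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keep_alive)
    payload = _mqtt_string(client_id)
    if username is not None:
        payload += _mqtt_string(username)
    if password is not None:
        payload += struct.pack("!H", len(password)) + password  # password is binary data, not a UTF-8 string
    body = variable_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def parse_connect(pkt: bytes) -> dict:
    """Decode a CONNECT packet; everything returned here was readable on the wire."""
    if not pkt or pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(pkt, 1)
    if pos + remaining != len(pkt):
        raise ValueError("remaining length does not match packet size")
    name, pos = _read_field(pkt, pos)
    if name != b"MQTT":
        raise ValueError("unsupported protocol name")
    if pos + 4 > len(pkt):
        raise ValueError("truncated variable header")
    level, flags = pkt[pos], pkt[pos + 1]
    (keep_alive,) = struct.unpack_from("!H", pkt, pos + 2)
    pos += 4
    if flags & 0x01:
        raise ValueError("reserved connect flag set")  # the spec requires the server to close the connection
    if flags & 0x40 and not flags & 0x80:
        raise ValueError("password flag without username flag")
    client_id, pos = _read_field(pkt, pos)
    will = None
    if flags & 0x04:
        will_topic, pos = _read_field(pkt, pos)
        will_message, pos = _read_field(pkt, pos)
        will = (will_topic.decode("utf-8"), will_message)
    username = password = None
    if flags & 0x80:
        raw, pos = _read_field(pkt, pos)
        username = raw.decode("utf-8")
    if flags & 0x40:
        password, pos = _read_field(pkt, pos)
    return {"level": level, "clean_session": bool(flags & 0x02), "keep_alive": keep_alive,
            "client_id": client_id.decode("utf-8"), "will": will, "username": username, "password": password}

def is_well_formed_connect(pkt: bytes) -> bool:
    try:
        parse_connect(pkt)
        return True
    except ValueError:
        return False

# Constructed sample (hypothetical sensor and credentials): a client authenticating with username and password
SAMPLE_CONNECT = build_connect("sensor-01", username="alice", password=b"s3cret")
```

Running `parse_connect(SAMPLE_CONNECT)` returns the username `alice` and the password bytes `s3cret` unchanged, which is the whole argument for putting MQTT behind TLS (and for not reusing device credentials across a fleet). A malformed header such as five continuation bytes in the Remaining Length, or a packet truncated after the length was sent, is rejected rather than parsed.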

CoAP

The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for resource-constrained devices and networks, the typical IoT case. It is specified in RFC 7252 and targets M2M applications such as smart energy and building automation.
License: MIT, Apache and other licenses, depending on the utility or application that implements it
Recent vulnerabilities: No vulnerabilities are known to have been reported against the protocol itself, but at least one implementation has been reported to hit a stack overflow; a clean specification does not make its parsers safe. See the issue filed against the NodeMCU firmware: https://github.com/nodemcu/nodemcu-firmware/issues/1254/
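The implementation defect mentioned above is the usual one for a compact binary format: a length the sender supplies is trusted before it is checked. As an added example written for this page (not code from NodeMCU or any CoAP library), here is a parser for the RFC 7252 message format that validates every sender-controlled field before using it: the version, the reserved token lengths 9 to 15, the option delta and length extension bytes, the option value bounds, and the rule that a payload marker must be followed by at least one byte. Option numbers are from RFC 7252 section 5.10; the datagrams are constructed, not captured, and the function and constant names are the example’s own.

```python
import struct
from dataclasses import dataclass

class CoapFormatError(ValueError):
    """Any violation of the RFC 7252 section 3 message format; a receiver should drop or RST the message."""

TYPE_NAMES = ("CON", "NON", "ACK", "RST")
URI_PATH, CONTENT_FORMAT = 11, 12  # option numbers from RFC 7252 section 5.10

@dataclass
class CoapMessage:
    mtype: str
    code: str            # "class.detail", e.g. "0.01" is GET, "2.05" is Content
    message_id: int
    token: bytes
    options: list        # [(option_number, raw_value), ...] in ascending option-number order
    payload: bytes

def _extended(nibble: int, buf: bytes, pos: int, what: str):
    """Expand a 4-bit option delta/length nibble with its extension bytes (RFC 7252 section 3.1)."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(buf):
            raise CoapFormatError(f"truncated 1-byte {what} extension")
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(buf):
            raise CoapFormatError(f"truncated 2-byte {what} extension")
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    raise CoapFormatError(f"reserved {what} nibble 15")  # only legal as part of the 0xFF payload marker

def parse_coap(buf: bytes) -> CoapMessage:
    """Parse one CoAP datagram; every length the sender supplies is checked before it is used."""
    if len(buf) < 4:
        raise CoapFormatError("shorter than the 4-byte fixed header")
    b0, code_byte, message_id = struct.unpack_from("!BBH", buf, 0)
    version, mtype, tkl = b0 >> 6, (b0 >> 4) & 0x3, b0 & 0xF
    if version != 1:
        raise CoapFormatError(f"unknown version {version}")
    if tkl > 8:
        raise CoapFormatError(f"token length {tkl} is reserved")  # 9-15 MUST be treated as a format error
    pos = 4
    if pos + tkl > len(buf):
        raise CoapFormatError("token runs past end of message")
    token, pos = buf[pos:pos + tkl], pos + tkl
    options, number, payload = [], 0, b""
    while pos < len(buf):
        byte, pos = buf[pos], pos + 1
        if byte == 0xFF:
            if pos == len(buf):
                raise CoapFormatError("payload marker followed by empty payload")
            payload = buf[pos:]
            break
        delta, pos = _extended(byte >> 4, buf, pos, "option delta")
        length, pos = _extended(byte & 0xF, buf, pos, "option length")
        if pos + length > len(buf):
            raise CoapFormatError("option value runs past end of message")
        number += delta
        options.append((number, buf[pos:pos + length]))
        pos += length
    return CoapMessage(TYPE_NAMES[mtype], f"{code_byte >> 5}.{code_byte & 0x1F:02d}",
                       message_id, token, options, payload)

def uri_path(msg: CoapMessage) -> str:
    """Join the Uri-Path options into a path string."""
    return "/" + "/".join(v.decode("utf-8") for n, v in msg.options if n == URI_PATH)

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_coap(buf)
        return True
    except CoapFormatError:
        return False

# Constructed samples (not captured traffic):
# CON GET, token ab cd, message ID 0x1234, one Uri-Path option "temperature" (delta 11, length 11 -> 0xBB)
GET_TEMPERATURE = bytes([0x42, 0x01, 0x12, 0x34, 0xAB, 0xCD, 0xBB]) + b"temperature"
# CON PUT, Uri-Path "led", Content-Format 50 = application/json (delta 1, length 1 -> 0x11), payload marker, body
PUT_LED = bytes([0x42, 0x03, 0x00, 0x01, 0xAB, 0xCD, 0xB3]) + b"led" + bytes([0x11, 0x32, 0xFF]) + b'{"on":1}'
# Malformed: reserved token length 15, an option longer than the datagram, and a payload marker with nothing after it
BAD_TKL = bytes([0x4F, 0x01, 0x12, 0x34]) + b"\x00" * 15
BAD_OPTION_LENGTH = bytes([0x40, 0x01, 0x12, 0x34, 0xBB]) + b"temp"
BAD_PAYLOAD_MARKER = bytes([0x40, 0x01, 0x12, 0x34, 0xFF])
```

`BAD_OPTION_LENGTH` is the shape of input that overruns a fixed stack buffer in a C implementation that copies `length` bytes without comparing it to what remains in the datagram; here it is rejected before any copy. The parser is what a reviewer should look for in any constrained-device protocol stack: a bounds check on every field the peer controls.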

XMPP

Extensible Messaging and Presence Protocol (XMPP, formerly Jabber) is an XML-based communications protocol for message-oriented middleware. The core specifications for XMPP are developed at the Internet Engineering Task Force (IETF). Various server and client implementations are available for review at http://xmpp.org/software/.
License: Various 
Recent vulnerabilities: No known disclosures

DDS

Data Distribution Service (DDS) is a machine-to-machine (M2M) middleware standard promoted by the Object Management Group (OMG) that aims to enable scalable, real-time, dependable, high-performance and interoperable data exchange between publishers and subscribers.
License: Various 
Recent vulnerabilities: No known disclosures.

Select Protocols with Care

Selecting the correct protocol for a networked solution is nothing new. Engineering teams have been doing this for decades. While IoT has increased the velocity of product releases, you must still take care when selecting protocols to ensure they not only meet the technical requirements, but also what my colleague Tim Mackey refers to as the Minimum Success Criteria. After all, the last thing any vendor wants to see happen is a product recall due to security issues.
