Security
This page describes MQTT security recommendations and best-practices.
Secure Connection
Always use a TLS-encrypted connection between device and broker to ensure data integrity and prevent man-in-the-middle attacks.
If it is not possible to use a TLS connection, try to ensure a secure connection using other means. For example, some cellular providers may offer a private APN with an encrypted VPN.
Secure Authentication
If possible, prefer to use Client-Certificate authentication to identify and authenticate the device at the broker.
Client Certificates should not be re-used by multiple devices.
The gateway presents its client certificate to the server unless the cert=0 parameter is used within the host configuration parameter.
Your MQTT broker should normally have the Lobaro certificate installed as a trusted CA; otherwise the gateway's client certificate is rejected and the gateway will not connect to the broker. The certificate can be downloaded here.
Add it as a trusted CA on your server. The gateways' certificates can also be replaced; contact Lobaro for this.
When using username and password authentication, always use individual credentials for each device. This ensures that credentials of a single compromised device can be blocked without affecting other, non-compromised devices.
Do not use a public broker without authentication.
Broker Security
Ensure that each set of credentials can only publish and subscribe to its designated topics. For example, a device should only be allowed to publish and subscribe, with its own credentials, to exactly the topics that contain its DevEUI.
Keep in mind that a single set of compromised broker credentials with publish and subscribe access to all topics potentially compromises all devices connected to the broker!
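The per-device rule described above (individual credentials, each confined to the topics carrying its own DevEUI) is what a broker's authorization check has to enforce on every PUBLISH and SUBSCRIBE. The following Python is an added example, not Lobaro's code and not any broker's own implementation: it implements MQTT topic-filter matching, the stricter subsumption check a SUBSCRIBE needs (a request for "lobaro/+/down" must be refused even though the device may read "lobaro/<its DevEUI>/down"), and a helper that lists which devices a given credential can reach, which is the blast radius the warning above describes. The topic layout "lobaro/<DevEUI>/up" and "lobaro/<DevEUI>/down" and the DevEUI values are constructed assumptions.

```python
"""Per-device MQTT topic authorization.

Added example; not Lobaro's code and not any broker's own implementation.
It shows the check a broker (or an auth plugin behind it) performs so that one
set of credentials reaches only the topics carrying its own DevEUI, and it makes
visible why a credential with wildcard access to '#' is equivalent to access to
every device on the broker. The topic layout 'lobaro/<DevEUI>/up' and
'lobaro/<DevEUI>/down' and the DevEUI values are constructed for illustration.
"""
from typing import Dict, List

Acl = Dict[str, List[str]]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if a concrete topic name matches an MQTT topic filter.

    '+' matches exactly one level, '#' matches all remaining levels (and must be
    the last level). A filter starting with a wildcard never matches topics
    beginning with '$' (e.g. '$SYS/...'), as required by the MQTT spec.
    """
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_subsumes(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    A SUBSCRIBE packet carries a filter, not a topic, so the broker must check
    that the requested filter is no wider than what the credential is allowed.
    A requested '+' or '#' at a level where the ACL names a literal (such as the
    DevEUI) is wider and therefore denied.
    """
    a_levels = allowed.split("/")
    r_levels = requested.split("/")
    for i, a in enumerate(a_levels):
        if a == "#":
            return True                  # allowed covers everything below this level
        if i >= len(r_levels):
            return False                 # requested is shorter and not covered by '#'
        r = r_levels[i]
        if a == "+":
            if r == "#":
                return False             # '#' is wider than a single level
            continue                     # any single level, literal or '+', is fine
        if r != a:
            return False                 # literal mismatch, or r is a wildcard
    return len(a_levels) == len(r_levels)


def acl_for_device(dev_eui: str) -> Acl:
    """Bind one credential to exactly the topics that carry its DevEUI."""
    return {
        "publish": [f"lobaro/{dev_eui}/up"],
        "subscribe": [f"lobaro/{dev_eui}/down"],
    }


def can_publish(acl: Acl, topic: str) -> bool:
    return any(topic_matches(f, topic) for f in acl["publish"])


def can_subscribe(acl: Acl, requested_filter: str) -> bool:
    return any(filter_subsumes(f, requested_filter) for f in acl["subscribe"])


def reachable_devices(acl: Acl, dev_euis: List[str]) -> List[str]:
    """Devices whose downlink topic a credential could subscribe to: the blast
    radius if that credential is compromised."""
    return [d for d in dev_euis if can_subscribe(acl, f"lobaro/{d}/down")]


if __name__ == "__main__":
    # Constructed fleet of three DevEUIs.
    fleet = ["0004A30B001C0530", "0004A30B001C0531", "0004A30B001C0532"]
    own = acl_for_device(fleet[0])
    print("own uplink:", can_publish(own, f"lobaro/{fleet[0]}/up"))      # True
    print("other uplink:", can_publish(own, f"lobaro/{fleet[1]}/up"))    # False
    print("wildcard sub:", can_subscribe(own, "lobaro/+/down"))           # False
    print("reach (per-device creds):", reachable_devices(own, fleet))    # first only
    wide = {"publish": ["#"], "subscribe": ["#"]}
    print("reach (wildcard creds):", reachable_devices(wide, fleet))     # all three
```

Brokers such as Mosquitto express the same per-device binding declaratively (an acl_file "pattern" line with %u substituted by the username), but the part worth understanding is the subscription check: a credential that is allowed "lobaro/<DevEUI>/down" must be refused "lobaro/+/down" and "#", because granting either hands it every device's downlink.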