Improving IoT Security with Access Control List Substitution Variables

Editor’s Note: The VMR (Virtual Message Router) mentioned in this post is now Solace PubSub+.

Many IoT applications will see very large numbers of clients connecting to Solace message routers via insecure public networks. For example, vehicles in a fleet may communicate with the company’s Solace routers over the Internet using MQTT. In such a scenario the company’s system administrators may want to implement Access Control Lists (ACLs) so each vehicle can only publish to topics containing their own MQTT client-username. This would prevent, for example, one vehicle from impersonating another.

But client connection counts can be quite large in IoT applications, making it impractical to create a unique ACL profile for each client. In the recent 8.3.0 release of the Solace Virtual Message Router, we added substitution variables for client-usernames in topic strings to ACL profiles, which means you can now apply a single ACL profile to many client connections. When the MQTT client-username substitution variable appears in an ACL rule being applied to a client, the router replaces that variable with the corresponding client-username for the client connection when performing an ACL check.

For example, say the fleet’s system administrator has configured a publisher ACL with topic string $client-username/DIAGNOSTICS/FUEL and assigned it to a number of vehicle client connections. $client-username is the substitution variable for the client-username a vehicle provides in its MQTT CONNECT packet. So, if a client vehicle with VIN=12345 establishes an MQTT connection using its VIN number as its client-username, the router will substitute that VIN number for $client-username in the ACL topic string when matching to topics in messages published on the connection. That means the client’s vehicle can publish messages to 12345/DIAGNOSTICS/FUEL since the topic contains the client’s VIN, but the client’s vehicle cannot publish messages to 7890/DIAGNOSTICS/FUEL since 7890 is not the client’s VIN.

The ACL Substitution Variables feature also supports the use of the MQTT client-id as the variable to match in a topic string. In that case, the substitution variable would be $client-id, and, in our example, the ACL topic string would become, $client-id/DIAGNOSTICS/FUEL. The substitution mechanism applied during an ACL check is the same as before, but this time using the client-id supplied in the vehicle’s MQTT CONNECT packet. (It should be noted that using $client-id is less secure than $client-username because client-username is authenticated, and this level of security becomes more important in multi-router environments.)

The ACL Substitution Variables feature also works for filtering client subscriptions so that they don’t receive messages not meant for them. Continuing with our example, the system administrator might assign a topic string $client-username/MAINTENANCE/CODE3/+ to a subscription ACL that ensures the vehicle can only receive messages that are meant for that vehicle. ACL filtering works as it normally does for subscriptions, but with a substitution made for $client-username when an ACL check is invoked. So, a vehicle with VIN=12345 can subscribe to 12345/MAINTENANCE/CODE3/+, but would not be allowed to subscribe to 7890/MAINTENANCE/CODE3/+.

We’ve only briefly touched on a few very simple examples of how the ACL Substitution Variable feature works. Click here to learn more.