All you need to know about MQTT Security

The HiveMQ blog recently ran a blog post series about securing MQTT. It featured 10 blog posts packed with content about security for the Internet of Things and MQTT. 

For convenience, here is a list with all blog posts.

If you plan to run MQTT in production, make sure to read the blog posts!

MQTT presentation at the Global IoT Day 2015 in Vienna

I recently gave a talk about „Pub / Sub for the masses – An introduction to MQTT“ in Vienna at the Global IoT Day 2015 event. It was a very short talk and I only covered the most important aspects of MQTT.

It’s available on Youtube and you can see it in full length below. Unfortunately the microphone had a loose contact, so I apologize for the bad sound. The audience had some great questions afterwards, so make sure to watch the whole video. Enjoy!

The slides are also available on Slideshare; you can see them below:

All you need to know about MQTT

If you are interested in IoT and particularly in MQTT, you should check out the MQTT Essentials blog post series on the HiveMQ blog. For convenience, here is the full list of all MQTT Essentials parts:

Every Monday is MQTT Monday at the HiveMQ blog, so a fresh new blog post about MQTT is available every Monday. I’m excited to see what’s coming next!

Eclipse Democamp Mini-Tour 2014

I’m finally back home from my Eclipse Luna Democamp Mini-Tour this year and it was awesome. I met many new and old friends and learned a lot. While I am not that interested in topics like modelling, SWT and RCP for day-to-day business (remember, we do M2M/IoT software like the MQTT Server HiveMQ), I enjoyed learning about new things in these spaces and I was impressed again by the diversity of the Eclipse Ecosystem.

Democamp Munich

My first stop was the Eclipse Democamp in Munich. The location, catering and organization were fantastic and the room was packed. There was a great variety of topics and all the talks were of great quality.
The most notable highlight was for sure the talk by Torkild Ulvøy Reshdeim from Itema AS (Norway). After introducing the new Eclipse Science Working Group, Torkild presented their Eclipse based simulation engine for oil platforms. He showed a live simulation of nautical environment changes which caused catastrophic accidents in the past.
Another interesting talk for me was the Microsoft Team Foundation Integration for Eclipse. I was surprised how well TFS integrates with Eclipse and that Microsoft now really seems to go more open routes, including encouraging companies to use Git.

Angelika Wittek and I showed a proof-of-concept of the redesign of the Eclipse Events page. The awesome thing about it is that it uses MQTT and the Eclipse Paho Javascript library for bringing the event data to the webpage. The HiveMQ enterprise MQTT broker is used, so it is trivial to use MQTT over Websockets thanks to its native MQTT Websocket support. It was great to see so many people interested in Eclipse IoT in general and MQTT in particular, and I really enjoyed the discussions in the break and after the event.

For those interested, these are the slides we had for our presentation:

Democamp Stuttgart

Next stop was the Democamp in Stuttgart. What I like about the Stuttgart Democamp is, that it’s very practical and the speakers always tend to do much live coding, which is always fun. I was pleasantly surprised that there were 3 (!) out of 6 talks related to IoT and all of them covered MQTT, including the talk from Angelika Wittek and me.
My favourite demo was the „MQTT-Robot-Arm“ demo by the Eclipse Franca Team, which controlled a robot arm via a web page and MQTT. They generated two different backends and one frontend with Franca for the communication. If they had used HiveMQ together with Paho.JS, the overall design would have been much simpler, though.

Democamp Vienna – Vienna Calling!

The last stop was the Democamp in Vienna. I was surprised that I got 40 minutes for the talk and so I decided to present something different than „just“ MQTT over websockets. The idea was to present the open source plugin system of HiveMQ. When I was sitting in the ICE train from Landshut to Vienna, I suddenly thought about the song „Vienna Calling“ by Falco and it just didn’t get out of my head. So I threw away my initial demo I prepared for the democamp and started hacking right away.

Honestly, this is my favourite demo I ever did: I demonstrated a very simple HiveMQ plugin which was able to actually call people after a MQTT message was sent to a specific topic. To make things more interesting, the called guy wouldn’t just get called by a robot, no, Falco himself would call and play his hit „Vienna Calling“. (Ok, actually Falco didn’t call but at least the song was played by the caller).

The democamp in Vienna was awesome, well organized and there was plenty of beer ;-). I had very interesting discussions and I enjoyed all the talks, especially the talk about Eclipse Oomph by Eike Stepper and Ed Merks. You should definitely check it out if you are an Eclipse user.

If you’ve never visited an Eclipse Democamp before, you should definitely consider visiting one near you. People and speakers are usually awesome at Eclipse events and you are definitely going to learn new and cool things.

Bringing MQTT authentication and REST together

For most non-trivial server software which runs in production, authentication is very important. Of course this also applies to MQTT brokers. Luckily the MQTT v3.1 specification includes a username and password authentication mechanism which most MQTT brokers implement.

While username/password files for authentication are sufficient for playing around with MQTT brokers, they are not sufficient for enterprise-grade production systems. When integrating a MQTT broker in existing software landscapes, typically there are existing databases and services.

To demonstrate how dead simple it is to integrate an existing HTTP REST API for MQTT authentication, I created a simple HiveMQ MQTT broker plugin which delegates the authentication mechanism to the REST API (in this case a mock REST API). This API returns a JSON response which we parse in the HiveMQ plugin. It uses the excellent Apache HTTPClient from the HTTP Components project to integrate the authentication mechanism. You can find the project on Github here:


This shows the whole implementation of the authentication mechanism. Feels like 90% exception handling 😉

The exact same mechanism can be used if you want to integrate MQTT authentication with some SOAP webservices, NoSQL databases, SQL databases, OAuth and anything you can imagine.
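The delegation pattern described above, as an added Python example (it is not the HiveMQ plugin from this post): a broker-side check posts the MQTT username and password to a REST API and denies the connection on any timeout, error status or malformed JSON. The `/auth` path, the `authenticated` field, the mock server and the sample credentials are assumptions made for the example.

```python
import hmac
import http.client
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"sensor-1": "s3cret"}  # constructed sample credentials

class MockAuthApi(BaseHTTPRequestHandler):
    """Hypothetical backend: POST /auth {"username", "password"} -> {"authenticated": bool}."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        creds = json.loads(self.rfile.read(length))
        if creds.get("username") == "broken":  # simulate a misbehaving backend
            status, payload = 200, b"<html>oops</html>"
        else:
            expected = USERS.get(creds.get("username"))
            ok = expected is not None and hmac.compare_digest(
                expected.encode(), str(creds.get("password")).encode())
            status, payload = (200 if ok else 401), json.dumps({"authenticated": ok}).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_mock_api():  # returns (server, base_url) on a free localhost port
    server = HTTPServer(("127.0.0.1", 0), MockAuthApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

def check_credentials(base_url, username, password, timeout=2.0):
    """Broker-side check: True only for an explicit, well-formed "authenticated": true."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + "/auth", data=body,
                                 headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(req, timeout=timeout) as resp:
            answer = json.loads(resp.read().decode("utf-8"))
    except (OSError, ValueError, http.client.HTTPException):
        return False  # timeout, refused connection, non-2xx or malformed JSON: fail closed
    return isinstance(answer, dict) and answer.get("authenticated") is True

if __name__ == "__main__":
    server, url = start_mock_api()
    print(check_credentials(url, "sensor-1", "s3cret"), check_credentials(url, "broken", "x"))
```

Against a real backend, point `base_url` at an HTTPS endpoint so the credentials are encrypted between broker and API.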

Make sure your MQTT broker of choice supports plugins. If you want to give the HiveMQ plugin system a shot, start here.

Installing a HiveMQ MQTT Server on AWS EC2 with enabled Websockets

To enable communication between MQTT devices, it’s necessary to use a MQTT broker as the central server for your M2M communication. Although there are some public brokers available like, it’s a good idea to set up your own server for playing around. This post shows how to set up a HiveMQ MQTT server instance on Amazon Web Services Elastic Compute Cloud (EC2). As an additional goodie, we want to enable MQTT over websockets, so every browser can be a full-featured MQTT client!

Step 1: Create a new EC2 instance


The first step is to launch a new EC2 instance. In general it does not matter which OS you choose for HiveMQ, as it runs perfectly on every major OS. Any Linux distribution should be fine; I will use Ubuntu 12.04 LTS. To get started, a Micro Instance will be sufficient. If you need real power and throughput, you should start with more RAM and more vCPUs.

Security groups

Security Groups are very important to configure correctly, otherwise we won’t be able to connect to our server correctly.

AWS MQTT Security Group Settings


Open the following ports to the outside world for maximum MQTT pleasure:

  • 22: Needed for SSH. You will probably lock yourself out if you don’t have this port open. Consider restricting this port to your IP address(es) only.
  • 1883: The MQTT standard port
  • 8883: The MQTT standard port for MQTT over TLS.
  • 8000: The port we want to use for MQTT over websockets
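A check for the rule set above, as an added example rather than anything from the original post: it reads inbound rules in the shape of the EC2 `IpPermissions` list and reports SSH reachable from outside your own addresses, plus anything beyond the four listed ports. The sample rules and the admin range `203.0.113.10/32` are constructed.

```python
import ipaddress

# The four ports the post opens; any other reachable port is unexpected.
EXPECTED_PORTS = {22, 1883, 8883, 8000}

# Constructed sample in the shape of the "IpPermissions" list that
# EC2 DescribeSecurityGroups returns for a security group.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1883, "ToPort": 1883, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def _within(source, allowed):
    """True if network `source` lies inside one of the `allowed` networks."""
    return any(source.version == a.version and source.subnet_of(a) for a in allowed)

def audit_ingress(ip_permissions, admin_cidrs):
    """Return a list of findings for the given inbound rules."""
    admins = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for rule in ip_permissions:
        if rule.get("IpProtocol") != "tcp":  # SSH and MQTT are TCP; "-1" means everything
            findings.append(f"unexpected protocol {rule.get('IpProtocol')!r}")
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        sources = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
        sources += [ipaddress.ip_network(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
        if lo <= 22 <= hi:
            for src in sources:
                if not _within(src, admins):
                    findings.append(f"SSH (22) reachable from {src}, outside the admin ranges")
        needed = sum(1 for p in EXPECTED_PORTS if lo <= p <= hi)
        if hi - lo + 1 > needed:  # the range covers ports that are not on the list
            findings.append(f"TCP {lo}-{hi} includes ports the broker setup does not need")
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, ["203.0.113.10/32"]):
        print(finding)
```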

Step 2: Download and install HiveMQ

After launching the EC2 instance, we should SSH into it to install Java and HiveMQ. Depending on your OS, these commands might be a bit different.

Install Java + Utils

First we want to install Java and needed utilities. Execute the following commands:

sudo apt-get update
sudo apt-get install openjdk-7-jre-headless unzip

Now you can run

java -version

and the output should look like this:

java version "1.7.0_25"
OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.12.04.2)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

Install HiveMQ

Now we just have to download HiveMQ and unzip it. Execute the following:

wget --content-disposition
unzip hivemq-1.x.x
cd hivemq-1.x.x

Configure HiveMQ

HiveMQ comes with sensible defaults and we could get started without modifying the configuration if we don’t need websockets support. But since MQTT over websockets is just awesome, we’ll enable it:

Edit the conf/ file and change the following values:


Step 3: Start HiveMQ

Now just run bin/ and HiveMQ should start up. Verify that you see output like this:

2013-11-30 23:04:46,872 INFO  - HiveMQ home directory: /home/ubuntu/hivemq-1.4.2
2013-11-30 23:04:46,876 INFO  - Starting HiveMQ Server
2013-11-30 23:04:50,225 WARN  - No license file found. Using free personal licensing with restrictions to 25 connections.
2013-11-30 23:04:50,832 INFO  - Activating statistics callbacks with an interval of 60 seconds
2013-11-30 23:04:50,833 INFO  - Activating $SYS topics with an interval of 60 seconds
2013-11-30 23:04:52,053 INFO  - Starting on all interfaces and port 1883
2013-11-30 23:04:52,069 INFO  - Starting with Websockets support on all interfaces and port 8000
2013-11-30 23:04:52,076 INFO  - Started HiveMQ 1.4.2 in 5207ms

That was all. Now you have a high performance MQTT server up and running in the cloud and you can start writing your MQTT applications on devices AND in the browser.

P.S. You can test the MQTT over websockets support with the nifty Websocket Browser Client here

MQTT Table Football with Arduino, Raspberry Pi and Websockets

One of our main motivation refreshers in our office is our football table and we use it heavily every day. Someone came up with the idea: „Hey, why don’t we add some freaking MQTT support to the football table?“. Of course there was no argument against it and so we added the MQTT support and used an Arduino One for the job. To make things more interesting we decided against a mechanical goal trigger and used infrared sensors for detecting goals. To raise the motivation even more we used a Raspberry Pi to play goal celebration sounds on actual goals, notified via MQTT, of course.

To raise the nerd factor a bit more, we also decided to remove the built-in goal counter (which needed human interaction to count up) and built a very basic small web application which acted as goal counter by using websockets to get MQTT messages when a goal was shot. This web application also implemented the logic for when a player has won and published messages to the MQTT broker.

MyMQTT for Android was used as a remote control to reset the game with. With MQTT, of course.

The HiveMQ MQTT broker was the heart of the communication. All communication was done via MQTT with the HiveMQ broker.

Architectural Overview

MQTT Table Football Architecture


In Action

We brought the football table to an event a few days ago and it was the absolute highlight of the event. Everyone had great fun.

MQTT IRC Bot/Bridge

It has been a long time since my last blog post. I was incredibly busy with HiveMQ and my focus pivoted to M2M in general and MQTT, an awesome, ultra-low footprint protocol for the Internet of Things, specifically. In the future this blog will also cover these things.

I had some spare time this weekend and decided to do some fun programming. The result was a MQTT-to-IRC or IRC-to-MQTT bridge bot. Although it is a fun project, it turns out that there are real useful use cases for that and because of that I decided to share it :)

How to use

The first step is to download or clone my Github Repository. Then, on the command line, simply run:

mvn clean package

Copy the jar file to a directory of choice and create a file with the properties according to the documentation. An example config:

The next step is to install a MQTT broker locally. To do this, go to and download the latest version. HiveMQ is an advanced enterprise MQTT broker which is made for use cases where scalability, extensibility and reliability are key. It is also perfect for private MQTT projects. Please follow the quick start here to install HiveMQ.

After installing the HiveMQ MQTT broker locally, start the bot and try publishing a MQTT message with a tool of choice on the topic „irc/#%yircchannel1“. Now your message should appear in the corresponding IRC chat.

Of course it is also possible to get all messages via MQTT. Just subscribe to the topic „irc/%myircchannel1/messages“ and you should receive all messages of the IRC chat.

Huh? Why should I do that?

At first sight it does not make any sense to do that. When taking a second look, you will realize that you could connect all kinds of things to a chat with humans. You could send an IRC message when someone enters a door, when your Jenkins has build results, when a GitHub commit occurs, and so on.

Also, you may want to get an Android push notification when someone writes your name in an IRC chat. And if you think this does not make any sense, at least it was fun hacking on :-)