Security

Communication can be secured with TLS, using either X.509 certificates or a Pre-Shared Key (PSK). Securing communication with TLS is recommended, especially when communicating over untrusted networks (e.g. the Internet). The chapters Configuration file and Samples contain explanations and sample configuration files for operating ADS-over-MQTT via TLS.

The broker itself must be operated in a trustworthy environment, as all messages on the broker are unsecured.

Compromise of the virtual ADS network

Even when communication between the devices and the broker is encrypted via TLS, the devices are not secured against one another. The ADS commands are present on the broker in unencrypted form.
If a device is compromised, the attacker can execute all ADS commands with the rights gained. These commands also include file read operations and operations for starting processes.

Two methods can be used to configure access rights between individual ADS devices: