/autoconf

Utility to assist with autoconfiguration of IoT devices via MQTT

Primary LanguageJavaScriptOtherNOASSERTION

MQTT Autoconf

Synopsis

mqtt-autoconf is a tool designed to allow for secure automated provisioning of - presumably, but not necessarily - IoT devices

mqtt-autoconf acts as an MQTT server, with first-class support for MQTT over TLS, allows for flexible detection/fingerprinting of devices, and pushing configuration commands to the devices in response.

The default module bundled has first-class support for the excellent Tasmota project.

Installation

NPM: npm install -f autoconf

Docker: docker run --init -v /path/to/db:/db issacg/autoconf

Examples

Using FileDB and TasmotaClientInfo

This example contains two configured devices using the Sonoff POW module, and configuration of the final TLS-enabled MQTT server, port and credentials to be used once the device is configured.

File: ../db.json

{
    "GLOBAL": {
        "MqttHost": "10.5.3.114",
        "MqttPort": 8883,
        "MqttUser": "tasmota",
        "MqttPassword": "s3cr3t",
        "MqttFingerprint1": "58 F9 F2 CD 1F 4E CE C6 68 3E F6 66 89 A3 03 0C 61 8B A0 2E",
        "OtaUrl": "http://10.5.3.114/tasmota/tasmota.bin",
        "teleperiod": 30
    }, "2C3AE83BB54C": {
        "topic": "WaterHeater",
        "module": 6
    }, "EC4ABC0F8C3A": {
        "topic": "AirConditioner",
        "module": 6
    }
}

Configuration

Methods

mqtt-autoconf makes use of the excellent rc module, so variables can be passed as command line parameters, environment variables or provided via a configuration file named .autoconfrc

For more detailed information about how to set parameters, see the rc page.

General Options

Parameter Default Value Description
mqtt.port 1883 The default port to listen to
mqtt.tls_keyfile None Path to a PEM-encoded private key file. Requires also setting mqtt.tls_certfile. Setting these settings will automatically enable TLS mode (but will not automatically change the port)
mqtt.tls_certfile None Path to a PEM-encoded x509 certificate (public key) file. Requires also setting mqtt.tls_keyfile. Setting these settings will automatically enable TLS mode (but will not automatically change the port)
mqtt.tls_passphrase None (Optional) Passphrase needed to decrypt the private key file specifed by mqtt.tls_keyfile
statPrefix stat The prefix for status responses from end devices
cmndPrefix cmnd The prefix for sending commands to end devices
dbDriver.name ./drivers/PathDB Name of the database driver to use. For drivers that are not built-in, just use the name of the NPM module
dbDriver.opts See below Driver-specific options to pass to the database driver
clientInfoDriver.name ./drivers/TasmotaClientInfo Name of the device lookup driver to use. For drivers that are not built-in, just use the name of the NPM module
clientInfoDriver.opts See below Driver-specific options to pass to the device lookup driver

Drivers

In order to promote extensibility, mqtt-autoconf uses drivers to abstract detection of end-user devices and to read the configurations to be pushed to detected devices. Each driver has its own configuration options which are documented below.

PathDB

The PathDB driver takes a root path on the filesystem and expects a single file for each device. The filename should be the name of the detected device, and the filename should end with the extension .json. This is the default-configured database driver.

If there is a file called GLOBAL.json (by default - see the global configuration option below), that will be added to the configuration to be returned to all devices IFF a device-specific configuration is also found.

The JSON files will be read at run-time, except for the global configuration which will be read once at startup.

Parameter Default Value Description
dbpath ../db (Required) Path to a folder on the filesystem containing all configuration files
global GLOBAL (Optional) Name of file to treat as global configuration (without the .json extension)

FileDB

The FileDB driver expects all device configurations (and an optional global configuration) to be included in a single JSON formatted file.

If there is a section called GLOBAL (by default - see the global configuration option below), that will be added to the configuration to be returned to all devices IFF a device-specific configuration is also found.

The JSON file will be read once on startup, and currently needs a full restart to pick up changes.

Parameter Default Value Description
dbpath ../db (Required) Path of the JSON file to read
global GLOBAL (Optional) Name of section to treat as global configuration

TasmotaClientInfo

The TasmotaClientInfo driver is designed to work with devices with Tasmota firmware, and will query the database driver using the MAC address of the device as the database key. This is the default-congigured device lookup driver.

This driver doesn't accept any additional configuration parameters.

VersionedTasmotaClientInfo

The VersionedTasmotaClientInfo driver is identical to the TasmotaClientInfo except that the firmware version is also detected.

This driver doesn't accept any additional configuration parameters.

Rationale

MQTT has been accepted as a popular protocol within the IoT system. However many popular firmwares require devices to either be configured via custom firmware builds, an embedded insecure webserver on-board the device, proprietary - and often commercial - remote configuration management, or a combination of the above.

In a modern world where small devices on the edge often represent a weak link in network security, all of the above solutions are potentially problematic.

Custom firmware builds require tracking of the upstream project for security patches and rebuilding of firmware when those are available. However, such builds often introduce significant changes and so, in practice, are often ignored. This leads to outdated devices at the edge which can, and are, easily targetted as a point of entry when attacking a network or application.

Many implementations are unable or unwilling to build custom firmware. This is as true in commercial ecosystems (where the firmware is closed source) as in the do-it-yourself ecosystems (where the firmware is open source, but end-users may not have the technical prowess to build on their own). As such a very popular configuration option is via an embedded webserver in the device. To support security, this webserver supports some basic form of authentication. Unfortunately, TLS-enabled embedded webservers are rarely seen, making such authentication useless, unless on a secured network. As more edge/IoT devices connect to networks, most networks shouldn't be considered secure - a breach of a single device will allow full access to the network (and often Wi-Fi credentials) and, by extension, all unsecured devices on that network.

Because of these shortcomings, there are many commercial services available - most notably AWS IoT - which allow for secure remote configuration. Because TLS-enabled MQTT clients are significantly more popularly available in firmware than TLS-enabled webservers, this is an excellent model from a security standpoint. However, this is still a proprietary service, and often costs money.

This software aims to allow for an open-source solution to enable run-time configuration (possibly version-control backed) of end devices with minimal variants of customized firmware.

License

Copyright 2019 Issac Goldstand margol@beamartyr.net

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.