MQTT Security - how to prevent abusers subscribing to topics?

Mosquitto provides security through username and password authentication as well as limiting access to topics with access control lists. There are details in the mosquitto.conf man page: http://mosquitto.org/man/mosquitto-conf-5.html

ACL is what restricts clients subscribing to topics, i am using a auth-plugin to do so, here is the link mosquitto auth plugin

In general, MQTT keeps security very "light" as it was originally designed for use with closed sensor networks. It is down to the broker implementation to provide e.g. SSL and decide how to handle the username/password backend.

Encryption of message data is unlikely to ever be provided by the protocol itself and is something that is typically done at the application layer if this is critical.

If you need a more custom way of handling access control and permission of topics, try using the HiveMQ MQTT broker. Like explained in the documentation you can implement your own behaviour with a plugin. This approach allows you to completely decide how the authentication and authorization of clients, publishes and subscribes is handled [1]. If you are interested the best way to start with your own plugin is described here [2].

By the way, it is also very easy to configure TLS for HiveMQ [3].

Christian (HiveMQ Team)

[1] http://www.hivemq.com/docs/plugins/1.5.0/#auth-permission-chapter

[2] http://www.hivemq.com/documentations/getting-started-plugins/

[3] http://www.hivemq.com/docs/hivemq/1.5.0/#hivemqdocs_ssl_tls