0
votes

Just read this thread

What I am still asking myself though is whether the IoT Hub detects that there are multiple active connections that use the same deviceId and credentials? This could be the case if an attacker were to steal the device auth key or the SAS token.

The anti-spoofing property ConnectionDeviceGenerationId does not seem to be used for this since:

generationId - An IoT hub-generated, case-sensitive string up to 128 characters long. This value is used to distinguish devices with the same deviceId, when they have been deleted and re-created.

1 Answer

0
votes

What I am still asking myself though is whether the IoT Hub detects that there are multiple active connections that use the same deviceId and credentials?

For AMQP and HTTP, when sending Device-To-Cloud messages, multiple active connections using the same deviceId are able to work properly. But when receiving Cloud-To-Device messages it doesn't work.

But for MQTT, IoT Hub only supports one active MQTT connection per device. Any new MQTT connection on behalf of the same device ID causes IoT Hub to drop the existing connection.

Update:

IoT Hub allows devices to use MQTT, MQTT over WebSockets, AMQP, AMQP over WebSockets, and HTTP protocols for device-side communications. The following table provides the high-level recommendations for your choice of protocol:

  • MQTT(MQTT over WebSocket)

    Use on all devices that do not need to connect multiple devices (each with its own per-device credentials) over the same TLS connection.

  • AMQP (AMQP over WebSocket)

    Use on field and cloud gateways to take advantage of connection multiplexing across devices.

  • HTTP

    Use for devices that cannot support other protocols.
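Since the answer above says the hub itself does not refuse a second connection for the same identity (it multiplexes it for AMQP/HTTP and simply drops the older MQTT session), spotting a shared or stolen device credential falls to whoever reads the connection logs. The following is an added example, not code from the thread or from Azure: it walks a constructed, simplified list of connect/disconnect events (the line layout and field names are assumptions, loosely modelled on per-device connection events) and flags every connect that arrives from a different peer while an earlier connection for the same deviceId is still open. For MQTT that pattern shows up as two peers repeatedly knocking each other off; for AMQP it shows up as genuinely concurrent sessions.

```python
"""Flag a deviceId that is connected from more than one peer at once.

Added example, not from the original Q&A. The log format below is
constructed for illustration: "ISO-time deviceId operation protocol peer".
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConnEvent:
    time: datetime
    device_id: str
    operation: str   # "deviceConnect" or "deviceDisconnect"
    protocol: str    # "Mqtt", "Amqp", "Http" (assumed labels)
    peer: str        # remote address of the client (assumed field)


# Constructed sample: sensor-01 is fought over by two peers over MQTT,
# gateway-01 reconnects normally from a single peer over AMQP.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z sensor-01 deviceConnect Mqtt 203.0.113.10",
    "2024-01-01T10:05:00Z sensor-01 deviceConnect Mqtt 198.51.100.7",
    "2024-01-01T10:05:01Z sensor-01 deviceDisconnect Mqtt 203.0.113.10",
    "2024-01-01T10:06:00Z sensor-01 deviceConnect Mqtt 203.0.113.10",
    "2024-01-01T10:06:01Z sensor-01 deviceDisconnect Mqtt 198.51.100.7",
    "2024-01-01T10:00:00Z gateway-01 deviceConnect Amqp 192.0.2.5",
    "2024-01-01T10:20:00Z gateway-01 deviceDisconnect Amqp 192.0.2.5",
    "2024-01-01T11:00:00Z gateway-01 deviceConnect Amqp 192.0.2.5",
]


def parse_events(lines: List[str]) -> List[ConnEvent]:
    """Parse the constructed log lines and return them in time order."""
    events = []
    for line in lines:
        ts, dev, op, proto, peer = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ConnEvent(when, dev, op, proto, peer))
    events.sort(key=lambda e: e.time)   # stable sort keeps input order for ties
    return events


def find_overlaps(events: List[ConnEvent]) -> List[Tuple[str, str, List[str]]]:
    """Return (deviceId, protocol, peers) for each connect that arrives while
    the same deviceId already has an open connection from another peer.

    A stale disconnect for an unknown peer is ignored rather than treated
    as an error, so a truncated log does not abort the scan.
    """
    open_by_device: Dict[str, Dict[str, datetime]] = {}
    findings = []
    for e in events:
        active = open_by_device.setdefault(e.device_id, {})
        if e.operation == "deviceConnect":
            others = [p for p in active if p != e.peer]
            if others:
                findings.append((e.device_id, e.protocol, sorted(others + [e.peer])))
            active[e.peer] = e.time
        elif e.operation == "deviceDisconnect":
            active.pop(e.peer, None)
    return findings


def flagged_devices(lines: List[str]) -> Dict[str, int]:
    """Count overlapping-connect incidents per deviceId for a batch of lines."""
    counts: Dict[str, int] = {}
    for device_id, _proto, _peers in find_overlaps(parse_events(lines)):
        counts[device_id] = counts.get(device_id, 0) + 1
    return counts


if __name__ == "__main__":
    for dev, proto, peers in find_overlaps(parse_events(SAMPLE_LOG)):
        print(f"{dev}: concurrent {proto} connections from {', '.join(peers)}")
```

The count per device matters more than any single hit: one overlap can be a device that rebooted before its old session timed out, while a steady alternation between two peers for the same identity is the signature the question is worried about. Rotating that device's key or SAS token is the remediation either way, since the hub will keep accepting whichever client presents it.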