This chapter begins with a pre-study describing the origin of the study, and continues with an orientation in IoT and constrained devices, MQTT, security within IoT, and assessment of the security of an IoT network.
This study originated from CombiQ’s desire to replace their temporary custom communication protocol, used in their IoT network by their sensors to send data to a cloud service, with a standardized protocol. They temporarily used a customized HTTP which was difficult to modify and extend to accommodate different customer’s requirements. Therefore, CombiQ searched for a replacement and found MQTT to be a suitable replacement as it facilitated all their needs and was gaining popularity in the IoT industry.
Prior to this study several MQTT libraries were compared to find one that was programmed in C or C++, was easy to understand and implement, maintained, did not need too much program space, and did not have a general public license. As MQTT has gained popularity it was not difficult to find a set of candidates to compare, the ones that failed first were the ones that were poorly documented and difficult to install, or were not maintained anymore. Another department had already decided to use the Microsoft Azure broker, so we had to make sure that our client worked well with that. We naturally tried the Azure client, but found it to have a too large codebase to be usable in the end product. Mosquitto, by Eclipse Foundation, was difficult to make work reliably with the broker. In the end, the Paho MQTT library was considered to be the best choice as it fulfilled the criteria.
With the MQTT library selected and proven to be usable in CombiQ’s current idea for a product setup a new question arose, how MQTT could be implemented with security without having to sacrifice too much of the energy efficiency. MQTT does not have any specific security countermeasure in its standard so developers can choose the one that suits their needs the most.
The way CombiQ’s products can last for years on a single button cell battery is by limiting the time the hardware is active over its life span. By only activating the hardware over short moments every 10 minutes or more the hardware can last for years without having to replace the battery. This also means that if the time the hardware is active is increased by even 20% the total lifespan of the hardware will be reduced dramatically.
A typical use of one of CombiQ’s sensor nodes might look like Figure 1. There is a short spike of activity “Active” and a long wait in low power mode “Sleep” until the next active period. Each task the software needs to perform during the active period will increase the active period “Active”. This results in the total longevity of the sensor node being determined by the required effort during the active period.
As CombiQ produces ultra-low-power devices, they are interested in the level of security that can be upheld with MQTT while still maintaining a low current consumption.
Internet of Things (IoT), also known as “Internet of Everything” or “Internet 4.0”, are all names for the technology of independent computer-devices exchanging information with each other. There are multiple forms of IoT all meant for different audiences and technical levels. The consumer, commercial and industrial use of IoT will have differing technical requirements, strategies and goals. 
The consumer market has by far the largest exposure with for example smart homes, entertainment and fitness monitoring. The commercial market also put IoT to good use with services in banking, insurance and financials. Industrial Internet of Things (IIoT) covers a vast number of things, energy production, sensor data collection, health care and aviation are just some of them. 
As mentioned before, IoT is growing at incredible speeds. With an expected 30 billion IoT devices by the year 2020, the standards are having a hard time keeping up. With devices having to operate for years at a time without any external power and processing power being reduced to its bare minimum, the need for new effective communication interfaces and designs are becoming an ever-growing necessity. 
The messages transmitted in the IoT network may include personal data, and processing of such information is regulated by legislations. For example, in EU article 32 in the General Data Protection Regulation, which will be enforceable as of May 25th of 2018, it says that appropriate technical and organizational measure must be implemented when processing personal data, to ensure a level of security appropriate to the risk . As more IoT devices are being used, the need for security increases, but implementing secure communications between low-power devices without impacting current consumption is impossible. It is however important to have it make as little impact to the device as possible .
While each implementation of a IoT system is different, there are key architectural parts that are generally always included. There is the sensing layer, network and service layer and application layer as seen in Figure 2.
This layer connects all the available sensors and controllers to the network and service layer, and is responsible for controlling and interpreting different data formats that may be present in the available sensors. It contains common control modules to connect controllers and sensors, common interface modules to organize different communication protocols from multiple sensors. Along with software and terminals to self-configure and adapt. 
Network and service layer
This layer handles all communication from and to the IoT node. It is also be responsible for resource and administration in the form of data storage, processing and security management. 
This layer provides an interface to the node. It is software created by a developer to access different devices and the data within. Along with an Application Program Interface (API) many other applications can gain access to the data within the IoT network. 
As more IoT devices are being used, the need for security increases, and with IoT devices processing sensitive data, security is key. But implementing secure communications between low-power devices without impacting current consumption is impossible. It is however important to have it make as little impact to the device as possible . There are a large number of different types of IoT devices, each with its own computational power, tasks and requirements. Each device with their own unique sensor technology provide a new dimension to the IoT network. However, power-starved devices with little memory and computational power put effort on the developers. Not only does the IoT devices hardware design need to be energy efficient but the software also needs to provide a high degree of security with limited resources. Battery-powered devices have a depletable power source and may not have easy access to charging. They may also need to function for years at a time with only the battery as a source of power. Devices like this need to incorporate methods to reduce current consumption to its absolute minimum while retaining a satisfying degree of performance. 
There are many ways to reduce the amount of power a device ultimately consume. Microchip developers have reduced the voltage limit for hardware to function for many years. Running hardware at or below the minimum voltage level can however cause significant delays and circuit leakage. These effects become more apparent the farther cross the minimum voltage level a processor is pushed. Lowering the processor clock speed and reducing the power level can however provide a significant reduction in current consumption. 
Silicon Labs provide this control in their AN0007 processor for both lowering the clock speed and operating voltage. It is however specified that with lower clock speeds longer computational time follow. If a task takes more time to perform, the hardware may ultimately consume more power. 
Hardware is not the only aspect of ultra-low-power devices. The software that is running on the hardware also needs to be optimized to not waste resources. Software that is running code that is slow to compute, will in the end cause the processor to stay active for a longer periods and waste energy. There are many ways to avoid slow and wasteful software. A more optimized compiler can be chosen to reduce the amount of unnecessary code making its way into the software. Utilization of the memory will be minimized and removing blocks of code from the cache as soon as possible can reduce current consumption by 5% to 16%. 
Reducing the number of loops in the software by fusing them or removing nested loops, will ultimately optimise the code reducing the active time of the processor. Reducing switching of instructions can also reduce the power consumed by the processor by 30% to 65%. 
Ultimately the goal of ultralow-power-devices is to keep the wasted energy to a minimum. By disabling blocks that are not active, and keeping the processor in an idle mode for as much time as possible, the current consumption of a device can be reduced with little to no impact on performance. 
Wireless Sensor Network (WSN)
Wireless sensor networks are a big part of IoT. In areas like smart cities sensor nodes are used to collect data from the environment they are placed in. These are small nodes embedded with sensors and microcontrollers that can gather data and provide a central control unit or each other with information on which to act. 
Advances in wireless communication and hardware has made it possible to create low-cost and low-power sensors. These can be deployed by the thousands to gather vast amounts of data from an area. The collaboration among themselves is what creates the sensor network. The sensors can collect, process and analyse data to provide relevant information at any time from any place. 
The basic layout of a simple sensor node will contain these main parts: a processor, sensor hardware, power supply and some form of wireless transceiver. As they contain such a small number of parts, they can easily be deployed in a remote location. They will self-organize and be able to provide sensor data for multiple applications. As each sensor node is powered by a battery and may not be easily chargeable, it is important to adopt the power-saving techniques mentioned in 2.2.1. The cost of each node is important to be aware of. Since a sensor network often consists of such a large number of nodes, the price for each individual node will justify the overall cost of an entire network. With more sensor nodes a network will generally be more effective, but may also lead to collisions and congestion in the network if not properly managed.
1.2 PURPOSE AND RESEARCH QUESTIONS
2 Theoretical background
2.3 SECURITY IN IOT
2.4 SOFTWARE COMPLEXITY
2.6 SECURITY COUNTERMEASURES
2.7 SECURITY EVALUATION FRAMEWORK (SEF)
3 Method and implementation
3.1 EXPERIMENT METHOD
3.2 SECURITY EVALUATION FRAMEWORK
3.3 IMPLEMENTATIONS OF SECURITY COUNTERMEASURES
3.4 SECURITY COUNTERMEASURE COMPLEXITY
3.5 CURRENT CONSUMPTION
3.6 CURRENT CONSUMPTION VS. SECURITY
4 Findings and analysis
4.2 SECURITY LEVEL
4.3 SECURITY EVALUATION
4.4 SOFTWARE COMPLEXITY
4.5 CURRENT CONSUMPTION
4.6 COMPARISON OF SECURITY LEVEL AND CURRENT CONSUMPTION
5 Discussion and conclusions
5.1 DISCUSSION OF METHOD
5.2 DISCUSSION OF FINDINGS
5.4 FUTURE WORK
GET THE COMPLETE PROJECT
Comparison of security level and current consumption of security implementations for MQTT