This project demonstrates securing an MQTT-based IoT pipeline using TLS encryption and certificate validation.
It simulates a real-world hotel water monitoring system and validates security, performance, and reliability under load.
- Plaintext MQTT traffic can be easily intercepted without TLS
- TLS encryption blocks eavesdropping and impersonation
- Certificate validation prevents fake or malicious brokers
- TLS adds negligible latency for real-world sensor workloads
- The secured system handles normal and emergency traffic levels
- Eavesdropping Test: Verified plaintext data exposure on port 1883 and complete blocking with TLS on port 8883.
- Certificate Validation Test: Confirmed correct certificates succeed, wrong CAs are rejected, and disabled verification is unsafe.
- Latency Test: Measured TLS overhead (~21.5%) with sub-millisecond absolute impact.
- Stress Test: Sustained SUCCESS at 10, 25, 50, and 100 messages/sec with TLS enabled.
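The four tests above boil down to a handful of client-side decisions: which port, whether TLS is on, whether the broker certificate is checked against the project's CA, and how much latency that costs. The following Python module is an added example (not the project's own code) that encodes those decisions with paho-mqtt in mind. The `MqttConfig` fields, the finding strings, the hostnames and the sample timings are constructed for this example; `tls_set`, `tls_insecure_set` and `connect` are paho's real API, but the audit and latency helpers never contact a broker, so the module runs without one.

```python
"""Connection-settings audit for an MQTT pipeline secured with TLS.

Added example, not the project's own code. The MqttConfig fields, the
finding strings and the sample timings are assumptions constructed for
this example; the paho-mqtt calls in connect_secure() (tls_set,
tls_insecure_set, connect) are the library's real API, but no broker is
contacted by the audit or latency helpers.
"""
import ssl
import statistics
from dataclasses import dataclass
from typing import Optional

PLAINTEXT_PORT = 1883  # MQTT without TLS: the channel the eavesdropping test showed exposed
TLS_PORT = 8883        # MQTT over TLS


@dataclass
class MqttConfig:
    host: str
    port: int
    tls: bool
    ca_certs: Optional[str] = None  # CA bundle the broker certificate must chain to
    verify_cert: bool = True        # False is what paho's tls_insecure_set(True) does


def audit(cfg: MqttConfig) -> list[str]:
    """Return the findings a reviewer would raise against cfg.

    An empty list means the settings match the secured setup from the
    certificate validation test: TLS on 8883, the project's CA bundle,
    and verification left on.
    """
    findings = []
    if not cfg.tls:
        findings.append("plaintext transport: payloads are readable by anyone on the path")
        return findings
    if cfg.port == PLAINTEXT_PORT:
        findings.append("TLS on port 1883: the broker's plaintext listener will not complete a handshake")
    if not cfg.verify_cert:
        findings.append("certificate verification disabled: any broker presenting any certificate is accepted")
    elif cfg.ca_certs is None:
        findings.append("no CA bundle configured: validation falls back to the system trust store, not the project's CA")
    return findings


def tls_args(cfg: MqttConfig) -> dict:
    """Keyword arguments for paho's Client.tls_set() that enforce verification.

    Raises ValueError for anything audit() flags, so an insecure config can
    never silently reach the broker.
    """
    problems = audit(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "ca_certs": cfg.ca_certs,
        "cert_reqs": ssl.CERT_REQUIRED,          # reject brokers whose cert does not chain to ca_certs
        "tls_version": ssl.PROTOCOL_TLS_CLIENT,  # negotiate the newest TLS version both sides support
    }


def connect_secure(cfg: MqttConfig):
    """Build and connect a paho client with the audited settings (needs paho-mqtt installed)."""
    import paho.mqtt.client as mqtt  # imported lazily so the audit helpers stay dependency-free

    try:
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)  # paho 2.x constructor
    except AttributeError:
        client = mqtt.Client()  # paho 1.x constructor
    client.tls_set(**tls_args(cfg))
    client.tls_insecure_set(False)  # keep hostname and chain checks on
    client.connect(cfg.host, cfg.port)
    return client


def tls_overhead(plain_ms: list[float], tls_ms: list[float]) -> tuple[float, float]:
    """Absolute (ms) and relative (%) increase in mean round-trip latency with TLS."""
    plain, tls = statistics.mean(plain_ms), statistics.mean(tls_ms)
    return tls - plain, (tls - plain) / plain * 100


def stress_verdict(sent: int, received: int, max_loss: float = 0.0) -> str:
    """SUCCESS when the delivered fraction meets the loss threshold, FAIL otherwise."""
    if sent <= 0:
        raise ValueError("sent must be positive")
    lost = (sent - received) / sent
    return "SUCCESS" if lost <= max_loss else "FAIL"


# Constructed sample timings (ms); their means give a +0.43 ms / 21.5 % overhead,
# the same order of magnitude as the latency test reports.
SAMPLE_PLAIN_MS = [2.0, 2.2, 1.8, 2.0]
SAMPLE_TLS_MS = [2.43, 2.67, 2.19, 2.43]

if __name__ == "__main__":
    for cfg in (
        MqttConfig("broker.local", 1883, tls=False),
        MqttConfig("broker.local", 8883, tls=True, ca_certs="ca.crt", verify_cert=False),
        MqttConfig("broker.local", 8883, tls=True, ca_certs="ca.crt"),
    ):
        print(cfg.port, "tls" if cfg.tls else "plain", audit(cfg) or "OK")
    delta, pct = tls_overhead(SAMPLE_PLAIN_MS, SAMPLE_TLS_MS)
    print(f"TLS overhead: +{delta:.2f} ms ({pct:.1f}%)")
    print("stress:", stress_verdict(sent=6000, received=6000))
```

Run as a script it prints the audit result for a plaintext client, a TLS client with verification switched off, and a correctly pinned client, then the overhead figure from the constructed timings. The design point is that `tls_args()` refuses to produce settings for any configuration `audit()` flags, so the "disabled verification" case from the certificate validation test cannot be wired into a client by accident.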
- Mosquitto MQTT Broker
- Python (paho-mqtt)
- TLS / X.509 certificates
- macOS / Linux environment
TLS encryption should be enabled by default on MQTT pipelines. Testing confirms it eliminates trivial interception risk with no meaningful performance tradeoff.
This mirrors real IoT risk in hospitality environments:
unencrypted control systems expose operational data, guest safety, and infrastructure to unnecessary risk.
The project focuses on practical security decisions, not theory.
Sam Sprague
Junior Security Analyst | IoT & Cloud Security