How does device anti-spoofing work in Azure IoT hub? - azure

From the Azure development guide https://azure.microsoft.com/en-us/documentation/articles/iot-hub-devguide, there is a small section (shown below) talking about device anti-spoofing. It is not clear to me: it says IoT Hub stamps every message with properties, but to me device anti-spoofing means that IoT Hub stops accepting messages sent from any spoofed device. Please help explain how this works?
Anti-spoofing properties
To avoid device spoofing in device-to-cloud messages, IoT Hub stamps all messages with the following properties:
ConnectionDeviceId
ConnectionDeviceGenerationId
ConnectionAuthMethod

In IoT Hub there is a device registry that is used to authorize devices to the gateway. After authentication the device is checked against the registry.
When a device is registered with IoT Hub, the device's identity and key are saved in the device registry. This device ID and key are what the device uses to authenticate to the service.
The generation ID is a key part of this too. When the device is first registered with IoT Hub, a generation ID is assigned to the device. The purpose of this is to distinguish between identity registrations of the same device ID (added, removed, and then later added).
If you're interested in a deeper dive into the IoT Hub architecture, see Clemens' 2015 Build talk here.
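The practical consequence of the answer above is on the consuming side: the hub has already authenticated the connection, and the stamps carry that authenticated identity, so a back end should attribute a message to the stamped ConnectionDeviceId rather than to any device ID the payload happens to contain. The following is an added example, not code from the question or the answer. It models events as the azure-eventhub SDK delivers them from the Event Hub-compatible endpoint (bytes keys such as iothub-connection-device-id in event.system_properties) and assumes, as a hypothetical backend convention, that the generation ID was recorded when the device was first accepted; the sample events are constructed, not captured from a real hub.

```python
import json

# Anti-spoofing stamps as they appear on events read from the Event Hub-compatible
# endpoint; the azure-eventhub SDK delivers them in event.system_properties with
# bytes keys, so the helper below accepts bytes or str.
DEVICE_ID_PROP = "iothub-connection-device-id"
GENERATION_ID_PROP = "iothub-connection-auth-generation-id"
AUTH_METHOD_PROP = "iothub-connection-auth-method"


def _norm(props):
    """Decode bytes keys/values into str so the checks below are uniform."""
    out = {}
    for k, v in props.items():
        k = k.decode() if isinstance(k, (bytes, bytearray)) else k
        v = v.decode() if isinstance(v, (bytes, bytearray)) else v
        out[k] = v
    return out


def stamped_identity(system_properties):
    """Return (device_id, generation_id, auth_method) as stamped by IoT Hub.

    These come from the hub's authentication of the connection, not from the
    payload, so the device cannot forge them.
    """
    props = _norm(system_properties)
    try:
        return (props[DEVICE_ID_PROP],
                props[GENERATION_ID_PROP],
                json.loads(props[AUTH_METHOD_PROP]))
    except KeyError as exc:
        raise ValueError(f"event lacks IoT Hub stamp {exc}") from None


def validate_event(system_properties, body_bytes, enrolled):
    """Decide whether an event may be attributed to the device it claims.

    enrolled: {device_id: generation_id} kept by the backend (assumption: the
    backend records the generation ID when it first accepts a device).
    Returns (accepted, reason).
    """
    device_id, generation_id, auth = stamped_identity(system_properties)
    body = json.loads(body_bytes)
    claimed = body.get("deviceId")
    # 1. Trust the stamp, not the body: a payload field is attacker-controlled.
    if claimed is not None and claimed != device_id:
        return False, f"body claims {claimed!r} but hub authenticated {device_id!r}"
    # 2. Telemetry should come from device-scoped credentials; a module or a
    #    hub-level policy showing up here is a misuse of credentials.
    if auth.get("scope") != "device":
        return False, f"unexpected credential scope {auth.get('scope')!r}"
    # 3. Generation ID: the same device ID re-created after deletion gets a new
    #    generation, so backend state from the old identity must not be reused.
    expected = enrolled.get(device_id)
    if expected is None:
        return False, f"{device_id!r} is not enrolled in the backend"
    if expected != generation_id:
        return False, f"{device_id!r} was re-registered (generation {generation_id})"
    return True, "ok"


# Constructed sample events (not captured from a real hub).
AUTH_SAS = b'{"scope":"device","type":"sas","issuer":"iothub","acceptingIpFilterRule":null}'


def _event(device_id, generation_id, auth=AUTH_SAS):
    return {b"iothub-connection-device-id": device_id.encode(),
            b"iothub-connection-auth-generation-id": generation_id.encode(),
            b"iothub-connection-auth-method": auth}


ENROLLED = {"sensor-01": "637000000000000001"}
SAMPLES = [
    (_event("sensor-01", "637000000000000001"), b'{"deviceId":"sensor-01","temp":21.5}'),
    (_event("sensor-01", "637000000000000001"), b'{"deviceId":"sensor-02","temp":99.0}'),
    (_event("sensor-01", "637000000000000002"), b'{"temp":21.5}'),
    (_event("sensor-03", "637000000000000001"), b'{"temp":21.5}'),
]


def run_samples():
    """Accept/reject decision for each constructed sample, in order."""
    return [validate_event(sp, body, ENROLLED)[0] for sp, body in SAMPLES]


if __name__ == "__main__":
    for (sp, body), ok in zip(SAMPLES, run_samples()):
        print(ok, validate_event(sp, body, ENROLLED)[1])
```

The second sample is the spoofing case the question asks about: the payload names sensor-02, but the hub authenticated sensor-01, so the stamp wins and the event is rejected. The third shows the generation-ID check catching a device ID that was deleted and re-created.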

Related

Azure Device Provisioning to Edge Device

I am trying to figure out how to use DPS to pass down to a device which edge device to connect to. Is this something DPS can do, or do we have to do this manually?
The DPS is a helper service for IoT hub that will provide the right IoT hub without requiring human intervention
The IoT Hub Device Provisioning Service (DPS) is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning to the right IoT hub without requiring human intervention.
Below are the scenarios in which DPS is an excellent choice for getting devices connected and configured to IoT Hub.
Zero-touch provisioning to a single IoT solution without hardcoding IoT Hub connection information at the factory (initial setup)
Load-balancing devices across multiple hubs
Connecting devices to their owner's IoT solution based on sales transaction data (multitenancy)
Connecting devices to a particular IoT solution depending on use-case (solution isolation)
Connecting a device to the IoT hub with the lowest latency (geo-sharding)
Reprovisioning based on a change in the device
Rolling the keys used by the device to connect to IoT Hub (when not using X.509 certificates to connect)
Here are a few references which have the complete information on DPS.
https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps
https://learn.microsoft.com/en-us/azure/iot-dps/

What is the behavior of IoT Hub when the device send telemetry message without registered in IoT Hub?

I can't seem to find this information anywhere. I would like to know what will happen to the telemetry message if the device that sent it is not registered in IoT Hub.
This is because I found a few messages from an unregistered device in IoT Hub being passed to the built-in event hub and on to my next Function App after the built-in event hub.
Thus, I would like to know what the behavior of IoT Hub is if the message was sent without the device being registered in the IoT Hub.
Thank you.
This is a really excellent question because it depends on how you connect to the IoT Hub. For my answer, I will take into account MQTT, AMQP, and HTTP. When you connect to an IoT Hub with a device ID that doesn't exist, you will see the following error codes:
MQTT: 401003 IotHubUnauthorized
AMQP: 404001 DeviceNotFound
HTTP: 404001 DeviceNotFound
Now if you have registered a device but disabled it in IoT Hub, the errors are the same but you won't find the MQTT error in your trace. Instead, client side you will receive a Server Unavailable error.
If you want, you can see these error codes for yourself by enabling tracing on the device connect/disconnect events.
So in closing: the behaviour of the IoT Hub is to not allow any devices to connect when unregistered.
In addition to Matthijs van der Veer's answer, in the case of a connection-oriented direct protocol such as MQTT, when a registered device has connected and telemetry data is sent under a topic with an unregistered device, for instance:
devices/UnregisteredDeviceId/messages/events/$.ct=application%2Fjson&$.ce=utf-8
then the connected device is immediately disconnected from the IoT Hub.
I do recommend the following:
route your telemetry data messages to blob storage
export ("excludeKeys":false) all device identities to blob storage
find the messages which are not in the IoT hub identity registry
call MS support and create a ticket for this issue
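The reconciliation the answer above recommends can be scripted once both exports are in blob storage. The following is an added example, not code from either answer. It assumes the telemetry route used the JSON encoding (each line a record with SystemProperties.connectionDeviceId, connectionAuthMethod, connectionDeviceGenerationId and a base64 Body) and that the identity export is newline-delimited JSON with id and status per identity; both sample documents are constructed inline. Because the stamped device ID is set by the hub after authentication, a stamped ID that is absent from the registry points to an identity that existed when the message was accepted and was deleted afterwards, which is the comparison of enqueued time against registry state that a support ticket would need.

```python
import base64
import json

# Constructed samples (not real exports). Identity export is newline-delimited
# JSON, one identity per line; keys are omitted here even though the export was
# taken with excludeKeys=false.
IDENTITY_EXPORT = "\n".join(json.dumps(d) for d in [
    {"id": "sensor-01", "status": "enabled", "authentication": {"type": "sas"}},
    {"id": "sensor-02", "status": "disabled", "authentication": {"type": "sas"}},
])

AUTH = {"scope": "device", "type": "sas", "issuer": "iothub", "acceptingIpFilterRule": None}


def _routed(device_id, body, generation="637000000000000001"):
    """One record in the JSON encoding IoT Hub routing writes to Blob storage."""
    return {
        "EnqueuedTimeUtc": "2024-01-01T00:00:00.0000000Z",
        "Properties": {},
        "SystemProperties": {
            "connectionDeviceId": device_id,
            "connectionAuthMethod": json.dumps(AUTH),
            "connectionDeviceGenerationId": generation,
            "enqueuedTime": "2024-01-01T00:00:00.0000000Z",
        },
        "Body": base64.b64encode(json.dumps(body).encode()).decode(),
    }


ROUTED_TELEMETRY = "\n".join(json.dumps(r) for r in [
    _routed("sensor-01", {"temp": 21.5}),
    _routed("sensor-02", {"temp": 19.0}),
    _routed("ghost-77", {"temp": 99.0}),
])


def load_registry(ndjson):
    """device id -> status from an identity export."""
    registry = {}
    for line in ndjson.splitlines():
        if line.strip():
            ident = json.loads(line)
            registry[ident["id"]] = ident.get("status", "enabled")
    return registry


def load_routed(ndjson):
    """Yield decoded routed records with the hub-stamped identity pulled out."""
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sysp = rec["SystemProperties"]
        yield {
            "device_id": sysp["connectionDeviceId"],
            "generation_id": sysp.get("connectionDeviceGenerationId"),
            "auth": json.loads(sysp["connectionAuthMethod"]),
            "enqueued": rec["EnqueuedTimeUtc"],
            "body": json.loads(base64.b64decode(rec["Body"])),
        }


def reconcile(registry_ndjson, routed_ndjson):
    """Group stamped device IDs by their state in the registry: ok / disabled / unknown."""
    registry = load_registry(registry_ndjson)
    findings = {"ok": set(), "disabled": set(), "unknown": set()}
    for rec in load_routed(routed_ndjson):
        did = rec["device_id"]
        status = registry.get(did)
        if status is None:
            findings["unknown"].add(did)
        elif status != "enabled":
            findings["disabled"].add(did)
        else:
            findings["ok"].add(did)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    print(json.dumps(reconcile(IDENTITY_EXPORT, ROUTED_TELEMETRY), indent=2))
```

Messages from a disabled identity deserve the same attention as unknown ones: their enqueued time should predate the moment the identity was disabled, since a disabled device cannot connect.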

Can you re-provision a device through Azure Device Provisioning Service using MQTT directly?

I am designing a solution for connected devices and have a requirement to re-provision a device before sending a message to ensure it is always connected to the nearest IoT Hub (based on latency).
Based on the Microsoft documentation, it is possible to register a device using MQTT by publishing a message to the DPS. However, is it possible to re-provision a device with MQTT?
https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-mqtt-support
Also, when registering a device for the first time via MQTT, is there a topic to subscribe to obtain the connection of the IoT Hub that DPS assigned the device?
Yes. The same API (Register message) triggers re-provisioning. The device is unaware as to whether it is being provisioned or re-provisioned.
The results of provisioning (or re-provisioning), including the name of the IoT Hub and the corresponding credential, are published in the DeviceRegistrationResult object. This object is part of the RegistrationOperationStatus object returned in response to the get-operation-status operation.
As per the documentation page you are referring to, you can subscribe to dps/registrations/res/# to be notified of the progress of your (re-)registration request.
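The exchange the answer describes, written out as an added example rather than code from the question, the answer or the Azure SDKs. It uses the topic names from the DPS MQTT support page linked in the question ($dps/registrations/PUT/iotdps-register/?$rid=..., $dps/registrations/res/<status>/?$rid=...&retry-after=..., and $dps/registrations/GET/iotdps-get-operationstatus/?$rid=...&operationId=...). There is no broker here: FakeDps is a constructed stand-in for the service side that answers the register call with 202/assigning and the poll with 200/assigned, handing out the next hub in its list on each new register call so that calling provision() a second time demonstrates re-provisioning with the same Register message.

```python
import json
import re
from urllib.parse import parse_qs

API_VERSION = "2019-03-31"
RESPONSE_TOPIC = re.compile(r"^\$dps/registrations/res/(\d{3})/\?(.*)$")


def mqtt_username(id_scope, registration_id):
    """Username the device presents when connecting to DPS over MQTT."""
    return f"{id_scope}/registrations/{registration_id}/api-version={API_VERSION}"


def register_topic(rid):
    return f"$dps/registrations/PUT/iotdps-register/?$rid={rid}"


def poll_topic(rid, operation_id):
    return ("$dps/registrations/GET/iotdps-get-operationstatus/"
            f"?$rid={rid}&operationId={operation_id}")


def parse_response_topic(topic):
    """Split $dps/registrations/res/<status>/?$rid=..&retry-after=.. into its parts."""
    m = RESPONSE_TOPIC.match(topic)
    if not m:
        raise ValueError(f"not a DPS response topic: {topic}")
    qs = parse_qs(m.group(2))
    retry = qs.get("retry-after")
    return int(m.group(1)), qs.get("$rid", [None])[0], int(retry[0]) if retry else None


def provision(registration_id, publish, max_polls=5):
    """Register (or re-register) and poll until DPS reports an assignment.

    publish(topic, payload) delivers one message and returns the (topic, payload)
    that DPS publishes back under $dps/registrations/res/#. Returns
    (assigned_hub, device_id). A real client sleeps retry-after seconds between
    polls; the stand-in below never actually needs the wait.
    """
    rid = 1
    topic, payload = publish(register_topic(rid),
                             json.dumps({"registrationId": registration_id}))
    status, got_rid, _ = parse_response_topic(topic)
    if got_rid != str(rid) or status not in (200, 202):
        raise RuntimeError(f"register failed: {status} {payload}")
    result = json.loads(payload)
    for _ in range(max_polls):
        if result.get("status") == "assigned":
            state = result["registrationState"]
            return state["assignedHub"], state["deviceId"]
        if result.get("status") in ("failed", "disabled"):
            raise RuntimeError(f"provisioning {result['status']}: {result}")
        rid += 1  # every request carries a fresh $rid so replies can be matched
        topic, payload = publish(poll_topic(rid, result["operationId"]), "")
        status, got_rid, _ = parse_response_topic(topic)
        if got_rid != str(rid) or status != 200:
            raise RuntimeError(f"poll failed: {status} {payload}")
        result = json.loads(payload)
    raise TimeoutError("DPS did not finish assigning")


class FakeDps:
    """Constructed stand-in for the service side of the exchange (no network)."""

    def __init__(self, hubs):
        self.hubs, self.ops, self.n = list(hubs), {}, 0

    def handle(self, topic, payload):
        rid = parse_qs(topic.split("?", 1)[1])["$rid"][0]
        if topic.startswith("$dps/registrations/PUT/iotdps-register/"):
            reg_id = json.loads(payload)["registrationId"]
            self.n += 1
            op = f"op-{self.n}"
            self.ops[op] = (reg_id, self.hubs[(self.n - 1) % len(self.hubs)])
            return (f"$dps/registrations/res/202/?$rid={rid}&retry-after=3",
                    json.dumps({"operationId": op, "status": "assigning"}))
        op = parse_qs(topic.split("?", 1)[1])["operationId"][0]
        reg_id, hub = self.ops[op]
        return (f"$dps/registrations/res/200/?$rid={rid}",
                json.dumps({"operationId": op, "status": "assigned",
                            "registrationState": {"registrationId": reg_id,
                                                  "assignedHub": hub,
                                                  "deviceId": reg_id,
                                                  "status": "assigned"}}))


if __name__ == "__main__":
    dps = FakeDps(["hub-west.azure-devices.net", "hub-east.azure-devices.net"])
    print(provision("reg-01", dps.handle))  # first provisioning
    print(provision("reg-01", dps.handle))  # same Register message, new assignment
```

Two points worth keeping from this shape when writing a real client: match every response to the $rid you sent so a stale or replayed response cannot be mistaken for the current one, and honour retry-after rather than polling in a tight loop, because DPS throttles.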

Mobile app to iot communication in azure iot hub

I want to implement the following system.
There are users and each user will have an IoT device. The user should be able to do the following:
Login with their email and password.
Control the IoT device in real time (the user will perform some operation on the IoT device and the result will be displayed instantly on the app).
See the state of IoT device in real time. If something changes on the IoT device it should reflect on the app in real time.
I was wondering if this is doable using azure IoT Hub. I came across an architecture where the device is connected to IoT hub and the app is connected to signalR. The messages from IoT device will go to IoT Hub which will update the app using signalR.
But is there any way we can not have additional component like signalR? Can IoT device and mobile app be connected directly to azure IoT hub and exchange data between them without an entity in between other than IoT hub?
Connecting the mobile app to IoT Hub seems like an option, but I did not find any way to implement email and password based authentication to allow users to connect to IoT Hub.
Any help in this regard is appreciated.
You could absolutely go without SignalR. You can use the IoT Hub Service SDK to send C2D messages to your device from your phone, and also listen to the device telemetry with the same SDK.
However, it would probably be a better idea to have some restrictions on what you can do with that SDK. If the user first has to log in, I take it that they don't get access to every device in your application? Using some kind of role-based access might be preferable, you would build an API for that, which then uses the Service SDK to give you the data.
Also, even though you could listen to the device data directly from your phone, that means that if you have bad reception/wifi, data might not be received. You might want to consider storing it somewhere? I don't know the details about your application, but if you would then want to listen to events from that storage and send it to your app... SignalR might not be the worst idea.
"See the state of IoT device in real time. If something changes on the IoT device it should reflect on the app in real time."
For this, Event Grid integration (https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-event-grid) would help. For real-time telemetry, as Matthijs said, SignalR would be a better choice. If you are fine with some delay (say 10 sec) then Azure Time Series Insights can also be used.

Azure Iot Hub: Revoke device session

I am currently looking for a way to revoke the device session of a device that is connected to the Azure Iot Hub.
For example, when a device connects using a certificate and the certificate expires, the device can still send and receive data while it has a valid token.
Our case is if a device overloads our IoT Hub for whatever reason, we would like to be able to revoke the connection immediately.
We want to be able to revoke such token in order to immediately disconnect a certain device.
Is it even possible to do so? If not, are there workarounds for that?
You can disable a device to connect to the IoT Hub. I just tried this with a simulated device (using the .NET SDK) that was actively sending data. After I turned the switch to Disabled, the connection broke off after a few seconds. This was using the device key, not certificates but I would assume this might work as well.
There is no REST API in Azure IoT Hub to disconnect a connected device. However, the following workarounds can help:
Based on the MQTT device protocol, only one device with the same ID can be connected to the Azure IoT Hub, so connecting the same device (simulating the same ID) will automatically disconnect the connected one. This workaround doesn't require any change in the device code. You can test it using tools such as MQTTBox, MQTT.fx, etc.
This workaround is based on invoking a device method to perform closing from the device side. You can create a job for an Azure IoT Hub background process to "invoke device method". Note that this workaround requires building this feature into the device code.
Also, a notification event on a twin desired property change, received on the device side, can be used as a workaround to perform closing or re-connecting the connection with an Azure IoT Hub.
Edit:
As silent answered, changing the state from Enabled to Disabled automatically disconnects the device from the Azure IoT Hub. You can use a REST API to change this status.
I do recommend building into the device a retry policy for re-connecting to the Azure IoT Hub based on the disconnect reason, such as connection lost, user disconnected, etc.
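The status change the edit above mentions can be driven from an operations script through the identity registry REST API. The following is an added example, not code from either answer or from the Azure SDKs. It builds the hub-level shared access signature the registry endpoint accepts (HMAC-SHA256 over the URL-encoded resource and expiry with the base64-decoded policy key, presented as SharedAccessSignature sr=...&sig=...&se=...&skn=...), then reads the identity and writes it back with status set to disabled and If-Match set to the etag it read, so a concurrent change is refused with 412 rather than overwritten. The policy name registryReadWrite, the API version 2021-04-12 and the sample key are assumptions; FakeRegistry is a constructed stand-in for the endpoint so that the block runs without a hub.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote_plus

API_VERSION = "2021-04-12"  # assumed registry API version


def service_sas_token(hub_host, policy_name, policy_key_b64, ttl=600, now=None):
    """Shared access signature for a hub-level policy (e.g. registryReadWrite).

    Signature is HMAC-SHA256 over "<url-encoded resource>\\n<expiry>" using the
    base64-decoded policy key, which is the IoT Hub security token format.
    """
    expiry = int((time.time() if now is None else now) + ttl)
    resource = quote_plus(hub_host)
    digest = hmac.new(base64.b64decode(policy_key_b64),
                      f"{resource}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = quote_plus(base64.b64encode(digest).decode())
    return f"SharedAccessSignature sr={resource}&sig={sig}&se={expiry}&skn={policy_name}"


def disable_device(hub_host, device_id, token, send):
    """Set the identity's status to disabled via the registry REST API.

    send(request) performs the HTTP call and returns (status_code, body_text).
    The identity is read first and written back with If-Match set to the etag
    that was read, so a concurrent edit to the identity is not silently lost.
    """
    url = f"https://{hub_host}/devices/{quote_plus(device_id)}?api-version={API_VERSION}"
    headers = {"Authorization": token, "Content-Type": "application/json"}
    status, body = send({"method": "GET", "url": url, "headers": headers})
    if status != 200:
        raise RuntimeError(f"GET {device_id}: {status} {body}")
    identity = json.loads(body)
    identity["status"] = "disabled"
    status, body = send({"method": "PUT", "url": url,
                         "headers": {**headers, "If-Match": identity["etag"]},
                         "body": json.dumps(identity)})
    if status != 200:
        raise RuntimeError(f"PUT {device_id}: {status} {body}")
    return json.loads(body)["status"]


class FakeRegistry:
    """Constructed stand-in for the identity registry endpoint (no network)."""

    def __init__(self, identities):
        self.identities = {i["deviceId"]: dict(i) for i in identities}

    def send(self, req):
        device_id = req["url"].split("/devices/", 1)[1].split("?", 1)[0]
        if not req["headers"].get("Authorization", "").startswith("SharedAccessSignature "):
            return 401, json.dumps({"Message": "IotHubUnauthorized"})
        ident = self.identities.get(device_id)
        if ident is None:
            return 404, json.dumps({"Message": "DeviceNotFound"})
        if req["method"] == "GET":
            return 200, json.dumps(ident)
        if req["headers"].get("If-Match") not in ("*", ident["etag"]):
            return 412, json.dumps({"Message": "PreconditionFailed"})
        new = json.loads(req["body"])
        new["etag"] = ident["etag"] + "1"  # any change bumps the etag
        self.identities[device_id] = new
        return 200, json.dumps(new)


# Constructed sample key; a real one comes from the hub's shared access policy.
POLICY_KEY = base64.b64encode(b"constructed-example-policy-key!!").decode()


def demo():
    """Disable sensor-01 against the fake registry and return its new status."""
    hub = "myhub.azure-devices.net"
    registry = FakeRegistry([{"deviceId": "sensor-01", "status": "enabled",
                              "etag": "AAAAAAAAAAE=",
                              "authentication": {"type": "sas"}}])
    token = service_sas_token(hub, "registryReadWrite", POLICY_KEY)
    return disable_device(hub, "sensor-01", token, registry.send)


if __name__ == "__main__":
    print(demo())
```

Keep the token lifetime short and the policy scoped to registry writes only; a leaked hub-level token with service or device-connect rights is far more valuable to an attacker than one that can only flip identity status. As the accepted answer notes, the device's connection drops a few seconds after the status changes, so pair this with the retry policy the answer recommends on the device side.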
