1. Business Challenge
- IoT revenue at risk: cloned devices & credential replay jeopardise SLA and licence income.
- Compliance drift across regions (IEC 62443 / NIS 2 / EU CRA) raises audit exposure.
- Broker DoS & malformed PUBLISH storms degrade customer experience.
2. sMQTT Solution
- Device‑bound certificates & topic‑level ACLs enforced before the broker accepts the connection.
- Inline IDPS discards anomalous QoS floods or wildcard‑topic enumeration.
- Built‑in licence feature gate: monetise advanced payloads or OTA updates per device.
3. Quantified Impact (12‑month projection)
- ‑38 % support OPEX (VPN tickets & ACL maintenance eliminated).
- +2.1 % gross margin via feature‑tier subscriptions unlocked by licence gating.
- <9‑month payback vs. managed IoT security gateways.
4. Next Steps
Get a 14‑day pilot kit (Docker or Raspberry Pi image) and a board‑level risk report aligned to your fleet metrics.
Threat Model Coverage
- Protocol abuse—CONNECT floods, QoS2 redelivery loops, oversized PUBLISH.
- Identity spoofing—cloned certs, MAC/IP mismatch, stolen ClientID.
- Replay & Retain attacks—countered by nonce‑sealed signatures & message digests.
- Lateral movement—wildcard SUB scans, bridge‑loop escalations.
Controls & Telemetry
- Deep packet inspection (DPI) up to MQTT v5 properties.
- Strike counter & penalty box (adaptive back‑off per IP / cert / session).
- IDPS feeds SIEM in CEF, JSON or Syslog with MITRE ATT&CK tagging.
- Built‑in correlation: MQTT + HTTP + custom TCP share the same threat score.
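The wildcard‑SUB scan check and the strike counter / penalty box listed above, as an added illustration of the idea rather than sMQTT's own code: the thresholds, verdict strings, enumeration heuristic and the sample SUBSCRIBE stream are all constructed for this example.

```python
from collections import defaultdict

STRIKE_LIMIT = 3      # constructed threshold (not sMQTT's default): strikes before penalty box
BASE_PENALTY_S = 2.0  # constructed: first penalty duration, doubles with every further strike

def validate_filter(flt):
    """Syntactic check per MQTT 3.1.1/5: '+' and '#' must fill a whole level; '#' only last."""
    levels = flt.split("/")
    for i, lvl in enumerate(levels):
        if ("#" in lvl and (lvl != "#" or i != len(levels) - 1)) or ("+" in lvl and lvl != "+"):
            return False
    return bool(flt)

def is_enumerating(flt):
    """Heuristic: a filter opening with a wildcard ('#', '+/#', '+/+/temp') spans every device."""
    return flt.split("/")[0] in ("+", "#")

class PenaltyBox:
    """Strike counter with adaptive back-off, keyed by client identity (IP, cert or ClientID)."""
    def __init__(self):
        self.strikes = defaultdict(int)
        self.blocked_until = {}  # key -> time (s) at which the current penalty expires
    def strike(self, key, now):
        self.strikes[key] += 1
        if self.strikes[key] >= STRIKE_LIMIT:  # penalty doubles with each strike past the limit
            self.blocked_until[key] = now + BASE_PENALTY_S * 2 ** (self.strikes[key] - STRIKE_LIMIT)
        return self.strikes[key]

def inspect_subscribes(events, box):
    """Run (time_s, client, filter) SUBSCRIBE events through the checks; return verdicts."""
    verdicts = []
    for now, client, flt in events:
        if now < box.blocked_until.get(client, 0.0):  # client is still in the penalty box
            verdict = "dropped:penalty-box"
        elif validate_filter(flt) and not is_enumerating(flt):
            verdict = "accepted"
        else:
            box.strike(client, now)
            verdict = "rejected:malformed" if not validate_filter(flt) else "rejected:enumeration"
        verdicts.append((client, flt, verdict))
    return verdicts

SAMPLE = [  # constructed SUBSCRIBE stream, not captured traffic: (seconds, client key, filter)
    (0.0, "10.0.0.7", "sensors/+/temp"),  # legitimate dashboard subscription
    (0.1, "10.0.0.7", "#"),               # strike 1: enumerates every topic
    (0.2, "10.0.0.7", "+/#"),             # strike 2
    (0.3, "10.0.0.7", "sensors/#+"),      # strike 3, malformed: penalty box until t=2.3 s
    (0.4, "10.0.0.7", "sensors/1/temp"),  # dropped while penalised
    (3.0, "10.0.0.7", "sensors/1/temp"),  # penalty expired, accepted again
]
```

Feeding `SAMPLE` to `inspect_subscribes(SAMPLE, PenaltyBox())` walks the client through the accept, reject, penalise and release states in order.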
Compliance Mapping
- IEC 62443‑4‑2: SR 2.1 / 2.3 / 3.1
- NIST 800‑82: AC‑4 / SI‑4
- EU CRA Draft Art 10c, Annex I‑3
Quick‑Start in 60 seconds
# 1. Docker side‑car
docker run -d --network=host \
  -v /etc/smqtt/config.yml:/app/config.yml \
  vesnx/smqtt:latest

# 2. Register topic handler (Python)
from walter.mqtt import register_topic

@register_topic("sensors/+/temp")
def on_temp(ctx, payload):
    # ctx carries the matched topic; payload is the PUBLISH body
    print(ctx.topic, payload)
Under the Hood
- libWalter core in Rust + C: ~3 MB static binary, <1 ms latency budget.
- Radix‑tree topic router ≥ 2 M match/s on ARM Cortex‑A53.
- mTLS‑EV handshake uses Ed25519 & ChaCha20‑Poly1305 (fallback AES‑GCM).
Extending sMQTT
- Lua or WASM rule engine for custom heuristics.
- gRPC control plane (enable/disable topics, get strike stats).
- C‑types FFI—drop into C, Go, .NET, Java.
Need a deep‑dive architecture session? We’ll map your device mix, latency budget and regulatory drivers to a rollout plan.