Hiding identities of MQTT devices against a global network adversary

In the IoT context, there is an increasing demand for privacy. Indeed, IoT devices can collect and transmit sensitive data that can reveal users' behavior and preferences to third parties. Making the identity of devices anonymous is one of the privacy challenges. In this paper, we address this problem by referring to the MQTT protocol. MQTT is a widely adopted publish-subscribe model tailored for low-end devices. In particular, we propose an approach to achieve anonymity guarantees in MQTT against a global network adversary. Our approach takes inspiration from mixnet-based anonymous protocols, but it is appropriately tailored for MQTT clients. Indeed, our solution has the following features: (1) it is lightweight for MQTT clients, (2) it satisfies the decoupling principles, and (3) it guarantees that subscribers can join and leave the system at any time. By analyzing the security of the proposed approach, we demonstrate that the considered adversary, via known attacks, is unable to reduce its uncertainty in identifying the originator (publisher) or the recipient (subscriber) of a message. We conducted an experimental campaign showing that the strong benefits of anonymity provided by our solution come at the cost of latency with respect to state of the art which offers lower anonymity guarantees. However, this price is acceptable for the amount of bytes typically sent by IoT devices.