← Back to Architecture Communication · Security

MQTT / TLS 1.3

The system's nerve channel. MQTT guarantees telemetry delivery even in tunnels and low-signal areas; TLS 1.3 ensures that no fleet data travels unencrypted.

What MQTT is

MQTT (Message Queuing Telemetry Transport, ISO/IEC 20922) is a publish-subscribe messaging protocol designed in 1999 by Andy Stanford-Clark (IBM) for pipeline telemetry over high-latency, low-bandwidth satellite links. Today it is the de facto standard for IoT communication.

Its design is deliberately minimalist: an MQTT message takes at least 2 bytes of header, versus the hundreds of bytes of HTTP/REST. A central broker (in IN-SIGHT, Azure IoT Hub acts as the broker) distributes messages to the subscribers of the corresponding topic.

MQTT defines three Quality of Service (QoS) levels: QoS 0 (at-most-once, fire and forget), QoS 1 (at-least-once, receipt confirmation) and QoS 2 (exactly-once, 4-step handshake). IN-SIGHT uses QoS 1 for telemetry: it accepts occasional duplicates in exchange for guaranteeing that no data packet is lost on a disconnection.

What TLS 1.3 is

TLS 1.3 (RFC 8446, 2018) is the current version of the transport-layer security protocol. Compared with TLS 1.2, it introduces critical improvements: the handshake completes in 1 round-trip (vs. 2 in TLS 1.2), all weak cipher suites are removed, and forward secrecy (ECDHE) is mandatory — which means that even if a device's private key is compromised in the future, past data cannot be decrypted.

Combined with mTLS (mutual TLS), both the server (IoT Hub) and the client (Pod CM4) mutually authenticate with X.509 certificates, eliminating the possibility of man-in-the-middle attacks.

Role in IN-SIGHT

  • Periodic telemetry: Every 30 s the CM4 publishes a compact JSON packet (< 512 bytes) with the aggregated health metrics of the interval. Under normal conditions, the Pod consumes ~2–4 Kbps.
  • Immediate alerts: When the EKF detects an anomaly, the Pod publishes an alert message instantly, without waiting for the 30 s cycle. The message properties trigger routing to Azure IoT Hub's alert queue.
  • Resilience in tunnels: If the connection is lost (tunnel, no-coverage area), the broker stores the pending messages (QoS 1, persistent session). The Pod retransmits them as soon as the connection is restored.
  • Topic naming: in3/{fleet-id}/{vehicle-id}/{pod-id}/{metric-type} — the hierarchical structure allows selective subscription from the operations portal without processing telemetry from the whole fleet.
Security by design: Each Pod has its own X.509 key pair generated at the factory and stored in a TPM (Trusted Platform Module) soldered to the CM4. The keys never leave the device. Revoking a compromised Pod does not affect the rest of the fleet.
── IN-SIGHT topic structure ────────────────────────────
in3/TMB/5042/pod-a/vibration     ← bogie metrics
in3/TMB/5042/pod-b/door-cycle    ← door metrics
in3/TMB/5042/pod-a/alert         ← EKF alerts
in3/TMB/5042/$twin               ← Device Twin sync

── Normal telemetry payload (example) ──────────────────
{
  "ts": "2026-06-17T10:22:05.412Z",
  "v":  "1.4.2",
  "rms": 0.42,
  "peak_freq": 87.3,
  "temp_c": 38.1,
  "ekf_innov": 0.031
}