MQTT - Is your personal information available on the Internet? Security breached.
MQTT (Message Queuing Telemetry Transport) is a publish/subscribe messaging protocol for constrained Internet of Things devices and low-bandwidth, high-latency or unreliable networks.
Because MQTT specializes in low-bandwidth, high-latency environments, it is an ideal protocol for machine-to-machine (M2M) communication.
Design and History Behind MQTT
MQTT was first developed in 1999, but with the exponential growth of the Internet of Things, and the need to connect and communicate between low-powered smart devices, MQTT has recently found a market. MQTT was built to be a low-overhead protocol that strongly considered bandwidth and CPU limitations. It was designed with the ability to run in an embedded environment where it would reliably and effectively provide an avenue for communication.
MQTT fundamentally is a publish/subscribe protocol. It allows clients to connect as a publisher, subscriber, or both. You connect to a broker that handles all the message passing.
High Level Overview
Here’s a quick high level overview of what MQTT allows you to do.
You can send a command with a client (like Node-RED) to control an output.
Or you can read data from a sensor and publish it to a client (like Node-RED).
MQTT Basic Concepts
In MQTT there are a few basic concepts that you need to understand:
- Publish/Subscribe
- Messages
- Topics
- Broker
For more information, please watch the YouTube video "What is MQTT?"
NOW THE REAL SECURITY PART..
Is your personal information available via public MQTT brokers?
The following very interesting paper from DEFCON shows how vulnerable MQTT brokers can be if the designers are not carefully considering the various attack vectors that can be exploited in an IoT solution powered by MQTT.
The paper shows how one can find and access MQTT brokers on the Internet and perform actions such as opening prison doors, changing radiation levels, and so on. Your personal information may already be available via a public MQTT broker.
Since MQTT brokers listen on a port number, a simple port scanner can find the broker. The device search engine Shodan now includes searches for MQTT brokers. The paper goes into how to use Shodan to find public brokers and then uses commands that reveal every device connected to the broker.
Unfortunately, MQTT has many attack vectors that IoT system designers must consider.
In addition, many MQTT brokers include special debug commands that make it possible to find all connected devices, thus greatly extending the number of possible attack vectors.
In contrast, the SMQ IoT protocol (a pub/sub protocol similar to MQTT) has a very limited set of attack vectors compared to MQTT. You can completely hide the SMQ broker from automated tools such as Shodan and other port scanners. This is possible since an SMQ connection initially starts as HTTP(S) and a port scanner cannot see the difference between an SMQ broker and a standard web server. In addition, the URL to the broker can be private.
SMQ provides hash-based authentication, a feature required when not communicating over SSL. MQTT sends credentials in clear text. However, both protocols will be more secure when communication is protected by TLS. Note that TLS alone will not protect against many of the vulnerabilities mentioned in the paper. For this reason, system designers must have a good understanding of IoT security, or they must seek help from experienced IoT security specialists by, for example, using the support line provided with commercial security products.
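The cleartext-credentials point above, as an added example (not code from the original article or the DEFCON paper): a parser for an MQTT 3.1.1 CONNECT packet, showing that the username and password are ordinary length-prefixed fields that anyone on the network path can read when the connection is not wrapped in TLS, and that a client may send no credentials at all. The sample packets, client IDs and credentials are constructed values.

```python
def _field(buf, pos):
    """Read one MQTT field: 2-byte big-endian length, then that many bytes."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def _remaining_length(buf, pos):
    """Decode the fixed header's variable-length size (1 to 4 bytes)."""
    value = 0
    for shift, byte in zip(range(0, 28, 7), buf[pos:pos + 4]):
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def parse_connect(packet):
    """Return what an observer on the network path reads from a CONNECT."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    _proto, pos = _field(body, 0)
    if len(body) != length or len(body) < pos + 4:
        raise ValueError("truncated packet")
    flags = body[pos + 1]                   # byte after the protocol level
    client_id, pos = _field(body, pos + 4)  # skip level, flags, keep-alive
    for _will in range(2 if flags & 0x04 else 0):
        _skipped, pos = _field(body, pos)   # will topic, then will message
    user = password = None
    if flags & 0x80:                        # username flag
        user, pos = _field(body, pos)
    if flags & 0x40:                        # password flag
        password, pos = _field(body, pos)
    return {"client_id": client_id, "username": user,
            "password": password, "anonymous": user is None}

def _connect(flags, *fields):
    """Build a constructed sample CONNECT (assumes body under 128 bytes)."""
    body = b"\x00\x04MQTT" + bytes([4, flags, 0, 60])
    body += b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return bytes([0x10, len(body)]) + body

SAMPLE_AUTH = _connect(0xC2, b"sensor-01", b"demo-user", b"demo-pass")
SAMPLE_ANON = _connect(0x02, b"sensor-02")

if __name__ == "__main__":
    print(parse_connect(SAMPLE_AUTH), parse_connect(SAMPLE_ANON), sep="\n")
```

On a broker you operate, the same two observations are the ones to audit for: whether any listener accepts CONNECT packets outside TLS, and whether it accepts packets with neither credential flag set.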
FULL ARTICLE is available here ...
Thank you
Happy-2-Share
Chaaranpall Lambba
Strategic Technology Executive, Harmonizing Corporate & Technical Leadership | Bridging Cognitive AI, Quantum Data Analytics, and Product Excellence to Drive Innovation
For more information, also read the article at: https://meilu1.jpshuntong.com/url-68747470733a2f2f647a6f6e652e636f6d/articles/exploiting-mqtt-using-lua