A practical guide to MQTT security for OT/IoT environments covering threat models, core controls, version differences, pentesting checks, configuration examples, cloud shared-responsibility, red flags, and an action plan. Focuses on applying OT-flavored security controls (TLS, identity, ACLs, segmentation, monitoring) and includes hands-on testing and hardening advice.
MQTT Security Considerations — The Little Publish/Subscribe Protocol That Could (Also Betray You)

"MQTT: lightweight, ubiquitous, and quietly judging your security posture." — Probably me, 3 cups of coffee in.
You already know the layout: we covered IoT/ICS/SCADA architecture and then dug into embedded device attack surfaces. Now we zoom in on the messaging backbone many devices use to gossip with the cloud and operators: MQTT. If embedded devices are the nervous system and cloud is the brain, MQTT is t...
What is MQTT (quick refresher)

MQTT is a tiny publish/subscribe protocol designed for constrained devices and unreliable networks. The name comes from IBM's MQ product line (originally "MQ Telemetry Transport"); the popular expansion "Message Queuing Telemetry Transport" is misleading, because there is no general message queue in the protocol: the broker forwards each message to whoever is subscribed at that moment, with persistent sessions and retained messages as the narrow exceptions. Key players: broker (server), clients (publishers/subscribers), topics (string paths), QoS levels (0, 1, 2), Last Will and Testame...
The Threat Model — where MQTT gets messy

- Unauthenticated brokers: an open broker hands every published telemetry message to anyone who subscribes to #, and lets anyone publish to command topics (command injection against whatever listens there).
- Weak auth: plain username/password over plaintext TCP sits in cleartext in the CONNECT packet, so one capture on the path yields credentials that replay verbatim; eavesdrop + replay = bad times.
- Overprivileged topics: one client can publish to control topics because ACLs are mi...
Core Security Controls (and the OT-flavored why)

Use TLS everywhere
  Why: prevents passive eavesdropping and man-in-the-middle (MITM), but only if clients actually verify the broker certificate; a client that turns verification off gets encryption without authentication and will happily talk to an impostor broker.
  OT nuance: Legacy PLCs may not support TLS — if they can’t, put a gateway that terminates TLS on their behalf, and treat the plaintext leg between PLC and gateway as a segment to isolate rather than a solved problem.

Strong authentication and identity
  Client certificat...
MQTT v3.1.1 vs MQTT 5.0 — quick comparison

| Feature | MQTT 3.1.1 | MQTT 5.0 (security win) |
|---|---|---|
| Reason codes for failures | Minimal: CONNACK carries six return codes, SUBACK a single failure value, and for most other errors the broker just drops the connection | Yes — reason codes on CONNACK, SUBACK, PUBACK and DISCONNECT, and the broker can send DISCONNECT with a reason instead of silently closing the socket; clearer failure handling |
| Enhanced auth exchange | No: one username/password in CONNECT | Yes — the AUTH packet allows challenge/response ("pluggable") auth mechanisms |
| Topic alias and properties | Limited | Richer metadata (can help or hurt security: more fields for a broker to validate and more places for a client to stuff unexpected data) |
...
Practical pentest checklist — how to assess an MQTT deployment

- Can you connect anonymously? (Try mosquitto_sub without creds; a CONNACK with return code 0 and no credentials is the first red flag.)
- Are endpoints using TLS? Check certificate validity, expiry and name matching, and check whether a plaintext listener is still open next to the TLS one.
- Enumerate topics and retained messages: subscribe to # and, separately, to $SYS/# (a leading wildcard never matches $-topics), and look for retained flags; retained messages hand a newcomer the last state of every device for free.
- Test authentication bypas...
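The first two checklist items (anonymous connect, TLS validation) and the reason-code row of the version table above in working code, as an added example that is not part of the original article: a dependency-free CONNECT/CONNACK probe in Python. Assumptions: the client ID "mqtt-audit", the default target 127.0.0.1 and the sample packets in the code are made up for illustration; the return/reason-code tables are from the MQTT 3.1.1 and 5.0 specifications.

```python
"""Dependency-free MQTT CONNECT/CONNACK probe (added example, not the article's code).

The client ID "mqtt-audit" and the default target 127.0.0.1 are assumptions.
"""
import socket
import ssl
import struct
import sys

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3).
CONNACK_V311 = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}
# Subset of MQTT 5.0 CONNACK reason codes (spec section 3.2.2.2); every
# failure code is >= 0x80 and the broker tells you why it refused you.
CONNACK_V5 = {
    0x00: "success",
    0x80: "unspecified error",
    0x84: "unsupported protocol version",
    0x85: "client identifier not valid",
    0x86: "bad user name or password",
    0x87: "not authorized",
    0x88: "server unavailable",
    0x8C: "bad authentication method",
}


def encode_remaining_length(n: int) -> bytes:
    """Variable-length integer used for the Remaining Length of every packet."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _utf8(s: str) -> bytes:
    """MQTT UTF-8 encoded string: 2-byte big-endian length prefix."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_connect(client_id, username=None, password=None, protocol_level=4, keepalive=30):
    """CONNECT packet for MQTT 3.1.1 (level 4) or MQTT 5.0 (level 5)."""
    flags = 0x02  # Clean Session (3.1.1) / Clean Start (5.0)
    if username is not None:
        flags |= 0x80
    if password is not None:
        if username is None and protocol_level == 4:
            raise ValueError("MQTT 3.1.1 forbids a password without a user name")
        flags |= 0x40
    header = _utf8("MQTT") + bytes([protocol_level, flags]) + struct.pack(">H", keepalive)
    if protocol_level == 5:
        header += b"\x00"  # empty CONNECT properties
    payload = _utf8(client_id)
    if username is not None:
        payload += _utf8(username)
    if password is not None:
        payload += _utf8(password)
    body = header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(data: bytes, protocol_level=4):
    """Return (code, meaning) from a CONNACK; raise on anything else."""
    if len(data) < 4 or data[0] != 0x20:
        raise ValueError("not a CONNACK packet")
    code = data[3]  # byte 2 is the acknowledge-flags byte in both versions
    table = CONNACK_V5 if protocol_level == 5 else CONNACK_V311
    return code, table.get(code, "reserved/unknown")


def verdict(code: int, username=None) -> str:
    """Map the broker's answer onto the checklist question that was asked."""
    if code == 0 and username is None:
        return "FINDING: anonymous connection accepted"
    if code == 0:
        return "credentials accepted"
    return "connection refused"


def probe(host, port=1883, username=None, password=None, use_tls=False, protocol_level=4, timeout=5.0):
    """Send one CONNECT and return (code, meaning).

    With use_tls the default ssl context verifies chain and host name, so a
    self-signed or mismatched broker cert raises ssl.SSLError instead of connecting.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_connect("mqtt-audit", username, password, protocol_level))
        data = sock.recv(16)
    finally:
        sock.close()
    return parse_connack(data, protocol_level)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    code, meaning = probe(target)
    print(f"{target}: CONNACK {code} ({meaning}) -> {verdict(code)}")
```

Run it as `python mqtt_probe.py <broker>` against a lab broker. A CONNACK 0 without credentials is the first red flag; an ssl.SSLError on the TLS port means the broker certificate would not pass a verifying client, which usually means the fielded clients are not verifying. Brokers that simply close the socket on rejection produce an empty read, which parse_connack reports as "not a CONNACK packet".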
Config snippets & patterns

Example mosquitto.conf (TLS + ACL file):

    listener 8883
    cafile /etc/mosquitto/ca.crt
    certfile /etc/mosquitto/server.crt
    keyfile /etc/mosquitto/server.key
    require_certificate true
    use_identity_as_username true
    acl_file /etc/mosquitto/acl

    # ACL example lines:
    # user devic...

How the pieces fit: require_certificate true rejects any client whose certificate does not chain to cafile, and use_identity_as_username true then takes the certificate CN as the username, which is the name the ACL file's user and %u entries key on (so the CN on each device certificate must match the ACL exactly). Two things the snippet does not show: keep allow_anonymous false (the Mosquitto 2.x default), and do not leave a plaintext listener on 1883 open beside this one, or every control above is bypassed by connecting to the other port.
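To see what the ACL file actually grants before a device ships, here is an offline evaluator for a mosquitto-style ACL file, added as an example; it is neither the article's nor mosquitto's own code. topic_matches follows the MQTT 3.1.1 topic-filter rules (section 4.7); the rule semantics in evaluate_acl are a stated simplification (rules before the first user line apply to anonymous clients, a user section to that user only, pattern lines to every authenticated client with %u/%c substituted, deny beats allow), and EXAMPLE_ACL plus the usernames and client IDs in it are constructed for illustration.

```python
"""Offline evaluator for a mosquitto-style ACL file (added example, not the
article's or mosquitto's code). EXAMPLE_ACL and the names in it are constructed."""

EXAMPLE_ACL = """\
# constructed example ACL file
# rules before the first 'user' line: anonymous clients only
topic read $SYS/broker/uptime

# patterns apply to every authenticated client; %u = username, %c = client id
pattern write devices/%u/telemetry
pattern read devices/%u/cmd

user operator
topic write control/#
topic read devices/#
"""


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder,
    and a leading wildcard never matches '$'-prefixed topics such as $SYS/...
    (so a subscription to '#' is not a complete enumeration)."""
    if topic.startswith("$") and filt[:1] in ("+", "#"):
        return False
    flevels, tlevels = filt.split("/"), topic.split("/")
    for i, f in enumerate(flevels):
        if f == "#":
            return i == len(flevels) - 1  # '#' is only valid as the last level
        if i >= len(tlevels) or (f != "+" and f != tlevels[i]):
            return False
    return len(flevels) == len(tlevels)


def parse_acl(text: str):
    """Parse 'user <name>', 'topic [access] <filter>' and
    'pattern [access] <filter>' lines into rule dicts. Only whole-line
    comments are stripped, because '#' is also the multi-level wildcard."""
    rules, user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            user = parts[1]
        elif parts[0] in ("topic", "pattern") and len(parts) in (2, 3):
            access = parts[1] if len(parts) == 3 else "readwrite"
            if access not in ("read", "write", "readwrite", "deny"):
                raise ValueError(f"bad access keyword: {line!r}")
            rules.append({"kind": parts[0], "user": user, "access": access, "filter": parts[-1]})
        else:
            raise ValueError(f"unparseable ACL line: {line!r}")
    return rules


def evaluate_acl(rules, username, client_id, action: str, topic: str) -> bool:
    """Default deny. 'topic' rules before any 'user' line apply to anonymous
    clients (username None); a 'user' section applies to that user only;
    'pattern' rules apply to every authenticated client with %u/%c substituted.
    A matching 'deny' beats any allow. (Simplified semantics, see lead-in.)"""
    if action not in ("read", "write"):
        raise ValueError(action)
    # A username or client id containing a wildcard would turn a %u/%c pattern
    # into a much broader filter (devices/+/telemetry), so refuse it outright.
    for ident in (username, client_id):
        if ident is not None and any(ch in ident for ch in "+#"):
            return False
    allowed = False
    for r in rules:
        if r["kind"] == "topic":
            if r["user"] != username:
                continue
            filt = r["filter"]
        else:
            if username is None:
                continue
            filt = r["filter"].replace("%u", username).replace("%c", client_id or "")
        if not topic_matches(filt, topic):
            continue
        if r["access"] == "deny":
            return False
        if r["access"] in (action, "readwrite"):
            allowed = True
    return allowed


if __name__ == "__main__":
    rules = parse_acl(EXAMPLE_ACL)
    checks = [
        ("device-001", "device-001", "write", "devices/device-001/telemetry"),
        ("device-001", "device-001", "write", "devices/device-002/telemetry"),
        ("device-001", "device-001", "write", "control/plc1/setpoint"),
        ("operator", "ws1", "write", "control/plc1/setpoint"),
    ]
    for user, cid, action, topic in checks:
        print(f"{user:10} {action:5} {topic:30} -> {evaluate_acl(rules, user, cid, action, topic)}")
```

The wildcard check on usernames is the part worth copying into any custom auth plugin: with use_identity_as_username, the username is whatever CN your CA signed, so a sloppy enrolment process that issues a certificate for "+" turns every per-device pattern into a fleet-wide grant.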
Cloud-managed MQTT: don’t outsource responsibility

Managed brokers (AWS IoT Core, Azure IoT Hub) handle patching and uptime, but you still must:
- Configure TLS and cert rotation
- Manage device identity & provisioning
- Define and enforce access policies
- Monitor logs and telemetry
- Translate the...