MQTT Broker does not require authentication


Background

"MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimize network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery." (Source http://mqtt.org/faq)

An MQTT Broker is the glue that connects the devices that "publish" messages to the applications that "consume" them. The MQTT protocol supports authentication, but it is not mandatory. Authentication allows you to identify the devices and applications that connect to a broker, and prevents hackers from gaining access.

Risks

If a hacker can successfully talk to your MQTT Broker, they can read messages sent by other (genuine) devices and inject their own false messages. The possible consequences will depend on what you are using MQTT for.

For more information on MQTT security, read "MQTT Security: What did you not consider" by Wilfred Nilsen; the summary is this:

  • Is it safe to use MQTT without authentication? NO.

  • Is it safe to use MQTT without SSL/TLS? NO, because passwords would be sent in cleartext and could be intercepted.

  • Is it safe to use MQTT without strict authorization? NO.

  • Should wildcard subscriptions in the MQTT broker be disabled? YES.

Detection

Our security scanner was able to connect to your MQTT Broker without any authentication.

Remedies

Check the documentation for your MQTT Broker software, and:

  • set up accounts and passwords,
  • enable SSL/TLS, and
  • disable wildcard subscriptions.
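The check in the Detection section above and the remedies just listed can both be verified with a single MQTT CONNECT/CONNACK exchange. The script below is an added example written for this article; it is not the scanner's own code and not part of any broker. It builds an MQTT 3.1.1 CONNECT packet (anonymous, or with a username and password), sends it over plain TCP or TLS, and reports the broker's CONNACK return code. Before the fix, an anonymous CONNECT to your broker comes back as 0 ("connection accepted"); once accounts are required (for example `allow_anonymous false` plus a `password_file` in Mosquitto) it should come back as 5 ("not authorized") or 4, and a credentialed CONNECT over the TLS listener should still return 0. The host, port and client id `authcheck` are placeholders you supply; run it only against your own broker.

```python
"""Minimal MQTT 3.1.1 CONNECT/CONNACK exchange for checking a broker's
authentication settings. Added example, not the scanner's or a broker's code."""
import socket
import ssl
import struct
from typing import Optional, Tuple

# CONNACK return codes from the MQTT 3.1.1 specification.
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _mqtt_string(value: bytes) -> bytes:
    """Encode a length-prefixed (2-byte big-endian) MQTT string/binary field."""
    return struct.pack("!H", len(value)) + value


def _remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length' encoding used in the fixed header."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n > 0:
            byte |= 0x80  # continuation bit
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 30) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet; anonymous unless credentials are given."""
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1 forbids a password without a username")
    flags = 0x02  # clean session; no will, no credentials yet
    payload = _mqtt_string(client_id.encode())
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username.encode())
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password.encode())
    variable_header = (_mqtt_string(b"MQTT") + bytes([4])      # protocol name, level 4
                       + bytes([flags]) + struct.pack("!H", keepalive))
    body = variable_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connack(packet: bytes) -> Tuple[int, str]:
    """Return (code, meaning) from a CONNACK; raise if the bytes are not one."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet: %r" % packet[:4])
    code = packet[3]
    return code, CONNACK_CODES.get(code, "unknown return code")


def probe(host: str, port: int = 1883, use_tls: bool = False,
          username: Optional[str] = None, password: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[int, str]:
    """Open one connection, send CONNECT, and return the broker's CONNACK code.

    Run against your own broker: with no credentials the answer should be
    5 'not authorized' (or 4) once authentication is enforced."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = (ssl.create_default_context().wrap_socket(raw, server_hostname=host)
            if use_tls else raw)
    try:
        sock.sendall(build_connect("authcheck", username, password))  # placeholder id
        return parse_connack(sock.recv(4))
    finally:
        sock.close()


def anonymous_access_allowed(host: str, port: int = 1883, use_tls: bool = False) -> bool:
    """True when the broker accepts a CONNECT that carries no credentials."""
    code, _ = probe(host, port, use_tls)
    return code == 0


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # your own broker
    code, meaning = probe(target)
    print("anonymous CONNECT -> %d (%s)" % (code, meaning))
```

`anonymous_access_allowed(host)` returning True is exactly the condition the scanner reported; after enabling accounts it should return False, and `probe(host, 8883, use_tls=True, username=..., password=...)` should return `(0, "connection accepted")` for a valid account. The TLS branch uses the system's default certificate verification, so a broker with a self-signed certificate will fail the handshake until its CA is trusted, which is the behaviour you want to see from real clients too.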
