MQTT is a lightweight publish-subscribe messaging transport protocol, well suited to machine-to-machine (M2M) and internet of things (IoT) contexts. In MQTT, clients connect to a central broker and subscribe to the topics they are interested in, for example different kinds of machine data or sensor readings. Publishing clients connect to the same broker and publish messages to topics; the broker then forwards each message to every client subscribed to that topic, so publishers and subscribers never talk to each other directly.
MQTT is increasingly popular as the IoT and the industrial IoT (IIoT) expand. It is used for data exchange between IoT devices, and between IoT sensors and cloud back ends. However, the security of MQTT deployments is often overlooked.
One commonly unsecured aspect of MQTT deployments is the broker's exposed ports. TCP port 1883 carries plain-text MQTT, while TCP port 8883 carries MQTT over TLS. For this research, we used Shodan, a search engine for internet-connected devices, to gather information. The following chart shows the MQTT brokers that Shodan found exposed to the internet on port 1883 on Sept. 25, 2019, together with the results of Shodan's attempts to connect to them. 76,928 brokers were exposed in total. The majority are in China, where more than 20,000 brokers are exposed; the United States follows in second place with 12,802. Trend Micro published a white paper, "The Fragility of Industrial IoT's Data Backbone: Security and Privacy Issues in MQTT and CoAP Protocols," in December 2018 that warned about the security risks of exposed brokers. Almost a year later, the same issues are still prevalent.
The following pie chart shows how the exposed brokers responded to connection attempts. Surprisingly, more than 47,000 of them accepted a connection outright: over 60% of the exposed brokers could be connected to without any authentication.
This map shows the exposed brokers that accept connections without authentication. China is again at the top of the list with 14,241.
Let's take a closer look at the brokers that could be connected to without authentication, using data acquired in July 2019. The following graph shows the number of open ports on the hosts running these brokers.
Many of these hosts also expose HTTP/HTTPS ports for a web service and SSH for remote access.
The following graph shows the total client count and the connected client count taken from Shodan's subscription records. These figures are limited to Mosquitto, which publishes its own statistics on the $SYS/broker/clients/total and $SYS/broker/clients/connected topics that any subscriber can read. Brokers with more than 10 clients are likely enterprise deployments; few consumer users have more than 10 IoT devices at home.
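As an added example (not part of the original article and not Trend Micro's own tooling), the following Python script reproduces the two checks that the figures above rest on: whether a broker answers a CONNECT that carries no credentials with return code 0, which is the condition counted as "connected without authentication" in the pie chart, and what Mosquitto's $SYS/broker/clients/total and $SYS/broker/clients/connected counters report once a subscriber is in, which is where the client counts in the graph come from. It speaks raw MQTT 3.1.1 over a plain socket with no third-party library. The client identifier `mqtt-probe`, the host passed to `probe_broker()`, and the two sample frames at the bottom are assumptions or constructed for this example, not captures from any real broker; point `probe_broker()` only at brokers you are authorized to test.

```python
"""Minimal MQTT 3.1.1 packet helpers (added example, no third-party library).
They reproduce the two checks behind the article's numbers: does a CONNECT that
carries no credentials get CONNACK return code 0, and what do Mosquitto's retained
$SYS/broker/clients/* counters report once we are in."""
import socket
import struct

# CONNACK return codes as defined by MQTT 3.1.1.
CONNACK_CODES = {0: "connection accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def encode_remaining_length(n):
    """Variable-length integer: 7 data bits per byte, bit 0x80 means more follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf, offset=1):
    """Return (value, index of the first byte after the length field)."""
    value, multiplier = 0, 1
    while True:
        byte, offset = buf[offset], offset + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128

def mqtt_string(s):
    """Length-prefixed UTF-8 string, the encoding MQTT uses for all string fields."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def build_connect(client_id, username=None, password=None, keepalive=30):
    """CONNECT with clean session; omit username/password to test anonymous access."""
    flags = 0x02 | (0x80 if username is not None else 0) | (0x40 if password is not None else 0)
    body = mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + mqtt_string(client_id)
    body += b"".join(mqtt_string(f) for f in (username, password) if f is not None)
    return b"\x10" + encode_remaining_length(len(body)) + body

def parse_connack(pkt):
    """Return (return code, meaning); code 0 means the broker accepted the session."""
    if len(pkt) < 4 or pkt[0] != 0x20 or pkt[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return pkt[3], CONNACK_CODES.get(pkt[3], "reserved")

def build_subscribe(packet_id, topic_filter, qos=0):
    """SUBSCRIBE for a single topic filter such as '$SYS/broker/clients/#'."""
    body = struct.pack("!H", packet_id) + mqtt_string(topic_filter) + bytes([qos])
    return b"\x82" + encode_remaining_length(len(body)) + body

def parse_publish(pkt):
    """Return (topic, payload) from a PUBLISH; QoS 1 and 2 carry an extra packet id."""
    if pkt[0] & 0xF0 != 0x30:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    length, pos = decode_remaining_length(pkt)
    (topic_len,) = struct.unpack("!H", pkt[pos:pos + 2])
    topic = pkt[pos + 2:pos + 2 + topic_len].decode("utf-8")
    start = pos + 2 + topic_len + (2 if qos else 0)
    return topic, pkt[start:pos + length]

def recv_packet(sock):
    """Read exactly one control packet: first byte, length field, then the body."""
    header = bytearray()
    while True:
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("broker closed the connection")
        header += byte
        if len(header) > 1 and not byte[0] & 0x80:
            break
    length, _ = decode_remaining_length(bytes(header))
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("truncated packet")
        body += chunk
    return bytes(header) + body

def probe_broker(host, port=1883, timeout=5.0):
    """Connect with no credentials; if accepted, collect the retained $SYS client
    counters. Returns (CONNACK code, {topic: value}). Authorized targets only."""
    counters = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect("mqtt-probe"))  # assumed client id
        code, _ = parse_connack(recv_packet(s))
        if code == 0:
            s.sendall(build_subscribe(1, "$SYS/broker/clients/#"))
            try:
                for _ in range(16):  # SUBACK, then one retained PUBLISH per counter
                    pkt = recv_packet(s)
                    if pkt[0] & 0xF0 == 0x30:
                        topic, payload = parse_publish(pkt)
                        counters[topic] = payload.decode("utf-8", "replace")
            except socket.timeout:
                pass  # no further retained messages pending
            s.sendall(b"\xe0\x00")  # DISCONNECT
    return code, counters

# Constructed sample frames (not captured from any real broker) for offline checks:
SAMPLE_CONNACK_DENIED = b"\x20\x02\x00\x05"  # CONNACK, return code 5
SAMPLE_SYS_PUBLISH = b"\x31\x22\x00\x1d$SYS/broker/clients/connected137"  # retained, QoS 0
```

Call `probe_broker(host)` against a broker you own. A return code of 0 together with a populated counter dictionary is exactly the state the article counts as "connected without authentication"; a return code of 5 ("not authorized") or 4 ("bad user name or password") means anonymous access is disabled. A broker can also return 0 with an empty dictionary: Mosquitto with `sys_interval 0` does not publish the $SYS tree, and other broker types do not publish Mosquitto's counters at all, which is why the article's client-count graph is limited to Mosquitto.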
The following map shows brokers with more than 100 connected clients. Brokers of this size are typically run by large enterprises, yet they are no better secured than the rest.
Our next pie chart and table show the types of brokers found. Mosquitto is the most popular, followed by ActiveMQ. ActiveMQ is designed for enterprise use and supports not only MQTT but also AMQP and STOMP, as well as JDBC for database integration.
This table shows Shodan's tags for the connected brokers. About 20% of the brokers run on cloud services, and about 8% also expose a database service, so data carried in MQTT messages can be stored in a database on the same host. Interestingly, some hosts are tagged with VPN and STARTTLS support, but these apply to other services on the host and are not used to protect the MQTT connection itself.
You will notice that some brokers are tagged ICS (industrial control system). This table shows the number of open ICS ports on the ICS-tagged brokers. Some of these hosts might only be honeypots, while others appear to have real ICS devices connected.
Here, we have introduced common uses of MQTT and typical setups for MQTT brokers. The most surprising finding is that over 60% of the exposed MQTT brokers (more than 47,000 of 76,928) could be connected to without authentication. These brokers carry significant security risks, and we will cover those risks and how to mitigate them in our next article.