Conference: International Conference on Advances in Computing, Communications and Informatics

Analysis of vulnerabilities in MQTT security using Shodan API and implementation of its countermeasures via authentication and ACLs

Abstract

Among the technologies that have evolved in recent years, a remarkable one is the IoT (Internet of Things), wherein the 'thing' in IoT could be smartphones, tablets, PCs and almost anything with a sensor on it, like cars, people, machines in production plants, jet engines, oil drills, wearable devices and many more objects. A standardized, lightweight, session layer protocol with publish/subscribe architecture widely used for messaging and information exchange among IoT devices is the MQTT (MQ Telemetry Transport) protocol. In this paper, we identify various security loopholes in MQTT, using the Shodan API and implementing an experimental setup with a Raspberry Pi as an MQTT Broker and Python programs as publisher/subscriber clients. The experimental results with respect to the security issues in this protocol at packet and topic levels were studied, and the corresponding security measures, consisting of authentication and authorization techniques (ACLs), were implemented. As a result, the Broker was then found to be immune to such attacks. This paper is a concise study of security inconsistencies in MQTT and its countermeasures.