
Security assessment of common open source MQTT brokers and clients

Security and dependability of devices are paramount for the IoT ecosystem. Message Queuing Telemetry Transport protocol (MQTT) is the de facto standard and the most common alternative for those limited devices that cannot leverage HTTP. However, the MQTT protocol was designed with no security concer...

Bibliographic Details
Published in: arXiv.org 2023-09
Main Authors: Edoardo Di Paolo; Bassetti, Enrico; Spognardi, Angelo
Format: Article
Language: English
container_title arXiv.org
creator Edoardo Di Paolo
Bassetti, Enrico
Spognardi, Angelo
description Security and dependability of devices are paramount for the IoT ecosystem. Message Queuing Telemetry Transport protocol (MQTT) is the de facto standard and the most common alternative for those limited devices that cannot leverage HTTP. However, the MQTT protocol was designed with no security concerns, since it was initially designed for private networks of the oil and gas industry. Since MQTT is widely used for real applications, it is under the lens of the security community, also considering the widespread attacks targeting IoT devices. Following this research direction, in this paper we present an empirical security evaluation of several widespread implementations of MQTT system components, namely five broker libraries and three client libraries. While the results of our research do not capture very critical flaws, there are several scenarios where some libraries do not fully adhere to the standard and leave some margins that could be maliciously exploited and potentially cause system inconsistencies.
format article
identifier EISSN: 2331-8422
ispartof arXiv.org, 2023-09
issn 2331-8422
language eng
recordid cdi_proquest_journals_2862629409
source Publicly Available Content Database
subjects Cybersecurity
Internet of Things
Libraries
Queueing
Telemetry
title Security assessment of common open source MQTT brokers and clients
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-26T11%3A36%3A21IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Security%20assessment%20of%20common%20open%20source%20MQTT%20brokers%20and%20clients&rft.jtitle=arXiv.org&rft.au=Edoardo%20Di%20Paolo&rft.date=2023-09-07&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2862629409%3C/proquest%3E%3Cgrp_id%3Ecdi_FETCH-proquest_journals_28626294093%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2862629409&rft_id=info:pmid/&rfr_iscdi=true