3 Areas You Need to Be Familiar with to Understand MQTT Security Fundamentals

Posted on May 2, 2019 by Michael Doran
Tags: IoT, MQTT, security

Researchers estimate there may be 50 billion devices connected to the internet by 2020. Every light bulb, lock, thermostat, and appliance are now designed with network connectivity in mind.

For consumers this means enhanced productivity, health, education, and life. For entrepreneurs this means new revenue streams and markets.

As IoT grows each new connected product has the potential to become subject for hackers, botnets, and DDoS threats. For example, in October 2016, the largest DDoS attack ever was launched using an IoT botnet that was infected with the malware Mirai. Companies such as Netflix, Reddit, and Twitter had their sites brought down because of this malicious attack.

Another example is the hackable cardiac device from St. Jude. According to CNN, “The FDA confirmed that the implantable cardiac devices have vulnerabilities that could allow a hacker to access the device.”

The MQTT messaging protocol provides one way to prevent catastrophic breaches like these.

MQTT Security Fundamentals

When it comes to IoT network security there are three basic concepts to keep in mind: identity, authentication and authorization.

In each MQTT scenario there is a client, and a broker. A client can be anything ranging from a microcontroller to a server. Anything that makes a connection to a broker is considered a client.

A broker receives all messages and coordinates the publishing of messages to clients that are subscribed. The broker is responsible for persisting connections, as well as identifying, and authorizing the transfer of data to MQTT clients. The MQTT connection is only between one client and a broker.


In order for a client to make a connection with a broker it must initiate a request to connect. The MQTT protocol specifies that a client must report a client id when requesting a connection. Ideally, every client has a unique client identifier; most devices come equipped with a universal unique identifier (UUID) or a MAC address of the network device used to connect the client.

MQTT security connection

Once a broker receives a command from a client to connect, it determines if the client is eligible to connect if the message received contains a valid client id, username, and password. It is worth noting that a username and password are optional when requesting a connection to a broker.

Authentication with X.509

MQTT security TCP IPIn addition to authentication with username and password, the MQTT protocol allows a device to authenticate with a X.509 certificate. X.509 is a digital certificate that uses a public key infrastructure to verify that a public key belongs to a client.

In order for your client to utilize X.509 authentication it must implement TLS as its encryption method. TLS is not in the scope of this article, but for context it is worth noting that TLS encryption is the portion of your client stack that secures the communication channel for TCP/IP.

In the X.509 scenario a certificate authority is introduced to verify the identity of a client. During the connection handshaking process the client presents the broker with its certificate containing information such as its identity and public key. The broker then relays this certificate to the certificate authority for verification. Once verified, the broker can ensure that the client certificate is genuine and gain trust in the binding with the client name and public key. It is worth nothing that some MQTT brokers do not support the use of X.509 certificates.

MQTT security X.509

X.509 certificates provide the added benefit of verifying the identity of MQTT clients as well as providing authentication at the transport level.


When a client establishes a connection with the broker, it can perform two activities: publish and subscribe to topics. Topics are the main resource available to clients and require authorization/protection for a secure system – otherwise, without authorization, any client would have the ability to subscribe and publish to any topic available on the broker.

The most common types of authorization used are Role Based Access Controls (RBAC), and Access Control List (ACL).

In RBAC a role provides a level of abstraction between a client and the main resource, i.e. topics in this case. Permissions are always associated with a certain role, therefore, allowing the broker to authorize the ability for a client to publish or subscribe to a certain topic.

ACL associates certain clients with a list of permissions. These permissions provide policies on what topics a client can subscribe/publish to.

Using ACL or RBAC a broker can be configured with topic permissions. During run time the broker can determine allowed topics, allowed operations, and allowed quality of service. In the scenario where a client attempts to perform an unauthorized operation the broker can perform actions such as disconnecting from a client or acknowledging the client but preventing it from the publishing data to other clients that have subscribed to the same topic.

Authorization with Access Tokens

Access tokens provide an additional mechanism for scoping permissions for clients. By scoping the permissions of a client, you can prevent unauthorized access to read or write data that may have adverse effects on other client devices connected to your IoT infrastructure.

When publishing or subscribing the broker needs to authorize the client. Token authorization allows for a client to claim what scope, or permissions, it has. Another way to provide authorization with a server is to provide a third-party source for the broker to look up authorizations associated with a client based on token and unique id.

In order to connect to a broker with an access token, the client must send its access token with a connect message using the password field. In this case additional identification can be provided with the username field as well. Before requesting a connection, the client must be provided with an access token and scope.

MQTT security token passing

There are a variety of token services available. The most commonly used is OAuth 2.0. The client credential flow is modeled above where a client requests a token using credentials and is granted an access token.

Develop with confidence and foresight

While there are many more considerations to take when securing an IoT framework, this article provides three basic concepts as a starting point. Careful consideration of potential vulnerabilities is needed when assessing the scope of your IoT framework, and even then, there’s still the potential for future, yet-unknown vulnerabilities. While the security implications are vast, deconstructing a viable security framework can be the foundation to the execution of security in production environments. 

Michael Doran
by Michael Doran
Embedded Engineer
Michael Doran is an embedded engineer at Dornerworks.