MQTT is not evil, just not always secure

Jul 17, 2017
Internet of Things

The MQTT messaging protocol standard used by IoT vendors is not inherently secure enough. Solutions exist to secure it, but organizations and vendors must assess risk and properly configure IoT and network security.


I recently wrote an article for CSOonline about the security of IoT.  Although primarily about the use of the MQTT protocol, it applies to general security considerations of IoT connectivity.  I received one strong rebuttal from an IBM developer, claiming that I overstated the risk.  I welcome any professional feedback on my positions on any security challenge.  Since this rebuttal was on Twitter, I decided to respond here where I have more than 140 words available.

Summary of argument

First, the OASIS standard MQTT protocol is not secure by itself.  Any implementation requires TLS or other means to secure sessions.  Further, it does not require devices to authenticate to servers.  Does this make all implementations of MQTT unsafe?  No.  Are there many organizations using MQTT or other messaging protocols insecurely?  Yes.  A Google search provides many examples, so I won’t try to list them here.

My challenger helpfully provided several examples of IoT security solutions.  I provide four examples here because this information is helpful when planning IoT security in any organization.

None of these solutions obviate my concerns. 

My argument

First, MQTT by itself is not “evil,” just as TCP is not evil.  However, neither is secure enough by itself when applying only the basic standards.  Consequently, it’s necessary to secure authentication and messaging traffic across IoT messaging links. 
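As an added illustration (not from the original article, which names no particular broker), here is what that difference looks like in an Eclipse Mosquitto broker configuration, assuming Mosquitto 2.x and placeholder certificate paths: the first file is the plaintext, anonymous setup the article warns about, the second enforces TLS, client authentication and topic-level authorization.

```conf
# ===== mosquitto.conf, weak (example only) =====
# Plain TCP on the default MQTT port: no TLS, so credentials and
# payloads cross the network in the clear, and anonymous clients
# may publish and subscribe to every topic.
listener 1883
allow_anonymous true

# ===== mosquitto.conf, hardened (example only) =====
# Settings below apply to the listener they follow.
per_listener_settings true

# Single TLS-only listener on the standard MQTT-over-TLS port;
# no plaintext listener is defined at all.
listener 8883
# Placeholder paths: replace with certificates from your own PKI.
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Mutual TLS: every device must present a client certificate signed
# by the CA above, and the certificate identity becomes its username
# so the broker can apply per-device authorization.
require_certificate true
use_identity_as_username true

# No anonymous sessions, even over TLS.
allow_anonymous false

# Topic-level ACLs so a compromised sensor cannot publish to control
# topics or subscribe to everything with the "#" wildcard.
# Placeholder path; the file pairs each username with allowed topics.
acl_file /etc/mosquitto/acl
```

After applying the hardened file, a plaintext or unauthenticated connection attempt is refused and shows up in the broker log, which is the first detection point for misconfigured or rogue devices.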

Second, it’s true that unwanted MQTT access across firewalls should be blocked.  However, this is usually the responsibility of the customer.  And while most, if not all, large organizations today properly secure their perimeters, SMBs often don’t. 

Even if the firewall is properly configured, ineffectively secured devices and their traffic (especially wireless) should not exist on network segments handling sensitive data or critical systems.  This responsibility falls partly to the customer and partly to the IoT solutions vendors.  Many IoT devices in organizations and SOHOs are not secure and elevate overall risk.  The examples are too numerous to list, and a daily review of security news provides sufficient supporting evidence.  So the Lundgren research in my original article is a very important finding. 

As for the solutions listed above, they are outstanding.  However, organizations or their IoT vendors must choose to implement them and properly configure them.  If you refer to my original article, you find a list of recommendations from the Department of Homeland Security for securing IoT.  These still apply when a security team assesses risk associated with any business solution, personal devices, break room devices, hospital devices, etc.


Finally, I could have chosen some of my descriptive wording differently.  However, my position remains the same.  Many organizations and vendors do not pay sufficient attention to IoT security.  Although solutions exist to secure MQTT messaging, they are not necessarily implemented by affected organizations.  Again, the role of the security team is to ensure the proper security controls are in place when using any protocol, including MQTT.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for TechRepublic and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.