MQTT Vulnerabilities, Attack Vectors and Solutions in the Internet of Things (IoT)

Internet of Things (IoT) paved the way for devices and machine communication using TCP/IP protocol. Lightweight and stateless communication is imperative especially in a situation requiring conservation of energy usage, e.g. wireless sensor network. Representational State Transfer (REST) API method is based on web communication protocol, Hyper-Text Transfer Protocol (HTTP), and is widely used in IoT messaging. Some of these protocols are DPWS, XMPP, MQTT, COaP, AMQP. Among these protocols, MQTT is the most preferred protocol and is expected to be the de facto messaging IoT standard. MQTT uses a publisher/subscriber model to facilitate messaging between devices making messaging lightweight. Nevertheless, there are a number of security issues due to the design of the protocol itself. Some of the issues are denial of service, identity spoofing, information disclosure, elevation of privileges and data tampering. These issues can be caused by both internal and external perpetrators. Researchers have proposed various security techniques and mechanisms to address these issues. Incorporation of security has added processing overhead to the devices and this will have a bearing on IoT devices that are powered by a battery. This issue has opened up new research challenges in making the protocols more lightweight and at the same time not compromising the level of security provided.