-
Threat: Unauthorized Client Connection and Control
- Description: An attacker connects to the Mosquitto broker without proper authentication. They can then publish malicious messages to any topic, subscribe to sensitive topics to eavesdrop on data, or even control connected devices if those devices act on received messages without further validation. The attacker might use brute-force attacks against weak passwords, exploit default credentials, or leverage a vulnerability in the authentication mechanism.
- Impact:
- Data breaches (sensitive information exposed).
- Unauthorized control of connected devices (potentially causing physical damage or safety hazards).
- Disruption of service (if the attacker floods the broker or connected devices with malicious messages).
- Reputational damage.
- Affected Mosquitto Component:
mosquitto_auth_plugin(if a custom authentication plugin is used).mosquitto_passwd(password file handling).- The core authentication logic within the main Mosquitto broker process (handling of
CONNECTpackets and authentication checks). - ACL handling (
mosquitto.confACL configuration and the internal ACL enforcement).
- Risk Severity: Critical
- Mitigation Strategies:
- Disable anonymous access completely (
allow_anonymous falseinmosquitto.conf). - Enforce strong, unique passwords for all clients. Use a password manager.
- Implement and strictly enforce Access Control Lists (ACLs) to limit client access to only the necessary topics (principle of least privilege).
- Use TLS client certificate authentication for the strongest authentication.
- Regularly audit and update ACLs.
- If using a custom authentication plugin, thoroughly vet and audit its security. Keep it updated.
- Implement account lockout mechanisms to prevent brute-force attacks.
- Disable anonymous access completely (
-
Threat: Denial of Service (DoS) via Connection Exhaustion
- Description: An attacker establishes a large number of connections to the Mosquitto broker, exceeding the configured connection limit or exhausting system resources (file descriptors, memory). This prevents legitimate clients from connecting. The attacker might use a botnet or a simple script to rapidly open connections.
- Impact:
- Service unavailability for legitimate clients.
- System instability (if the broker crashes due to resource exhaustion).
- Affected Mosquitto Component:
- The main Mosquitto broker process (handling of incoming connections).
- Network listener component.
- Operating system resource limits (file descriptors, memory).
- Risk Severity: High
- Mitigation Strategies:
- Configure a reasonable
max_connectionslimit inmosquitto.conf. - Use a firewall to restrict access to the Mosquitto broker to authorized IP addresses.
- Monitor broker resource usage (CPU, memory, network connections) and set alerts for unusual activity.
- Implement rate limiting (using external tools or plugins) to prevent rapid connection attempts.
- Consider using a load balancer in front of multiple Mosquitto instances.
- Configure a reasonable
-
Threat: Denial of Service (DoS) via Message Flooding
- Description: An attacker sends a large volume of messages to the broker, overwhelming its processing capacity or network bandwidth. This can cause the broker to become unresponsive or crash, preventing legitimate clients from communicating. The attacker might target a specific topic or send messages to all topics.
- Impact:
- Service unavailability for legitimate clients.
- System instability (if the broker crashes).
- Potential data loss (if messages are dropped due to overload).
- Affected Mosquitto Component:
- The main Mosquitto broker process (message handling, queue management, topic matching).
- Network listener and sender components.
- Risk Severity: High
- Mitigation Strategies:
- Implement message rate limiting (using plugins or external tools).
- Configure appropriate resource limits (memory, queue sizes) for the Mosquitto process.
- Monitor broker resource usage and set alerts.
- Use a firewall to restrict access.
- Consider using a load balancer.
-
Threat: Exploitation of Mosquitto Vulnerabilities
- Description: An attacker exploits a known or zero-day vulnerability in the Mosquitto broker code itself. This could allow the attacker to execute arbitrary code on the broker server, gain unauthorized access, cause a denial of service, or leak information. The attacker would likely use a specially crafted MQTT packet or sequence of packets.
- Impact:
- Complete system compromise (if the attacker gains remote code execution).
- Data breaches.
- Denial of service.
- Loss of control over the broker.
- Affected Mosquitto Component:
- Potentially any part of the Mosquitto codebase, depending on the specific vulnerability. This could include:
- Protocol parsing logic (handling of various MQTT packet types).
- Memory management.
- ACL enforcement.
- Authentication mechanisms.
- Plugin handling.
- Potentially any part of the Mosquitto codebase, depending on the specific vulnerability. This could include:
- Risk Severity: Critical
- Mitigation Strategies:
- Keep Mosquitto updated to the latest stable version. Subscribe to security advisories.
- Run Mosquitto with the least privileges necessary (not as root/administrator).
- Use a network intrusion detection system (NIDS) or intrusion prevention system (IPS) to monitor for malicious MQTT traffic.
- Regularly audit the system for signs of compromise.
Threat: Malicious Plugin
-
Threat: Malicious Plugin
- Description: An attacker installs or replaces a legitimate Mosquitto plugin with a malicious one. This could allow the attacker to execute arbitrary code, intercept messages, bypass authentication, or otherwise compromise the broker.
- Impact:
- Complete system compromise.
- Data breaches.
- Denial of service.
- Loss of control.
- Affected Mosquitto Component:
mosquitto_plugin.h(plugin interface).- The plugin loading mechanism.
- The specific functionality of the compromised plugin.
- Risk Severity: Critical
- Mitigation Strategies:
- Only use plugins from trusted sources.
- Verify the integrity of plugin files (e.g., using checksums).
- Keep plugins updated.
- Run Mosquitto with limited privileges.
- Use file integrity monitoring.
Threat: Misconfiguration of ACLs
-
Threat: Misconfiguration of ACLs
- Description: The Access Control Lists (ACLs) are configured incorrectly, allowing clients to access topics they should not be able to access. This could be due to typos, misunderstandings of the ACL syntax, or overly permissive rules.
- Impact:
- Data breaches (unauthorized access to sensitive topics).
- Unauthorized control (clients publishing to topics they shouldn't).
- Affected Mosquitto Component:
mosquitto.conf(ACL configuration).- The internal ACL enforcement logic within Mosquitto.
- Risk Severity: High
- Mitigation Strategies:
- Carefully review and understand the Mosquitto ACL documentation.
- Use a configuration management tool to automate and standardize ACL configuration.
- Regularly audit ACLs to ensure they adhere to the principle of least privilege.
- Test ACLs thoroughly in a non-production environment. Use a variety of clients with different credentials to verify access restrictions.
Threat: Weak TLS Configuration
-
Threat: Weak TLS Configuration
- Description: TLS is enabled, but weak cipher suites or outdated TLS versions are allowed. This makes the communication vulnerable to attacks that can decrypt the traffic.
- Impact:
- Compromised confidentiality (eavesdropping).
- Potential for MitM attacks.
- Affected Mosquitto Component:
- TLS configuration in
mosquitto.conf. - The underlying TLS library used by Mosquitto (e.g., OpenSSL).
- TLS configuration in
- Risk Severity: High
- Mitigation Strategies:
- Configure Mosquitto to use only strong TLS cipher suites (e.g., those recommended by NIST).
- Disable outdated TLS versions (TLS 1.0, 1.1). Prefer TLS 1.3.
- Regularly update the underlying TLS library.