Security analysis of the message queuing telemetry transport protocol

The Internet of Things aims to give simple objects on a network computational processing and connectivity so that data can be collected and then analyzed. However, because ease of use is a priority, the simplified implementations that result have several information security problems. This paper presents attack procedures in an Internet of Things environment that uses the Message Queuing Telemetry Transport protocol. We use the Low Orbit Ion Cannon and Wireshark programs for the attack procedures, compromising the integrity, confidentiality


Introduction
The Internet of Things (IoT) is a concept that has gained considerable attention. In short, the IoT aims to connect simple objects with little computational power for data processing and information collection (Sinha et al., ). The concept gained prominence with the ability to include data processing in simple objects. With IoT, it is possible to gather and analyze the information that travels between objects and support better-informed decisions, generating more positive results (da Cunha et al., ). The large set of data stored, analyzed, and processed by institutions is called Big Data, a concept that, along with IoT, has acquired much relevance in academia and the market because of its positive history of use (Jung et al., , Yadav and Vishwakarma, ).
One of the main problems of these deployments is security, which is usually neglected during implementation (Chen and Erfani, ). The lack of security for data in transit allows attacks of several kinds that capture sensitive data or interfere with the stored dataset, compromising its analysis.
For simple objects such as stoves and refrigerators to be connected, they must have some data processing capacity, such as microcontrollers and sensors, along with a wireless network connection. These components are necessary for reading and exchanging information (Samsudin et al., ). The network that carries this exchange of information works with rules for communication, called communication protocols (Rouse, ). In the TCP/IP protocol stack, most IoT protocols sit in the application layer, as shown in Fig. . One of the most used protocols in an IoT network is Message Queuing Telemetry Transport (MQTT), since it has low memory usage, low processing demand, and low bandwidth consumption (Yassein et al., ). IBM created MQTT as a lightweight protocol that guarantees message delivery while using little computational power and tolerating high network latency (Yuan, ). It operates by exchanging messages among the publisher, the broker, and the client (subscriber).
In practice, the publisher generates the data and sends it to the broker under a topic; the broker acts as the controller that receives the published data and distributes it. A client interested in that data sends the broker the topic name, subscribing to it, and from then on receives the data the publisher sends on that topic (Cope, ).
Next, Fig. illustrates the exchange of messages between the publisher and the client, with the topics controlled by a broker. In this context, this paper aims to demonstrate the fragility of the MQTT protocol when it is implemented in an IoT network in the usual way. By using specific procedures to capture the data that travel on the network, we show that it is possible to compromise the client's data.
We organized the rest of this paper as follows. Section discusses some concepts regarding this work, and Section presents a literature survey. Section describes the methodology used to expose weaknesses and indicate solutions. Section details the experiments and results. Finally, Section shows the conclusions of this research.

Literature review
To position this work relative to others, we surveyed the most relevant works in the area. First, however, we discuss the concepts underlying IoT and the aspects related to its security in the following sections.

Internet of Things
At the beginning of the discussion, in , the International Telecommunication Union ( ) described the IoT as a global information infrastructure that enables advanced services through the (physical and virtual) interconnection of objects, based on interoperable and evolving information and communication technologies.
For this infrastructure to become real, it is necessary to exploit identification, data capture, processing, and communication resources, which we can think of as small data packets exchanged by a large set of nodes. Later, practitioners observed that more objects than people were connected to the internet. Cisco Systems estimated that in the ratio of connected objects to people would increase, and that the number would keep growing in the following years (Raji, ). The Internet of Things is an evolving concept. As such, it spans several research areas, since connecting devices to wide area networks or local area networks (LANs) has become very simple, so activities that require specific monitoring or constant reading of data can be performed more efficiently and safely (Anil, ). Usually, an IoT system uses an application layer protocol such as MQTT to transport small amounts of data, reduce network latency, and handle the many devices connected to the IoT network. The devices' processing resources are limited, so heavy work is kept off them and the data are supplied to a server with greater processing power (Navani et al., ). To create an IoT network, one needs a sensor for data collection, a controller, and a client that will process the data, such as a desktop or smartphone.

Message Queuing Telemetry Transport Protocol
After the IoT network is created, one means of data transmission is the Message Queuing Telemetry Transport (MQTT) protocol. Created by IBM in the 1990s, this protocol allows data exchange between an object and other devices connected to a network, and it can operate on limited hardware and over networks with high latency.
In MQTT, sensors and clients exchange data through topics. Since several sensors and clients may exist, the topic name sent with each message identifies the data stream at the broker. Whoever produces data takes the "publisher" role: it publishes the object's data under a topic, and the broker, which is responsible for receiving and relaying messages, makes the data available to every device that has subscribed to that topic. The "subscriber" role selects the data it wants by telling the broker which topics it subscribes to, and then receives whatever is published on them.
The connection with the broker is established over TCP, optionally with username/password authentication and TLS encryption. Each published message and each subscription carries a desired Quality of Service (QoS) level, which defines the delivery guarantee between a client and the broker (Shinho Lee et al., ). One of the following three QoS levels may be used:
• QoS 0 (at most once): there is no delivery confirmation, and the message is not stored for retransmission.
• QoS 1 (at least once): the receiver acknowledges the message. The sender retransmits until it gets the acknowledgement, so duplicate messages can be delivered.
• QoS 2 (exactly once): delivery exactly once is ensured by a handshake with confirmations in both directions. The sender keeps the message until the exchange completes.
To open a session, the client sends a CONNECT message and the server answers with a CONNACK. If the server does not receive a CONNECT within a reasonable time after the network connection is opened, it must close the connection. If the client does not receive the CONNACK within a reasonable time, it must close the network connection and start a new session with a new CONNECT. A CONNECT with an invalid protocol name, or with a protocol level the server does not support, is rejected; in the second case the server may return a CONNACK with the corresponding error code before closing the connection. Likewise, when the server can parse the CONNECT but refuses it (for example, because of bad credentials or an unauthorized client identifier), it returns a CONNACK with a non-zero return code and then closes the connection (OASIS Standard, ).

Information Security Test Procedures
After setting up the test environment, we perform network attack procedures focused on the data and on the connection between the publisher and the broker. The following sections describe the techniques used.

Denial of Service Method
This type of attack aims to make some point on the network inaccessible, obstructing the flow of data through it. It is also possible to overload any point on the network with packets, such as the data collection sensor, impairing the sending of information to the next hop. Specialized programs exist for this, many of them shipped with Kali Linux, a Linux distribution made for information security work (Chen et al., ). A more elaborate form is the Distributed Denial of Service (DDoS) attack, in which a controlling ("master") computer commands several compromised ("zombie") computers. At the chosen moment, the zombies all send packets to a specific service. Since every service, such as a web server, has a maximum load it can handle, it may not cope with the volume of requests and become unusable (Nagpal et al., ).
Capture of network data packets
Another attack approach is to analyze the network for weaknesses, for instance obtaining an access password, and then, with specific tools, capture the packets that travel on the network to obtain their contents, which may be confidential or sensitive information. For this, a sniffer program such as Wireshark is generally used to intercept and record the packets on the network and evaluate their content afterwards (Das and Tuna, ). Knowing the topic used in a simply implemented IoT network, it is also possible to run a fake publisher and inject fictitious data, compromising the analysis of the collected dataset (Andy et al., ). As stated before, attacks on an IoT network may aim either to obtain the data that travel on the network, recording sensitive information, or to make the network unusable. The work of Andy et al. ( ) shows that a typical MQTT deployment has only a minimal security layer: by itself the protocol offers username/password authentication and nothing more.
With so many devices and networks installed, an IoT network using MQTT in this way is vulnerable. In the first scenario, a subscriber uses the multi-level wildcard "#" to subscribe to every topic the broker relays, obtaining sensitive data from all of them; Fig. illustrates this. The reverse attack is also possible: instead of collecting data with "#", the attacker acts as a publisher and injects false data into the broker, which then delivers it to any subscriber of that topic.
These scenarios can be carried out against any reachable broker that does not require authentication, since in MQTT authentication is optional. Once an attacker can reach the IoT network, he can also analyze the traffic on it.
In this scenario, we used Wireshark to inspect the traffic, exploiting the lack of confidentiality and integrity protection of MQTT packets. MQTT itself does not encrypt anything; confidentiality depends on TLS at the transport layer, which is optional and absent in simple deployments. As a result, the attacker can quickly read the data that travel over the network, as the screen in Fig. shows.

Although authentication is not mandatory in MQTT, a username and password can be used to authenticate with the broker. If the attacker is on the same network as the publisher, he can capture the packets sent to the broker, including the one that carries the authentication. Unless the administrators enabled encryption, the credentials in that packet are in clear text. Fig. shows the captured CONNECT packet containing the username and password.

Another attack on the integrity of the packets is to modify the data traveling between the publisher and the broker. For this, the attacker replaces the topic name in transit with another one and applies a filter so that the subscriber ends up reading the false topic's data. Using an Etterfilter script (part of Ettercap) while connected to the network, the attacker modifies the packet and forwards it to the targeted host. Fig. shows that the subscriber received the altered topic.
As shown, attacks on the packets that travel on an IoT network, and on its connections, succeed when the network is implemented without precautions. The following section presents the testing environment, the experiments carried out, and the results obtained.

Related works
Harsha et al. ( ) analyze security breaches in the use of the MQTT protocol and demonstrate countermeasures based on authentication and authorization techniques. That work also addresses several difficulties with MQTT, among them that, by default, any client can subscribe or publish to any topic, since there is no access control mechanism or other barrier, and that recovering lost messages is challenging. The authors use Wireshark to analyze and monitor the packets.
The work indicated that publisher authentication is important, making the broker less exposed to unauthorized publishers. To prevent unauthenticated publications, the authors configured the authentication option, limiting publications to clients that have access. To protect the data themselves, Transport Layer Security (TLS) can be enabled on a dedicated broker port (conventionally 8883), so that transmission happens over an encrypted connection; the older Secure Sockets Layer (SSL) versions are obsolete and should not be used. The cost is the handshake overhead, which becomes noticeable when clients reconnect to the broker frequently.
Another resource is the Access Control List (ACL), a list configured in the broker that states which users may publish on which topics. For example, the first red rectangle in Fig. shows a client publishing on a topic it is authorized for. In the second rectangle, the same client tries to publish on another topic and is refused. Harsha et al. ( ) show that it is possible to keep a list of authenticated clients in the broker with their publishing permissions. However, even then the client's username can be captured with Wireshark when the publisher authenticates, unless the connection is encrypted. Encryption is therefore also needed to guarantee the confidentiality and integrity of the data; with it, only clients holding the key can read authentic data.
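The two mechanisms discussed above, the "#" wildcard subscription from the attack scenarios and the ACL that refuses a client's publish to a topic it is not allowed to use, can be reproduced in a few lines. The following Python is an added example written for this edit; it is not code from the paper, from Mosquitto, or from Harsha et al. Topic matching follows the MQTT 3.1.1 rules for "+", "#" and "$"-prefixed topics; the client identifiers, topics and ACL entries are constructed.

```python
"""Topic-filter matching and a minimal publish/subscribe ACL for an MQTT broker.

Added example, not code from the paper or from Mosquitto. It shows the two
points made in the text: a subscription to the multi-level wildcard "#"
matches every topic the broker relays, and an access control list limits which
clients may publish or subscribe where. Matching follows the MQTT 3.1.1 topic
rules; the client names and topics are constructed samples.
"""
from __future__ import annotations


def topic_matches(filter_: str, topic: str) -> bool:
    """True if `topic` matches subscription `filter_`.

    '+' matches exactly one level, '#' matches all remaining levels and must be
    the last level. A filter starting with a wildcard does not match topics that
    begin with '$' (such as the broker's $SYS/ tree), as the specification requires.
    """
    if topic.startswith("$") and filter_[:1] in ("#", "+"):
        return False
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    Used for subscribe requests: a client limited to 'home/lab/+' asking for
    '#' must be refused outright rather than silently narrowed.
    """
    a, r = allowed.split("/"), requested.split("/")
    for i, al in enumerate(a):
        if al == "#":
            return True
        if i >= len(r) or r[i] == "#" or (al != "+" and al != r[i]):
            return False
    return len(a) == len(r)


# Constructed ACL: client id -> (publish filters, subscribe filters).
ACL = {
    "raspberrypi-dht": (["home/lab/temperature", "home/lab/humidity"], []),
    "phone-dashboard": ([], ["home/lab/+"]),
}


def authorize(client_id: str, action: str, topic: str) -> bool:
    """Broker-side decision for a PUBLISH (`topic` is a topic name) or a
    SUBSCRIBE (`topic` is the requested filter). Unknown clients get nothing."""
    publish_ok, subscribe_ok = ACL.get(client_id, ([], []))
    if action == "publish":
        return any(topic_matches(f, topic) for f in publish_ok)
    if action == "subscribe":
        return any(filter_covers(f, topic) for f in subscribe_ok)
    return False


def wildcard_leak(topics: list[str]) -> list[str]:
    """What an anonymous '#' subscriber receives from a broker with no ACL."""
    return [t for t in topics if topic_matches("#", t)]


if __name__ == "__main__":
    relayed = ["home/lab/temperature", "home/lab/humidity",
               "office/door/state", "$SYS/broker/uptime"]
    print("no ACL, '#' subscriber sees:", wildcard_leak(relayed))
    checks = [("phone-dashboard", "subscribe", "#"),
              ("phone-dashboard", "subscribe", "home/lab/+"),
              ("raspberrypi-dht", "publish", "home/lab/temperature"),
              ("raspberrypi-dht", "publish", "office/door/state"),
              ("attacker", "publish", "home/lab/temperature")]
    for client, action, topic in checks:
        verdict = "allow" if authorize(client, action, topic) else "deny"
        print(f"{client:16} {action:9} {topic:22} -> {verdict}")
```

The subscribe check deliberately compares filters rather than topics: refusing a request for "#" at subscription time is what keeps the wildcard attack from working, whereas a broker that only filtered individual deliveries would still leak whatever the ACL author forgot to list.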
Another attack on MQTT is denial of service, discussed in Section . Firdous et al. ( ) note that mobile devices are attractive platforms for such attacks, as they are always connected to the internet and can be controlled remotely. Web pages are another attractive target.
Firdous et al. ( ) illustrate several attack scenarios on MQTT, among them:
• A user creates multiple TCP sessions with the broker, overloading it and depleting its resources.
• A user sends multiple CONNECT packets to the broker, overloading it and depleting its resources.
• A user with permission to publish sends a large number of messages to the broker, depleting its resources.
• An insider obtains credentials and makes malicious publications, compromising the results derived from the data.
• A user with credentials obtains sensitive data meant for a specific group of clients.
These procedures can be mitigated with information security measures such as a firewall, data encryption, and an ACL in the broker. Firdous et al. ( ) ran their denial of service experiment against a virtual machine, sending two thousand PUBLISH messages and locking the broker for seconds. Fig. shows that the CPU load rose to a peak of % utilization.
A TCP SYN flood is then launched to exhaust the network bandwidth, raising the transfer rate to MB/s, as shown in Fig. . Although Firdous et al. ( ) show a practical application of denial of service, they restrict the procedure to a single application. This paper differs by handling other forms of attack on MQTT, such as sending false data to the broker, and by presenting security techniques, such as encryption of the transmitted data.
Potrino et al. ( ) model and evaluate a security system that mitigates denial of service attacks with an intrusion detection system (IDS) that discards MQTT packets which are not authorized. The IDS can monitor a single server or an entire network segment. Continuous monitoring and analysis of the network are necessary, allowing quick decisions when an attack is detected.
The data monitored by sensor nodes are sent periodically to a fog node using MQTT. The system accepts packets from each node only up to a limited rate, monitors the integrity of its buffers, gives priority to authorized topics, and identifies attacking nodes. Unlike this work, Potrino et al. ( ) concentrate on containing denial of service attacks.
Chifor et al. ( ) design security for MQTT that protects messages against DoS attacks in a smart city transport scenario. A base station receives messages from sensors and from trusted and untrusted vehicles, aggregates the data, and transmits them to the cloud. Untrusted vehicles can provide useful traffic information, but malicious devices can easily disrupt communication between the base station and the trusted vehicles.
Chifor et al. ( ) propose splitting MQTT into two separate channels, one for data and one for security control. On the security channel, a device authenticates with the broker and reports message delays or applies security policies. If several authenticated devices report MQTT message delays, the broker discards messages from unauthenticated devices until the overall network delay recovers. Fig. illustrates the architecture of this split. The authors simulated the effect of delayed messages by having several clients send messages in bulk to a broker, and found that the average network delay increases dramatically; in that situation the broker discards messages from unauthenticated clients and evaluates its security policies. That study thus shows a more complex MQTT deployment, different from the environment considered in this paper, which analyzes the security of MQTT implemented in a simplified way.
As the works presented in this section show, the literature on information security with MQTT is extensive. Besides attack procedures, this paper demonstrates the implementation of measures that make the attacks harder. Section presents the research methodology, with the concepts and methods we used.

Research Methodology
Focusing on the security of MQTT as it is commonly implemented, this paper shows that the security it offers in that form is unsatisfactory: there are loopholes that can be exploited to intercept data and to disrupt connections between objects in an IoT network. After the attack procedures described in the previous sections, we implement security measures in the network, reducing the loopholes of a common IoT deployment.
To achieve these objectives, the attack procedures are carried out within the information security framework, focusing on the data transmitted between the publisher and the broker. Their purpose is to disable the connection between publisher and broker, capture data packets, and send fake data packets. After the tests, we present the analysis of the results.
One procedure, which targets the connection between the devices, is Denial of Service (DoS), a widespread attack that interrupts a system's network connectivity, making it unusable. It is commonly used to block access to a web page (Chen et al., ).
To obtain the data traveling on the network, we used packet capture and analysis, also known as packet sniffing. This method lets someone intercept and catalog the packets that travel over a network and, when they are not encrypted, read their contents (Dawson and McDonald, ).
After executing the attack procedures mentioned above, we implement a firewall on the broker and on the publisher, making it harder to render the connection unusable. We also implement data encryption: an attacker can still intercept the packets, but can no longer read them or forge plausible data, so the analysis of the dataset is not compromised.
After the security measures were in place, we repeated the attack tests on the IoT network, analyzed the new results, and compared them with those obtained before the measures.
We used an IoT network implementing the MQTT protocol to perform the procedures through the Python programming language (Nagpal and Gabrani, , Lo et al., ).
This IoT network is composed of a smartphone acting as the client. The client subscribes to the data published by a Raspberry Pi board fitted with a DHT temperature and humidity sensor, which acts as the publisher (Sharmila et al., ). A notebook acts as the broker by running Mosquitto, an open-source message broker for MQTT (Martins, ).
Besides the equipment of that IoT network, we used a notebook with the Kali Linux operating system (OS), which ships with many tools for information security testing (Al Neyadi et al., ).

Experiments and Results
This section demonstrates the application of information security concepts, both in attacking data and in deploying security measures on the proposed IoT network. After the experiments, we analyze the results, pointing out the weaknesses of MQTT when it is implemented carelessly.

Attack Procedures
This section covers the attack strategies used: Denial of Service, data packet capture, and sending incorrect data packets.

Denial of Service
To apply the denial of service concept, a relatively large volume of packets is sent to the target, saturating its bandwidth or processing capacity so that latency rises sharply and the connection is lost (Liang et al., ). In the proposed experiment, the targets were the publisher containing the DHT sensor and the broker. We used the Low Orbit Ion Cannon (LOIC) program to carry out the attack. LOIC is an open-source program written in C#, intended as a network stress-testing tool but widely used for denial of service attacks (Patil et al., ). It sends a large volume of User Datagram Protocol (UDP) packets, overloading the target so that it stops responding to legitimate requests. Fig. illustrates the LOIC configuration used. First, we set the target to the publisher's IP address and later to the broker's, both on port . The flood uses UDP and, because of hardware limitations on the attacking notebook, five tasks (threads). Note that MQTT runs over TCP, so the UDP flood does not exploit anything in the protocol itself: it exhausts the target host's link and CPU (the kernel must process every datagram and answer closed ports with ICMP errors), which is enough to break the session between publisher and broker.
Figs. and show the loss of connection between the publisher and the broker, interrupting the data flow to the client.
As shown, the denial of service procedure achieved its objective in the MQTT-based IoT environment. The two attacks took seconds, with a total of , , and , , requests, respectively, to reach the goal.

Data Packet Capture
With specialized software, we capture and analyze packets to obtain sensitive information. The best-known and most used tool is Wireshark, thanks to its simple and easy-to-use interface (Wang et al., , Das and Tuna, ). In the experiment, Wireshark runs on the notebook and monitors the wireless network, recording all packets that travel on it. A display filter restricted to the MQTT protocol (the filter expression mqtt) shows only MQTT traffic. With the filter applied, the program saves and decodes the captured packets, revealing the data sent from the publisher to the broker, including the credentials used to access the broker. Fig. shows the credentials visible in Wireshark when the CONNECT packet between the publisher and the broker is selected; Wireshark also shows the moment at which the publisher sends the credentials while requesting the connection.

Figure :
Capture packets with authentication credentials, using the Wireshark.

Fig. shows the publisher's data after selecting the packet carrying the topic in transit. That is a severe security breach: the broker's authentication data can be obtained from the capture. Moreover, depending on the context of the IoT deployment, the data sent to the broker may themselves be confidential and should not be exposed to recording and analysis.
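What Wireshark's decoder does with the captured CONNECT and PUBLISH packets can be shown directly, and it also makes concrete the packet structure described in the MQTT section earlier. The Python below is an added example written for this edit, not code from the paper or from Wireshark: it builds the two packet types the publisher sends, then parses them back the way a passive observer of the TCP stream would. The client identifier "raspberrypi-dht", the credentials "sensor"/"hunter2", the topics and the readings are constructed; the byte layout follows MQTT 3.1.1 sections 3.1 and 3.3.

```python
"""Encode and decode MQTT 3.1.1 CONNECT and PUBLISH packets.

Added example, not code from the paper. It shows why Wireshark can display the
broker credentials and the sensor readings: MQTT carries both in clear text, so
anything that sees the TCP stream can parse them exactly as below. Client id,
topics, credentials and readings are constructed samples; string fields are
returned as raw bytes.
"""
from __future__ import annotations
import struct

def _string(s: str) -> bytes:
    """MQTT string: 2-byte big-endian length, then the UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def _remaining_length(n: int) -> bytes:
    """Variable-length integer: 7 bits per byte, high bit set when more bytes follow."""
    out = bytearray()
    while n >= 128:
        out.append(n % 128 | 0x80)
        n //= 128
    return bytes(out + bytes([n]))

def encode_connect(client_id: str, username: str | None = None,
                   password: str | None = None, keep_alive: int = 60) -> bytes:
    flags, payload = 0x02, _string(client_id)          # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _string(username)
    if password is not None:                           # sent as-is: no hashing, no encryption
        flags, payload = flags | 0x40, payload + _string(password)
    body = _string("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keep_alive) + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body

def encode_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    body = _string(topic)
    if qos > 0:
        body += struct.pack("!H", packet_id)           # packet identifier only for QoS 1 and 2
    body += payload
    return bytes([0x30 | (qos << 1)]) + _remaining_length(len(body)) + body

def _read_bytes(buf: bytes, pos: int) -> tuple[bytes, int]:
    n = struct.unpack_from("!H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _read_remaining_length(buf: bytes, pos: int) -> tuple[int, int]:
    value, mult = 0, 1
    for _ in range(4):                                 # the encoding uses at most four bytes
        value, pos = value + (buf[pos] & 0x7F) * mult, pos + 1
        if not buf[pos - 1] & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")

def parse_packet(buf: bytes, pos: int = 0) -> tuple[dict, int]:
    """Parse one control packet at `pos`; return (fields, offset of the next packet)."""
    first = buf[pos]
    length, start = _read_remaining_length(buf, pos + 1)
    body = buf[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    p, fields = 0, {"type": f"type-{first >> 4}"}
    if first >> 4 == 1:                                # CONNECT
        name, p = _read_bytes(body, p)
        fields.update(type="CONNECT", protocol=name, level=body[p],
                      keep_alive=struct.unpack_from("!H", body, p + 2)[0])
        flags = body[p + 1]
        fields["client_id"], p = _read_bytes(body, p + 4)
        for bit, key in ((0x04, "will_topic"), (0x04, "will_message"),
                         (0x80, "username"), (0x40, "password")):
            if flags & bit:                            # each field is present only if its flag is set
                fields[key], p = _read_bytes(body, p)
    elif first >> 4 == 3:                              # PUBLISH
        fields.update(type="PUBLISH", qos=(first >> 1) & 0x03, retain=bool(first & 0x01))
        fields["topic"], p = _read_bytes(body, p)
        if fields["qos"] > 0:
            fields["packet_id"], p = struct.unpack_from("!H", body, p)[0], p + 2
        fields["payload"] = body[p:]
    return fields, start + length

def sniff(stream: bytes) -> list[dict]:
    """Walk a captured client-to-broker TCP stream, one packet at a time."""
    pos, packets = 0, []
    while pos < len(stream):
        fields, pos = parse_packet(stream, pos)
        packets.append(fields)
    return packets

# Constructed sample of what the publisher (Raspberry Pi) sends right after connecting.
SAMPLE_STREAM = (encode_connect("raspberrypi-dht", username="sensor", password="hunter2")
                 + encode_publish("home/lab/temperature", b"23.5", qos=1, packet_id=7)
                 + encode_publish("home/lab/humidity", b"61.0"))

def leaked_credentials(stream: bytes = SAMPLE_STREAM) -> tuple[str, str] | None:
    """The username/password pair Wireshark shows in the CONNECT packet, if any."""
    for pkt in sniff(stream):
        if pkt["type"] == "CONNECT" and "password" in pkt:
            return pkt["username"].decode(), pkt["password"].decode()
    return None

if __name__ == "__main__":
    for pkt in sniff(SAMPLE_STREAM):
        print(pkt)
    print("credentials on the wire:", leaked_credentials())
```

Nothing in the parser needs a key or a secret: the password is a length-prefixed string in the CONNECT payload, and the reading is the trailing bytes of the PUBLISH body. That is exactly why TLS on the client-to-broker link, rather than anything inside MQTT, is what keeps these fields out of a capture.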

Figure :
Capture of packages containing data sent from the publisher.

Sending incorrect data packets
A further advantage for the attacker is knowing the connection credentials and the topic used to transmit the publisher's data. This knowledge is obtained with the packet capture tools described earlier.
After recording and analyzing the intercepted packets, the attacker can create an impostor publisher and send false data, impairing decisions taken over the collected dataset.

Fig. illustrates the capture of the publisher's packets with the authentication credentials, which allows incorrect data to be sent to the broker from an unauthorized publisher (da Silveira, ).

Fig. shows that the client received the false data, characterized by the temperature value , and humidity , . Since the subscriber receives the false data, the analysis and interpretation may contain errors, harming the whole experiment.

Figure :
Demonstration that the client received the false data sent by a non-authentic publisher.

Security measures
Following, we will discuss some strategies for increasing device security for IoT.

Data packet traffic encryption
Data encryption is a widely used technique for protecting data transmitted over a network (Carracedo et al., ). In this system, the publisher and the authentic subscriber share a secret key, and the key is necessary to read the data (Oak and Daruwala, ). Fig. shows that an attacker using Wireshark can still obtain the topic name. However, it is no longer possible to read the original data sent by the publisher: where the readings were, the capture now shows ciphertext. Two caveats apply. Encrypting only the payload leaves the topic names, the client identifiers, and the broker credentials in the CONNECT packet in clear; hiding those requires TLS between the clients and the broker. And confidentiality alone does not stop the fake-publisher attack of the previous section: the encryption must be authenticated (a MAC or an AEAD mode), so that the subscriber rejects any message that was not produced with the key.
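The paper only states that publisher and subscriber share a key, so the following Python is an added example of one way to do it, written for this edit and not the authors' scheme. It covers both the fake-publisher attack from the previous section and the encryption described here: the sealed payload is unreadable in a capture, a message forged without the key or tampered in transit fails the tag check, and a captured message replayed later is rejected by a per-topic sequence number. Because Python's standard library has no AES, the cipher is a keystream derived with HMAC-SHA256 in counter mode, used encrypt-then-MAC with a separate MAC key; a deployment should use AES-GCM (for instance through the `cryptography` package) or TLS instead. The key, topic and readings are constructed.

```python
"""Authenticated payload encryption for MQTT messages under a pre-shared key.

Added example; the paper only states that publisher and subscriber share a key,
so the scheme here is this edit's, not the authors'. Python's standard library
has no AES, so the cipher is a keystream derived with HMAC-SHA256 in counter
mode, used encrypt-then-MAC with a separate MAC key, a random nonce and a per
topic sequence number. That is sound for illustration; a deployment should use
AES-GCM (the `cryptography` package) or TLS between clients and broker. The key,
topic and readings are constructed samples.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

PSK = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")  # sample key
NONCE_LEN, SEQ_LEN, TAG_LEN = 12, 8, 32

def _derive(psk: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one shared secret."""
    return hmac.new(psk, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(topic: str, seq: int, plaintext: bytes, psk: bytes = PSK) -> bytes:
    """Publisher side: nonce || seq || ciphertext || tag. The topic is bound into the
    tag so a valid message cannot be replayed under a different topic."""
    enc_key, mac_key = _derive(psk, b"enc"), _derive(psk, b"mac")
    nonce, header = os.urandom(NONCE_LEN), struct.pack("!Q", seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, topic.encode() + nonce + header + ct, hashlib.sha256).digest()
    return nonce + header + ct + tag

class Subscriber:
    """Subscriber side; remembers the last accepted sequence number per topic."""
    def __init__(self, psk: bytes = PSK):
        self.enc_key, self.mac_key = _derive(psk, b"enc"), _derive(psk, b"mac")
        self.last_seq: dict[str, int] = {}

    def open(self, topic: str, blob: bytes) -> bytes | None:
        """Return the plaintext, or None if the message is forged, tampered or replayed."""
        if len(blob) < NONCE_LEN + SEQ_LEN + TAG_LEN:
            return None
        nonce, header = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + SEQ_LEN]
        ct, tag = blob[NONCE_LEN + SEQ_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, topic.encode() + nonce + header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # a fake publisher has no key: tag check fails
        (seq,) = struct.unpack("!Q", header)
        if seq <= self.last_seq.get(topic, -1):
            return None                      # captured-and-resent message
        self.last_seq[topic] = seq
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))

def demo() -> dict:
    """Run the attacks from the paper against one sealed temperature reading."""
    sub = Subscriber()
    blob = seal("home/lab/temperature", 1, b"23.5")
    forged = os.urandom(NONCE_LEN) + struct.pack("!Q", 2) + b"99.9" + os.urandom(TAG_LEN)
    tampered = bytearray(blob)
    tampered[NONCE_LEN + SEQ_LEN] ^= 0x01   # flip one ciphertext bit
    return {
        "sniffer_sees_plaintext": b"23.5" in blob,
        "legit": sub.open("home/lab/temperature", blob),
        "replay": sub.open("home/lab/temperature", blob),
        "forged": sub.open("home/lab/temperature", forged),
        "tampered": sub.open("home/lab/temperature", bytes(tampered)),
        "wrong_topic": Subscriber().open("home/lab/humidity", blob),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result!r}")
```

The sequence number is what turns confidentiality into protection against the injected readings: without it, an attacker who captured one genuine sealed message could resend it indefinitely and the subscriber would accept a stale but authentic value. The publisher therefore has to persist its counter across restarts (or use a timestamp the subscriber checks), otherwise its own messages are rejected after a reboot.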

Figure :
Capturing packages with data sent from the publisher.

Firewall
A firewall is software or hardware intended to enforce security policies at a certain point in the network (Gupta et al., ). It filters and analyzes the packets that travel through that point. It can also be implemented as a proxy that handles all requests and then forwards them to the server (La Cruz and Goyzueta, ). A web application firewall (WAF), widely used for web applications, creates a barrier between the business and the internet, filtering and blocking unauthorized access (Clincy and Shahriar, ). For this application we used the Uncomplicated Firewall (UFW), a command-line front end for managing firewall rules that is available on Arch Linux, Debian, and Ubuntu. In practice, UFW lets one define security rules and policies with commands in the Linux terminal (Krout, ). Against denial of service attacks, two policies can be implemented, for example. The first is to identify the attacker's IP address and deny packets from it, as shown in Fig. . The second is to limit the rate at which packets of a given protocol, such as UDP, are accepted, so that the target's resources are not exhausted. Fig. illustrates the UDP rate-limiting rule implemented in the UFW of the broker. Both policies have limits a practitioner should keep in mind: a deny-by-IP rule is defeated by an attacker that spoofs or rotates source addresses, and a host firewall can only drop packets that have already crossed the link, so it protects the host's CPU and the MQTT session but cannot recover bandwidth consumed upstream. Since the broker listens only on TCP, dropping unsolicited UDP entirely is the simpler rule.

Figure :
Denial of UFW packet received from a given IP address.

Figure :
Limitation of data packets received from the UDP protocol type.

Analysis of Results
MQTT presents particular weaknesses when implemented in a simplified way, both in the connection between devices and in the data traveling on the network. Therefore, we implemented measures that make the IoT network less fragile, that is, measures that identify and hinder attacks by an external agent, namely data encryption and firewalls. The attacks we carried out show that success against a simply implemented IoT network is easy.
With payload encryption in place, the data can no longer be read, as interpreting the ciphertext is impractical. With the firewall, the network connection stayed stable, by denying the connection to a specific IP address and by limiting the volume of packets received.

Conclusion
An IoT network with a simplified MQTT implementation has vulnerabilities that can be exploited in several ways, compromising the confidentiality, integrity, and availability of the data and impairing all work and analysis built on them. However, with some care in the network's installation and configuration, it is possible to make it more robust through information security policies. The vulnerabilities presented can be prevented by encrypting the data and by implementing a firewall that keeps the network connection stable.

Future Works
For future work, we will focus on implementing information security methods for the IoT network using MQTT. These methods will concentrate on the following actions.
• Implement and release an installer or the source code of complete projects implementing MQTT, in which the publisher, subscriber, and broker already include the appropriate security methods, such as encryption and an authentication mechanism.
• Perform scalability studies of the environment, adding several sensors with different credential levels, leaving some data exposed to public access and others confidential.
• Assess the cost of implementing a more robust information security system in the IoT network, depending on the criticality of the data.
• Survey and study hosting the broker in the cloud, where only the publisher and the subscriber need to be implemented in the IoT network.

Krout, E. ( ). How to configure a firewall with UFW.