
arxiv: 2605.15804 · v1 · pith:QO6Q2WDNnew · submitted 2026-05-15 · 💻 cs.CR

Security Analysis of a Communication Protocol: MQTT

Pith reviewed 2026-05-20 17:35 UTC · model grok-4.3

classification 💻 cs.CR
keywords MQTT · IoT security · vulnerability analysis · eavesdropping · denial of service · encryption · authentication · smart home

The pith

MQTT in IoT lacks robust encryption and authentication, leaving it open to eavesdropping, tampering, denial-of-service, and brute-force attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper tests the security of the MQTT messaging protocol that many Internet of Things devices use to send data. The authors combine a review of how the protocol works with hands-on attacks run inside a simulated smart-home network. The attacks succeed because messages travel without strong encryption or checks on who is sending them. A reader should care because the same weaknesses appear in many real devices that control homes, factories, and sensors. The paper ends by listing concrete fixes such as adding encryption layers and requiring proper login steps before any device can publish or receive messages.
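As an added example (not code from the paper or its authors), the following script shows what "messages travel without strong encryption or checks on who is sending them" looks like on the wire from a defender's side: a passive monitor on the plaintext MQTT port parses each MQTT 3.1.1 CONNECT packet and reports sessions that either authenticate with credentials sent in the clear or present no credentials at all. The packets are constructed inline; the function names `build_connect`, `parse_connect` and `audit_connects` are chosen here and are not from the paper.

```python
"""Audit MQTT 3.1.1 CONNECT packets seen on a plaintext listener.

Added example, not code from the paper: a passive, defender-side check
that a network monitor could run on traffic to TCP/1883. It parses the
CONNECT packet (fixed header, variable header, payload) and reports
sessions that either authenticate with credentials sent in the clear or
connect with no credentials at all. All packets below are constructed.
"""
import struct


def _encode_varint(n):
    """MQTT 'remaining length' encoding: 7 data bits per byte, MSB = continue."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _decode_varint(buf, pos):
    """Decode a 'remaining length' field starting at buf[pos]; at most 4 bytes."""
    value, mult = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")


def _field(buf, pos):
    """Length-prefixed (big-endian uint16) field used for strings and will payloads."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build a minimal CONNECT packet; used only to construct sample traffic."""
    def s(text):
        b = text.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    flags, payload = 0x02, s(client_id)            # 0x02 = clean session
    if username is not None:
        flags |= 0x80                              # username flag
        payload += s(username)
    if password is not None:
        flags |= 0x40                              # password flag
        payload += s(password)
    body = s("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    return bytes([0x10]) + _encode_varint(len(body)) + body


def parse_connect(pkt):
    """Decode a CONNECT packet into its security-relevant fields."""
    if pkt[0] >> 4 != 1:                           # control packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_varint(pkt, 1)
    if pos + remaining != len(pkt):
        raise ValueError("remaining length does not match packet size")
    proto, pos = _field(pkt, pos)
    level, flags = pkt[pos], pkt[pos + 1]
    pos += 2
    (keepalive,) = struct.unpack_from(">H", pkt, pos)
    pos += 2
    client_id, pos = _field(pkt, pos)
    if flags & 0x04:                               # will flag: skip will topic and message
        _, pos = _field(pkt, pos)
        _, pos = _field(pkt, pos)
    username = password = None
    if flags & 0x80:
        raw, pos = _field(pkt, pos)
        username = raw.decode("utf-8")
    if flags & 0x40:
        raw, pos = _field(pkt, pos)
        password = raw.decode("utf-8", "replace")
    return {"protocol": proto.decode("utf-8"), "level": level, "keepalive": keepalive,
            "client_id": client_id.decode("utf-8"), "username": username,
            "password": password}


def audit_connects(packets):
    """Return (client_id, finding) pairs for every CONNECT seen on the plaintext port."""
    findings = []
    for pkt in packets:
        c = parse_connect(pkt)
        if c["username"] is None and c["password"] is None:
            findings.append((c["client_id"], "anonymous session: broker accepts unauthenticated clients"))
        else:
            findings.append((c["client_id"], "credentials sent in clear text: readable by anyone on the path"))
    return findings


# Constructed sample traffic: one device logging in, one connecting anonymously.
SAMPLE_PACKETS = [
    build_connect("thermostat-01", username="home", password="hunter2"),
    build_connect("camera-02"),
]

if __name__ == "__main__":
    for client_id, finding in audit_connects(SAMPLE_PACKETS):
        print(f"{client_id}: {finding}")
```

Both findings map onto the paper's attack list: a credential visible to the parser is equally visible to an eavesdropper on the same segment, and an anonymous session is what a tampering or flooding client relies on. Running the same monitor against a TLS listener yields nothing to parse, which is the point of the mitigations the paper proposes.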

Core claim

The MQTT protocol, when deployed without robust encryption and authentication, permits eavesdropping, tampering, denial-of-service, and brute-force attacks. In the simulated smart-home environment these attacks were executed and confirmed the exposure that results from the protocol's default lack of security measures. The study therefore recommends mitigation strategies and best practices to strengthen MQTT implementations in IoT settings.

What carries the argument

The MQTT protocol's default message handling without mandatory encryption or strong authentication, demonstrated through executed eavesdropping, tampering, DoS, and brute-force attacks inside a simulated smart-home testbed.

Load-bearing premise

That the simulated smart-home environment and the chosen attack executions sufficiently represent real-world MQTT deployments and practical threat models.

What would settle it

A production MQTT broker with TLS encryption and client certificates that successfully blocks all four attacks when subjected to the same test sequence would falsify the central claim.
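The falsifying configuration described above is a broker with TLS, client certificates and topic authorization. As an added example (not from the paper; it assumes an Eclipse Mosquitto broker, which the page does not name), here is a small linter over `mosquitto.conf` that flags the default-style settings the four attacks depend on and passes a hardened configuration. Both configurations are constructed for this example and the certificate and ACL paths in them are placeholders; `parse_conf` and `audit_conf` are names chosen here.

```python
"""Lint a mosquitto.conf for the weaknesses behind the paper's four attacks.

Added example, not from the paper. Assumes Eclipse Mosquitto directives
(listener, cafile/certfile/keyfile, require_certificate, allow_anonymous,
password_file, acl_file). The two configurations below are constructed
and every file path in them is a placeholder.
"""

# TLS material a listener needs before it can offer an encrypted port.
LISTENER_TLS_KEYS = {"cafile", "certfile", "keyfile"}
# Other directives that attach to the most recent 'listener' line.
LISTENER_KEYS = LISTENER_TLS_KEYS | {"require_certificate", "use_identity_as_username", "tls_version"}

WEAK_CONF = """
# constructed: a default-style broker reachable on the LAN
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """
# constructed: TLS listener with mutual authentication and topic ACLs
# (all paths are placeholders)
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true
allow_anonymous false
acl_file /etc/mosquitto/acl
"""


def parse_conf(text):
    """Split a config into global options and a list of per-listener option dicts."""
    global_opts, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.strip(), value.strip()
        if key == "listener":
            parts = value.split()
            listeners.append({"port": int(parts[0]), "bind": parts[1] if len(parts) > 1 else ""})
        elif listeners and key in LISTENER_KEYS:
            listeners[-1][key] = value
        else:
            global_opts[key] = value
    return global_opts, listeners


def audit_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    opts, listeners = parse_conf(text)
    findings = []
    if opts.get("allow_anonymous") == "true":
        findings.append("allow_anonymous true: any client may connect without credentials")
    if not listeners:
        findings.append("no listener directive: verify which port the broker exposes by default")
    client_auth = "password_file" in opts
    for lst in listeners:
        if not LISTENER_TLS_KEYS.issubset(lst):
            findings.append(f"listener {lst['port']}: no TLS, so messages and credentials cross the network in clear text")
        elif lst.get("require_certificate") != "true":
            findings.append(f"listener {lst['port']}: TLS without client certificates, clients are not authenticated by certificate")
        else:
            client_auth = True
    if not client_auth:
        findings.append("no password_file and no client-certificate listener: clients are never authenticated")
    if "acl_file" not in opts:
        findings.append("no acl_file: every connected client may publish and subscribe to every topic")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or ['no findings']}")
```

The checks are deliberately conservative about defaults: `allow_anonymous` is only flagged when it is set to `true` explicitly, because the broker's default for that directive changed between Mosquitto releases, so a configuration that omits it should be checked against the installed version rather than assumed safe.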

Figures

Figures reproduced from arXiv: 2605.15804 by Clarisse Sousa, Filipe Duarte, Luís Ribeiro, Ricardo Venâncio.

Figure 1: Architecture diagram of the simulated Smart Home environment.
Figure 2: Diagram illustrating the Man-in-the-Middle (MiTM) tampering attack.
Original abstract

This paper analyzes the security of the Message Queuing Telemetry Transport (MQTT) protocol in the context of the Internet of Things (IoT). The main objective consists of identifying vulnerabilities and proposing security improvements. Adopting a hybrid methodology, a theoretical review was combined with an experimental demonstration in a simulated Smart Home environment. Eavesdropping, Tampering, Denial of Service (DoS), and Brute Force attacks were executed and analyzed. The results evidenced critical risks due to the absence of robust encryption and authentication. Finally, mitigation strategies and best practices are proposed to strengthen MQTT implementations.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper analyzes the security of the MQTT protocol in IoT settings via a hybrid methodology combining theoretical review with experimental demonstration of eavesdropping, tampering, DoS, and brute-force attacks in a simulated Smart Home environment. It concludes that the results evidence critical risks due to the absence of robust encryption and authentication, and proposes mitigation strategies and best practices.

Significance. If the experimental results hold under detailed scrutiny and the simulation is shown to reflect typical real-world MQTT deployments (including common use of TLS or broker authentication), the work could usefully illustrate practical attack surfaces in IoT messaging and reinforce the need for layered security. The contribution would be incremental rather than foundational, given the well-documented default insecurity of plain MQTT.

major comments (2)
  1. [Experimental demonstration] Experimental demonstration section: the abstract and summary describe attack executions and results evidencing critical risks, yet supply no quantitative data, error analysis, success rates, or detailed methodology (e.g., network topology, packet captures, or timing measurements). This prevents independent verification of the central claim that the attacks demonstrate protocol-level vulnerabilities rather than expected behavior on an unsecured baseline.
  2. [Attack executions] Attack executions and results: no comparison is reported between the default plaintext MQTT setup and secured variants (MQTT over TLS, ACLs, or broker-level authentication). Without this, the evidence shows risks only in the chosen unsecured simulation and does not establish that the identified risks are inherent to typical deployed MQTT systems, which is load-bearing for the claim of 'critical risks due to the absence of robust encryption and authentication.'
minor comments (1)
  1. The abstract states that mitigation strategies are proposed but does not enumerate them; a brief list or table in the conclusions would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment below, indicating where revisions will be made to improve clarity and verifiability while preserving the manuscript's focus on default MQTT deployments.

Point-by-point responses
  1. Referee: [Experimental demonstration] Experimental demonstration section: the abstract and summary describe attack executions and results evidencing critical risks, yet supply no quantitative data, error analysis, success rates, or detailed methodology (e.g., network topology, packet captures, or timing measurements). This prevents independent verification of the central claim that the attacks demonstrate protocol-level vulnerabilities rather than expected behavior on an unsecured baseline.

    Authors: We acknowledge the need for greater methodological detail to support independent verification. The revised manuscript will expand the experimental section with quantitative results including attack success rates, timing measurements, error considerations, and a full description of the simulation environment, network topology, and analysis tools such as packet captures. These additions will explicitly tie the observed outcomes to the unsecured baseline configuration. revision: yes

  2. Referee: [Attack executions] Attack executions and results: no comparison is reported between the default plaintext MQTT setup and secured variants (MQTT over TLS, ACLs, or broker-level authentication). Without this, the evidence shows risks only in the chosen unsecured simulation and does not establish that the identified risks are inherent to typical deployed MQTT systems, which is load-bearing for the claim of 'critical risks due to the absence of robust encryption and authentication.'

    Authors: The manuscript centers on vulnerabilities in the common default plaintext MQTT setup used in many IoT environments. To strengthen the link between the absence of security features and the observed risks, we will add direct comparisons in the revised version, demonstrating attack outcomes under MQTT over TLS and with broker authentication or ACLs enabled. This will show mitigation effectiveness while retaining the emphasis on unsecured deployments. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical attack simulation rests on independent experimental outcomes

full rationale

The paper performs a hybrid theoretical review plus experimental demonstration by executing eavesdropping, tampering, DoS and brute-force attacks inside a simulated Smart Home MQTT setup. All load-bearing claims are grounded in the observed results of those concrete attack executions rather than any fitted parameters, self-referential definitions, equations, or self-citation chains. No derivation chain exists that reduces a prediction back to its own inputs; the work is a standard empirical security audit whose conclusions follow directly from the described test outcomes.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available; no explicit free parameters, axioms, or invented entities are stated. The analysis implicitly assumes standard security threat models and that simulation results generalize.

pith-pipeline@v0.9.0 · 5621 in / 991 out tokens · 85433 ms · 2026-05-20T17:35:04.982363+00:00 · methodology


