
I have a use case where I'm not able to use MQTTS/TLS due to constraints on the devices.

Our plan is to perform authentication during MQTT CONNECT, passing a JWT token as the password. If I understand correctly, MQTT keeps a TCP connection open for all subsequent messages.

Given a standard MQTT broker (like HiveMQ, VerneMQ, ...), is it possible for an attacker to PUBLISH an MQTT message without calling CONNECT first?

Of course they can potentially sniff the JWT token and call CONNECT, but this token will be valid only for a short period of time... And we can also put in place some auditing on CONNECT to try to prevent attacks (IP filtering, ...).

I know that in any case this will not be a secure-proof solution, but this will be used only on a small set of devices, hopefully for a short period of time.

My concern is whether an attacker can just send traffic "on behalf of another TCP connection", i.e. call PUBLISH without first calling CONNECT. Maybe this doesn't make sense...

1 Answer


As far as I know, the first operation that needs to be done after the TCP handshake is a CONNECT. So in theory nobody can send a PUBLISH message as the first MQTT PDU. But I would be worried if the implementation on your devices allows receiving messages without a CONNECT message. So it would be a good idea to verify that the implementation on your devices respects the order, first a CONNECT, by using a library that verifies your concerns.

camp0
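The ordering rule the answer relies on, shown as an added example that is not part of this thread: MQTT 3.1.1 requires the first packet a client sends on a network connection to be CONNECT ([MQTT-3.1.0-1]) and treats a second CONNECT on the same connection as a protocol violation ([MQTT-3.1.0-2]). The Python below builds minimal CONNECT and PUBLISH packets (the JWT travels in the CONNECT password field, which is cleartext without TLS) and replays them through the per-connection state check a conforming broker applies, so a PUBLISH arriving on a fresh TCP connection with no CONNECT is rejected. The builders, client names, topic and token value are constructed for illustration and are not any broker's code.

```python
import struct

CONNECT, PUBLISH = 1, 3  # MQTT 3.1.1 packet types: high nibble of the first header byte

def _mqtt_str(s: bytes) -> bytes:
    """MQTT string field: 2-byte big-endian length prefix, then the bytes."""
    return struct.pack(">H", len(s)) + s

def _fixed_header(first_byte: int, body: bytes) -> bytes:
    """Prepend the fixed header: type/flags byte plus variable-length Remaining Length."""
    n, enc = len(body), b""
    while True:
        digit, n = n % 128, n // 128
        enc += bytes([digit | (0x80 if n else 0)])
        if not n:
            return bytes([first_byte]) + enc + body

def build_connect(client_id: bytes, username: bytes, password: bytes) -> bytes:
    """CONNECT, protocol level 4, flags 0xC2 = username + password + clean session.
    Without TLS the password (here the JWT) crosses the wire in cleartext."""
    var_hdr = _mqtt_str(b"MQTT") + b"\x04\xC2" + struct.pack(">H", 60)  # keepalive 60 s
    payload = _mqtt_str(client_id) + _mqtt_str(username) + _mqtt_str(password)
    return _fixed_header(0x10, var_hdr + payload)

def build_publish(topic: bytes, message: bytes) -> bytes:
    """QoS 0 PUBLISH: topic name, then the application message."""
    return _fixed_header(0x30, _mqtt_str(topic) + message)

def check_session(packets):
    """Replay one TCP connection's packets through the broker-side ordering rule;
    stop at the first violation, where a conforming broker closes the socket."""
    connected, verdicts = False, []
    for pkt in packets:
        ptype = pkt[0] >> 4
        if not connected and ptype != CONNECT:
            verdicts.append("reject-first-packet-not-connect")  # [MQTT-3.1.0-1]
            break
        if connected and ptype == CONNECT:
            verdicts.append("reject-duplicate-connect")  # [MQTT-3.1.0-2]
            break
        connected = True
        verdicts.append("accept")
    return verdicts

# Constructed sample traffic. Each list is one TCP connection; the second one is a
# PUBLISH sent on a fresh connection with no CONNECT, the case the question asks about.
JWT = b"eyJhbGciOi.constructed.placeholder"  # placeholder, not a real token
DEVICE_SESSION = [build_connect(b"dev-01", b"dev-01", JWT),
                  build_publish(b"sensors/dev-01", b"21.5")]
PUBLISH_ONLY_SESSION = [build_publish(b"sensors/dev-01", b"99.9")]
```

Note that the check is keyed to the TCP connection, not to the client identity: a sniffed token lets an attacker open their own connection and send a valid CONNECT, which is the short-lived-token and CONNECT-auditing concern the question already raises, not a way to inject PUBLISH into an existing connection.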