<!-- Source: https://melinasecurity.com/knowledge/glossary/mqtt/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# MQTT

**slug:** `mqtt` · **URL:** `/knowledge/glossary/mqtt/` · **category:** IoT Protocols · **reviewer:** Tatiana

### Definition

MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe messaging protocol designed for constrained devices and low-bandwidth networks. Standardized as ISO/IEC 20922 (current version MQTT 5.0), it is the most widely deployed IoT messaging protocol.

### What it means

MQTT was designed for resource-constrained devices communicating over unreliable networks — small message footprint, simple state model, broker-mediated topic-based publish-subscribe. It is the default device-to-cloud protocol for AWS IoT Core, Azure IoT Hub, Aliyun IoT, Tencent Cloud IoT, and most major commercial IoT platforms.

The security model in MQTT 3.1.1 and earlier is minimal: authentication via username/password (sent in cleartext unless wrapped in TLS), no built-in authorization model beyond what the broker provides, no message encryption beyond TLS. MQTT 5.0 added enhanced authentication (challenge-response, SCRAM, OAuth-equivalent) but adoption is uneven. In practice the security of an MQTT deployment is determined by the broker's TLS configuration, topic-level authorization rules, and client certificate handling.
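To make the cleartext-credential point concrete, here is an added example (not code from the page or from any broker project): a small parser for the MQTT CONNECT packet, covering both 3.1.1 and 5.0 framing, that extracts the protocol level, client identifier and any username/password the client sent. Run over a capture from a non-TLS listener it shows exactly which fields are readable on the wire, and the same fields are what a broker-side policy checks when rejecting anonymous clients or inventorying pre-5.0 devices. The sample packet is constructed.

```python
import struct

def _vbi(buf, pos):
    """Decode an MQTT Variable Byte Integer (1-4 bytes); return (value, next pos)."""
    value = 0
    for shift in range(0, 28, 7):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
    raise ValueError("malformed Variable Byte Integer")

def _binary(buf, pos):
    """Decode a two-byte big-endian length prefix plus that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _skip_props(buf, pos):
    """MQTT 5.0 only: step over a properties block (VBI length, then bytes)."""
    plen, pos = _vbi(buf, pos)
    return pos + plen

def parse_connect(pkt: bytes) -> dict:
    """Return version, client id and any username/password carried by a CONNECT."""
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _vbi(pkt, 1)
    end = pos + remaining
    name, pos = _binary(pkt, pos)
    if name != b"MQTT":
        raise ValueError("unexpected protocol name %r" % name)
    level, flags, pos = pkt[pos], pkt[pos + 1], pos + 4   # level, flags, keep-alive
    pos = _skip_props(pkt, pos) if level == 5 else pos
    client_id, pos = _binary(pkt, pos)
    info = {"version": {4: "3.1.1", 5: "5.0"}.get(level, str(level)),
            "client_id": client_id.decode(), "username": None, "password": None}
    if flags & 0x04:                         # Will flag: skip (properties,) topic, message
        pos = _skip_props(pkt, pos) if level == 5 else pos
        _, pos = _binary(pkt, _binary(pkt, pos)[1])
    if flags & 0x80:                         # User Name flag
        user, pos = _binary(pkt, pos)
        info["username"] = user.decode()
    if flags & 0x40:                         # Password flag: binary data, not a string
        info["password"], pos = _binary(pkt, pos)
    if pos != end:
        raise ValueError("CONNECT length does not match Remaining Length")
    return info
# Constructed MQTT 3.1.1 CONNECT: client "sensor-01", user "device", password "s3cret"
SAMPLE_CONNECT = bytes.fromhex("1025" "00044d515454" "04" "c2" "003c"
                               "000973656e736f722d3031" "0006646576696365" "0006733363726574")
```

Bytes captured on port 1883 decode exactly like `SAMPLE_CONNECT`; only a TLS listener (conventionally 8883) hides the username and password fields from anyone on the path.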

For offensive-security assessment, MQTT testing covers: broker authentication and authorization analysis, topic enumeration and access-control bypass, message replay and injection, broker-side authorization-bypass attempts, and client-side certificate handling review.

### Related terms

- [CoAP](/knowledge/glossary/coap/)
- [LWM2M](/knowledge/glossary/lwm2m/)
- [TLS](/knowledge/glossary/tls/)

### Authoritative sources

- [MQTT 5.0 OASIS standard](https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html)
- [MQTT 3.1.1 OASIS standard](https://docs.oasis-open.org/mqtt/mqtt/v3.1.1/mqtt-v3.1.1.html)
