MQTT
Definition
MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe messaging protocol designed for constrained devices and low-bandwidth networks. Standardized as ISO/IEC 20922 (current version MQTT 5.0), it is the most widely deployed IoT messaging protocol.
What it means
MQTT was designed for resource-constrained devices communicating over unreliable networks — small message footprint, simple state model, broker-mediated topic-based publish-subscribe. It is the default device-to-cloud protocol for AWS IoT Core, Azure IoT Hub, Aliyun IoT, Tencent Cloud IoT, and most major commercial IoT platforms.
The security model in MQTT 3.1.1 and earlier is minimal: authentication via username/password (sent in cleartext unless wrapped in TLS), no built-in authorization model beyond what the broker provides, no message encryption beyond TLS. MQTT 5.0 added enhanced authentication (challenge-response, SCRAM, OAuth-equivalent) but adoption is uneven. In practice the security of an MQTT deployment is determined by the broker's TLS configuration, topic-level authorization rules, and client certificate handling.
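One way to review topic-level authorization, as an added example (not from the original page or from any broker's code): it implements MQTT topic-filter matching for `+` and `#` and flags grants that reach topics outside a device's own subtree. The ACL layout, the client ids, and the `devices/<client-id>/` naming convention are constructed assumptions.

```python
# Added example: audit per-client MQTT topic grants for over-broad wildcards.
# ACL layout, client ids and the devices/<client-id>/ convention are constructed.

def topic_matches(topic_filter, topic):
    """MQTT topic-filter matching: '+' is one level, '#' is that level and all below."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    # A filter that starts with a wildcard never matches '$' topics such as $SYS/...
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

def audit(acl, topics):
    """Return (client, access, filter, foreign_topics) for grants that reach
    topics outside the client's own devices/<client-id>/ subtree."""
    findings = []
    for client, grants in acl.items():
        own = f"devices/{client}/"
        for access, flt in grants:
            foreign = [t for t in topics
                       if topic_matches(flt, t) and not t.startswith(own)]
            if foreign:
                findings.append((client, access, flt, foreign))
    return findings

ACL = {  # constructed sample: client id -> [(access, topic filter)]
    "sensor-01": [("write", "devices/sensor-01/telemetry"),
                  ("read", "devices/sensor-01/cmd")],
    "sensor-02": [("write", "devices/+/telemetry"),
                  ("read", "devices/sensor-02/cmd")],
    "lock-07": [("read", "#")],
}
TOPICS = [  # constructed topic inventory
    "devices/sensor-01/telemetry", "devices/sensor-01/cmd",
    "devices/sensor-02/telemetry", "devices/sensor-02/cmd",
    "devices/lock-07/cmd", "$SYS/broker/clients/connected",
]

if __name__ == "__main__":
    for client, access, flt, foreign in audit(ACL, TOPICS):
        print(f"{client}: {access} '{flt}' reaches {len(foreign)} foreign topic(s)")
```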
For offensive-security assessment, MQTT testing covers: broker authentication and authorization analysis, topic enumeration and access-control bypass, message replay and injection, broker-side authorization-bypass attempts, and client-side certificate handling review.
Authoritative sources
- MQTT 5.0 OASIS standard
- MQTT 3.1.1 OASIS standard