TCP Dangerous Messaging

Port 1883 (MQTT)

## Quick Info

  • Port Number: 1883
  • Protocol: TCP
  • Service: MQTT
  • IANA Name: MQTT

## Service Description

Port 1883 is the standard TCP port for MQTT (Message Queuing Telemetry Transport), a lightweight, publish-subscribe network protocol designed for constrained devices and low-bandwidth, high-latency or unreliable networks. Originally developed by Andy Stanford-Clark of IBM and Arlen Nipper of Arcom (now Eurotech) in 1999, MQTT is particularly well-suited for IoT (Internet of Things) applications, mobile applications, and machine-to-machine (M2M) communication.

It operates on top of the TCP/IP protocol stack and utilizes a broker to facilitate message exchange between publishers and subscribers. Clients connect to the MQTT broker and can either publish messages to specific topics or subscribe to topics to receive messages published to those topics. The broker manages the distribution of messages based on the topic hierarchy. The protocol defines three Quality of Service (QoS) levels: 0 (At most once), 1 (At least once), and 2 (Exactly once), allowing for trade-offs between reliability and performance depending on the application's needs.

The MQTT protocol utilizes a binary message format, making it efficient in terms of bandwidth usage and processing overhead. The simplicity of the protocol and its small footprint make it ideal for resource-constrained devices such as sensors and embedded systems. The MQTT protocol is now an OASIS standard.

## Firewall Recommendations

Blocking port 1883 is recommended if MQTT is not required for any internal or external services. If MQTT is necessary:

  • Secure it using TLS/SSL encryption (port 8883 is commonly used for MQTT over TLS).
  • Implement strong authentication and authorization mechanisms to prevent unauthorized access.
  • Use access control lists (ACLs) to restrict which clients can publish or subscribe to specific topics.
  • Regularly update MQTT broker software to patch security vulnerabilities.
  • Monitor MQTT traffic for suspicious activity, such as unusual connection patterns or attempts to access sensitive topics.
  • Consider using a VPN or other secure tunnel for MQTT traffic over public networks.
  • For IoT devices, ensure they are securely configured and regularly updated with the latest security patches.
  • Employ network segmentation to isolate IoT devices from other parts of the network, limiting the impact of a potential compromise.
  • Implement rate limiting to prevent denial-of-service attacks.
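The ACL recommendation above depends on how MQTT topic filters match topic names. The following added example (not code from any broker) implements the `+` and `#` wildcard rules and a default-deny ACL check; the client names, topics and the `read`/`write` ACL layout are constructed for illustration.

```python
# Added example: MQTT topic-filter matching plus a default-deny ACL lookup.
# Client names, topics and the ACL layout below are constructed.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """Match a concrete topic name against a filter with + and # wildcards."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # MQTT 3.1.1 section 4.7.2: a filter that starts with a wildcard must not
    # match topics beginning with '$' (for example $SYS/...).
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            # Multi-level wildcard: only valid as the last level; it matches
            # the parent level and everything below it.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

# "write" = client may publish to the topic; "read" = broker may deliver it.
ACL = {
    "sensor-17": {"write": ["plant/line1/sensor-17/+"], "read": []},
    "dashboard": {"write": [], "read": ["plant/+/+/temperature"]},
    "ops-all":   {"write": [], "read": ["#"]},
    "monitor":   {"write": [], "read": ["$SYS/#"]},
}

def is_allowed(client: str, action: str, topic: str) -> bool:
    """Default deny: unknown clients and unlisted topics are rejected."""
    rules = ACL.get(client, {}).get(action, [])
    return any(topic_matches(f, topic) for f in rules)
```

Note that a broad `#` grant does not cover `$SYS/...` topics; broker status topics need their own explicit rule.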

## Security Information

MQTT's lightweight nature can also lead to security vulnerabilities if not properly configured. The lack of built-in security features in the core protocol means that security relies heavily on proper authentication, authorization, and encryption. A common misconfiguration is running an MQTT broker with default settings, including no authentication or weak passwords, making it vulnerable to unauthorized access. Attackers can exploit this to eavesdrop on sensitive data, publish malicious messages, or even take control of connected devices. The 'publish-subscribe' model, while flexible, also poses risks if not managed correctly. If an attacker gains access to the broker, they can subscribe to sensitive topics and intercept messages or publish false information, potentially disrupting operations or causing harm. Insufficient input validation and improper handling of MQTT messages can also lead to vulnerabilities such as buffer overflows or injection attacks. Because MQTT is often used in IoT environments, where devices may be physically accessible or poorly secured, it becomes an attractive target for attackers seeking to compromise entire systems.
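To audit for the no-authentication misconfiguration described above, a monitor can decode the CONNECT packet each client sends and flag sessions that carry no credentials. This added example (not from the original page) parses MQTT 3.1/3.1.1 CONNECT packets only; the sample packets, client IDs and credentials are constructed.

```python
import struct
# Constructed sample CONNECT packets (MQTT 3.1.1), not captured traffic.
ANON = b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-17"
AUTH = b"\x10\x1d\x00\x04MQTT\x04\xc2\x00\x3c\x00\x04dash\x00\x03ops\x00\x06s3cret"

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' (1 to 4 bytes)."""
    value = 0
    for shift in (0, 7, 14, 21):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("remaining length longer than 4 bytes")

def _field(buf, pos):
    """Read a field with a 2-byte big-endian length prefix."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(packet):
    """Return the identity-related fields of an MQTT 3.1/3.1.1 CONNECT."""
    if len(packet) < 2 or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _remaining_length(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    _proto, pos = _field(packet, pos)          # "MQTT" or "MQIsdp"
    level, flags = packet[pos], packet[pos + 1]
    if level not in (3, 4):
        raise ValueError("MQTT 5 adds a properties block; not handled here")
    pos += 4                                   # level, flags, 2-byte keep-alive
    client_id, pos = _field(packet, pos)
    for _skip in range(2 if flags & 0x04 else 0):  # will topic + will message
        _unused, pos = _field(packet, pos)
    username = None
    if flags & 0x80:                           # username flag
        username = _field(packet, pos)[0].decode("utf-8", "replace")
    return {"client_id": client_id.decode("utf-8", "replace"),
            "username": username, "has_password": bool(flags & 0x40),
            "anonymous": not (flags & 0xC0)}

def anonymous_clients(packets):
    """Client IDs of CONNECT packets that carry no credentials at all."""
    return [p["client_id"] for p in map(parse_connect, packets) if p["anonymous"]]
```

On plain port 1883 the username and password fields travel in cleartext, which is why the same check cannot be run passively against TLS traffic on port 8883.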

## Known Vulnerabilities

| CVE | Name | Severity | Description |
| --- | --- | --- | --- |
| CVE-2017-7650 | Eclipse Mosquitto ACL Bypass | High | An authentication bypass vulnerability in Eclipse Mosquitto allows remote attackers to publish or subscribe to topics without proper authorization. |
| CVE-2018-12558 | Node-RED Information Disclosure | Medium | Node-RED allows information disclosure via MQTT nodes due to improper handling of MQTT client options. |
| CVE-2020-13952 | Apache ActiveMQ MQTT Denial of Service | Medium | A denial-of-service vulnerability exists in Apache ActiveMQ due to excessive memory consumption when processing MQTT CONNECT packets. |
| CVE-2023-32244 | HiveMQ Community Edition Improper Access Control | High | HiveMQ Community Edition versions prior to 4.13.0 are vulnerable to improper access control. A user with MQTT PUBLISH access to the $SYS/# topic can read sensitive information, including all client IDs of connected clients, MQTT bridge configurations, and cluster configurations. |
| CVE-2023-36400 | Azure IoT Hub Spoofing Vulnerability | High | A spoofing vulnerability exists in Azure IoT Hub that allows an attacker to impersonate an IoT device and send malicious messages. |

## Common Software

  • Mosquitto
  • EMQ X
  • RabbitMQ (with MQTT plugin)
  • HiveMQ
  • VerneMQ
  • ThingsBoard
  • Node-RED
  • Home Assistant
  • AWS IoT Core
  • Azure IoT Hub
