MQTT Broker Credentials
Service Name: MQTT (Message Queuing Telemetry Transport)
Service Description: MQTT is a lightweight, publish-subscribe network protocol that transports messages between devices. It is designed for connections with remote locations where a small code footprint is required, or network bandwidth is limited.
Service Address: Varies by MQTT broker implementation (common examples include HiveMQ, Mosquitto, AWS IoT Core MQTT broker, Azure IoT Hub)
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the broker level through access control lists (ACLs) or firewall rules depending on the MQTT broker implementation.
Secret Access Scope: Grants access to publish and subscribe to topics on the MQTT broker, potentially allowing message interception or injection across IoT devices and applications.
Secret Revokement URL: Varies by MQTT broker implementation. Typically managed through the broker's admin interface.
Secret Example: MQTT Broker Credentials Username: mqttuser Password: Tr@ff1cL1ght$2023
Suspicious Activity Investigation Instructions:
- Review broker connection logs for unusual client IDs or connection patterns
- Monitor for unexpected topic subscriptions or publications
- Check for abnormal message volumes or frequencies
- Examine payload contents for malicious data
- Look for connections from unexpected geographic locations or IP addresses
Mitigation Instructions:
- Immediately change the compromised MQTT broker credentials
- Implement or update ACLs to restrict topic access
- Enable TLS/SSL for all MQTT connections if not already in use
- Consider implementing client certificate authentication instead of username/password
- Review and update broker logging and monitoring configurations
- Audit all connected clients and revoke unauthorized connections
- Implement message payload validation to prevent injection attacks