Exploiting and Securing MQTT in IoT Environments

Target Audience: IoT Pentesters, Firmware Developers, Embedded Security Engineers
Goal: Demonstrate practical MQTT misconfigurations, vulnerabilities, and defenses through real-world demos using ESP32 and MQTT broker setup.

• MQTT Broker
• MQTT clients and visualizers
• MQTT pentest tools (MQTT-Fuzz - FUME)
• ESP32 development board (acting as a vulnerable MQTT client)
• Raspberrypi (acts as MQTT Broker)

• Cover the MQTT architecture: clients, broker, topics, sessions
• Explore the publish/subscribe model
• Explore QoS levels, retained messages, wildcard subscriptions
• Identify common areas where MQTT implementations go wrong

• Start the broker and connect it to the ESP32 client
• Setup topic subscriptions and sensor/actuator emulation
• Confirm working communication flow between ESP32 and broker

• Demonstrate how brokers without authentication can be freely accessed by attackers

• Show how attackers can persistently inject payloads that execute every time a client reconnects

• Simulate excessive topic creation or publish actions to overload the broker or client

• Redirect a client (e.g., ESP32) to a malicious broker that can spoof responses or inject commands

• Publish malicious commands to subscribed topics to control or crash the target device

• https://www.instructables.com/Secure-Mosquitto-MQTT-Server-for-IoT-Devices-ESP32/
• https://github.com/PBearson/FUME-Fuzzing-MQTT-Brokers
• https://gbhackers.com/vulnerabilities-hardy-barth-ev-station/
• https://www.onekey.com/resource/critical-vulnerabilities-in-ev-charging-stations-analysis-of-echarge-controllers