Closing the MQTT Security Gap: An Assistant Tool for Secure-by-Default Mosquitto Deployments

Date

2025

Publisher

Saudi Digital Library

Abstract

The Message Queuing Telemetry Transport (MQTT) protocol has become a widely adopted communication standard in Internet of Things (IoT) ecosystems, edge computing, and Industry 4.0 applications because of its lightweight design and low network overhead. However, MQTT is secure by design but not by default: the protocol supports TLS, authentication and authorization, but the responsibility for enabling them falls on whoever deploys the broker. This has created a significant gap in real-world practice, where operational ease and rapid deployment often take priority over security, leaving a large number of insecure, publicly exposed MQTT brokers open to unauthorized access, data interception and data manipulation. This dissertation addresses the gap by introducing the MQTT Secure Assistant Tool, designed for Mosquitto, one of the most popular open-source MQTT brokers. The proposed tool enforces secure configurations by default, from the start of an IoT project, by automating and simplifying the configuration process, making MQTT security accessible to non-specialists while still providing robust protection for advanced users. The MQTT Secure Assistant Tool is a Python-based graphical application that automates the secure setup of Mosquitto brokers, including TLS configuration, password-based authentication, ACL enforcement, and user/topic management. It also provides a one-click broker launch function, a validation system that prevents misconfiguration, and, most importantly, a logging and alerting system that goes beyond a standard manual secure deployment, which typically has no built-in log analysis. This system continuously scans large numbers of log entries in real time and automatically detects and alerts administrators to major security-related events such as brute-force login attempts or unauthorized publish actions. By enforcing secure defaults and automating configuration, the tool helps prevent insecure deployments and reduces the number of exposed brokers, while the integrated logging and alerting system removes the operational blind spots common in MQTT environments.
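The abstract describes two of the tool's mechanisms in prose only: validating a Mosquitto configuration against a secure baseline, and scanning broker logs for brute-force logins and denied publishes. The following Python example is added here to make both concrete; it is not code from the dissertation's tool. The configuration options are real Mosquitto options, but the file paths are placeholders, the thresholds are arbitrary, and the log line formats are modelled on Mosquitto 2.x NOTICE output as an assumption (adapt the regular expressions to the version you run). All configuration text and log lines are constructed for the example.

```python
"""Config validation and log-based alerting for a Mosquitto broker.

Example code added as an illustration, not the MQTT Secure Assistant Tool's
own implementation. Log formats assume Mosquitto 2.x; verify against your
broker's output before relying on the patterns.
"""
import re
from collections import defaultdict, deque

# ---- 1. Configuration validation ----------------------------------------

# Constructed weak configuration: the typical "it just works" deployment.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""

# Constructed hardened configuration (certificate and file paths are placeholders).
SECURE_CONF = """\
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
log_dest file /var/log/mosquitto/mosquitto.log
log_type all
"""


def parse_conf(text):
    """Return {option: value} for a mosquitto.conf; later lines override earlier ones."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts


def validate_conf(text):
    """Return a list of findings; an empty list means the baseline is met."""
    o = parse_conf(text)
    findings = []
    # Version-independent: require the option to be present and explicitly false.
    if o.get("allow_anonymous", "").lower() != "false":
        findings.append("allow_anonymous must be set to false explicitly")
    if "password_file" not in o:
        findings.append("no password_file: client authentication is not enforced")
    if "acl_file" not in o:
        findings.append("no acl_file: every user may publish/subscribe to any topic")
    for key in ("cafile", "certfile", "keyfile"):
        if key not in o:
            findings.append(f"missing {key}: listener is not TLS-protected")
    if o.get("listener", "").startswith("1883") and "certfile" not in o:
        findings.append("plaintext listener on 1883 exposes credentials and payloads")
    if "log_dest" not in o:
        findings.append("no log_dest: nothing for an alerting system to analyse")
    return findings


# ---- 2. Log scanning ------------------------------------------------------

LOG_LINE = re.compile(r"^(?P<ts>\d+): (?P<msg>.*)$")
AUTH_FAIL = re.compile(r"^Client (?P<cid>\S+) disconnected, not authorised\.$")
DENIED_PUB = re.compile(r"^Denied PUBLISH from (?P<cid>\S+) \(.*?'(?P<topic>[^']*)'")

# Constructed sample log: one scanner hammering the login, one legitimate
# sensor publishing to a topic its ACL does not allow.
SAMPLE_LOG = """\
1700000000: New connection from 203.0.113.7:50110 on port 8883.
1700000001: Client scanner-01 disconnected, not authorised.
1700000003: New connection from 203.0.113.7:50111 on port 8883.
1700000004: Client scanner-01 disconnected, not authorised.
1700000006: Client scanner-01 disconnected, not authorised.
1700000008: Client scanner-01 disconnected, not authorised.
1700000010: Client scanner-01 disconnected, not authorised.
1700000020: New client connected from 10.0.0.12:41022 as sensor-7 (p2, c1, k60, u'sensor').
1700000021: Denied PUBLISH from sensor-7 (d0, q0, r0, m0, 'actuators/valve', ... (2 bytes))
1700000030: Client sensor-7 disconnected, not authorised.
"""


def scan_log(lines, threshold=5, window=60):
    """Return alerts found in the log lines.

    brute_force: the same client id fails authentication `threshold` times
    within `window` seconds (fires when the threshold is crossed).
    unauthorised_publish: every PUBLISH the broker's ACL denied.
    """
    recent = defaultdict(deque)        # client id -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, msg = int(m["ts"]), m["msg"]
        a = AUTH_FAIL.match(msg)
        if a:
            q = recent[a["cid"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window
                q.popleft()
            if len(q) == threshold:
                alerts.append(("brute_force", a["cid"], ts))
            continue
        d = DENIED_PUB.match(msg)
        if d:
            alerts.append(("unauthorised_publish", d["cid"], d["topic"], ts))
    return alerts


if __name__ == "__main__":
    for finding in validate_conf(WEAK_CONF):
        print("weak config:", finding)
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print("alert:", alert)
```

The validator keys on the presence and value of options rather than on Mosquitto's version-dependent defaults (allow_anonymous changed its default between 1.x and 2.x), which is why an absent option is reported as a finding instead of being assumed safe. The scanner keeps one sliding window per client id because Mosquitto's "not authorised" line carries the client id but not the peer address; correlating with the preceding "New connection from" line would be the natural extension for address-based blocking.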

Keywords

MQTT, SCADA, IoT, Firewall

Copyright owned by the Saudi Digital Library (SDL) © 2026