Security Analysis of Popular MQTT Broker Platforms
Type: Master's Thesis

Abstract
The Message Queuing Telemetry Transport (MQTT) protocol has emerged as a fundamental communication mechanism in Internet of Things (IoT) environments because of its lightweight and efficient publish-subscribe architecture. However, its widespread adoption has introduced significant security challenges, particularly within MQTT broker platforms. This thesis analyzes popular MQTT broker platforms for known vulnerabilities and prioritizes them by severity and impact in order to improve the overall security posture of these systems. The study investigates how vulnerabilities have evolved over time, examining their type, frequency, and severity, using data collected from Snyk and publicly available databases such as the National Vulnerability Database (NVD). To inform secure design decisions, the thesis compares the vulnerability distribution across the major MQTT broker platforms. Although over 70 broker platforms exist, the analysis focuses on accessible open-source platforms, including EMQX, VerneMQ, HiveMQ, Mosca, and Eclipse Mosquitto. Special attention is given to architectural design choices and third-party dependencies that contribute to security risk. A key contribution of this study is an improved vulnerability scoring model that addresses limitations of the Common Vulnerability Scoring System (CVSS). Unlike CVSS, the proposed model incorporates additional context-aware metrics: frequency, i.e., how often a vulnerability appears in the NVD, and popularity, i.e., how many broker platforms are affected by the same vulnerability within a given timeframe. The findings are intended to support organizations and developers in strengthening IoT infrastructures through more resilient, secure, and context-aware vulnerability management strategies.
Keywords: Broker platform, Common Vulnerability Scoring System (CVSS), MQTT protocol, Vulnerability.
