MEDIUM: Open MQTT Report

DESCRIPTION LAST UPDATED: 2023-12-16

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies all hosts that have an accessible MQTT (Message Queuing Telemetry Transport) service enabled on port 1883/TCP and on port 8883/TCP. In particular it identifies MQTT instances that enable anonymous access, which can be abused to leak data. Additionally, unlike the TLS version of the service typically on port 8883/TCP the MQTT service on port 1883/TCP is unencrypted, so even password protected instances can lead to data leakage.

Note the report identifies all MQTT instances, if you wish to receive only lists of services that have anonymous access enabled, please request it.

MQTT is a lightweight publish/subscribe protocol designed for the Internet of Things (IoT). You can read more on MQTT at http://mqtt.org/.

For more details behind the scan methodology and a daily update of global MQTT scan statistics please visit our dedicated Open MQTT scan page.

We first announced the scan in a blog post titled  Open MQTT Report – Expanding the Hunt for Vulnerable IoT Devices. This blog covered the MQTT 1883/TCP scan only launched in March 2020. The TLS scan enhancement (port 8883/TCP) was added in April 2021.

You can track latest MQTT exposure on our Dashboard.

MQTT instances that allow for anonymous access are marked with severity level HIGH. You can also track these on the Dashboard under the “mqtt-anon” tag.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

This report was enabled as part of the European Union INEA CEF VARIoT project.

This report has an IPv4 and IPv6 version.

Filename(s): scan_mqtt, scan6_mqtt

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    IP of the device in question
  • protocol
    Transport layer protocol used (TCP)
  • port
    Port that the response came from (usually 1883)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Set to mqtt
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City where the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • anonymous_access
    Set to "Y" or "N" depending whether anonymous access allowed
  • raw_response
    Raw response to MQTT device probe
  • hex_code
    The last octet of the raw response which tells you the connection status (00 - 05)
  • code
    The human readable version of the hex_code
  • cipher_suite
    The highest CipherSuite that was able to be negotiated
  • cert_length
    Certificate Key Length (1024 bit, 2048 bit, etc)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of certificate
  • sha256_fingerprint
    SHA256 fingerprint of certificate
  • sha512_fingerprint
    SHA512 fingerprint of certificate
  • md5_fingerprint
    MD5 fingerprint of certificate
  • cert_serial_number
    Certificate serial number
  • ssl_version
    SSL/TLS version
  • signature_algorithm
    Signature algorithm used
  • key_algorithm
    Key algorithm used
  • subject_organization_name
    The subject organization name (ON) of the certificate
  • subject_organization_unit_name
    The organization unit name of the subject of the certificate
  • subject_country
    The country of the subject of the certificate
  • subject_state_or_province_name
    The state or province name of the subject of the certificate
  • subject_locality_name
    The locality name of the subject of the certificate
  • subject_street_address
    The street address of the subject of the certificate
  • subject_postal_code
    The postal code of the subject of the certificate
  • subject_surname
    The surname of the subject of the certificate
  • subject_given_name
    The given name of the subject of the certificate
  • subject_email_address
    The e-mail address of the subject of the certificate
  • subject_business_category
    The business category of the subject of the certificate
  • subject_serial_number
    Serial number of the subject of the certificate
  • issuer_organization_name
    Issuing organization name
  • issuer_organization_unit_name
    Issuing organization unit name
  • issuer_country
    Country of issuer
  • issuer_state_or_province_name
    State or province of issuer
  • issuer_locality_name
    Locality of issuer
  • issuer_street_address
    Street address of issuer
  • issuer_postal_code
    Postal code of issuer
  • issuer_surname
    Surname of issuer
  • issuer_given_name
    Given name of issuer
  • issuer_email_address
    Email address of issuer
  • issuer_business_category
    Business category of issuer
  • issuer_serial_number
    Serial number of issuer
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","anonymous_access","raw_response","hex_code","code","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,1883,node01.example.com,mqtt,64512,ZZ,Region,City,0,,N,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=,05,"Connection Refused, not authorized",TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,1883,node02.example.com,mqtt,64512,ZZ,Region,City,0,,Y,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=,00,"Connection Accepted",TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,1883,node03.example.com,mqtt,64512,ZZ,Region,City,0,ptr,N,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=,05,"Connection Refused, not authorized",TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,

Our 130 Report Types