Open MQTT Report

This report identifies hosts that have an accessible MQTT (Message Queuing Telemetry Transport) service enabled on port 1883/TCP. In particular it identifies MQTT instances that enable anonymous access, which can be abused to leak data. Additionally, the MQTT service on this port is unencrypted, so even password protected instances can lead to data leakage.

MQTT is a lightweight publish/subscribe protocol designed for the Internet of Things (IoT). You can read more on MQTT at http://mqtt.org/.

For more details behind the scan methodology and a daily update of global MQTT scan statistics please visit our dedicated Open MQTT scan page.

We first announced the scan in a blog post titled  Open MQTT Report – Expanding the Hunt for Vulnerable IoT Devices.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report was enabled as part of the European Union INEA CEF VARIoT project.

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    IP of the device in question
  • protocol
    Transport layer protocol used (TCP)
  • port
    Port that the response came from (usually 1883)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Set to mqtt
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City where the device in question resides
  • naics
    North American Industry Classification System Code
  • anonymous_access
    Set to "Y" or "N" depending whether anonymous access allowed
  • raw_response
    Raw response to MQTT device probe
  • hex_code
    The last octet of the raw response which tells you the connection status (00 - 05)
  • code
    The human readable version of the hex_code

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","anonymous_access","raw_response","hex_code","code"
"2020-03-12 17:03:45","122.35.229.163","tcp",1883,,"mqtt",17858,"KR","SEOUL TEUGBYEOLSI","SANGBONG-DONG",517311,0,"Y",20020000,00,"Connection Accepted"
"2020-03-12 17:03:45","47.93.162.196","tcp",1883,,"mqtt",37963,"CN",,"HANGZHOU",518210,0,"N",20020004,04,"Connection Refused, bad user name or password"
"2020-03-12 17:03:45","47.107.105.238","tcp",1883,,"mqtt",37963,"CN",,"HANGZHOU",518210,0,"N",20020005,05,"Connection Refused, not authorized"
"2020-03-12 17:03:45","139.224.13.57","tcp",1883,,"mqtt",37963,"CN",,"HANGZHOU",518210,0,"Y",20020000,00,"Connection Accepted"
"2020-03-12 17:03:45","116.9.122.71","tcp",1883,,"mqtt",4134,"CN",,"WUZHOU",517311,0,"Y",20020000,00,"Connection Accepted"
"2020-03-12 17:03:45","164.115.27.73","tcp",1883,,"mqtt",9835,"TH","KRUNG THEP MAHA NAKHON BANGKOK","SAI MAI",0,0,"N",20020005,05,"Connection Refused, not authorized"
2020-03-12 17:03:45,"68.38.110.243","tcp",1883,"c-68-38-110-243.hsd1.in.comcast.net","mqtt",7922,"US","INDIANA","NOBLESVILLE",517311,0,"N",20020005,05,"Connection Refused, not authorized"
2020-03-12 17:03:45,"120.55.36.40","tcp",1883,,"mqtt",37963,"CN",,"HANGZHOU",518210,0,"Y",20020000,00,"Connection Accepted"

Our 86 Report Types

« Back to Network Reporting