Your MQTT broker may be public: here's how to check


Some popular Home Assistant posts on Reddit have revealed that a Miami Gardens resident’s smart home has been exposed to the internet. Other people can turn off their lights and even rename their devices. All this was due to their MQTT broker being public and unsecured.

How to make sure not to fall victim to the same security snafu.


Why do smart homes use MQTT?

Efficient communication for smart devices

Smart home product box with zigbee certified product label on it. Credit: Adam Davidson / How-To Geek

MQTT stands for Message Queuing Telemetry Transport. The name may sound confusing, but the concept is quite simple. It is a lightweight messaging protocol that uses a publish-subscribe model: one device may "publish" messages and another device may "subscribe" to those messages.

For example, a temperature sensor may publish the current temperature every ten minutes. Your smart home app can then subscribe to those messages to find out what the current temperature reading is.

The key to this process is the MQTT broker. The broker is responsible for receiving the information from the publisher and transmitting it to the respective subscribers. The publisher and subscriber do not need to know that the other exists; the MQTT broker is responsible for ensuring that messages reach their destination.

MQTT is ideal for smart homes because it is fast, low-bandwidth, and can run on simple devices like smart home sensors or microcontrollers. For example, in Home Assistant you can use MQTT to let Zigbee devices transmit data to your Home Assistant server using Zigbee2MQTT.

How brokers are exposed on the internet

Do not use a public MQTT broker

MQTT integration in Home Assistant on desktop. Credit: Adam Davidson / How-To Geek

In order for your smart home and devices to communicate using MQTT, you need to run an MQTT broker that can handle message routing. This is something that needs to run locally in your home so that all communication between your sensors and your smart home happens on your local network.

In the case of the person in Miami Gardens, it appears that instead of setting up their own MQTT broker, they were using a public MQTT broker. Since this broker was available to anyone with internet access, other people were able to send messages through the MQTT broker to the Miami Gardens smart home. With the right commands, anyone could control connected smart home devices, such as turning lights on and off.

In most cases, there is no real reason to use a public MQTT broker for your smart home. Some guides may mention doing this for testing purposes, and this may be what the person in Miami Gardens did. It is also possible that an AI chatbot repeated the wrong information and advised the user to use a public MQTT broker.

To be clear: don't do it. You should always run an MQTT broker locally on your own devices. It is incredibly lightweight; you can run an MQTT broker on a Raspberry Pi Zero, so there's no reason not to host your own.



How to check if your MQTT broker is open to the public

Make sure it is local and not left open

A quick way to check if your MQTT broker is exposed is to try accessing it from outside your home network. Turn off Wi-Fi on your phone, open an app like MQTT Explorer, and give it your public IP address and port 1883. If you can connect to your MQTT broker over the mobile network, your MQTT broker is exposed.

In Home Assistant, check that your MQTT broker is configured with a local IP address and not a public web address. Go to Settings > Devices & services, open the MQTT integration, and click the three-dot icon. Choose Reconfigure. Make sure the Broker field is set to a local IP address or internal hostname, not an external URL. You should also make sure you have set a strong password.

If you run your own MQTT broker (which you absolutely should), the most likely way for it to be exposed outside your home is if you have set up port forwarding. If you forward port 1883 to your home server, anyone on the internet can reach it as well. This can also happen accidentally if you use features like Universal Plug and Play (UPnP).

You can also see whether your MQTT broker is exposed to the outside world by using an online service like Shodan and giving it your public IP address; it will show you the open services on that IP. Running nmap from the command line against your public IP has a similar effect.

Locking down your MQTT broker

Security is key

If you accidentally expose your MQTT broker and it's unsecured, you may find that strangers on the other side of the world start turning off your lights, or worse. Therefore, it is important not to allow anonymous connections; the good news is that the MQTT integration in Home Assistant does not support anonymous connections.

Also try to avoid port forwarding. Although forwarding port 1883 allows you to control your lights remotely, it can also allow other people to do so. There are many other, safer options for accessing Home Assistant remotely. You can further improve the security of your MQTT broker by enabling TLS encryption and using port 8883.
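The following is an added example, not code from the article or from the Mosquitto project: assuming your local broker is Mosquitto (the broker behind Home Assistant's add-on), it audits a mosquitto.conf for the two mistakes discussed here, anonymous access and a plaintext listener reachable from every interface, and embeds a constructed weak config beside the hardened form (TLS on 8883, password file, no anonymous access).

```python
# Added example, not code from the article or the Mosquitto project: audits a
# mosquitto.conf for anonymous access and plaintext listeners bound to every
# interface. Assumes Mosquitto 2.x syntax, where settings after a `listener`
# line belong to it, earlier ones are global, and allow_anonymous defaults to
# false when absent.

def parse_conf(text):
    """Return (global_settings, [{port, bind, settings}, ...])."""
    glob, listeners, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # skip blank and comment lines
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port, *rest = value.split()
            scope = {"port": int(port), "bind": rest[0] if rest else "0.0.0.0", "settings": {}}
            listeners.append(scope)
        else:
            (scope["settings"] if scope else glob)[key] = value.strip()
    return glob, listeners

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    glob, listeners = parse_conf(text)
    findings = []
    for lst in listeners:
        get = lambda k, d=None: lst["settings"].get(k, glob.get(k, d))  # listener, else global
        port = lst["port"]
        if get("allow_anonymous", "false").lower() == "true":
            findings.append(f"{port}: allow_anonymous true, anyone reaching the port can publish")
        if not (get("certfile") and get("keyfile")) and lst["bind"] in ("0.0.0.0", "::"):
            findings.append(f"{port}: no TLS on a listener bound to all interfaces")
    return findings

# Constructed samples: the config that leaks once port 1883 is forwarded, and the
# hardened form the article recommends (TLS on 8883, a password file, no anonymous
# access). The certificate and password paths are placeholders.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""
HARDENED_CONF = """
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
"""
```

Run `audit(open("/etc/mosquitto/mosquitto.conf").read())` against your own broker's config; a listener bound to a LAN or loopback address without TLS is deliberately not flagged, since only all-interface listeners become reachable through a forwarded port.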


Don’t let others turn off your lights

This is an unusual example, but it shows what can happen if you don’t set up your smart home correctly. Reddit users didn’t do anything more malicious than turn a few lights on and off, but bad actors could do worse.
