An Enhanced MQTT Communication Protocol for Privacy Preservation in Industrial Internet of Things (IIoT) Systems
Authors
Department of Computer Science, Imo State University, Owerri (Nigeria)
Department of Computer Science, Southern Delta University, Ozoro (Nigeria)
Article Information
DOI: 10.51584/IJRIAS.2026.11010055
Subject Category: Computer Science
Volume/Issue: 11/1 | Page No: 670-684
Publication Timeline
Submitted: 2026-01-10
Accepted: 2026-01-15
Published: 2026-02-03
Abstract
This paper addresses the security shortcomings of MQTT in Industrial IoT by designing, implementing, and evaluating a secure MQTT prototype that balances confidentiality, integrity, and usability. Using an Object-Oriented Analysis and Design Methodology (OOADM) guided by UML artifacts, the work decomposes the system into modular classes and enforces layered security aligned with the OSI and client–server models. The prototype is implemented in Python with Tkinter GUIs and Mosquitto as the MQTT broker, with supporting libraries (paho-mqtt, pycryptodome, bcrypt, hashlib, base64, socket) providing secure messaging, encryption, authentication, and IP tracking. MQTT Explorer was used for real-time visualization of message flows, encryption consistency, and topic activity. The system integrates AES-CBC encryption with random IVs, HMAC-SHA256 integrity checks, bcrypt password hashing, and an OTP e-mail verification/recovery flow (Gmail SMTP). Role-Based Access Control, account lockout policies, and audit logging (user, role, IP, timestamp, message state) provide operational safeguards. Experimental deployment and validation were conducted in a controlled virtual environment: Kali Linux running in VirtualBox provided the penetration-testing platform, and the subscriber ran on a Kali instance in UserLAnd with GUI access through R VNC to emulate a realistic IIoT endpoint. Security evaluation and penetration-testing tools included John the Ripper for offline password cracking, Bettercap for man-in-the-middle (MITM) testing and traffic manipulation, Wireshark for packet capture and protocol analysis, and Nmap/Zenmap for port and service enumeration. These tools were used to verify the system's resilience against common attacks, including unauthorized topic publishing, credential compromise, and message interception.
Results demonstrate that plaintext MQTT (port 1883) is trivially intercepted and modified, that TLS (port 8883) prevents passive decryption unless the trust chain is compromised, and that the combined cryptographic and access-control measures significantly reduce the practical attack surface of IIoT deployments.
Keywords
MQTT broker, Privacy Preservation, Security, Penetration Tool and Packets