MQTT broker access? RAK7258

Issue: MQTT broker accessible when device is in packet forwarding mode.
Should this be possible? Security etc.

Any thoughts?

Not sure if it “should” be running; if you want to stop it, you could probably figure out where mosquitto (assuming it's that) is being launched from something in /etc/init.d.

In terms of attack surface, although unnecessary, it's less of a risk than it would be if there were clients utilizing it.

But more generally a box like this would ideally sit behind a firewall/NAT shielding it from outside traffic, e.g. typically if you want to have remote access into it you’d have to use a VPN or set up a reverse tunnel.

When running in packet forwarder mode, a gateway contains no real knowledge of value other than how to impersonate itself to server infrastructure, and of course is a platform which could be subverted for purposes unrelated to its intended role.

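An added example, not part of any post in this thread: one way to run the check suggested above from the gateway's shell, assuming the broker is mosquitto on the standard MQTT ports 1883/8883 and that `netstat -tln` is available. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Report MQTT listeners bound to a non-loopback address.
# Reads `netstat -tln` style output on stdin (Local Address = field 4, State = field 6).
exposed_mqtt() {
    awk '$6 == "LISTEN" {
        n = split($4, part, ":")            # port is the text after the last colon
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port != "1883" && port != "8883") next
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not reachable from the LAN
        print $4
    }'
}

# List init scripts in directory $1 that mention mosquitto
# (assumption from the thread: the broker is mosquitto, started from /etc/init.d).
find_launchers() {
    grep -ls mosquitto "$1"/*
}

# Constructed sample of `netstat -tln` output, so the script runs off-device.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8883          0.0.0.0:*               LISTEN
tcp        0      0 :::1883                 :::*                    LISTEN'

printf '%s\n' "$SAMPLE" | exposed_mqtt

# On the gateway itself:
#   netstat -tln | exposed_mqtt
#   find_launchers /etc/init.d
```

Any line printed by `exposed_mqtt` is a broker socket reachable from other hosts on the segment; the script that `find_launchers` names is the place to stop or disable the service, or the listener can be restricted to loopback in the broker's configuration.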

Chris, many thanks.
Will take your advice and look at where mosquitto is running from.
The GW will be running on an OT segment of client LAN and will hopefully be using the new WisDM service (paid-for version) when it launches.