
Researchers have described a method for hiding secret data inside everyday IoT traffic using MQTT, one of the most common IoT messaging protocols. The result is GhostMQ, a stealth communication technique that makes covert messaging hard to distinguish from normal device chatter for any observer who does not hold the shared key.
Who This Is For
- IoT security engineers and defenders
- Threat hunters and forensic analysts
- Researchers studying covert channels and censorship evasion
Why It Matters (2025+)
In a world where surveillance and censorship are on the rise, encryption alone isn’t enough.
While encryption protects what is being said, it doesn’t hide that communication is happening.
Censors can still flag or block traffic that “looks” encrypted.
The research behind GhostMQ explores how to go one step further — blending secret communications seamlessly into IoT traffic using MQTT (Message Queuing Telemetry Transport), a lightweight protocol used by millions of smart devices every day.
Essentially, GhostMQ hides messages in plain sight — right between your thermostat and your home hub.
What You’ll Learn
- How covert channels can hide messages within normal IoT communication
- How MQTT packet lengths can secretly encode data
- Why this approach could redefine private communication under surveillance
What Is GhostMQ?
GhostMQ (based on the academic framework by Lazzaro & Buccafurri, 2024) is a covert communication technique built entirely on MQTT, the protocol that connects smart devices, sensors, and automation systems across the IoT ecosystem.
Rather than relying on tunneling tools like Tor or VPNs, GhostMQ hides messages in the MQTT packets themselves.
It does not write secret bytes into the payload. Instead it chooses the size of otherwise ordinary PUBLISH messages so that the Remaining Length field of the MQTT fixed header (the count of variable-header plus payload bytes) carries the data, while the packets still look like normal telemetry to any observer.
Because only packet sizes matter, the channel slips past detection tools and censorship firewalls that inspect content, and it does not need a trusted broker: a compromised broker relays ordinary-looking messages whose lengths mean nothing without the key.
The Core Idea: Hide in the Noise
Traditional covert channels use two major methods:
| Type | Method | Example |
|---|---|---|
| Storage channel | Hide data inside packet headers or payloads | Using unused bits in TCP headers |
| Timing channel | Encode data via delays or timing | Send packets at specific intervals |
GhostMQ belongs to the storage channel family — it embeds hidden data directly into the structure of MQTT messages by adjusting their “remaining length” field.
Because MQTT is so common in IoT networks, this traffic looks harmless and routine to most intrusion detection systems (IDS) and censors.
How GhostMQ Works
Step 1 — Split and Encode the Message
The sender (publisher) splits a secret message into k parts using XOR secret sharing: k-1 parts are random and the last is the message XORed with all the others.
Any k-1 parts are uniformly random, so no single fragment (or any proper subset of fragments) reveals anything about the message.
Step 2 — Covert Embedding via MQTT
Each fragment is mapped to a number that becomes the Remaining Length of an MQTT packet, a field that security tools log but rarely scrutinize.
The mapping is a keyed one-way function built on modular exponentiation, so an observer cannot run packet lengths backwards into fragments, and only a receiver holding the secret key can reconstruct the original message.
Step 3 — Use Real IoT Brokers and Topics
The sender publishes these messages across random MQTT brokers and topics using a shared pseudo-random number generator (PRNG).
Because IoT brokers relay massive amounts of benign data, the covert packets are camouflaged among legitimate device updates.
Step 4 — Receiver Rebuilds the Message
Authorized subscribers (who share the same secret key) read the lengths of the selected packets, invert the one-way mapping by brute force over the small fragment space (a table they can precompute during setup), and XOR the fragments back together.
To a censor watching all traffic, the flow looks like ordinary MQTT telemetry; it differs only in packet sizes, which carry no meaning without the key.
Example: Hiding a Message
Let’s say you want to send the letter “H”.
The sender:
- Converts “H” to binary: 01001000 (0x48).
- Splits it into 3 parts using XOR, for instance P1 = 10110011 and P2 = 01011100 (both random) and P3 = 01001000 ⊕ P1 ⊕ P2 = 10100111.
- Computes 3 packet lengths (L1, L2, L3) from the parts using the shared secret key.
- Publishes MQTT packets with those lengths to different brokers.
The receiver monitors those brokers, picks out the packets whose lengths it was expecting, maps each length back to its part, and recovers “H” = P1 ⊕ P2 ⊕ P3.
To everyone else, it’s just routine IoT packets about “temperature” or “battery status.”
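The four steps and the “H” walkthrough above, as an added Python example (not the paper's code): a secret byte is XOR-split into three shares, each share is mapped with a keyed one-way function to a Remaining Length value, the sender builds MQTT 3.1.1 PUBLISH packets of exactly that size, and the receiver recovers the byte from packet lengths alone. Everything concrete here is an assumption for illustration: HMAC-SHA256 stands in for the paper's modular-exponentiation function, the key, topic and length range are made up, the share space is 8 bits rather than the paper's 20-bit precomputation, and PRNG-driven broker/topic selection is left out.

```python
"""Toy GhostMQ-style covert channel (added example, not the paper's code).

A secret byte is XOR-split into k shares, each share is mapped with a keyed
one-way function to an MQTT Remaining Length value, and the receiver, holding
the same key, recovers the shares from observed packet lengths alone.
"""
import hashlib
import hmac
import secrets

KEY = b"pre-shared-secret"      # assumption: exchanged out of band
MIN_LEN, MAX_LEN = 40, 1024      # assumption: plausible telemetry packet sizes
TOPIC = b"home/temperature"      # assumption: a generic, high-volume topic


def xor_split(value: int, k: int) -> list[int]:
    """Split a byte into k shares whose XOR equals value; any k-1 shares are random."""
    shares = [secrets.randbelow(256) for _ in range(k - 1)]
    last = value
    for s in shares:
        last ^= s
    return shares + [last]


def length_table(key: bytes, index: int) -> dict[int, int]:
    """Keyed one-way map share -> packet length for share position `index`.

    HMAC-SHA256 stands in for the paper's modular-exponentiation function.
    Collisions are resolved deterministically (retry with a counter) so both
    sides derive the same injective table; building it is the setup cost that
    lets the receiver invert the mapping by lookup instead of guessing.
    """
    table, used = {}, set()
    for share in range(256):
        ctr = 0
        while True:
            msg = bytes([index, share]) + ctr.to_bytes(2, "big")
            mac = hmac.new(key, msg, hashlib.sha256).digest()
            length = MIN_LEN + int.from_bytes(mac[:4], "big") % (MAX_LEN - MIN_LEN + 1)
            if length not in used:
                break
            ctr += 1
        used.add(length)
        table[share] = length
    return table


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, continuation bit 0x80."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(pkt: bytes) -> int:
    """Read the Remaining Length that follows the fixed-header control byte."""
    value, mult, i = 0, 1, 1
    while True:
        b = pkt[i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value
        mult *= 128
        i += 1


def build_publish(topic: bytes, remaining_length: int) -> bytes:
    """MQTT 3.1.1 PUBLISH (QoS 0, control byte 0x30) whose Remaining Length is
    exactly the carrier value; the payload is a constructed telemetry JSON
    padded with whitespace (valid JSON) to reach the required size."""
    base = b'{"temp":21.5}'
    payload_len = remaining_length - 2 - len(topic)   # 2-byte topic length prefix
    payload = base[:payload_len].ljust(payload_len, b" ")
    body = len(topic).to_bytes(2, "big") + topic + payload
    assert len(body) == remaining_length
    return b"\x30" + encode_remaining_length(remaining_length) + body


def send_byte(value: int, key: bytes, k: int = 3) -> list[bytes]:
    """Steps 1-2: split into k shares and emit one PUBLISH per share."""
    shares = xor_split(value, k)
    return [build_publish(TOPIC, length_table(key, i)[s]) for i, s in enumerate(shares)]


def receive_byte(packets: list[bytes], key: bytes) -> int:
    """Step 4: map each observed length back to its share and XOR them together."""
    value = 0
    for i, pkt in enumerate(packets):
        inverse = {length: share for share, length in length_table(key, i).items()}
        length = decode_remaining_length(pkt)
        if length not in inverse:
            raise ValueError(f"length {length} not in table: wrong key or foreign packet")
        value ^= inverse[length]
    return value


if __name__ == "__main__":
    pkts = send_byte(ord("H"), KEY)
    print([decode_remaining_length(p) for p in pkts], chr(receive_byte(pkts, KEY)))
```

Run it a few times and the three lengths change every time (the shares are fresh random values) while the recovered byte stays “H”. With a different key the inverse table usually lacks the observed length and `receive_byte` raises; when a length happens to exist in the wrong table the result is simply a wrong byte, which is the paper's point that lengths alone carry nothing without the key.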
Performance and Overhead
| Operation | Average Time | Notes |
|---|---|---|
| Part generation | ~0.9 µs × k | Negligible |
| Length computation | ~2 µs × k | Minimal |
| Message reconstruction | <1 µs × k | Instant |
| Setup phase | ~27 s (for 20-bit precomputation) | One-time cost |
Even under heavy traffic, the reported per-packet costs are in the microsecond range, so GhostMQ adds no perceptible delay to IoT communications.
The extra data overhead (in bytes) is also minimal — the “hidden” data fits naturally into MQTT’s variable-length headers.
Security Breakdown
| Threat | Mitigation |
|---|---|
| Eavesdropping | Data split into k random parts — partial interception yields nothing |
| Traffic Analysis | Covert messages mimic normal MQTT patterns |
| Broker Compromise | PRNG-driven broker and topic selection spreads fragments across brokers, so a single compromised broker sees only unrelated-looking messages |
| Man-in-the-Middle (MITM) | Tampering with a packet length breaks decoding of that fragment, so the channel fails rather than leaks; it does not stop an active adversary from disrupting delivery |
Within the paper's threat model, an adversary who can inspect every packet, including encrypted ones, still cannot tell GhostMQ packets from legitimate IoT messages, because the only difference is packet size. The practitioner's caveat is that length-based storage channels are exactly what per-device size-distribution baselining is meant to expose: a thermostat that normally emits three payload sizes and suddenly emits hundreds is a signal, even if no single packet is.
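Added Python example for the traffic-analysis row above (not the paper's code, and not a detector the paper evaluated): a heuristic that baselines the distribution of Remaining Length values per (client, topic) pair and flags a publisher whose packet sizes are far more varied than telemetry normally is. The input records are constructed to look like what a broker log or a pcap extraction would yield; the client names, topics and thresholds are assumptions.

```python
"""Heuristic detector for length-modulated MQTT covert channels (added example).

Input records are (client, topic, remaining_length) tuples as a broker log or
pcap extraction would yield. Genuine telemetry from one device usually has a
handful of payload sizes; a sender encoding data in lengths spreads sizes
across a wide range, which raises entropy and the distinct-size ratio.
"""
import math
import random
from collections import Counter, defaultdict


def length_entropy(lengths: list[int]) -> float:
    """Shannon entropy (bits) of the packet-size distribution."""
    counts = Counter(lengths)
    n = len(lengths)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(records) -> dict:
    """Group observed records per (client, topic) publisher."""
    groups = defaultdict(list)
    for client, topic, length in records:
        groups[(client, topic)].append(length)
    return groups


def flag_suspicious(records, min_samples=30, entropy_bits=4.0, distinct_ratio=0.5) -> dict:
    """Return {(client, topic): stats} for publishers whose size distribution is
    too rich for telemetry. Thresholds are assumptions; tune them per deployment
    from a clean baseline window."""
    flagged = {}
    for key, lengths in profile(records).items():
        if len(lengths) < min_samples:        # too few packets to judge
            continue
        h = length_entropy(lengths)
        ratio = len(set(lengths)) / len(lengths)
        if h >= entropy_bits or ratio >= distinct_ratio:
            flagged[key] = {
                "samples": len(lengths),
                "entropy_bits": round(h, 2),
                "distinct_ratio": round(ratio, 2),
            }
    return flagged


def constructed_records(seed: int = 1, n: int = 60) -> list:
    """Constructed sample (not real captures): a thermostat with three payload
    sizes, a hub with ten, and a covert publisher whose sizes spread over a
    wide range like a length-modulated channel would."""
    rng = random.Random(seed)
    recs = []
    for _ in range(n):
        recs.append(("thermostat-1", "home/temperature", rng.choice([41, 42, 43])))
        recs.append(("hub-1", "home/status", rng.choice(range(120, 130))))
        recs.append(("ghost-1", "home/temperature", rng.randint(40, 1024)))
    return recs


if __name__ == "__main__":
    for key, stats in flag_suspicious(constructed_records()).items():
        print(key, stats)
```

Only `ghost-1` trips the thresholds; the hub's ten sizes stay under 3.4 bits of entropy and the thermostat under 1.6. The heuristic catches naive length modulation and is a starting point for baselining, not proof: a sender that shapes its lengths to match a device's real size distribution (the “mimic normal MQTT patterns” claim above) pays in bandwidth but can stay under these thresholds.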
Why MQTT Is the Perfect Cloak
MQTT’s publish–subscribe model makes it ideal for covert operations:
- Publishers and subscribers never communicate directly — brokers act as middlemen.
- Multiple clients often publish on the same topic, making attribution difficult.
- Topics are generic (“/home/temperature”) and high-volume — ideal noise camouflage.
As a result, GhostMQ can hide in plain sight across existing IoT infrastructure without triggering alerts.
Limitations & Future Directions
- Low bandwidth: each packet carries only a few bits, so larger payloads need many packets, which raises overhead and suspicion.
- Requires shared secret key: Needs secure pre-setup between sender and receiver.
- Relies on MQTT ubiquity: Works best in IoT-heavy environments.
Researchers propose extending the concept to other lightweight protocols like CoAP or AMQP, potentially creating a multi-protocol covert mesh.
Why It Matters for Cybersecurity
GhostMQ raises both opportunities and concerns.
For defenders, it highlights how legitimate IoT traffic can mask exfiltration or command channels.
For privacy advocates and activists under censorship, it offers a path toward undetectable communication.
Either way, it underscores one truth:
In cybersecurity, visibility isn’t enough — you have to know what hides in the ordinary.
Final Thoughts
GhostMQ blurs the line between benign IoT chatter and invisible messaging.
It’s a reminder that encryption hides content, but covert channels hide intent — and that’s where the next privacy battles will unfold.
Stay ahead of stealth communication research — subscribe to SecureBytesBlog.com for more deep dives into IoT security, covert systems, and real-world defensive countermeasures.

