"Connect all the things!" has for some time been the main theme when talking about IoT devices, solutions and products. Our eagerness to find new, at times innovative, ways to make anything rhyme along with the anthem of the internet is a great promise for malicious activity.
Because those devices are supposed to be lightweight, they mostly rely on a small-footprint protocol stack; one of those protocols is the messaging protocol MQTT.
We will go deep into protocol details, observe how common it is to find such devices (and how), and several novel ways to abuse any one of the tens of thousands of easily spotted, publicly facing MQTT brokers on the internet for "fun and profit".
6. @dalmoz_
Publish/Subscribe principle
Client: a device that takes the role of Subscriber and/or Publisher of TOPICS.
Broker: instead of having a direct "client-server" connection we have a Broker as a central mediator and message caster.
[Figure: a Mobile device and a Sensor, each a client, connected through the Broker]
10. Not illustrated:
- Connect, disconnect
- Appropriate acks
- Keepalive
- QoS 0,1,2
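To make the protocol details concrete, here is an added example (written for this page, not code from the talk) of a minimal MQTT 3.1.1 encoder/decoder for the CONNECT, SUBSCRIBE, PUBLISH and CONNACK packets, covering the pieces the slide lists as "not illustrated": connect flags, keepalive, QoS and the broker's acknowledgement. The security point it makes visible: username and password are plain UTF-8 strings inside CONNECT, so on port 1883 (no TLS) they are readable to anyone on the path, and a broker that is "authorized by default" simply answers with CONNACK return code 0. Client IDs, topics and payloads are constructed sample data.

```python
"""Minimal MQTT 3.1.1 packet encoder/decoder (added example, not the talk's code)."""
import struct

CONNECT, CONNACK, PUBLISH, SUBSCRIBE = 1, 2, 3, 8
CONNACK_CODES = {0: "accepted", 4: "bad user name or password", 5: "not authorized"}


def encode_remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length': 7 bits per byte, high bit = more bytes follow."""
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, offset: int):
    """Return (value, offset of first byte after the length field)."""
    multiplier, value = 1, 0
    while True:
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def utf8_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data  # 2-byte big-endian length prefix


def packet(ptype: int, flags: int, body: bytes) -> bytes:
    return bytes([(ptype << 4) | flags]) + encode_remaining_length(len(body)) + body


def connect(client_id, keepalive=60, username=None, password=None, clean_session=True):
    """CONNECT: protocol name, level 4, connect flags, keepalive, then client id and
    optional username/password. Note the credentials are sent in clear text."""
    flags = 0x02 if clean_session else 0x00
    payload = utf8_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += utf8_string(username)
        if password is not None:
            flags |= 0x40
            payload += utf8_string(password)
    variable = utf8_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    return packet(CONNECT, 0, variable + payload)


def subscribe(packet_id, filters):
    """SUBSCRIBE (fixed-header flags must be 0b0010): packet id, then (filter, QoS) pairs."""
    body = struct.pack("!H", packet_id)
    body += b"".join(utf8_string(f) + bytes([qos]) for f, qos in filters)
    return packet(SUBSCRIBE, 0x02, body)


def publish(topic, payload: bytes, qos=0, packet_id=None, retain=False):
    """PUBLISH: topic name, packet id only for QoS 1/2, then the raw payload."""
    flags = (qos << 1) | (1 if retain else 0)
    variable = utf8_string(topic)
    if qos > 0:
        variable += struct.pack("!H", packet_id)
    return packet(PUBLISH, flags, variable + payload)


def parse(buf: bytes) -> dict:
    """Decode a single control packet; PUBLISH and CONNACK are fully interpreted."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    length, offset = decode_remaining_length(buf, 1)
    body = buf[offset:offset + length]
    if ptype == PUBLISH:
        tlen = struct.unpack("!H", body[:2])[0]
        topic, pos = body[2:2 + tlen].decode("utf-8"), 2 + tlen
        qos, packet_id = (flags >> 1) & 0x03, None
        if qos:
            packet_id = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
        return {"type": "PUBLISH", "topic": topic, "qos": qos, "retain": bool(flags & 1),
                "packet_id": packet_id, "payload": body[pos:]}
    if ptype == CONNACK:
        return {"type": "CONNACK", "session_present": bool(body[0] & 1),
                "return_code": body[1], "reason": CONNACK_CODES.get(body[1], "other")}
    return {"type": ptype, "flags": flags, "body": body}


if __name__ == "__main__":
    frame = connect("sensor-1", username="bob", password="hunter2")
    print(frame.hex())                      # credentials visible in the hex dump
    print(parse(publish("Weather/TLV/Temp", b"27.5")))
    print(parse(b"\x20\x02\x00\x05"))      # CONNACK: not authorized
```

Feeding `connect(...)` to a TCP socket on port 1883 and reading the CONNACK back is all a scanner needs to test "authorized by default": return code 0 with no credentials means anyone can connect.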
11. TOPIC HIERARCHY
[Figure: topic tree with Weather at the root, TLV and JER below it, and Humidity/Temp under TLV, Temp under JER]
Subscribing to a specific topic:
Weather/TLV/Humidity
Weather/TLV/Temp
Subscribe to both (# is the multi-level wildcard):
Weather/TLV/#
Subscribe to all temperatures of TLV and JER (+ is the single-level wildcard):
Weather/+/Temp
19. [in]Security Model
- Permissions are set on the Broker side, while topics are defined by clients (!)
- Authorized by default.
- A super-protected channel doesn't mean a protected broker.
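The three bullets above map onto a handful of mosquitto.conf directives. The following audit is an added example for this page (not code from the talk or from the Mosquitto project): it flags the settings behind "authorized by default" (allow_anonymous, which Mosquitto 1.x treats as true when absent and 2.0 flipped to false), a missing acl_file (no broker-side permissions, so any connected client can use any topic the clients define), and a listener without certfile/keyfile. The third constructed config shows the "protected channel, unprotected broker" case: TLS on 8883 with anonymous access still allowed. The parser treats directives as global and ignores per_listener_settings scoping, which is a simplification.

```python
"""Audit a mosquitto.conf for the weak settings discussed on slide 19 (added example)."""

WEAK_CONF = """
# constructed example: a broker left at its 1.x defaults
listener 1883
allow_anonymous true
"""

TLS_ONLY_CONF = """
# constructed example: encrypted channel, but still anonymous and without ACLs
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
allow_anonymous true
"""

HARDENED_CONF = """
# constructed example: authentication, per-topic ACL and TLS
per_listener_settings true
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""


def parse_conf(text: str) -> dict:
    """Flatten a mosquitto.conf into {directive: value}; 'listeners' collects every port.
    Simplification: per-listener scoping is ignored, directives are treated as global."""
    conf, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if key == "listener":
            listeners.append(int(value.split()[0]))  # "listener <port> [bind address]"
        else:
            conf[key] = value
    # Mosquitto 1.x with no listener line still listens on 1883.
    conf["listeners"] = listeners or [1883]
    return conf


def audit(text: str, legacy_defaults: bool = True) -> list:
    """Return finding codes: ANON (anyone may connect), NO_ACL (no broker-side permissions),
    PLAINTEXT:<port> (listener without a server certificate and key)."""
    conf = parse_conf(text)
    findings = []
    # allow_anonymous defaulted to true before Mosquitto 2.0; pass legacy_defaults=False for 2.x.
    default_anon = "true" if legacy_defaults else "false"
    if conf.get("allow_anonymous", default_anon).lower() == "true":
        findings.append("ANON")
    if "acl_file" not in conf:
        findings.append("NO_ACL")
    has_tls = "certfile" in conf and "keyfile" in conf
    for port in conf["listeners"]:
        if not has_tls:
            findings.append(f"PLAINTEXT:{port}")
    return findings


if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONF), ("tls-only", TLS_ONLY_CONF), ("hardened", HARDENED_CONF)]:
        print(f"{name:9s} -> {audit(text)}")
```

The acl_file line is the one that addresses the first bullet: without it, the broker has no notion of which client may publish or subscribe to which topic, whatever the transport looks like.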
26. Shodan dorking:
You can look for servers with queries such as:
* "MQTT"
* port:1883
* port:8883
* …
* mosquitto
By simple dorking you get tens of thousands of brokers without breaking a sweat.
29. Enumerating topics
▪ Because topic discovery is subscription based, the most productive way is to subscribe to '#'.
▪ Topics starting with $ should be hidden from wildcard subscriptions.
▪ What you see depends on what publishers send during the sampling period.
30. ID sensors by topic naming convention
Harmony, Harmony_api: HA (home automation) by Logitech
Zwave: sensors, home saunas, etc.
Sonoff, Itead, DVES: smart home on/off switch
Openhab: open source HA
ioBroker: open source broker
HomeAssistant: HA software
OwnTracks: mobile GPS tracking
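One example serves slides 11, 29 and 30 together: the wildcard matching rules of the topic hierarchy, enumeration by subscribing to '#' (including why $-prefixed topics do not show up in it), and fingerprinting what was found by the naming conventions in the table above. This is an added example written for this page, not code from the talk; the matching rules are MQTT 3.1.1's ('+' matches one level, '#' matches the rest and must be last, and a filter that starts with a wildcard never matches a topic beginning with '$'). The list of observed topics and the product table are constructed sample data that follow the conventions on slide 30.

```python
"""Topic-filter matching, '#' enumeration and naming-convention fingerprinting (added example)."""


def validate_filter(filter_: str) -> list:
    """Split a filter into levels, rejecting misuse of the wildcards."""
    levels = filter_.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError(f"'#' must stand alone as the last level: {filter_!r}")
        if "+" in level and level != "+":
            raise ValueError(f"'+' must occupy a whole level: {filter_!r}")
    return levels


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 matching: '+' = exactly one level, '#' = the parent and everything below."""
    f_levels = validate_filter(filter_)
    # $-prefixed topics ($SYS/... broker internals) are hidden from wildcard-led filters.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


# Constructed sample: topics seen during one sampling window on a single broker.
OBSERVED_TOPICS = [
    "Weather/TLV/Temp", "Weather/TLV/Humidity", "Weather/JER/Temp",
    "$SYS/broker/clients/connected",
    "harmony/hub/activities", "zwave/node5/sensor", "sonoff/DVES_0A1B2C/POWER",
    "openhab/out/light1/command", "iobroker/state", "homeassistant/sensor/living_room/state",
    "owntracks/alice/phone",
]


def enumerate_topics(filter_: str, observed) -> list:
    """What a subscription to `filter_` would have delivered out of the observed traffic."""
    return sorted({t for t in observed if topic_matches(filter_, t)})


# Naming conventions from slide 30: topic level prefix -> product.
FINGERPRINTS = {
    "harmony": "Logitech Harmony (home automation hub)",
    "zwave": "Z-Wave (sensors, switches)",
    "sonoff": "Sonoff / ITEAD smart switch",
    "itead": "Sonoff / ITEAD smart switch",
    "dves": "Sonoff / ITEAD smart switch",
    "openhab": "openHAB (open source HA)",
    "iobroker": "ioBroker (open source broker)",
    "homeassistant": "Home Assistant (HA software)",
    "owntracks": "OwnTracks (mobile GPS tracking)",
}


def fingerprint(topic: str):
    """Return the product a topic's naming convention points to, or None."""
    for level in topic.split("/"):
        for token, product in FINGERPRINTS.items():
            if level.lower().startswith(token):
                return product
    return None


def classify(observed) -> dict:
    """Group a '#' sample into {product: [topics]}; unrecognised topics go under 'unknown'."""
    groups = {}
    for topic in enumerate_topics("#", observed):
        groups.setdefault(fingerprint(topic) or "unknown", []).append(topic)
    return groups


if __name__ == "__main__":
    print(enumerate_topics("Weather/+/Temp", OBSERVED_TOPICS))
    print(enumerate_topics("#", OBSERVED_TOPICS))      # $SYS is absent
    print(enumerate_topics("$SYS/#", OBSERVED_TOPICS))  # must be asked for explicitly
    for product, topics in classify(OBSERVED_TOPICS).items():
        print(f"{product}: {topics}")
```

The `$SYS/#` line is the practical consequence of the second bullet on slide 29: a '#' sweep will never show the broker's own statistics, so they have to be requested with an explicit $-prefixed filter.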
49. Steps for full blown exploitation:
1) Request the WiFi SSID and password
2) Compile an evil firmware with the WiFi name and password hardcoded
3) Publish the otaUrl to point at your evil firmware
4) Forcefully request an OTA upgrade
5) PROFIT! (the device calls back to the attacker)
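The same chain is easy to spot from the defender's side, because steps 3 and 4 leave two publishes in the broker traffic: an OTA URL pointing somewhere unexpected, followed shortly by an upgrade command for the same device. The detection below is an added example for this page, not code from the talk. It assumes, as a hypothetical naming convention modelled on the "otaUrl" name used above, that commands arrive on `cmnd/<device>/<command>` topics with `otaUrl` and `upgrade` as the command levels; the allowlisted firmware host, device names, IP address (from the 203.0.113.0/24 documentation range) and timestamps are all constructed.

```python
"""Detect the otaUrl-then-upgrade chain in captured MQTT publishes (added example).

Assumed (not from the talk): commands are published on 'cmnd/<device>/<command>',
the firmware location is set with a command whose last level is 'otaUrl' and the
upgrade is triggered by a command whose last level is 'upgrade'.
"""
from urllib.parse import urlparse

# Constructed allowlist of hosts that legitimately serve firmware images.
TRUSTED_OTA_HOSTS = {"ota.vendor.example"}

# Constructed capture: (seconds since start, topic, payload) as seen by a '#' subscription.
SAMPLE_MESSAGES = [
    (0, "cmnd/sonoff-kitchen/otaUrl", b"http://ota.vendor.example/fw/v6.2.bin"),
    (5, "cmnd/sonoff-kitchen/upgrade", b"1"),
    (60, "cmnd/sonoff-garage/otaUrl", b"http://203.0.113.9/fw.bin"),
    (62, "cmnd/sonoff-garage/upgrade", b"1"),
    (90, "stat/sonoff-garage/RESULT", b'{"Upgrade":"Successful"}'),
]


def split_command(topic: str):
    """Return (device, command) for 'cmnd/<device>/<command>', else (None, None)."""
    levels = topic.split("/")
    if len(levels) == 3 and levels[0] == "cmnd":
        return levels[1], levels[2].lower()
    return None, None


def detect_ota_hijack(messages, trusted_hosts, window: int = 300) -> list:
    """Return alerts as (kind, device, host).

    OTA_URL_UNTRUSTED: the OTA URL was pointed at a host outside the allowlist.
    OTA_TRIGGERED:     an upgrade command followed that change on the same device
                       within `window` seconds, i.e. the firmware swap was requested.
    """
    pending = {}  # device -> (time, untrusted host) awaiting an upgrade command
    alerts = []
    for ts, topic, payload in messages:
        device, command = split_command(topic)
        if command == "otaurl":
            host = urlparse(payload.decode("utf-8", errors="replace")).hostname
            if host in trusted_hosts:
                pending.pop(device, None)  # URL reset to a trusted host, nothing pending
            else:
                pending[device] = (ts, host)
                alerts.append(("OTA_URL_UNTRUSTED", device, host))
        elif command == "upgrade" and device in pending:
            t0, host = pending.pop(device)
            if ts - t0 <= window:
                alerts.append(("OTA_TRIGGERED", device, host))
    return alerts


if __name__ == "__main__":
    for alert in detect_ota_hijack(SAMPLE_MESSAGES, TRUSTED_OTA_HOSTS):
        print(alert)
```

Detection is the fallback; the root cause is that anyone who can reach the broker may publish to the command topics. A broker-side ACL that lets only the controlling application write to `cmnd/#` removes the attacker's step 3 altogether.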
51. CREDITS
Special thanks to all the people who made and released these awesome resources for free:
▪ Presentation template by SlidesCarnival
Editor's Notes
Missing parts:
SSL – 2 examples
Evil
Angel
CVE
C&C??!
WiFi leaking – from twitter
Run demo twice – have a new checklist
Client device can sub to all different kinds of topics
Washing machines, refrigerators, computers and mobile
Smart home switches, sauna, temperature humidity sensors etc.
Arduino MQTT lib
Many developers tend to confuse MQTT for API interface… big problem
In a rush – Time to Market
Gps coordinates, remaining battery, wifi information
So I selected some feeds of owntracks to follow online. Checked for someone.
Hmm – it’s in Texas, let’s open google maps
Battery drain analysis, pattern
Many use it on their kids, husband, spouse mobile
Lighting, very attractive because you would have thought that there is nothing fascinating with that – but… rce
Interesting about reading source:
Undocumented API function
CVE on mosquitto