MQTT - for fun and profit - explore & exploit - OWASP IL 2017 v1.2
•Download as PPTX, PDF•
2 likes•926 views
"Connect all the things!" is, for some time now, the main theme when talking about IoT devices, solutions and products. Our eagerness to find new, at times - innovative, ways to make anything to rhyme along the anthem of the internet is a great promise for malicious activity. As those devices supposed to be lightweight they mostly rely on a small fingerprint stack of protocols - one of those protocols is the message protocol - MQTT. We will go deep into protocol details, observe how common is to find such devices (and how), and several novel ways to abuse any one of tens of thousands easily spotted publicly facing MQTT brokers on the internet for "fun and profit".
Recommended
Recommended
More Related Content
Similar to MQTT - for fun and profit - explore & exploit - OWASP IL 2017 v1.2
Similar to MQTT - for fun and profit - explore & exploit - OWASP IL 2017 v1.2 (20)
Recently uploaded
Recently uploaded (20)
MQTT - for fun and profit - explore & exploit - OWASP IL 2017 v1.2
- 1. @dalmoz_ Fun & Profit at the land of MQTT
- 2. @dalmoz_ Hey, Hi! Moshe Zioni Security Research Manager @dalmoz_ Moshe.Zioni@verint.com
- 3. @dalmoz_ What’s inside? ▪MQTT: ▫ Basics ▫ Utilization ▫[in]Security model ▪Fun & Profit: ▫Reconassaince ▫Abuse+Exploitation ▫Live Demo ▪Q&A
- 4. @dalmoz_ 1 MQTT - Message Queue Telemetry Transport Basics, Topology, Utilization,and Security
- 5. @dalmoz_ Connect IoTs MQTT provides devices with an ability to communicate to a central broker in a simple, lightweight, manner.
- 6. @dalmoz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 7. @dalmoz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 8. @dalmoz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 9. @dalmoz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 10. @dalmoz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor Not illustrated: - Connect, disconnect - Appropriate acks - Keepalive - QoS 0,1,2
- 11. @dalmoz_ TOPIC HIERARCHY TLV Humidity Weather JER Temp Subscribing to a specific topic: Weather/TLV/Humidity Weather/TLV/Temp Subscribe to both: (# is wildcard) Weather/TLV/# Subscribe to all temperatures of TLV and JER: Weather/+/Temp TLV Temp Weather/TLV Weather/TLV/Humidity
- 12. @dalmoz_ Real-World Usage ▪Smart Home Automation (HA) ▪Messaging Notable mentions: ▪AWS IoT ▪Microsoft IoT Hub ▪Facebook Messenger
- 13. @dalmoz_
- 14. @dalmoz_ Smart Home Automation? Two types of reactions:
- 15. @dalmoz_ Smart Home Automation? Two types of reactions:
- 16. @dalmoz_ Smart Home Automation? Two types of reactions:
- 17. @dalmoz_ Security Model Authentication: -TCP or WebSockets -User/Pass -Over TLS – optional -Client cert.- optional Permissions: -Per Topic -Per Method (Pub/Sub) -[Per QoS]
- 18. @dalmoz_ [in]Security Model But: -Many devices are too weak for TLS (or do not support at all). -Mostly needs to be tech savvy to operate. Hard to implement.
- 19. @dalmoz_ [in]Security Model - Permissions are set on Broker side while topics are defined by clients (!) - Authorized by default. - Superprotected channel doesn’t mean protected broker. .
- 20. @dalmoz_ Arduino Client for MQTT
- 21. @dalmoz_ ITEAD SONOFF Switch firmware
- 22. @dalmoz_ IoT devices have the best kind of vulnerabilities:
- 23. @dalmoz_
- 24. @dalmoz_ 2 Fun & Profit Recon., Abuse and Exploitation
- 25. @dalmoz_ Scanning for default ports TCP 1883 TCP + SSL 8883 Websocket 9001 Websocket + SSL 9883
- 26. @dalmoz_ Shodan dorking: You can look for servers * “MQTT” * port:1883 * port:8883 * … * mosquitto By simple dorking you get tens of thousands of brokers without breaking a sweat.
- 27. @dalmoz_ Banner grabbing and other internal information ▪$SYS/broker/version <- !!
- 28. @dalmoz_ Banner grabbing and other internal information ▪$SYS/broker/version <- !! ▪$SYS/broker/bytes/received ▪$SYS/broker/bytes/sent ▪$SYS/broker/clients/connected ▪$SYS/broker/clients/expired ▪$SYS/broker/clients/disconnected ▪$SYS/broker/clients/maximum ▪$SYS/broker/clients/total ▪$SYS/broker/connection/# ▪$SYS/broker/heap/current size ▪$SYS/broker/heap/maximum size ▪$SYS/broker/load/connections/+ ▪$SYS/broker/load/bytes/received/+ ▪$SYS/broker/load/bytes/sent/+ ▪$SYS/broker/load/messages/received/+ ▪$SYS/broker/load/messages/sent/+ ▪$SYS/broker/load/publish/dropped/+ ▪$SYS/broker/load/publish/received/+ ▪$SYS/broker/load/publish/sent/+ ▪$SYS/broker/load/sockets/+ ▪$SYS/broker/messages/inflight ▪$SYS/broker/messages/received ▪$SYS/broker/messages/sent ▪$SYS/broker/messages/stored ▪$SYS/broker/publish/messages/dropped ▪$SYS/broker/publish/messages/received ▪$SYS/broker/publish/messages/sent ▪$SYS/broker/retained messages/count ▪$SYS/broker/subscriptions/count ▪$SYS/broker/timestamp ▪$SYS/broker/uptime
- 29. @dalmoz_ Enumerating topics ▪Because topics are subscription based – a very prolific way is to sub to ‘#’. ▪Topics starting with $ should be hidden from wildcards. ▪Depends on what publishers are sending in the period of sampling.
- 30. @dalmoz_ ID sensors by topic naming convention Harmony Harmony_api HA by logitech Zwave Sensors, Home Saunas etc. Sonoff Itead DVES Smart home on/off switch Openhab Open source HA ioBroker Open source Broker HomeAssistant HA software OwnTracks Mobile GPS tracking
- 31. @dalmoz_ Enumerating topics – hidden gems User/Pass sneaked into topic (?!)
- 32. @dalmoz_ Enumerating topics – hidden gems
- 33. @dalmoz_ Enumerating topics – hidden gems SQL injection attempts… on MQTT
- 35. @dalmoz_ Subscribe to topic: owntracks/Paul/iPhone6 Results native payload: { "t": "v", "tst": 1498656346, "acc": 67, "_type": "location", "alt": -1, "lon": -73.97736434698308, "lat": 40.69846557452709, "batt": 99, "conn": "w", "tid": "EC" }
- 36. @dalmoz_
- 37. @dalmoz_
- 38. @dalmoz_
- 39. @dalmoz_ gg , MQTT Troll!
- 41. @dalmoz_
- 42. @dalmoz_
- 43. @dalmoz_ Whoa! That’s a big number, aren’t you proud?
- 44. @dalmoz_ Oooh,shiny! So many topics of interest: WiFi SSID (cmnd/sonoff/Ssid) 2nd WiFi SSID … (cmnd/sonoff/Ssid2) WiFi password (cmnd/sonoff/Password) 2nd WiFi password (cmnd/sonoff/Password2) Mqtt User/Pass (cmnd/sonoff/MqttUser , MqttPassword) Over-The-Air URL (cmnd/sonoff/otaUrl) Over-The-Air Trigger (cmnd/sonoff/Upgrade) * All “cmnd”s will return value to RESULT topic
- 45. @dalmoz_
- 47. @dalmoz_ 3 DEMO TIME Praise the demo lord
- 48. @dalmoz_
- 49. @dalmoz_ Steps for full blown exploitation: 1) Request WiFi SSID and PASS 2) Compile an evil firmware with hardcoded values of wifi and its password 3) Publish the otaUrl link to point to your evil firmware. 4) Forcefully request an OTA upgrade 3) PROFIT! (call back to attacker)
- 50. @dalmoz_ Thanks! ANY QUESTIONS? You can find me at: @dalmoz_ Moshe.Zioni@verint.com
- 51. @dalmoz_ CREDITS Special thanks to all the people who made and released these awesome resources for free: ▪ Presentation template by SlidesCarnival
Editor's Notes
- Missing parts: SSL – 2 examples Evil Angel CVE C&C??! WiFi leaking – from twitter Run demo twice – have a new checklist
- Client device can sub to all different kinds of topics
- Client device can sub to all different kinds of topics
- Washing machines, refrigirators, computers and mobile Smart home switches, sauna, temperature humidity sensors etc.
- Arduino MQTT lib
- Many developers tend to confuse MQTT for API interface… big problem In a rush – Time to Market
- Gps coordinates, remaining battery, wifi information So I selected some feeds of owntracks to follow online. Checked for someone. Hmm – it’s in Texas, let’s open google maps
- Battery drain analysis, pattern Many use it on their kids, husband, spouse mobile
- Lighting, very attractive because you would have thought that there is nothing fascinating with that – but… rce
- Interesting about reading source: Undocumentd api function CVE on mosquitto