
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)

"Connect all the things!" has, for some time now, been the main theme when talking about IoT devices, solutions and products. Our eagerness to find new, at times innovative, ways to make everything sing along to the anthem of the internet is also a great promise for malicious activity.

As those devices are supposed to be lightweight, they mostly rely on a small-footprint stack of protocols; one of those is the messaging protocol MQTT.

We will go deep into protocol details, see how common it is to find such devices (and how to find them), and look at several novel ways to abuse any of the tens of thousands of easily spotted, publicly facing MQTT brokers on the internet "for fun and profit".

Published in: Devices & Hardware

  1. @dalmoz_ Fun and Profit at the land of MQTT
  2. Hey, Hi! Moshe Zioni, Security Research Manager, @dalmoz_, Moshe.Zioni@verint.com
  3. What's inside? ▪ MQTT: ▫ Basics ▫ Utilization ▫ [in]Security model ▪ Fun & Profit: ▫ Reconnaissance ▫ Abuse + Exploitation ▫ Live Demo ▪ Q&A
  4. 1 MQTT - Message Queue Telemetry Transport: Basics, Topology, Utilization, and Security
  5. Connect IoTs. MQTT provides devices with an ability to communicate with a central broker in a simple, lightweight manner.
  6. Publish/Subscribe principle. Client: a device that takes the role of Subscriber and/or Publisher of TOPICS. Broker: instead of having a direct "client-server" connection we have a Broker as a central mediator and message caster. (Diagram: mobile device and sensor connected through the broker.)
  7. to 9. (animation builds of the slide 6 diagram)
  10. (same diagram) Not illustrated: connect, disconnect; appropriate acks; keepalive; QoS 0, 1, 2.
  11. TOPIC HIERARCHY (tree: Weather → TLV → Humidity, Temp; Weather → JER → Temp). Subscribing to a specific topic: Weather/TLV/Humidity or Weather/TLV/Temp. Subscribe to both (# is a wildcard): Weather/TLV/#. Subscribe to all temperatures of TLV and JER: Weather/+/Temp.
  12. Real-World Usage: ▪ Smart Home Automation (HA) ▪ Messaging. Notable mentions: ▪ AWS IoT ▪ Microsoft IoT Hub ▪ Facebook Messenger
  13. (image-only slide)
  14. to 16. Smart Home Automation? Two types of reactions: (images)
  17. Security Model. Authentication: TCP or WebSockets; user/pass; over TLS (optional); client certificate (optional). Permissions: per topic; per method (Pub/Sub); [per QoS].
  18. [in]Security Model. But: many devices are too weak for TLS (or do not support it at all). It mostly needs a tech-savvy operator; hard to implement.
  19. [in]Security Model. Permissions are set on the broker side while topics are defined by clients (!). Authorized by default. A super-protected channel doesn't mean a protected broker.
  20. IoT devices have the best kind of vulnerabilities:
  21. (image-only slide)
  22. 2 Fun & Profit: Recon, Abuse and Exploitation
  23. Scanning for default ports: TCP 1883; TCP + SSL 8883; WebSocket 9001; WebSocket + SSL 9883.
  24. Shodan dorking: you can look for servers with "MQTT", port:1883, port:8883, ..., mosquitto. By simple dorking you get tens of thousands of brokers without breaking a sweat.
  25. Banner grabbing and other internal information: ▪ $SYS/broker/version <- !!
  26. Banner grabbing and other internal information:
      ▪ $SYS/broker/version <- !!
      ▪ $SYS/broker/bytes/received
      ▪ $SYS/broker/bytes/sent
      ▪ $SYS/broker/clients/connected
      ▪ $SYS/broker/clients/expired
      ▪ $SYS/broker/clients/disconnected
      ▪ $SYS/broker/clients/maximum
      ▪ $SYS/broker/clients/total
      ▪ $SYS/broker/connection/#
      ▪ $SYS/broker/heap/current size
      ▪ $SYS/broker/heap/maximum size
      ▪ $SYS/broker/load/connections/+
      ▪ $SYS/broker/load/bytes/received/+
      ▪ $SYS/broker/load/bytes/sent/+
      ▪ $SYS/broker/load/messages/received/+
      ▪ $SYS/broker/load/messages/sent/+
      ▪ $SYS/broker/load/publish/dropped/+
      ▪ $SYS/broker/load/publish/received/+
      ▪ $SYS/broker/load/publish/sent/+
      ▪ $SYS/broker/load/sockets/+
      ▪ $SYS/broker/messages/inflight
      ▪ $SYS/broker/messages/received
      ▪ $SYS/broker/messages/sent
      ▪ $SYS/broker/messages/stored
      ▪ $SYS/broker/publish/messages/dropped
      ▪ $SYS/broker/publish/messages/received
      ▪ $SYS/broker/publish/messages/sent
      ▪ $SYS/broker/retained messages/count
      ▪ $SYS/broker/subscriptions/count
      ▪ $SYS/broker/timestamp
      ▪ $SYS/broker/uptime
  27. Enumerating topics: ▪ Because topics are subscription based, a very prolific way is to subscribe to '#'. ▪ Topics starting with $ should be hidden from wildcards. ▪ Depends on what publishers are sending in the period of sampling.
  28. ID sensors by topic naming convention:
      Harmony, Harmony_api: HA by Logitech
      Zwave: sensors, home saunas etc.
      Sonoff, Itead, DVES: smart home on/off switch
      Openhab: open source HA
      ioBroker: open source broker
      HomeAssistant: HA software
      OwnTracks: mobile GPS tracking
  29. Enumerating topics – hidden gems: user/pass sneaked into a topic (?!)
  30. Enumerating topics – hidden gems (screenshot)
  31. Enumerating topics – hidden gems: SQL injection attempts... on MQTT
  32. GLOBAL SPYING Here!
  33. Subscribe to topic: owntracks/Paul/iPhone6. Resulting native payload: { "t": "v", "tst": 1498656346, "acc": 67, "_type": "location", "alt": -1, "lon": -73.97736434698308, "lat": 40.69846557452709, "batt": 99, "conn": "w", "tid": "EC" }
  34. to 36. (image-only slides)
  37. gg, MQTT Troll!
  38. GPS track (lat,lon pairs): 32.7702302,-97.3872816 32.7574685,-97.3350734 32.7532442,-97.333156 32.755127,-97.3281954 32.756721,-97.3231992 32.7553446,-97.318103 32.7517239,-97.31476 32.7485354,-97.3107414 32.7479675,-97.3054205 32.7486719,-97.300005 32.7490904,-97.2945193 32.7494853,-97.2890518 32.7498415,-97.2835636 32.7505444,-97.2781512 32.752404,-97.2732238 32.7549191,-97.268704 32.7573236,-97.2639909 32.7582826,-97.2586206 32.7589264,-97.2532649 32.7595763,-97.2477639 32.7602181,-97.2423077 32.7605527,-97.2369171 32.7599132,-97.1961597 32.7578917,-97.1794049 32.7555461,-97.1698085 32.7577253,-97.1600873 32.753021,-97.1448981 32.7584765,-97.1546171 32.7530228,-97.1586987 32.7521549,-97.1523871 32.7502886,-97.1406051 32.7500693,-97.1352437 32.7562257,-97.1317734 32.7592582,-97.1201001 32.7607311,-97.101801 32.766575,-97.0972041 32.7619129,-97.097262 32.7603471,-97.102585
  39. (image-only slide)
  40. to 41. Whoa! That's a big number, aren't you proud?
  42. Oooh, shiny! So many topics of interest:
      WiFi SSID (cmnd/sonoff/Ssid)
      2nd WiFi SSID (cmnd/sonoff/Ssid2)
      WiFi password (cmnd/sonoff/Password)
      2nd WiFi password (cmnd/sonoff/Password2)
      MQTT user/pass (cmnd/sonoff/MqttUser, MqttPassword)
      Over-The-Air URL (cmnd/sonoff/otaUrl)
      Over-The-Air trigger (cmnd/sonoff/Upgrade)
      * All "cmnd"s will return a value to the RESULT topic
  43. Steps for full-blown exploitation: 1) Request WiFi SSID and pass 2) Compile an evil firmware with hardcoded values of WiFi and its password 3) Publish the otaUrl link to point to your evil firmware 4) Forcefully request an OTA upgrade 5) PROFIT! (call back to attacker)
  44. 3 DEMO TIME. Praise the demo lord
  45. Thanks! ANY QUESTIONS? You can find me at: @dalmoz_ Moshe.Zioni@verint.com
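Slides 10, 17 and 18 mention the connect/keepalive handshake and note that user/pass authentication runs over plain TCP unless TLS is configured. The following is an added example (mine, not from the talk or any project it names; standard library only, function names are my own, and the credentials are constructed) that builds and parses an MQTT 3.1.1 CONNECT packet per the public specification, so a defender can see that the username and password fields are plain length-prefixed strings and are readable by anything on the path when TLS is not in use.

```python
"""Build and parse an MQTT 3.1.1 CONNECT packet (added example, not from the talk).

Layout follows the public MQTT 3.1.1 spec: fixed header, variable header, payload.
Shows that username and password are plain length-prefixed strings: without TLS
they are visible to anyone who can read the TCP stream.
"""
import struct
from typing import Optional, Tuple

CONNECT_TYPE = 0x10          # packet type 1 in the high nibble of the first byte
FLAG_USERNAME = 0x80
FLAG_PASSWORD = 0x40
FLAG_WILL = 0x04
FLAG_CLEAN_SESSION = 0x02


def _utf8_field(value: str) -> bytes:
    """MQTT string: 2-byte big-endian length followed by the UTF-8 bytes."""
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _read_field(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Inverse of _utf8_field; returns (field_bytes, new_offset)."""
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    return buf[offset:offset + length], offset + length


def encode_remaining_length(n: int) -> bytes:
    """Variable-length integer: 7 data bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, offset: int) -> Tuple[int, int]:
    """Returns (value, new_offset); the spec allows at most 4 bytes."""
    multiplier, value = 1, 0
    for _ in range(4):
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
    raise ValueError("malformed remaining length")


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 60,
                  clean_session: bool = True) -> bytes:
    """Serialise a CONNECT packet. A password without a username is invalid per spec."""
    if password is not None and username is None:
        raise ValueError("password flag requires username flag")
    flags = FLAG_CLEAN_SESSION if clean_session else 0
    if username is not None:
        flags |= FLAG_USERNAME
    if password is not None:
        flags |= FLAG_PASSWORD
    body = _utf8_field("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body += _utf8_field(client_id)
    if username is not None:
        body += _utf8_field(username)
    if password is not None:
        body += _utf8_field(password)   # raw bytes: no hashing, no encryption
    return bytes([CONNECT_TYPE]) + encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    """Parse a CONNECT packet the way a broker (or a passive observer) would."""
    if packet[0] & 0xF0 != CONNECT_TYPE:
        raise ValueError("not a CONNECT packet")
    remaining, off = decode_remaining_length(packet, 1)
    if len(packet) - off != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, off = _read_field(packet, off)
    level, flags = packet[off], packet[off + 1]
    off += 2
    (keepalive,) = struct.unpack_from("!H", packet, off)
    off += 2
    client_id, off = _read_field(packet, off)
    result = {"protocol": proto.decode("utf-8"), "level": level,
              "keepalive": keepalive, "clean_session": bool(flags & FLAG_CLEAN_SESSION),
              "client_id": client_id.decode("utf-8"), "username": None, "password": None}
    if flags & FLAG_WILL:              # will topic and will message precede credentials
        _, off = _read_field(packet, off)
        _, off = _read_field(packet, off)
    if flags & FLAG_USERNAME:
        field, off = _read_field(packet, off)
        result["username"] = field.decode("utf-8")
    if flags & FLAG_PASSWORD:
        field, off = _read_field(packet, off)
        result["password"] = field.decode("utf-8")   # readable as-is when not under TLS
    return result


if __name__ == "__main__":
    # Constructed sample credentials, not from any real device.
    pkt = build_connect("sonoff-kitchen", "iotuser", "hunter2", keepalive=30)
    print(pkt.hex())
    print(parse_connect(pkt))
```

Running the block prints the hex of the packet, in which the password is visible as plain ASCII right after its two-byte length. That is the concrete reason the slides' "over TLS – optional" is the weak point: the protocol itself gives credentials no protection, so brokers on 1883 or 9001 should require TLS (8883/9883 in the talk's port list) or at least not expose user/pass authentication on the internet.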
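Slides 11, 19 and 27 together describe the topic hierarchy with its "+" and "#" wildcards, the fact that topics starting with "$" should be hidden from wildcards, and the "authorized by default" broker problem where permissions live on the broker while clients invent the topics. The following added example (mine, not the talk's or any broker's code; the AclRule type, the function names and the sample policy are my own constructions) implements the MQTT 3.1.1 filter-matching rules and reuses that matcher for a default-deny, per-identity, per-method ACL of the kind slide 17 lists, so that a "subscribe to #" request is refused unless a rule explicitly grants it.

```python
"""MQTT topic-filter matching and a default-deny, broker-side ACL.

Added example, not from the talk. Implements the MQTT 3.1.1 wildcard rules the
slides describe ('+' one level, '#' the rest, '$'-prefixed topics hidden from
filters that begin with a wildcard) and uses the same matcher for permissions.
AclRule, topic_matches, is_allowed and SAMPLE_RULES are my own names and data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


def topic_matches(filter_: str, topic: str) -> bool:
    """True if `topic` is matched by subscription filter `filter_` (MQTT 3.1.1, 4.7).

    '+' matches exactly one level; '#' matches the remaining levels (including
    none) and must be the last level; a filter whose first level is '+' or '#'
    never matches a topic beginning with '$', so '#' does not expose $SYS/...
    """
    f_levels = filter_.split("/")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1      # '#' anywhere but last is invalid
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


@dataclass(frozen=True)
class AclRule:
    username: Optional[str]        # None: rule applies to anonymous clients only
    pattern: str                   # topic filter, same syntax as a subscription
    methods: FrozenSet[str]        # subset of {"publish", "subscribe"}


def is_allowed(rules: Iterable[AclRule], username: Optional[str],
               method: str, topic: str) -> bool:
    """Default deny: permit only if a rule for this exact identity matches.

    For "subscribe", `topic` is the filter the client asked for. It is granted
    only when a rule pattern covers that filter taken literally, so a request
    for '#' is refused unless the client holds a rule for '#' itself. This is
    the opposite of the 'authorized by default' brokers the talk finds online.
    """
    for rule in rules:
        if rule.username != username:
            continue
        if method in rule.methods and topic_matches(rule.pattern, topic):
            return True
    return False


# Constructed sample policy shaped like the slides' weather example:
# a sensor may only publish under its own city, a dashboard may only read
# weather data, and only an admin may read broker internals under $SYS.
SAMPLE_RULES = (
    AclRule("tlv-sensor", "Weather/TLV/#", frozenset({"publish"})),
    AclRule("dashboard", "Weather/#", frozenset({"subscribe"})),
    AclRule("admin", "$SYS/#", frozenset({"subscribe"})),
)


if __name__ == "__main__":
    checks = [
        ("tlv-sensor", "publish", "Weather/TLV/Temp"),
        ("tlv-sensor", "publish", "Weather/JER/Temp"),
        ("dashboard", "subscribe", "Weather/+/Temp"),
        ("dashboard", "subscribe", "#"),
        ("dashboard", "subscribe", "$SYS/broker/version"),
        (None, "subscribe", "#"),
    ]
    for user, method, topic in checks:
        verdict = is_allowed(SAMPLE_RULES, user, method, topic)
        print(f"{str(user):>10} {method:<9} {topic:<22} -> {verdict}")
```

Two design points worth noting. The '$' check lives in the matcher, not in the ACL, so even a client that is granted '#' does not receive $SYS/broker/version and the rest of slide 26's banner-grabbing list; that is the behaviour the spec intends and the one slide 27 says "should" hold. And because subscriptions are evaluated as literal topics against the rule patterns, a broad request is refused rather than silently narrowed, which makes a client asking for '#' visible in broker logs as a denied SUBSCRIBE instead of a successful one.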
