This document discusses MQTT (Message Queue Telemetry Transport), including its basics, topology, utilization, and security model. It then describes how MQTT can be used for reconnaissance, abuse, and exploitation of IoT devices. This includes scanning for default ports, enumerating topics to identify devices and gather information, and potentially taking control of devices through over-the-air firmware updates. The presentation concludes with a live demo and Q&A.

1. @dalm oz_
Fun and Profit at
the land of MQTT

2. @dalm oz_
Hey, Hi!
Moshe Zioni
Security Research Manager
@dalmoz_
Moshe.Zioni@verint.com

3. @dalm oz_
What’s inside?
▪MQTT:
▫ Basics
▫Utilization
▫ [in]Security model
▪Fun & Profit:
▫Reconassaince
▫Abuse+Exploitation
▫Live Demo
▪Q&A

4. @dalm oz_
1
MQTT - Message Queue
Telemetry Transport
Basics, Topology,
Utilization,and Security

5. @dalm oz_
Connect IoTs
MQTT provides devices with an
ability to communicate to a
central broker in a simple,
lightweight, manner.

6. @dalm oz_
Client
A device that takes the
role of Subscriber and/or
Publisher of TOPICS
Publish/Subscribe principle
Broker
Instead of having a direct
“client-server” connection
we have a Broker as a
central mediator and
message caster.Mobile device
Sensor

7. @dalm oz_
Client
A device that takes the
role of Subscriber and/or
Publisher of TOPICS
Publish/Subscribe principle
Broker
Instead of having a direct
“client-server” connection
we have a Broker as a
central mediator and
message caster.Mobile device
Sensor

8. @dalm oz_
Client
A device that takes the
role of Subscriber and/or
Publisher of TOPICS
Publish/Subscribe principle
Broker
Instead of having a direct
“client-server” connection
we have a Broker as a
central mediator and
message caster.Mobile device
Sensor

9. @dalm oz_
Client
A device that takes the
role of Subscriber and/or
Publisher of TOPICS
Publish/Subscribe principle
Broker
Instead of having a direct
“client-server” connection
we have a Broker as a
central mediator and
message caster.Mobile device
Sensor

10. @dalm oz_
Client
A device that takes the
role of Subscriber and/or
Publisher of TOPICS
Publish/Subscribe principle
Broker
Instead of having a direct
“client-server” connection
we have a Broker as a
central mediator and
message caster.Mobile device
Sensor
Not illustrated:
- Connect, disconnect
- Appropriate acks
- Keepalive
- QoS 0,1,2

11. @dalm oz_
TOPIC HIERARCHY
TLV
Humidity
Weather
JER
Temp
Subscribing to a specific topic:
Weather/TLV/Humidity
Weather/TLV/Temp
Subscribe to both: (# is wildcard)
Weather/TLV/#
Subscribe to all temperatures of TLV and JER:
Weather/+/Temp
TLV
Temp
Weather/TLV
Weather/TLV/Humidity

12. @dalm oz_
Real-World Usage
▪Smart Home Automation (HA)
▪Messaging
Notable mentions:
▪AWS IoT
▪Microsoft IoT Hub
▪Facebook Messenger

13. @dalm oz_

14. @dalm oz_
Smart Home Automation?
Two types of
reactions:

15. @dalm oz_
Smart Home Automation?
Two types of
reactions:

16. @dalm oz_
Smart Home Automation?
Two types of
reactions:

17. @dalm oz_
Security Model
Authentication:
-TCP or WebSockets
-User/Pass
-Over TLS – optional
-Client cert.- optional
Permissions:
-Per Topic
-Per Method (Pub/Sub)
-[Per QoS]

18. @dalm oz_
[in]Security Model
But:
-Many devices are too
weak for TLS (or do not support
at all).
-Mostly needs to be tech savvy
to operate. Hard to implement.

19. @dalm oz_
[in]Security Model
- Permissions are set on
Broker side while
topics are defined by
clients (!)
- Authorized by default.
- Superprotected channel
doesn’t mean protected
broker.
.

20. @dalm oz_
IoT devices have the
best kind of
vulnerabilities:

21. @dalm oz_

22. @dalm oz_
2
Fun & Profit
Recon., Abuse and
Exploitation

23. @dalm oz_
Scanning for default ports
TCP 1883
TCP + SSL 8883
Websocket 9001
Websocket + SSL 9883

24. @dalm oz_
Shodan dorking:
You can look for servers
* “MQTT”
* port:1883
* port:8883
* …
* mosquitto
By simple dorking you get tens
of thousands of brokers without
breaking a sweat.

25. @dalm oz_
Banner grabbing and other internal information
▪$SYS/broker/version <- !!

26. @dalm oz_
Banner grabbing and other internal information
▪$SYS/broker/version <- !!
▪$SYS/broker/bytes/received
▪$SYS/broker/bytes/sent
▪$SYS/broker/clients/connected
▪$SYS/broker/clients/expired
▪$SYS/broker/clients/disconnected
▪$SYS/broker/clients/maximum
▪$SYS/broker/clients/total
▪$SYS/broker/connection/#
▪$SYS/broker/heap/current size
▪$SYS/broker/heap/maximum size
▪$SYS/broker/load/connections/+
▪$SYS/broker/load/bytes/received/+
▪$SYS/broker/load/bytes/sent/+
▪$SYS/broker/load/messages/received/+
▪$SYS/broker/load/messages/sent/+
▪$SYS/broker/load/publish/dropped/+
▪$SYS/broker/load/publish/received/+
▪$SYS/broker/load/publish/sent/+
▪$SYS/broker/load/sockets/+
▪$SYS/broker/messages/inflight
▪$SYS/broker/messages/received
▪$SYS/broker/messages/sent
▪$SYS/broker/messages/stored
▪$SYS/broker/publish/messages/dropped
▪$SYS/broker/publish/messages/received
▪$SYS/broker/publish/messages/sent
▪$SYS/broker/retained messages/count
▪$SYS/broker/subscriptions/count
▪$SYS/broker/timestamp
▪$SYS/broker/uptime

27. @dalm oz_
Enumerating topics
▪Because topics are subscription
based – a very prolific way is to
sub to ‘#’.
▪Topics starting with $ should be
hidden from wildcards.
▪Depends on what publishers are
sending in the period of
sampling.

28. @dalm oz_
ID sensors by topic naming convention
Harmony
Harmony_api
HA by logitech
Zwave
Sensors, Home Saunas
etc.
Sonoff
Itead
DVES
Smart home on/off
switch
Openhab Open source HA
ioBroker Open source Broker
HomeAssistant HA software
OwnTracks Mobile GPS tracking

29. @dalm oz_
Enumerating topics – hidden gems
User/Pass sneaked into topic (?!)

30. @dalm oz_
Enumerating topics – hidden gems

31. @dalm oz_
Enumerating topics – hidden gems
SQL injection attempts… on MQTT

32. @dalm oz_
GLOBAL SPYING
Here!

33. @dalm oz_
Subscribe to topic:
owntracks/Paul/iPhone6
Results native payload:
{
"t": "v",
"tst": 1498656346,
"acc": 67,
"_type": "location",
"alt": -1,
"lon": -73.97736434698308,
"lat": 40.69846557452709,
"batt": 99,
"conn": "w",
"tid": "EC"
}

34. @dalm oz_

35. @dalm oz_

36. @dalm oz_

37. @dalm oz_
gg , MQTT Troll!

38. @dalm oz_
32.7702302,-97.3872816
32.7574685,-97.3350734
32.7532442,-97.333156
32.755127,-97.3281954
32.756721,-97.3231992
32.7553446,-97.318103
32.7517239,-97.31476
32.7485354,-97.3107414
32.7479675,-97.3054205
32.7486719,-97.300005
32.7490904,-97.2945193
32.7494853,-97.2890518
32.7498415,-97.2835636
32.7505444,-97.2781512
32.752404,-97.2732238
32.7549191,-97.268704
32.7573236,-97.2639909
32.7582826,-97.2586206
32.7589264,-97.2532649
32.7595763,-97.2477639
32.7602181,-97.2423077
32.7605527,-97.2369171
32.7599132,-97.1961597
32.7578917,-97.1794049
32.7555461,-97.1698085
32.7577253,-97.1600873
32.753021,-97.1448981
32.7584765,-97.1546171
32.7530228,-97.1586987
32.7521549,-97.1523871
32.7502886,-97.1406051
32.7500693,-97.1352437
32.7562257,-97.1317734
32.7592582,-97.1201001
32.7607311,-97.101801
32.766575,-97.0972041
32.7619129,-97.097262
32.7603471,-97.102585

39. @dalm oz_

40. @dalm oz_
Whoa! That’s a big number,
aren’t you proud?

41. @dalm oz_
Whoa! That’s a big number,
aren’t you proud?

42. @dalm oz_
Oooh,shiny! So many topics of interest:
WiFi SSID (cmnd/sonoff/Ssid)
2nd WiFi SSID … (cmnd/sonoff/Ssid2)
WiFi password (cmnd/sonoff/Password)
2nd WiFi password (cmnd/sonoff/Password2)
Mqtt User/Pass (cmnd/sonoff/MqttUser , MqttPassword)
Over-The-Air URL (cmnd/sonoff/otaUrl)
Over-The-Air Trigger (cmnd/sonoff/Upgrade)
* All “cmnd”s will return value to RESULT topic

43. @dalm oz_
Steps for full blown exploitation:
1) Request WiFi SSID and PASS
2) Compile an evil firmware with hardcoded
values of wifi and its password
3) Publish the otaUrl link to point to your
evil firmware.
4) Forcefully request an OTA upgrade
3) PROFIT! (call back to attacker)

44. @dalm oz_
3
DEMO TIME
Praise the demo lord

45. @dalm oz_
Thanks!
ANY QUESTIONS?
You can find me at:
@dalmoz_
Moshe.Zioni@verint.com