MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
•
5 j'aime•5,208 vues
This document discusses MQTT (Message Queue Telemetry Transport), including its basics, topology, utilization, and security model. It then describes how MQTT can be used for reconnaissance, abuse, and exploitation of IoT devices. This includes scanning for default ports, enumerating topics to identify devices and gather information, and potentially taking control of devices through over-the-air firmware updates. The presentation concludes with a live demo and Q&A.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
Similaire à MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017) (20)
Dernier
Dernier (20)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
- 1. @dalm oz_ Fun and Profit at the land of MQTT
- 2. @dalm oz_ Hey, Hi! Moshe Zioni Security Research Manager @dalmoz_ Moshe.Zioni@verint.com
- 3. @dalm oz_ What’s inside? ▪MQTT: ▫ Basics ▫Utilization ▫ [in]Security model ▪Fun & Profit: ▫Reconassaince ▫Abuse+Exploitation ▫Live Demo ▪Q&A
- 4. @dalm oz_ 1 MQTT - Message Queue Telemetry Transport Basics, Topology, Utilization,and Security
- 5. @dalm oz_ Connect IoTs MQTT provides devices with an ability to communicate to a central broker in a simple, lightweight, manner.
- 6. @dalm oz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 7. @dalm oz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 8. @dalm oz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 9. @dalm oz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor
- 10. @dalm oz_ Client A device that takes the role of Subscriber and/or Publisher of TOPICS Publish/Subscribe principle Broker Instead of having a direct “client-server” connection we have a Broker as a central mediator and message caster.Mobile device Sensor Not illustrated: - Connect, disconnect - Appropriate acks - Keepalive - QoS 0,1,2
- 11. @dalm oz_ TOPIC HIERARCHY TLV Humidity Weather JER Temp Subscribing to a specific topic: Weather/TLV/Humidity Weather/TLV/Temp Subscribe to both: (# is wildcard) Weather/TLV/# Subscribe to all temperatures of TLV and JER: Weather/+/Temp TLV Temp Weather/TLV Weather/TLV/Humidity
- 12. @dalm oz_ Real-World Usage ▪Smart Home Automation (HA) ▪Messaging Notable mentions: ▪AWS IoT ▪Microsoft IoT Hub ▪Facebook Messenger
- 13. @dalm oz_
- 14. @dalm oz_ Smart Home Automation? Two types of reactions:
- 15. @dalm oz_ Smart Home Automation? Two types of reactions:
- 16. @dalm oz_ Smart Home Automation? Two types of reactions:
- 17. @dalm oz_ Security Model Authentication: -TCP or WebSockets -User/Pass -Over TLS – optional -Client cert.- optional Permissions: -Per Topic -Per Method (Pub/Sub) -[Per QoS]
- 18. @dalm oz_ [in]Security Model But: -Many devices are too weak for TLS (or do not support at all). -Mostly needs to be tech savvy to operate. Hard to implement.
- 19. @dalm oz_ [in]Security Model - Permissions are set on Broker side while topics are defined by clients (!) - Authorized by default. - Superprotected channel doesn’t mean protected broker. .
- 20. @dalm oz_ IoT devices have the best kind of vulnerabilities:
- 21. @dalm oz_
- 22. @dalm oz_ 2 Fun & Profit Recon., Abuse and Exploitation
- 23. @dalm oz_ Scanning for default ports TCP 1883 TCP + SSL 8883 Websocket 9001 Websocket + SSL 9883
- 24. @dalm oz_ Shodan dorking: You can look for servers * “MQTT” * port:1883 * port:8883 * … * mosquitto By simple dorking you get tens of thousands of brokers without breaking a sweat.
- 25. @dalm oz_ Banner grabbing and other internal information ▪$SYS/broker/version <- !!
- 26. @dalm oz_ Banner grabbing and other internal information ▪$SYS/broker/version <- !! ▪$SYS/broker/bytes/received ▪$SYS/broker/bytes/sent ▪$SYS/broker/clients/connected ▪$SYS/broker/clients/expired ▪$SYS/broker/clients/disconnected ▪$SYS/broker/clients/maximum ▪$SYS/broker/clients/total ▪$SYS/broker/connection/# ▪$SYS/broker/heap/current size ▪$SYS/broker/heap/maximum size ▪$SYS/broker/load/connections/+ ▪$SYS/broker/load/bytes/received/+ ▪$SYS/broker/load/bytes/sent/+ ▪$SYS/broker/load/messages/received/+ ▪$SYS/broker/load/messages/sent/+ ▪$SYS/broker/load/publish/dropped/+ ▪$SYS/broker/load/publish/received/+ ▪$SYS/broker/load/publish/sent/+ ▪$SYS/broker/load/sockets/+ ▪$SYS/broker/messages/inflight ▪$SYS/broker/messages/received ▪$SYS/broker/messages/sent ▪$SYS/broker/messages/stored ▪$SYS/broker/publish/messages/dropped ▪$SYS/broker/publish/messages/received ▪$SYS/broker/publish/messages/sent ▪$SYS/broker/retained messages/count ▪$SYS/broker/subscriptions/count ▪$SYS/broker/timestamp ▪$SYS/broker/uptime
- 27. @dalm oz_ Enumerating topics ▪Because topics are subscription based – a very prolific way is to sub to ‘#’. ▪Topics starting with $ should be hidden from wildcards. ▪Depends on what publishers are sending in the period of sampling.
- 28. @dalm oz_ ID sensors by topic naming convention Harmony Harmony_api HA by logitech Zwave Sensors, Home Saunas etc. Sonoff Itead DVES Smart home on/off switch Openhab Open source HA ioBroker Open source Broker HomeAssistant HA software OwnTracks Mobile GPS tracking
- 29. @dalm oz_ Enumerating topics – hidden gems User/Pass sneaked into topic (?!)
- 30. @dalm oz_ Enumerating topics – hidden gems
- 31. @dalm oz_ Enumerating topics – hidden gems SQL injection attempts… on MQTT
- 33. @dalm oz_ Subscribe to topic: owntracks/Paul/iPhone6 Results native payload: { "t": "v", "tst": 1498656346, "acc": 67, "_type": "location", "alt": -1, "lon": -73.97736434698308, "lat": 40.69846557452709, "batt": 99, "conn": "w", "tid": "EC" }
- 34. @dalm oz_
- 35. @dalm oz_
- 36. @dalm oz_
- 37. @dalm oz_ gg , MQTT Troll!
- 39. @dalm oz_
- 40. @dalm oz_ Whoa! That’s a big number, aren’t you proud?
- 41. @dalm oz_ Whoa! That’s a big number, aren’t you proud?
- 42. @dalm oz_ Oooh,shiny! So many topics of interest: WiFi SSID (cmnd/sonoff/Ssid) 2nd WiFi SSID … (cmnd/sonoff/Ssid2) WiFi password (cmnd/sonoff/Password) 2nd WiFi password (cmnd/sonoff/Password2) Mqtt User/Pass (cmnd/sonoff/MqttUser , MqttPassword) Over-The-Air URL (cmnd/sonoff/otaUrl) Over-The-Air Trigger (cmnd/sonoff/Upgrade) * All “cmnd”s will return value to RESULT topic
- 43. @dalm oz_ Steps for full blown exploitation: 1) Request WiFi SSID and PASS 2) Compile an evil firmware with hardcoded values of wifi and its password 3) Publish the otaUrl link to point to your evil firmware. 4) Forcefully request an OTA upgrade 3) PROFIT! (call back to attacker)
- 44. @dalm oz_ 3 DEMO TIME Praise the demo lord
- 45. @dalm oz_ Thanks! ANY QUESTIONS? You can find me at: @dalmoz_ Moshe.Zioni@verint.com