This document discusses MQTT (Message Queue Telemetry Transport), including its basics, topology, utilization, and security model. It then describes how MQTT can be used for reconnaissance, abuse, and exploitation of IoT devices. This includes scanning for default ports, enumerating topics to identify devices and gather information, and potentially taking control of devices through over-the-air firmware updates. The presentation concludes with a live demo and Q&A.
5. @dalmoz_
Connect IoTs
MQTT provides devices with the ability to communicate with a central broker in a simple, lightweight manner.
6. @dalmoz_
Publish/Subscribe principle
Client: a device that takes the role of Subscriber and/or Publisher of TOPICS.
Broker: instead of having a direct "client-server" connection we have a Broker as a central mediator and message caster.
[Figure: Mobile device and Sensor clients connected to the Broker]
10. @dalmoz_
Not illustrated:
- Connect, disconnect
- Appropriate acks
- Keepalive
- QoS 0,1,2
11. @dalmoz_
TOPIC HIERARCHY
[Figure: topic tree]
Weather
  TLV
    Humidity
    Temp
  JER
    Temp
Subscribing to a specific topic:
Weather/TLV/Humidity
Weather/TLV/Temp
Subscribe to both (# is a wildcard):
Weather/TLV/#
Subscribe to all temperatures of TLV and JER:
Weather/+/Temp
18. @dalmoz_
[in]Security Model
But:
- Many devices are too weak for TLS (or do not support it at all).
- Mostly you need to be tech savvy to operate it. Hard to implement.
19. @dalmoz_
[in]Security Model
- Permissions are set on the Broker side while topics are defined by clients (!)
- Authorized by default.
- Superprotected channel doesn't mean protected broker.
24. @dalmoz_
Shodan dorking:
You can look for servers
* "MQTT"
* port:1883
* port:8883
* …
* mosquitto
By simple dorking you get tens of thousands of brokers without breaking a sweat.
27. @dalmoz_
Enumerating topics
▪ Because topics are subscription based, a very prolific way is to sub to '#'.
▪ Topics starting with $ should be hidden from wildcards.
▪ Depends on what publishers are sending in the period of sampling.
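Added example, not from the deck: a topic-filter matcher that applies the MQTT 3.1.1 wildcard rules illustrated on slide 11 (+ matches one level, # matches the parent and everything below it) together with the rule from slide 27 that wildcards never match topics whose first level starts with $. The sample topic list is constructed for the demo and is not a capture from any broker.

```python
# Added example, not from the slides: MQTT topic-filter matching as a broker
# evaluates it (MQTT 3.1.1, section 4.7). '+' matches exactly one level, '#'
# matches the parent and every level below it and must be last, and neither
# wildcard matches a topic whose first level starts with '$' (e.g. $SYS/...),
# which is the "hidden from wildcards" rule mentioned on slide 27.

def topic_matches(filter_: str, topic: str) -> bool:
    """Return True if a message on `topic` is delivered to a subscription on `filter_`."""
    flevels = filter_.split("/")
    tlevels = topic.split("/")
    # '$'-prefixed topics are only reachable through an explicit first level.
    if tlevels[0].startswith("$") and flevels[0] in ("#", "+"):
        return False
    for i, level in enumerate(flevels):
        if level == "#":
            # Multi-level wildcard: valid only as the final level of the filter.
            return i == len(flevels) - 1
        if i >= len(tlevels):
            return False  # filter has more levels than the topic
        if level != "+" and level != tlevels[i]:
            return False
    return len(flevels) == len(tlevels)


def received_by(filter_: str, topics: list[str]) -> list[str]:
    """Which of `topics` a single subscription on `filter_` would receive."""
    return [t for t in topics if topic_matches(filter_, t)]


# Constructed sample of topic names, modelled on slides 11 and 42 (not a capture).
SAMPLE_TOPICS = [
    "Weather/TLV/Humidity",
    "Weather/TLV/Temp",
    "Weather/JER/Temp",
    "$SYS/broker/clients/connected",
    "cmnd/sonoff/Power",
]

if __name__ == "__main__":
    for f in ("Weather/TLV/#", "Weather/+/Temp", "#", "$SYS/#"):
        print(f"{f:15} -> {received_by(f, SAMPLE_TOPICS)}")
```

Running it shows that a bare '#' subscription sees every application topic but not $SYS, so broker statistics only leak to a client that explicitly subscribes to $SYS/#.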
28. @dalmoz_
ID sensors by topic naming convention
Topic keyword(s)      | Vendor / description
Harmony, Harmony_api  | HA by Logitech
Zwave                 | Sensors, home saunas, etc.
Sonoff, Itead, DVES   | Smart home on/off switch
Openhab               | Open source HA
ioBroker              | Open source broker
HomeAssistant         | HA software
OwnTracks             | Mobile GPS tracking
42. @dalmoz_
Oooh, shiny! So many topics of interest:
WiFi SSID (cmnd/sonoff/Ssid)
2nd WiFi SSID … (cmnd/sonoff/Ssid2)
WiFi password (cmnd/sonoff/Password)
2nd WiFi password (cmnd/sonoff/Password2)
Mqtt User/Pass (cmnd/sonoff/MqttUser , MqttPassword)
Over-The-Air URL (cmnd/sonoff/otaUrl)
Over-The-Air Trigger (cmnd/sonoff/Upgrade)
* All "cmnd"s return their value on the RESULT topic
43. @dalmoz_
Steps for full blown exploitation:
1) Request WiFi SSID and PASS
2) Compile an evil firmware with hardcoded values of wifi and its password
3) Publish the otaUrl link to point to your evil firmware.
4) Forcefully request an OTA upgrade
5) PROFIT! (call back to attacker)