Internet of Things (In)security - MQTT Protocol
#1
Hey boys and girls. Well, idk if we even have girls around here or not but it'd be rude to leave them out lol. This thread is about the MQTT protocol. MQTT is found in a lot of IoT devices and is used to control them and communicate with their owners. Now before we start, I don't recommend or endorse invading people's privacy. Including breaking into their devices. Fortunately people are stupid enough that we don't really have to break into anything to see some interesting things.
 
An Intro To MQTT
Like I briefly mentioned before, MQTT is a protocol for sending messages back and forth. It's low-bandwidth, which makes it ideal for IoT environments. It uses a publish/subscribe system to communicate with other nodes on the network. You can look up the details of the MQTT protocol if you're the type that likes to read RFCs. Let's use an example of a smart light bulb. You can turn it on and off from your phone and make it change colors and all that fun stuff. To do this, your phone sends a publish message to the MQTT "broker" which runs on the light bulb. You can think of a broker as a server; they're the same in all the important ways. The client can also "subscribe" to receive information about the status of the MQTT device and the things that are running. If you can, I recommend you install the mosquitto MQTT broker and play around with it. I know it's at least available in Debian-like repos. It's pretty light, so it doesn't cost much to try out. You should also get the mosquitto_clients package, which includes mosquitto_sub and mosquitto_pub. These two utilities subscribe to and publish MQTT messages. They're pretty easy to use as well.
 
The Attack...?
MQTT is great, but it isn't properly locked down in the IoT implementations. MQTT supports passwords, but I've come across very few that actually use them. That may just be my experience, but it's not a good sign either way. For this part of the thread we're going to look at some MQTT services exposed to the internet. We'll only be taking a look, of course, not actually publishing or subscribing to topics. Pull up shodan.io in your web browser. If you're not familiar with shodan, you should be. It's probably one of the best things to happen to hackers since google. Go ahead and type "mqtt" into the search bar. There are a lot more queries you can do if you have an account, so you should really get one if you don't already. At the time of writing this search brings up about 113,00 results. Most of them are valid MQTT services. If you look at some of the results you'll see listings like this:
Code:
MQTT Connection Code: 0

Topics:
$SYS/broker/version
$SYS/broker/timestamp
$SYS/broker/uptime
$SYS/broker/clients/total
$SYS/broker/clients/inactive
$SYS/broker/clients/disconnected
$SYS/broker/clients/active
$SYS/broker/clients/connected
$SYS/broker/clients/expired
$SYS/broker/messages/stored
$SYS/broker/messages/received
$SYS/broker/messages/sent

 
These are the "topics" that you can subscribe to. The ones prefixed by "$SYS" are system-specific ones and give some information about uptime and various other things. Some of the $SYS topics are interesting. The more interesting ones are the ones that aren't system topics though. Some don't have functions that are immediately apparent. Here's an example:
Code:
MQTT Connection Code: 0

Topics:
/MECO/9607/MECO_CONFD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
/MECO/9607/MECO_RMS/MECO_QMID
/MECO/9607/MECO_QMID/CMD_WANMONITOR
/MECO/9607/CMD_WANMONITOR/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
/MECO/9607/MECO_RMS/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
/MECO/9607/MECO_RMS/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
 
Some MQTT services are part of home assistants, which makes the data they give pretty interesting.
 
Code:
homeassistant/phicomm_dc1/LivingRoom/switch/logo_light/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch1/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch2/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch3/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch0/state
homeassistant/phicomm_dc1/LivingRoom/sensor/esphome_version/state
homeassistant/phicomm_dc1/LivingRoom/sensor/uptime/state
homeassistant/phicomm_dc1/LivingRoom/sensor/wifi_signal/state
homeassistant/phicomm_dc1/LivingRoom/sensor/config_version/state
homeassistant/phicomm_dc1/LivingRoom/sensor/ip_address/state
homeassistant/phicomm_dc1/LivingRoom/sensor/connected_ssid/state
homeassistant/phicomm_dc1/LivingRoom/sensor/voltage/state
homeassistant/phicomm_dc1/LivingRoom/sensor/current/state
homeassistant/phicomm_dc1/LivingRoom/sensor/power/state
homeassistant/phicomm_dc1/LivingRoom/status
homeassistant/sensor/dc1_3f1597/dc1_3f1597_esphome_version/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_uptime/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_wifi_signal/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_config_version/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_ip_address/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_connected_ssid/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_voltage/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_current/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_power/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_logo_light/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch1/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch2/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch3/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch0/config
 
So if we duckduckgo (bc fuck google) "phicomm_dc1" it pulls up what looks like some sort of device that can make other devices "smart." You plug your non-smart devices into it and it makes them smart. This little guy gives us the status of some switches, Wifi signal, and the SSID of the wireless network it's on. Among other things. I've seen a lot of these types of devices also giving out the local temperature, humidity, air pressure, amount of people in an area, whether a specific person is in an area, etc. But when I first discovered the ubiquity of MQTT I found more disturbing things than all of these other things. I was exploring what MQTT could tell you early on in my discovery of it. I found something called "sarah's iPhone" or something along those lines. I thought, "surely it can't be." It told me the latitude, longitude, altitude, how fast she was moving, whether she was at her house or not, phone battery level. There's one in particular I find a lot that's associated with an app called "owntracks." As you might figure this tracks the owner's location and a lot of other data. And it's pretty common to find people who have similar things or their IoT devices just advertise whether they're home or not. And of course there's garage doors, locked house doors, alarms and other things connected to the internet. On top of being able to see their status and easily determine where they are in the real world, don't forget you can also publish messages and tell these devices to do things. You can see how this translates to real world crimes pretty easily. Stalking, breaking and entering, theft, and who knows what else. The people that use these devices likely don't even know what they're exposing.
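If you run your own broker, the useful flip side of the listings above (the $SYS topics, the home assistant switch/sensor topics, and the owntracks style location feeds) is an audit of what an anonymous subscriber to '#' would see. The script below is an added example, not part of the original post: it takes a topic inventory (one topic per line, e.g. the topic column of `mosquitto_sub -v -t '#'` against your own broker) and groups topics by the kind of exposure they represent. The sample listing and the category rules are constructed for illustration from the topic names in the post.

```python
import re
from collections import defaultdict

# Constructed sample inventory: topic names copied from the post, plus an
# owntracks-style topic of the kind the post describes (not a real device).
SAMPLE_TOPICS = """
$SYS/broker/version
$SYS/broker/clients/connected
homeassistant/phicomm_dc1/LivingRoom/switch/switch1/state
homeassistant/phicomm_dc1/LivingRoom/sensor/connected_ssid/state
homeassistant/phicomm_dc1/LivingRoom/sensor/ip_address/state
homeassistant/phicomm_dc1/LivingRoom/sensor/power/state
owntracks/sarah/iphone
/MECO/9607/MECO_QMID/CMD_WANMONITOR
"""

# (category, regex over the full topic path). First matching rule wins, so
# broker-internal $SYS topics are separated out before anything else.
RULES = [
    ("system",    re.compile(r"^\$SYS/")),
    ("location",  re.compile(r"owntracks|/(lat|lon|gps|location)\b", re.I)),
    ("network",   re.compile(r"ssid|ip_address|wifi", re.I)),
    ("presence",  re.compile(r"(^|/)(presence|occupancy|home|away)/", re.I)),
    # things that can be *driven* over MQTT, or that look like command channels
    ("control",   re.compile(r"/(switch|lock|cover|garage)/|/cmd_|/command\b|/set\b", re.I)),
    ("telemetry", re.compile(r"/sensor/", re.I)),
]

def classify_topic(topic):
    """Return the category of a single topic path ('other' if no rule hits)."""
    for category, rx in RULES:
        if rx.search(topic):
            return category
    return "other"

def audit_topics(listing):
    """Group a newline-separated topic inventory: {category: [topics]}."""
    groups = defaultdict(list)
    for line in listing.splitlines():
        topic = line.strip()
        if topic:
            groups[classify_topic(topic)].append(topic)
    return dict(groups)

def exposure_findings(groups):
    """Counts for the categories a broker open to anonymous readers should not leak."""
    risky = ("location", "network", "presence", "control")
    return {c: len(groups[c]) for c in risky if c in groups}

if __name__ == "__main__":
    found = audit_topics(SAMPLE_TOPICS)
    for category, topics in sorted(found.items()):
        print(f"{category:10s} {len(topics)}")
    print("needs auth/ACL:", exposure_findings(found))
```

Any non-empty result from `exposure_findings` on a broker that accepts anonymous connections is the case for `allow_anonymous false` plus a password file and per-topic ACLs in mosquitto, which the post notes most deployments skip.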
 
I've felt that a new frontier for hacking is approaching. With the rise of the IoT, AI, and other emerging technologies, we're on the cutting edge of a new world of hacking. I personally love exploring the new things that people who aren't security-minded put out there lol. That's it for this thread. I encourage you to explore the IoT and see what things you can find.
 
Hack the planet