Internet of Things (In)security - MQTT Protocol
#1
Hey boys and girls. Well, idk if we even have girls around here or not but it'd be rude to leave them out lol. This thread is about the MQTT protocol. MQTT is found in a lot of IoT devices and is used to control them and communicate with their owners. Now before we start, I don't recommend or endorse invading people's privacy, including breaking into their devices. Fortunately people are stupid enough that we don't really have to break into anything to see some interesting things.
 
An Intro To MQTT
Like I briefly mentioned before, MQTT is a protocol for sending messages back and forth. It's low-bandwidth, which makes it ideal for IoT environments. It uses a publish/subscribe system to communicate with other nodes on the network. You can look up the details of the MQTT protocol if you're the type that likes to read RFCs. Let's use an example of a smart light bulb. You can turn it on and off from your phone and make it change colors and all that fun stuff. To do this, your phone sends a publish message to the MQTT "broker" which runs on the light bulb. You can think of a broker as a server; they're the same in all the important ways. The client can also "subscribe" to receive information about the status of the MQTT device and the things that are running. If you can, I recommend you install the mosquitto MQTT broker and play around with it. I know it's at least available in Debian-like repos. It's pretty light, so it doesn't cost much to try out. You should also get the mosquitto_clients package, which includes mosquitto_sub and mosquitto_pub. These two utilities subscribe and publish MQTT messages. They're pretty easy to use as well.
 
The Attack...?
MQTT is great, but it isn't properly locked down in the IoT implementations. MQTT supports passwords, but I've come across very few that actually use them. That may just be my experience, but it's not a good sign either way. For this part of the thread we're going to look at some MQTT services exposed to the internet. We'll only be taking a look of course, not actually publishing or subscribing to topics. Pull up shodan.io in your web browser. If you're not familiar with Shodan, you should be. It's probably one of the best things to happen to hackers since Google. Go ahead and type "mqtt" into the search bar. There are a lot more queries you can do if you have an account, so you should really get one if you don't already. At the time of writing this search brings up about 113,00 results. Most of them are valid MQTT services. If you look at some of the results you'll see listings like this:
Code:
MQTT Connection Code: 0

Topics:
$SYS/broker/version
$SYS/broker/timestamp
$SYS/broker/uptime
$SYS/broker/clients/total
$SYS/broker/clients/inactive
$SYS/broker/clients/disconnected
$SYS/broker/clients/active
$SYS/broker/clients/connected
$SYS/broker/clients/expired
$SYS/broker/messages/stored
$SYS/broker/messages/received
$SYS/broker/messages/sent

 
These are the "topics" that you can subscribe to. The ones prefixed by "$SYS" are system-specific ones and give some information about uptime and various other things. Some of the $SYS topics are interesting. The more interesting ones are the ones that aren't system topics though. Some don't have functions that are immediately apparent. Here's an example:
Code:
MQTT Connection Code: 0

Topics:
/MECO/9607/MECO_CONFD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
/MECO/9607/MECO_RMS/MECO_QMID
/MECO/9607/MECO_QMID/CMD_WANMONITOR
/MECO/9607/CMD_WANMONITOR/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
/MECO/9607/MECO_RMS/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
/MECO/9607/MECO_RMS/MECO_QMID
/MECO/9607/MECO_QMID/MECO_APPD
/MECO/9607/MECO_APPD/MECO_QMID
/MECO/9607/MECO_QMID/MECO_RMS
 
Some MQTT services are part of home assistants, which makes the data they give pretty interesting.
 
Code:
homeassistant/phicomm_dc1/LivingRoom/switch/logo_light/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch1/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch2/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch3/state
homeassistant/phicomm_dc1/LivingRoom/switch/switch0/state
homeassistant/phicomm_dc1/LivingRoom/sensor/esphome_version/state
homeassistant/phicomm_dc1/LivingRoom/sensor/uptime/state
homeassistant/phicomm_dc1/LivingRoom/sensor/wifi_signal/state
homeassistant/phicomm_dc1/LivingRoom/sensor/config_version/state
homeassistant/phicomm_dc1/LivingRoom/sensor/ip_address/state
homeassistant/phicomm_dc1/LivingRoom/sensor/connected_ssid/state
homeassistant/phicomm_dc1/LivingRoom/sensor/voltage/state
homeassistant/phicomm_dc1/LivingRoom/sensor/current/state
homeassistant/phicomm_dc1/LivingRoom/sensor/power/state
homeassistant/phicomm_dc1/LivingRoom/status
homeassistant/sensor/dc1_3f1597/dc1_3f1597_esphome_version/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_uptime/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_wifi_signal/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_config_version/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_ip_address/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_connected_ssid/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_voltage/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_current/config
homeassistant/sensor/dc1_3f1597/dc1_3f1597_power/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_logo_light/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch1/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch2/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch3/config
homeassistant/switch/dc1_3f1597/dc1_3f1597_switch0/config
 
So if we duckduckgo (bc fuck google) "phicomm_dc1" it pulls up what looks like some sort of device that can make other devices "smart." You plug your non-smart devices into it and it makes them smart. This little guy gives us the status of some switches, Wifi signal, and the SSID of the wireless network it's on, among other things. I've seen a lot of these types of devices also giving out the local temperature, humidity, air pressure, amount of people in an area, whether a specific person is in an area, etc. But when I first discovered the ubiquity of MQTT I found more disturbing things than all of these other things. I was exploring what MQTT could tell you early on in my discovery of it. I found something called "sarah's iPhone" or something along those lines. I thought, "surely it can't be." It told me the latitude, longitude, altitude, how fast she was moving, whether she was at her house or not, phone battery level. There's one in particular I find a lot that's associated with an app called "owntracks." As you might figure this tracks the owner's location and a lot of other data. And it's pretty common to find people who have similar things or their IoT devices just advertise whether they're home or not. And of course there's garage doors, locked house doors, alarms and other things connected to the internet. On top of being able to see their status and easily determine where they are in the real world, don't forget you can also publish messages and tell these devices to do things. You can see how this translates to real world crimes pretty easily. Stalking, breaking and entering, theft, and who knows what else. The people that use these devices likely don't even know what they're exposing.
 
 I've felt that a new frontier for hacking is approaching. With the rise of the IoT, AI, and other emerging technologies, we're on the cutting edge of a new world of hacking. I personally love exploring the new things that people who aren't security-minded put out there lol. That's it for this thread. I encourage you to explore the IoT and see what things you can find.
 
Hack the planet
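The post above lists topics ($SYS broker internals, home-assistant switch states, owntracks location feeds, garage doors) and says what each kind reveals. The script below is an added example, not code from the post or from any of the projects named in it: it takes a topic dump of the kind `mosquitto_sub -v -t '#'` produces when run against your own broker (here a constructed sample modelled on the listings in the thread, with made-up payloads) and sorts each topic into an exposure category so an owner can see what their broker would hand to an anonymous subscriber. The category names, regexes and severities are my own choices, not anything defined by MQTT or Mosquitto.

```python
"""Audit an MQTT topic dump for sensitive exposure (added example)."""
import re
from collections import defaultdict

# Constructed sample: one "<topic> <payload>" pair per line, the shape that
# `mosquitto_sub -v -t '#'` prints. Topic names follow the thread's listings;
# the payloads are invented.
SAMPLE_DUMP = """\
$SYS/broker/version mosquitto version 1.6.9
$SYS/broker/clients/connected 3
homeassistant/phicomm_dc1/LivingRoom/sensor/connected_ssid/state HomeNet-5G
homeassistant/phicomm_dc1/LivingRoom/sensor/ip_address/state 192.168.1.23
homeassistant/phicomm_dc1/LivingRoom/switch/switch1/state ON
homeassistant/phicomm_dc1/LivingRoom/switch/switch1/command OFF
owntracks/sarah/iphone {"_type":"location","lat":0.0,"lon":0.0,"batt":57}
home/garage/door/state closed
home/presence/sarah home
"""

# Rules are checked in order; the first match decides the category.
# (name, regex over the topic name, severity) -- all three are my own labels.
RULES = [
    ("broker-internals", re.compile(r"^\$SYS/"), "low"),
    ("location-tracking", re.compile(r"^owntracks/|/(lat|lon|gps|location)\b", re.I), "high"),
    ("presence", re.compile(r"/presence/|/(home|away)$", re.I), "high"),
    ("physical-control", re.compile(r"/(command|set|cmd)$|/(garage|door|lock|alarm)/", re.I), "high"),
    ("network-details", re.compile(r"/(ip_address|connected_ssid|wifi_signal)/", re.I), "medium"),
    ("device-state", re.compile(r"/state$", re.I), "low"),
]

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_dump(text):
    """Split each non-empty line into (topic, payload). Payloads may contain spaces."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        topic, _, payload = line.partition(" ")
        entries.append((topic, payload))
    return entries


def classify(topic):
    """Return (category, severity) from the first matching rule."""
    for name, pattern, severity in RULES:
        if pattern.search(topic):
            return name, severity
    return "unclassified", "info"


def audit(text):
    """Group the dump's topics by category: {category: [topic, ...]}."""
    report = defaultdict(list)
    for topic, _payload in parse_dump(text):
        category, _ = classify(topic)
        report[category].append(topic)
    return dict(report)


def highest_severity(text):
    """Worst severity present in the dump; 'high' means location, presence or control topics are readable."""
    worst = "info"
    for topic, _payload in parse_dump(text):
        _, severity = classify(topic)
        if SEVERITY_ORDER[severity] > SEVERITY_ORDER[worst]:
            worst = severity
    return worst


if __name__ == "__main__":
    for category, topics in sorted(audit(SAMPLE_DUMP).items()):
        print(f"[{category}]")
        for topic in topics:
            print("   ", topic)
    print("worst severity:", highest_severity(SAMPLE_DUMP))
```

Run it against a dump captured from a broker you administer; anything landing in `location-tracking`, `presence` or `physical-control` while the broker still accepts anonymous connections is the exact exposure the post describes, and the fix is on the broker (authentication, ACLs, not binding the listener to the internet), not in the topic names.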
#2
Nice post DeepLogic.

The big problem, as always, is not IoT, but companies that don't give a fuck about customers' data security.

I like playing around with smarthome stuff and IoT devices, but I prefer to trust no one, even those companies that have super secure cloud storage and ultra-encrypted data management.

I have some devices flashed with Tasmota custom firmware that uses MQTT, secured and connected to a secondary network without an Internet connection, separated from the other one where all personal devices, like PCs or smartphones, are connected.

The Mosquitto broker and the main interface to manage all the devices (OpenHAB) are dockerized.

The only ways to interact with the devices are being connected to my local network and reaching the OpenHAB control panel, by VPN, or by Telegram bot.
In all 3 cases OpenHAB is the only thing that can interact directly with the IoT devices.

That's more or less my configuration. I think it's pretty secure, but it's far from being a "plug and play" configuration. It took me a lot of time to configure it like this.

I can't think of a "normal" person building this mess just to connect a smart strip in his/her house, and that sounds good to me, because it's not the customer's task to secure a device that should already be secured by its seller.
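The reply above describes a Mosquitto broker that is "secured" and kept off the internet. As an added example (not the reply author's setup or Mosquitto's own tooling), the script below puts a minimal exposed `mosquitto.conf` next to a hardened one and runs a small audit over both, so the difference between "indexed on Shodan" and "only reachable on a segregated LAN with credentials" is visible as concrete directives. The directives used (`listener`, `allow_anonymous`, `password_file`, `acl_file`, `cafile`/`certfile`/`keyfile`, `sys_interval`) are real Mosquitto options; the file paths and the `192.168.50.1` bind address are placeholders, and the severities are my own labels.

```python
"""Audit a mosquitto.conf for the weak settings that expose a broker (added example)."""

# Constructed: a two-line config of the kind that ends up reachable from the internet.
WEAK_CONF = """\
# listens on every interface, no authentication at all
listener 1883
allow_anonymous true
"""

# Constructed: the same broker locked down. Paths and bind address are placeholders.
HARDENED_CONF = """\
listener 8883 192.168.50.1           # IoT VLAN address only (placeholder)
allow_anonymous false
password_file /etc/mosquitto/passwd   # placeholder path
acl_file /etc/mosquitto/acl           # placeholder path: per-client topic rights
cafile /etc/mosquitto/certs/ca.crt    # placeholder paths: TLS on the listener
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
sys_interval 0                        # stop publishing $SYS/# broker statistics
"""


def parse_conf(text):
    """Return [(directive, [args])] in file order; '#' comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_conf(text):
    """Return a list of (severity, message) findings; an empty list means no weak setting was seen."""
    directives = {}
    for key, args in parse_conf(text):
        directives.setdefault(key, []).append(args)

    findings = []
    for args in directives.get("allow_anonymous", []):
        if args and args[0].lower() == "true":
            findings.append(("high", "allow_anonymous true: anyone who reaches the port can subscribe and publish"))
    if "password_file" not in directives:
        findings.append(("high", "no password_file: no client authentication is configured"))
    # A listener with only a port (or the legacy 'port' directive) binds to every interface.
    for args in directives.get("listener", []):
        if len(args) < 2:
            findings.append(("medium", f"listener {args[0] if args else '?'} has no bind address; reachable on all interfaces"))
    if "port" in directives:
        findings.append(("medium", "'port' directive binds to all interfaces; use 'listener <port> <address>'"))
    if "acl_file" not in directives:
        findings.append(("medium", "no acl_file: every authenticated client may read and write every topic"))
    if "certfile" not in directives or "keyfile" not in directives:
        findings.append(("medium", "no TLS certificate: usernames, passwords and payloads cross the network in cleartext"))
    sys_interval = directives.get("sys_interval", [])
    if not sys_interval or sys_interval[-1][:1] != ["0"]:
        findings.append(("low", "$SYS/# broker statistics are published (set sys_interval 0 to stop)"))
    return findings


def count_by_severity(findings):
    """Tally findings as {severity: count}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_conf(conf)
        print(f"== {label}: {len(findings)} finding(s) {count_by_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The audit is deliberately conservative: it only inspects directives that are literally present, so a config that relies on a Mosquitto version's defaults (for example the 2.0 change that makes a configured listener refuse anonymous clients unless `allow_anonymous true` is set) is reported on what it states, not on what the binary would do. Network segregation, as in the reply, is not something a config file can show; the `listener` bind address is the closest the broker itself gets to it.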