Thank you for being here, and thank you Avi and all the guys at OSP for having me. So let's start. We're going to talk about MQTT. I'm going to explain shortly what MQTT is, of course, what the hell it is supposed to do here, and why we have a table at the front of the stage with nothing on it except a blinking light. It will be blinking, actually. So first, the mandatory hi... oh, the mandatory one, it doesn't work. Just a second. Something needs to fail. So hi, my name is Muschazzioni. I'm a security research manager at Verint, many years into security, having fun breaking stuff all the time, and this time we're talking IoT, in terms of things.
Without further ado, what are we going to do today? We're going to learn about MQTT. What exactly is all the hype about, if there is any hype? What kind of tools are using MQTT? Why we should, or maybe shouldn't, use MQTT. The security model, and the insecurity within the model. Lastly, and of course, the attack side of things: how we do reconnaissance on those devices, what is interesting to harvest, how we can exploit those devices, and of course hopefully we'll have a live demo over here, but it will be from here.
OK. MQTT stands for, as you see, Message Queue Telemetry Transport, whatever. It means a simple thing. This simple thing actually means that you, or any kind of device, can connect to any other device and talk with a very lightweight communication protocol. Now the thing is that we have many protocols. The most prominent protocol for the internet is of course HTTP. Everyone knows HTTP, and the protocol itself is not complicated, but it is kind of heavy on the communication side when we are talking about very small devices. When we are talking IoT, we are talking about very small embedded devices. Nothing like your Android or iPhone, nothing even close to any kind of computer that you've ever had, actually maybe except the 486 and the Pentium. And here we have, for example, and we'll talk about such examples for embedded devices.
Have any of you ever programmed an Arduino? Show of hands. Cool. Wow, so many. So with Arduino, you can find several Arduino-like devices that have up to maybe 100 megahertz per second. Megahertz, we should say. So if we are looking into regular Arduinos, we are talking about 26, maybe 48 megahertz. It's a very small amount of computing power, and when we are talking about something like that on my table, it's the ESP8266. It's very small in comparison to any kind of computer that you have. So that's why we need to have something very lightweight. Very lightweight in terms of communication, fingerprint of the memory, etc., and maybe in storage and anything like that. Everything that we know of is getting shrunk and very small. So we have to comprehend this.
So you can connect many devices through MQTT to one major hub. The hub is usually called maybe a server, maybe an MQTT server, and we have several other names for that. We can use hub or server interchangeably. And after we have the server, the server is connected and many devices can connect to it and talk to it. Why do we need this server, what are we doing with it? So first, for example, we have the mobile device and we have the sensor. Both of those computers, and both of the processes, are connected to the broker, which is the formal name for the server. They talk with the broker, and the broker coordinates all the messages between them. If you are familiar with MQ, you should be very familiar with the process that we are going to go through. So the first thing we are doing with the broker is sending a sub, a subscribe. We will talk about two types of communications: subscribe and publish. I am not joking; these are the very basic items of those communications, and we don't have many more. I will explain what else I am omitting here, and it is not much. So first of all we need to sub, to subscribe to, some kind of a channel. Think of a channel, or a topic, which is the formal name of it.
A channel is like something that you know from actually any kind of communication protocol. You have some kind of a topic, some kind of a reserved name, mostly a hierarchy-related name that should tell you what you are going to listen to, what kind of messages you are going to receive. So first of all you need to subscribe to WeatherTLV. That is the name of the channel, or the topic, that we are talking about. So the mobile device, the sensor we are talking with, is subscribing to WeatherTLV. And maybe the mobile device is subscribing to MobileTLV through the broker. So now the broker has two items in memory: the mobile device and the sensor are talking to me, and they are subscribed to this channel. If anyone publishes anything on this channel, they too are going to get the message directly from the broker. So from now on, after the subscription, the broker does all the stuff, just waiting for the queue to fill up, and when some kind of a message comes in it will pass the messages along the line. So the next thing that is going to happen is that someone, for this example the sensor of course, is going to transmit, or publish, on the communication topic WeatherTLV the value 29C. That is just a string, a string named 29C. So what will happen next? The broker will get the publish communication protocol message, and through the publish it will think about who is subscribed to this, to WeatherTLV. So you have the mobile device that was subscribed to it, so let's send it his way. So the publish will get to the mobile device through the broker. After the broker has gone through some thought and through its records, you saw that everyone that subscribed to it got the message. Something that I've omitted from these examples is of course the connection. You have to establish a connection, or maybe a disconnection, before you are talking to the broker. I've omitted a very important part, the QoS.
Maybe the broker keeps on sending this publish request, and maybe not. That's the quality of service. Maybe 0, 1 and 2. I won't talk about it because it will complicate things that are not important for security's sake, for the scope of this talk. And of course the keep-alive. Nothing can be communicated all the time. It's a TCP protocol and we need to have a keep-alive just for the communication not to break, and some kind of optimization for the communication. So believe me or not, it's such a simple scheme for publication and subscription. Hopefully that was pretty OK by you.
So now, after we get this straight, we have a hierarchy. The hierarchy of the topics is important. Why? Because the hierarchy can signal to the person, or the subscriber, what kind of topic he subscribed to, but more importantly it can be a batch. It can subscribe to a batch of channels in one instance, and there's a reserved name for that. For example we have weather/TLV/humidity, and then we have weather/TLV/temp, or in the hierarchy we can see weather, then TLV. The weather, then TLV, it has another branch for this hierarchy and they have temp and humidity. On the other hand we also have weather/jar for Jerusalem and then temp for Jerusalem. If you want to subscribe both to humidity and temp, you can subscribe to weather/TLV/# (the pound key, or pound symbol). Now you will be subscribed both to humidity and temp. On the other hand, if you want to subscribe to TLV temp and Jerusalem temp, you just need to say weather/+/temp. Then you will be subscribed to any kind of city that is publishing temperature for this broker. So far it's pretty nice, nothing harmful, allegedly.
And now we are talking about who is using MQTT. Why am I spending like maybe 10 minutes so far just to talk about this kind of communication, why we need that? So the main usage for MQTT is home automation, and we have some protocols that are using it for pure messaging.
Facebook Messenger is using it; most of its infrastructure from Facebook is by MQTT. Now that's pretty interesting, but that's to say that Facebook is one of the few that have publicly stated that they are using MQTT for this kind of messaging. So let's stay with home automation, because that's the major usage that you will find online. What is home automation and why do we need that? I will not talk a lot about it, but let me just say for now that notable mentions for that are AWS IoT and Microsoft IoT Hub; both are cloud services that Amazon and Microsoft are providing, and they are getting huge traction on that, of course because of the demand by the customers.
Now, so we have a home and it's connected to everything, maybe the shades, maybe the lights, maybe we even have an automatic toilet, I don't know, and maybe a cat feeder, and all those things are connected to one broker, maybe on the cloud, maybe on your premises in your house, whatever you want to do with it. And when people see this picture and think about home automation, I receive two kinds of responses. The first response is: wow, that's awesome, I need home automation, why, I need to feed my cat right now no matter where I am, and MQTT is the thing for that. So that's one reaction. The other reaction is exactly the one that was mentioned there: there was an AWS, Amazon's convention in Tel Aviv, like I think it was four or five months ago. It was pretty huge and pretty successful in terms of attendees, and Philips showed how they turned on the lights through MQTT, through the AWS cloud IoT service broker, and one, and not only one, from the hacker Twitterverse tweeted: why the f did we all become so f-ing lazy, what the actual f is this crap. And this is the second response that I actually get from many people. Now after this show I will let you alone decide if you want it or not.
The thing is, it's becoming a trend and everyone is using it, everyone along the stream. Maybe you will find it in China; you'll find it mainly in Europe, in saunas and stuff like that that need to be connected for some reason, and of course in the United States, everything is coming from the United States in this manner. So that's the response, and I will leave it there. Why is it important for us? Because we need to deal with security.
So I need to say that MQTT is pretty solid in terms of protocol. If you read the documents for MQTT, it's an ever-evolving document. It's now, I think, the official version for the documentation is at 3.1 for the protocol, and it's pretty up to date. You have TLS by definition, you have TLS inside, you have client certificates, which is awesome if you are talking about authentication. You can do permissions per topic, per method (whether it's publishing or subscribing), and per QoS, which I haven't mentioned, as I said. So that's pretty cool, right? Pretty solid security. But now, it has an insecurity model within it, because if you paid attention you saw that the broker is the one that is sending the communication throughout the network, and the first one that is publishing to the broker is another item, or another entity, and no protocol is devised for now between the broker and the publishers to communicate which topics should have what kind of permissions. Now that's pretty confusing, not only for you but also for me.
I'll have an example. Just on this table I have the Sonoff, which I will turn into a demo, and the Sonoff has an open source firmware. That's cool, and you can read it, but actually not many people did it. The documentation is pretty solid, but in this case I found an API which is not mentioned anywhere, a topic which is not mentioned anywhere in the documentation, and of course I've added it to the official documentation. But if I hadn't done so, there was at least one topic which is harmful for the user, which was able to be a bit permission-wide, or very very sparse in permissions, and actually everyone could have used it, or exploited this kind of topic. Maybe it's a bit of a confusion for now because we haven't established what the topic is yet, and we'll get to it in a few slides, but believe me, the broker/publisher economy, we have many many problems with that. The second thing is it's directed mostly to the tech-savvy, which is something I guess will change in a year or two, because that's the thing with technology, which is evolving and engrossing everyone.
The other thing is that you have authorization by default. The brokers that are online, we are talking about Mosquitto, that's the most prominent broker out there, it's open source from the Eclipse Foundation, and for my testing I've tested like 2000-something devices around the internet which are not mine, and I found that the brokers were 80% plus Mosquitto. There are like two more, like ActiveMQ for IBM, and you have HiveMQ, which is another prominent example, but Mosquitto is the most prominent one, as I said.
So if the protocol is very protected and you have TLS, right, you can say to me right now, they have TLS built in, right? So let me just say that TLS is pretty hard on those devices. We're talking about very small devices, and we'll see two examples for these difficulties. The one is from the official Arduino client for MQTT, which cannot support SSL/TLS for now; as of today it cannot support it at all, because it's pretty hard for such a small device to comprehend a communication, to keep so much memory in place, and we are talking a huge amount of memory here. In the comments section of the firmware that I mentioned for the Sonoff, it says TLS uses a lot of memory, 20K, so be careful to enable other options at the same time, and it's disabled by default. So even if it's by definition inside the protocol, you can't use it with Sonoff, which is the single most prominent example for MQTT for now, and you can't use it with Arduino because you don't have much power on Arduino, so you can do SSL whatever you desire to it, it doesn't matter. OK, so those are the two prominent examples for that.
Moving on, the most successful vulnerability that I found, every time and again we're talking about IoT, which kind of vulnerabilities? I have one kind of vulnerability: features. Those are the best vulnerabilities for IoT, believe me, and you should test it yourself, not just believe me, of course. So we'll go through a couple of features in a few slides when we're talking about profit, how we can start with exploiting, or maybe researching, MQTT, whatever you desire.
So the first thing to note is that you have several default ports that you can utilize in order to use MQTT. Of course anyone can use whatever port he needs or wants to use, but the defaults are mainly not changed, in terms of standard. So you have TCP, you have TCP with SSL, you have WebSockets, which is pretty cool and convenient if you have a powerful enough IoT device to use WebSockets, and WebSockets plus SSL. Those two are getting traction, but not so much. So if you want to Shodan those, you can just look for 8083 and 8083, 1883 and 8083, and through that you can find many devices as well and just enumerate them. After enumeration you can do many things that will scope down the thing that you want to test or research. You can look for Mosquitto, you can look for the ports that I've mentioned, and you'll find out by yourself the topics that you actually desire to go after. In this case we're talking about the broker, about the Mosquitto that I have here in the Raspberry Pi, which is communicating through MQTT. The Sonoff is connected to the Raspberry Pi that I have here, and the Mosquitto server has defaults. Now, I haven't mentioned the dollar sign. The dollar sign says that you can't enumerate it all. If you would like to enumerate all the topics instead, we can use just the pound key, the pound sign. Why?
Because the pound sign is a wildcard. If I'm just subscribing to the pound sign, I'm subscribing to every topic that is on the broker, unless it's starting with the dollar sign. Now if you look into AWS, AWS smartly decided to use a dollar sign instead of just AWS as a topic, so you can't actually enumerate it as easily as I showed right now. But there is documentation for the dollar sign, and the dollar sign is by protocol; on each and every broker you will have a dollar sign, and those kinds of topics will have it within them. Those are the topics that I've collected through the documentation and through the source code as well, so I believe we are not missing much here. So if you just subscribe to those topics on every kind of broker you will get a lot of information about the devices that are connected: what kind of devices, what kind of topics, how much traffic it gets, et cetera, et cetera. Pretty interesting, just to start with the brokers.
Then, OK, that's the thing that I've just said, and then we get into the details: what kind of devices are connected to those brokers. These are kind of a rule of thumb if you want to discover a specific kind of device; the list can go on and on, of course, I'm just presenting here whatever I found consistent. So you have the Harmony, which is by Logitech, a very interesting hub; Z-Wave, used for home automation; I've mentioned saunas, it has many saunas in Sweden if you fancy one; ITEAD's is the switch that I have, it only functions as an on/off switch, which is pretty practical if you think about it, because if you just want to make your home automated you need an on/off switch for the basic functioning, so that's pretty practical if you just buy a bunch for a few dollars and connect your house through Sonoffs. Then you have openHAB, ioBroker, Home Assistant, you will have them on the slides as well, and OwnTracks. Now OwnTracks is interesting because it's very prominent within mobile devices. Mobile devices are using MQTT too, especially apps that are connected to GPS, and if you want to spy on your kids or spouse for some reason. Now if you are using OwnTracks, that's interesting, because OwnTracks keeps GPS tracking software on your mobile device, and then connects to the cloud, on the MQTT broker, and sends the information to you, for the full-blown spying agency that you have. We'll come back to OwnTracks later again, another gem within it.
For this example I just enumerated all the topics that I could find on the device, on some broker. I guess you can't see that; it says Minus UREBurger Minus PXSineClarin5, which is maybe the password for the Mosquitto server, and maybe for its SSH. I won't recommend anyone to test it. Now that's something that is a mishap: it tried to write something on the command line and it just injected it into topics within the Mosquitto server. That's an error, of course, but we can greatly affect the operation of the Mosquitto by that. The other thing, you can't see that and I'm apologizing for that, but I'll tell you, it's just a bunch of SQL injection attempts over topics. Remember, everyone that publishes a topic will generally create a new topic on the broker if the broker does not comprehend what kind of topic you are using. So someone tried to use SQL injection on the Mosquitto broker, and the Mosquitto broker just wrote it all down into topics. Now maybe someone tried to publish all those topics, and maybe some other web application is using MQTT in the background, and someone tried to SQL inject the web application, and through that it got into the publication into the broker, and then it just listed, and now you're just seeing like, I don't know, maybe 50 lines; I'm talking about more than 50K lines of SQL injection attempts. I don't know if it was successful, but I guess it wasn't.
OwnTracks, I'm coming back to that for a second, because OwnTracks, that's the way it keeps your data: you can read, and you can subscribe to the OwnTracks server, or the OwnTracks broker, and receive some kind of information, latitude, longitude, location; there are
many types you can send in, the timestamp for that, the app of course, the accuracy of the GPS, the battery level. Those are the interesting things. Now I tried it; that's actually a genuine line, a topic that I found in some broker, and by the broker being open to the internet I just can't spy on people. Now it's something that is pretty childish, but I'm a child, so I tried it, and someone, and then there's some stuff, so that's cool. Let's open up the map and let's locate the longitude and latitude that we got. I got somewhere in Dallas. That's cool. Dallas is not cool, but yet again, we found it in Dallas. Let's zoom in, we have Google Maps, now we are in the future and we are using Google Maps to see exactly where the signal is coming from. And now it got a bit weird, because the first thing that I saw is a huge building. I will turn off the light because the impact is important. OK, yeah, no? I'll try, so you can't see anything, but then I'm zooming in and it says OK, so maybe it was the first MQTT troll on the internet, I don't know, and maybe he wasn't. And then again it's a great game, thank you very much, Troll, but I persistently tried to assess the location, OK, and persistently on it, and he, or she, moved from this location and traveled. You can see a very very obvious pattern of traffic going into traffic somewhere, and then maybe home, maybe a walk, I don't know. Maybe Archer can use it for spying, OK.
But let's get on to the smart home applications, which I said are here on this table. We are talking about this device; it's a pretty small device encased in plastic. When we uncover this plastic we can see that there is nothing important, nothing special. All devices have an on and off relay, you can see here the relay, it has the light, you can see there the light, and of course mains input and mains output. I tried to connect it to mains directly; it blew up, so don't write that, even though it says on the tin that it can support up to 10 amps. No way. So mains is not recommended; that's the reason why I'm connecting it to something else. And then at the back of it, it is much more interesting. Here you have the Wi-Fi, because you need to connect it to the MQTT; it doesn't connect through Ethernet; it hasn't heard about the WPA vulnerability yet. And then we have the Wi-Fi, we have the ESP8266, which is a crazy crazy thing right now, pretty cool; if you want to hear something about it, get one for free from me. And you have of course a very ugly kind of soldering here, air gapping, something pretty basic in electrical engineering, and that's the important stuff: a very small CPU with a very small fingerprint for memory, and you can use it for many things, and as I said Wi-Fi on board, that's pretty huge, and it only costs a few dollars just to implement that. OK, so that's pretty neat, I guess.
And it has many topics that I found interesting. In this example you can ask for the SSID for the Wi-Fi; maybe you have a second Wi-Fi, that's the cmnd sonoff SSID2; you have the Wi-Fi password on some kind of a topic for some reason; you have the second Wi-Fi password, for some reason again; the MQTT user pass has a user pass, so you can ask it to give it to you; and you have the OTA URL. That's important. OTA is over the air; over the air is the thing that makes you upgrade or download a new firmware and then upgrade your device on the fly, and the triggering for the over the air. Now I should mention that all of those topics are free to be published at, and you can ask those topics without any kind of content, and then you can be subscribed, you can get their contents, and through that you can easily enumerate the SSID and password of this location for the Wi-Fi, and you can change it as well if you publish, and by default no permissions, as we said, you can publish through those topics and change the behavior of the device. Now that's very important for our exploitation demo. In this example I've just enumerated a thousand devices on the internet just as a proof of concept, and I just deleted the IP and the IoT type,
what kind of Wi-Fi, and the password for the Wi-Fi. You can say OK, but the Wi-Fi is somewhere around the internet, no one will get to that, because it's pretty massive to fly to Sweden just for a quick sauna and then to hijack a Wi-Fi. If you are a very important person someone will do that, but for us, for the automation, again the risk is there, but you can minimize the risk by saying that. But I don't need your device, I don't need to be in your device in order to hijack this connection, because as I said we have the OTA URL, and the OTA URL will tell me where the device will get its new firmware from, and if I, as I will do in the demo in a second, publish to this OTA URL, I will get him to believe a new URL that I will input on my server, and then make it trigger the upgrade process. The upgrade process will make him restart, download the new firmware that I gave him, which I devised, and through that firmware I can hijack the actual sensor to do whatever I want him to do, like a small botnet; think Mirai in terms of IoT. OK, the firmware that I'm going to show now is called Son of Evil; it's a play on words, of course, and the Son of Angel. The Son of Angel is something that I published later, just if you want to fix your Sonoff, because there is no fix for now; you can just install the Son of Angel, which makes the dangerous MQTT functions be disabled, and you won't be affected by this exploit.
OK, so now I need to pray for a second. OK, I'm ready. So we have the broker up on the table, we have the Sonoff here, we have an Arduino just for our regulation: the two lines, the 5V and the ground, the other ones are disconnected. I'm actually using a more basic approach here; the Arduino was the older approach, it's the same, just for power regulation, nothing else than that. And of course the Sonoff is turned on and you can see the non-blinking light; non-blinking says that it is connected correctly. If it was blinking, you would get the feeling that it wasn't connected to the MQTT broker that I just designated here, and that's just a shell, nothing in it.
OK, so I'll go through the steps. The first step is to request the Wi-Fi SSID and password. Why am I doing that? Not just for fun; I need that because the second time I will use it in the compiled evil firmware. I will need to compile it with the definitions for the Wi-Fi and the password, because I want the user to get the feeling that it wasn't connected to the Wi-Fi, so I need it to be persisting and connected to the Wi-Fi. And the second thing I needed to do is to download my firmware, and it will download my firmware and then get the Wi-Fi password synced in, and then we'll connect to the internet, and we'll transmit to the internet whatever I need. I need a shell back, and we'll see, hopefully, a shell back from the device. Request the Wi-Fi SSID, put the SSID and password into the evil firmware, compile it (I won't do it right now, but believe me, I've already done it, just for making things a bit faster), publish the OTA URL from my domain, from the evil domain, the OTA URL link to point to my evil firmware just compiled, and forcefully request the OTA upgrade, and hopefully we'll have some kind of a profit and call back to the attacker. 8 minutes? So we have time. No, just kidding. So let's get into it. You're all crossing your fingers, right?
I can hear you. So I'll introduce two tools. One of them is pretty basic, just telnet connected to my domain. I'll do the case, OK, thank you. We have one tool, it's pretty basic, it's MQTTlens; there are several tools out there to use as an MQTT client. That's a Chrome extension, actually a Chrome app; it was a Chrome app but now it's an extension. Someone said something? Oh yeah, sure. So that's MQTTlens. It's a client just to use for publishing and subscribing, so just for making the publishing and subscribing via GUI and not something like hardware. It's pretty easy to comprehend: we have the subscribe and we have the publish commands. I will now subscribe. I'm connected to my MQTT demo; I'll subscribe to the broker and I will start to get messages here. Those are the messages that are persistent and communicated to me. I can see that, you can see that, I know, but the tele sonoff is online, and it has another thing that is from another demo named OwnTracks; I can see an OwnTracks record here. Now, the second thing that I will do is to show you the SSID2, because I have two SSIDs for some reason, just for fun, and the SSID2, you'll see, I just published it and got the MQTT demo on the SSID2 from the Sonoff device, meaning I just sent to the broker: hello, I want to get a command, sonoff SSID2, enacted. It was enacted on the broker; the broker thought about this publishing, he knew that the publishing means that everyone that is subscribed to the topic named result will get this result from the command that I just sent, to me from the broker. MQTT demo is something that is known. We can try the SSID2, the second one, just SSID, just for fun, and it will say something else, which is, very quoted, "not a honeypot", so don't try to connect to something named "not a honeypot". So that is SSID. I won't show the SSID2 password right now, but just after the demo, and someone will try to connect to it as well. So no, I just need a connection to the broker from somewhere around the internet, and the brokers are usually on the cloud or on the front of the internet, because you want them to be available from the internet.
OK, so now I've asked for SSID and SSID2; now I have this information. I can ask for password and password 2 and I will have this information. And the other thing that I need to check is the OTA URL. I want to know what kind of OTA URL is right now on the device, and I have imdelmos.com slash pocgood.bin. But we don't want to be good, we want to be bad, or evil, so we'll publish, change the topic to be http imdelmos poc evil bin. OK, I think it's cool. So now I will publish it and it will return a result signifying that there is a new value for the OTA URL, named imdelmos.com poc evil.bin. Now the fun part. I'll just ready my machine. OK, I need to prepare. OK, better, I guess. OK, I think it's pretty decent. I'm just opening up the connection; of course the port needs to be 1337, that's the designated port within the firmware that will connect to it and give a shell back. And now we need to pray. I need to pray, and we'll have an upgrade, forcing an upgrade. I'm just changing the command to upgrade, and the message will be 1, for forcing an upgrade right now. Ready? No one is ready. OK, I can't see you but I believe you. Upgrade. OK, that's good, that's supposed to happen. Now it downloads my evil code. Is it hot here?
Just me? Yeah, yeah. imdelmos is real, you can do it by yourself, you can download it by yourself, imdelmos slash poc evil.bin, you can have the binary if you want. OK, we're waiting. We should have an indication that the download was successful, and it should be restarting in a few seconds. Boot loop. It happens from time to time; I need to do it again, maybe one time, but it should be OK. Boot loop means that it has some kind of communication problem, but I'm just doing it again. So again I'm publishing an OTA URL which is unfamiliar for him, and now I'm upgrading. So the Sonoff is starting; that's a good hope.
So just to finish it up, I want to say thank you again to everyone for being here and thank you for the opportunity, and now we have some time for questions. I think we have 4 minutes 45 seconds; that's a lot, so we have some time for one question, maybe one question. I can't see anyone. One device? Oh, you have me. Thank you, thank you for this question. The chip is an on/off chip; you can put it on and off, that's it, remotely, because of the Wi-Fi chip. It's pretty easy to implement within the wall or after a socket, and then you can just make any kind of home device into an automated home device. One more question, because it was a very basic one. One more question. OK, my server, the broker, in my case, just for convenience for the demo, it is right here in the Raspberry Pi in the same vicinity, but usually you will have a broker within your home which is connected to the cloud, or some other, maybe not cloud, just other servers, which are fronting the internet, so you can connect from the outside and do things like, I don't know, you want to preheat the water before you get home. So you need... you assume it isn't; most of the devices that I checked, I think more than 70% of them, weren't at any gate. Or I think, I want to answer this guy, can I answer this guy about mitigations? First of all, wait before you implement; you can call it the first generation. That's the best advice I can tell you, but if you are eager to use MQTT, know your devices. Don't buy anything that you can't read the code of by yourself, for now. And hopefully, I'm collaborating with other researchers in MQTT and trying to devise a protocol for this kind of communication between the broker and the publisher, but for now just know your publisher and authenticate by default, without anonymous connections; that will solve most of the problem. Thank you guys, thank you.
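As an added example, not code from the talk, from Mosquitto or from the Sonoff firmware, the following Python models two points the speaker makes: how the `#` and `+` topic wildcards resolve (including the rule that a wildcard never reaches `$`-prefixed broker topics), and what the closing advice (no anonymous connections, per-topic permissions per publisher) looks like as an allow-list check against the open default the talk found on most brokers. Client names and topic names (`cmnd/sonoff/...`, `stat/sonoff/...`, `weather/JLM/...`) are constructed for illustration.

```python
"""Topic-filter matching and a per-topic authorization check for an MQTT broker.

Added example, not code from the talk, from Mosquitto or from the Sonoff
firmware. Client names and topic names (cmnd/sonoff/..., stat/sonoff/...,
weather/JLM/...) are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if a subscription filter matches a concrete topic name.

    Rules as described in the talk: '+' matches exactly one level, '#'
    matches everything below it and must be the last level, and a filter
    that starts with a wildcard never matches a topic whose first level
    starts with '$' (the broker's own $SYS-style topics).
    """
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if t_levels[0].startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1   # '#' only valid as the last level
        if i >= len(t_levels):
            return False                     # filter is longer than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass
class AclRule:
    client: str   # authenticated client name
    access: str   # "read" (messages delivered to it) or "write" (publish)
    pattern: str  # topic filter the rule grants, e.g. "stat/sonoff/+"


@dataclass
class Broker:
    """Toy authorization model for the two broker setups the talk contrasts."""
    allow_anonymous: bool
    rules: List[AclRule] = field(default_factory=list)

    def permitted(self, client: Optional[str], access: str, topic: str) -> bool:
        """Decide whether `client` (None = anonymous) may `access` `topic`.

        With anonymous access and no rules this is the open default the talk
        found on most internet-facing brokers: everything is allowed. Once
        rules exist, anything not explicitly granted is denied.
        """
        if client is None:
            if not self.allow_anonymous:
                return False          # connection would be rejected outright
            client = "anonymous"
        if not self.rules:
            return True               # no ACL configured: wide open
        return any(r.client == client and r.access == access
                   and topic_matches(r.pattern, topic)
                   for r in self.rules)


# Constructed topic layout loosely following the talk's Sonoff naming.
OPEN_BROKER = Broker(allow_anonymous=True)
LOCKED_BROKER = Broker(
    allow_anonymous=False,
    rules=[
        # The switch may receive commands and report status, nothing else.
        AclRule("sonoff", "read", "cmnd/sonoff/+"),
        AclRule("sonoff", "write", "stat/sonoff/+"),
        AclRule("sonoff", "write", "tele/sonoff/+"),
        # The phone app may only toggle the relay and read status.
        AclRule("phone-app", "write", "cmnd/sonoff/Power"),
        AclRule("phone-app", "read", "stat/sonoff/+"),
    ],
)


def ota_url_writable(broker: Broker, client: Optional[str]) -> bool:
    """Can this client publish to the (constructed) OTA-URL command topic?"""
    return broker.permitted(client, "write", "cmnd/sonoff/OtaUrl")


if __name__ == "__main__":
    print(topic_matches("weather/TLV/#", "weather/TLV/humidity"))  # True
    print(topic_matches("weather/+/temp", "weather/JLM/temp"))     # True
    print(topic_matches("#", "$SYS/broker/version"))               # False
    print(ota_url_writable(OPEN_BROKER, None))                     # True
    print(ota_url_writable(LOCKED_BROKER, "phone-app"))            # False
```

The last two calls are the talk's point in one line each: on the open broker any anonymous client can rewrite the firmware URL, while on the locked-down broker only the device itself may read that command topic and nobody but an explicitly listed client may write to it.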