Yeah, you don't need to hear that. So welcome to DEF CON 24, you guys having fun? And as you can see, my name is Lucas. Um, worked for a company called FortConsult. And it's no secret however that we're going to talk about something called MQTT today. Some of you might have heard of it, some of you might not. So um, I think it's going to be awesome anyway. So please do enjoy it guys. So who am I? My name is Lucas. I've been pen testing stuff, basically since the age of 12. And I've worked for companies such as Sony Ericsson and I've active. Of course there will also be a Q&A afterwards if you guys want to step up and talk to me about the stuff I'm going to present today. I spent a lot of time in unhackable environments. So um, I got some experience in, in web application pen testing, fuzzing as well as network pen tests. Of course it's going to act up right. So what are we going to talk about today is IoT. And IoT is like a word to use as cyber. So IoT could be anything. Um, but it's mostly devices or intelligent devices that we hook up. I feel that it's a little bit dangerous. And I started looking up stuff I had at home. And that's how I stumbled upon this protocol I'm going to speak about today. So MQTT. What is it? It was invented in 1998. In 1999 by Andy Stanford-Clark and Arlen Nipper. I think Andy worked for IBM back in the days. And they wanted to create a new protocol to combat basically slow connection speeds. And that could be anything from satellite connection to low modem. It should have a quality of service which means that you could prioritize all the stuff as well. The MQTT stood for MQ Telemetry Transport. And the MQ is of course something, IBM something, something product back in the days. Today it's royalty free as of 2010. It's been approved as an OASIS standard since October 29th, 2014. What that means, I have no clue. But what I do know is that this July it was also approved as an ISO standard. Current version is of course 3.1.1.
So what we know as a server, the MQTT calls a broker. And this broker has clients connected to it. These clients however listen to what the other clients are sending in. So it's basically a two-way communication even if it's stated as a client. Now the data it puts in could be anything. So we'll see in a moment what that could be. Of course it's also dependent on how the clients are set up. For instance we have a good example here where we can see my home attic. And in my home attic I have sensor one. And those are called topics. I tend to think of them as IRC channels basically. So you join a channel and then you join a sub channel. It's easier for me to keep track of. And you can name those anything. For instance, all on Johnson, all on piano. But you should also remember that as well, right? There's also the hashtag. And you guys that are probably developing for MQTT right now, things like hashtag, yeah. But we'll get to that in a minute. So how does this work? I hope you appreciate the nice graphics. Took me like forever to make this. So for instance we could have a logistic packet delivery. And it sends data to the MQTT server which is known as the broker. That one can contain like all the packet information such as the weight. As well as where it's heading, coordinates, GPS, et cetera, et cetera. Address, recipient address. It can also communicate to the transport truck. So if you do that wirelessly, the transport truck knows what kind of package is being transmitted. And they can make adjustments accordingly. And now the graphics is a little bit, ah, man. So let me upgrade that for you, right? It's kind of hard when the presentation was harder than the actual finding, right? So this is the MQTT according to TechTarget. And as you can see on this screen, it's transport logistics, logistics as well as security, industrial and medical and healthcare. And this picture got me scared. And you guys should probably be scared too.
Imagine what if there is a protocol that will allow anyone to read the data being transmitted or even perhaps manipulate the data being sent in. And you see this kind of stuff up here. That's a diaper change for sure. So what kind of software are we talking about? The common and free commercial MQTT software that's out there, the most common one is probably the IBM WebSphere as well as Mosquitto and HiveMQ. Those are the most common ones that I saw out there. This is the MQTT manual, by the way. And I'd like you to keep this in mind, right? This is directly, the link below goes to the MQTT manual in that section and describes exactly there are a number of threats that the solution providers should consider. Sorry, I'm laughing because devices could be compromised. Data at rest in clients and servers might be accessible. There's also the possibility of denial of service and timing attacks. And communication, listen to this, could be intercepted, altered, rerouted or disclosed. And further they say that MQTT is often deployed in hostile environments. And we all know internet is pretty nice, right? There's nothing going on there. So querying Shodan for this. You can see that Shodan has, you can see my search query, just port 1883 which is the MQTT unencrypted port. And the top countries here are China, United States as well as Singapore and Japan and Germany. For a total of 17,711 devices at the time when I wrote it, it can change. The data that Shodan has about the MQTT is basically this. You only see the topics. And I wanted a little bit more than that. So let's just scan the entire internet, right? Because that's what you do when you want to find something. So according to the vendor, you're not supposed to subscribe to the hashtag because that takes up a lot of memory and your MQTT client might crash, of course. And the hashtag indicates everything. By that, I mean everything inside a topic.
So for instance, we have something and something and then I have the hashtag. And yes, if you're a developer, you see the first slash, which is probably very wrong on me and not recommended according to the manual, but yeah. Dude, it's an ANSI. It's a typo and it takes time to change. So enjoy it. Anyway, that one gives you access to everything inside this topic, right? And Shodan just didn't have that information. I made a small script and this is very, very freaking lame, man. I made a small script that actually subscribes to the hashtag sign and I call it Hodor because of, you know, I'm not going to spoil it, man. If you haven't seen Game of Thrones, man, I'm not going to spoil it, trust me. This is my reaction, by the way. It's pretty accurate. It doesn't look like me or does it? I don't know. Blue hair. And first of all, it's the, oh, my freaking God. What kind of stuff did I get here? And this is the first thing I found at Shodan. So I just took it and just threw my Ruby script at it and I got, like, get voicemails. There's a session ID. I found out later that this session ID is actually tied to their web mail. If it works, I don't know. There's also a Base64 chunk in there and inside the Base64 chunk, you can see that there's the username as well as the mobile phone number, the name of the person, the address, everything I would need to conduct a nice social engineering attack. Further down, which is not included, is also their voice message and auto response for the email. In this case, someone was on sick leave and should return 25th of June. So this is just me showing how the script actually works. It's for those who haven't touched MQTT. I hope the resolution is all right. Basically what you do is just execute the Hodor script and this is a public test server, by the way, and you can see all the data that it's gathering. And of course, this is a test server. So don't worry. I would like to especially thank Archie who does the ArchStrike distro.
He was with me last night at my hotel room and thought my Ruby script kind of sucked. So he made an awesome Python script that hopefully is way faster than my Ruby script. And in a couple of hours it's probably going to be on the ArchStrike repo for those interested. So thank you very much Archie. Here is how it looks with MQTT.fx. And MQTT.fx is for OSX and it allows you to actually subscribe. And if you find a nice topic like I did, you can see in the test server, there are GPS coordinates of ferries. But however, this is a test server so we shouldn't worry. Right? The problem with the UI version is that if you just subscribe to the hashtag sign, what will happen is that it will consume so much memory and hang the application because there's so much data going. So what if we just reverse engineered the protocol? Because you know, I don't like reading manuals. Who does, right? So what I did was take the hashtag sign and actually in Wireshark just captured the negotiation. And then I thought to myself, is there a tool that I can use that I can actually send this hashtag sign into while scanning the entire internet? So I know this guy, Rob Graham. I don't know if you heard of him. But even if you haven't, give this guy an applause because masscan is fucking awesome. So come on guys. Come on. He deserves it. He deserves it. He deserves it a lot because this tool made it way easier for me. But there was one problem. I've seen people use the hello string which I'm going to talk about in a bit, but they never seem to get it working. So the Kraken only obeys its master or does it. So masscan is able to send data through the hello string. And the only proof it works is from Mr. Graham. He did like the ClamAV scan on his Twitter and blog. And he actually got it to work. But no one else seems to get it to work. So I did like Robert Graham described by setting the iptables to drop everything on port 6000.
And of course, telling that to masscan as well. And you can see I have kind of encapsulated the bracket signs around port 1883. And that is basically the thing that made it work. So you have the full strings used in the bottom as well. The below one is the basic four string of the hashtag sign. Do you think I got any data by the way? Mass scanning the entire Internet. I took it for like one, two days scanning the entire Internet. This is what I found. 2.8 million results which I had to throw into ELK, which is Elasticsearch, Logstash and Kibana. And that sucked, dude. That sucked. So if someone here is from any of those three, please make it easier because doing ROP is way easier than this. And what kind of data did I find? In this case, it's an emergency response system. I can't tell you which country. But as you can see, we have a case of infectious Lassa fever. 1,400 level people are infected. And there is an expected 6.2 meter flood. Nice. I wouldn't want to be down there because they also have a case of maybe infectious malaria. 599 people infected. Now, I don't know if this is a test server. I certainly hope it is. So the big question is, can we send data to it? Can I say 3,133 people were infected with the zombie virus at DEF CON? And where will that data end up? Will a doctor get a page saying, yo, man, there's like the zombie virus at DEF CON. We need to go, man. So before we find out if it's going to get worse, dude, it's going to get so much worse. So using the Kibana logistic, I was able to map a lot of the MQTT devices, you see. And the MQTT devices, you can get like the geolocation. So you can see where there are the most MQTT devices. And I took Australia, Australia as an example, because the world map was, you can actually zoom in and see who owns the IP, who actually, what kind of data is in there. So the actual data that masscan captured during my scan. Really nice, it takes a lot of CPU power for 2.8 million devices.
Now, not all of them were, of course, MQTT, but I found stuff like a distance sensor, just out of the blue, because it's fun. And the distance sensor, this one is probably measuring distance between packets and those rubber gateways the package goes through. That's just my guess. So what kind of device type? That is the trick question that everybody is asking themselves, what kind of device types did you find? Well, I would love to share, but everything is custom. I mean, they built it in their own way. Their clients respond in their own way. So it's kind of hard for me to actually say that yeah, there are 10,000 devices of this type, that is a heartbeat sensor or that it's a medical device, because there were so many. But if you're awesome and if you do big data stuff, and if you can fix that, that would be freaking cool. Here we go. It's starting. I'm just going to get a drink, guys. Cheers. So in this case, we have a pipeline pressure control server. And as you can see, I've censored out a lot of stuff, like the FTP username and password. I've also censored out some other server name, of course. But you can also see that the pipe pressure and the decimal signs. So that's a bit scary. Can I change that maybe? That'd be cool. And I don't know what's going on in the below thing here, but there seems to be tracking someone called Ramon. I don't know if this is government. I will probably know after the talk. But they were tracking GPS locations for someone in some kind of vehicle traveling at a speed. And I actually followed that thing on a map. So what it is, I don't know. Hopefully it's just test equipment, right? Cars. How about cars? There's actually, you can see the speed, 81 kilometers per hour. And I followed that with the GPS coordinates and it was traveling on a highway. There's also something called SV break. Yeah. And below that, we have something even worse. And I've censored out a lot of stuff. 
As you can see, it's actually when connecting to the MQTT or gathering the data, what I saw was usernames and passwords to their entire infrastructure. Customer database as well as a member registration system to the JIRA, to the source codes. And that was just plain open MQTT. And the thing is if you do an Nmap scan or if you try to connect to it like with Netcat or any other tool, it would just close the port because you're not sending the correct string. So that's what masscan does and what my Ruby script does is it sends the correct string in order to get the data. So if you were doing a scan right now, you wouldn't find much. I mean with Nmap. Unless someone here is actually working on an Nmap script right now, that would be freaking awesome. Let's get back to more of those later. It's going to get much worse. You guys remember the question I asked? Can we send data to it? Now I probably know a couple of developers in here that says yes, no, maybe not to mine of course. So this is a screen slide demo, right? So what we have here is I connect to a public free server. In this case it's probably iot.eclipse.org which is a test server for the MQTT protocol. And what I do here is I subscribe to the yes we can topic. I then publish yes we can, of course to the yes we can topic. And what you get is of course, yes we can. I'm listening with my Ruby script. So that means, hold up, what does that mean really? That means we not only can listen in, we can send data to it. So all those things you saw, like the car, like the brake, and all the other things, we can send data to it. And how does that react? And it's all up to the client really, how it reacts. Because the client can be set to actually do nothing. Or it can say if the radiation is below six, then you need to do nothing. If it's above six, turn on the fans. If I say that the radiation level is always going to be zero. Now we're talking people that might get hurt. Now we're talking structural damage.
Now we're talking things that are automated that will go to hell, basically. And of course some developers might argue that yeah, there is a way to protect it. There is a way to actually do something about it, but I haven't seen it. I also did a scan for MQTT servers having username and passwords. And MQTT servers actually having encryption. Because that is actually supported. I found two. So two guys are actually doing it the correct way. And of course these numbers might change. So if you're in the same route as me and you can actually do like a scan, then those numbers might have gone up or gone down. Hopefully they've gone up. So what kind of protection are we talking? Because sure, we're at DEF CON and I can say yeah, we can break it, we can hack it, we can tweak it, we can do whatever we want with it. This is mine now. But in real life we need to talk a little bit about protection as well. And of course you can enable username and password support, which you should. You can use encryption such as TLS 1.4. That's for the official release. So it's not the best, but it might be downgradable. Especially if you're on the same network of course. But what they really need to do is segmentation and trusts. So it only accepts from certain IPs. That's one way to do it. You should combine all these of course. You should have like a username and password as well as the encryption and of course segmentation. And if you can, an IoT type gateway. But that's not always the case. Remember that MQTT was designed to be small, efficient and no matter the bandwidth be able to send data to its clients. So having a big clunky IoT device that is supposed to be a gateway for encryption might not be the correct purpose, right? So what else can we find in here? This is an ATM. What you can see here is which I highlighted in green is the operating system, which is Windows 5.1. You can see what type of hardware they're running. You can see how much money there is in the ATM.
You can see how much commission it takes out, how many bills, counts, errors, error messages. I mean this, you can even see the modem that you're using. And remember, we can write to it. So what would happen if I said that the disk space is now zero? Or that it's out of bills? I mean you can only imagine what can and will happen. It's kind of crazy. I mean when I saw this one, this was the last thing I kind of saw when I dug through my scan. And this is, I wouldn't understate it if I say that it's bad. So secure chat messaging everyone. How many have a secure Android app that they do like secure chatting on? Yeah, cool. I hope it's one of the better ones because this is not good, man. I don't know what the message says because it's not my language. So if it's any profanity, please forgive me. It could mean anything but there is a message. And this is, I've been listening to entire conversations both in English and in whatever language that is between people. And it's not only the message. It's the IMEI number. It's the mobile phone number. It's the username. It's the registered email. Everything is here in the MQTT. I'm just gonna put on my walking mic. So is this better guys? Can you hear me? Yeah, awesome. So as you can see, there's a lot of text messaging going back and forth. Once again, remember, you can still interact with it. That means that I possibly could send a message from one user to another stating something like, hey, I need $100 on my account. Here's my account number. And they would get it through the app, of course. All right, let's go through what I call the whoops list. And this is basically what I found. A little bit about what I found. So you decide to connect your company to that MQTT broker you have publicly. Not good. You thought that running an EBS emergency system was an awesome idea. Let's do it. Get to the chopper. The news server retrieves its news from the MQTT broker. I've seen people subscribing to CBS, CNN and get the latest news.
Now again, remember, we can interact with it. 3,103 to 3,7 zombies at DEF CON. Stay indoors. Close your doors. It's going to get nasty. Or even attaching 15,000 ATMs to a publicly open MQTT server. How I know that? That's just because you can query the MQTT server as well. How many clients are connected? And with the ATMs that I found, 15,000, that will crash my user interface. I had to use my lead Ruby script to actually listen in. And there were 15,000 ATMs connected. How about running your earthquake alarm system over MQTT? Of course, this stuff I hear I can't show. Man, because it's so sensitive. They would kick me off stage. How about taking MQTT, retrieve data and pushing it directly into an SQL server? That sounds like a bright idea. Using public brokers for your entire company, like using the iot.eclipse.org, which is like a development slash test for your MQTT, and using that as a real life system. It's like it's there, right? Let's set it up. We can use it. How about pushing software updates by MQTT to cars? I have seen software updates for a certain car brand go through MQTT. And all it does is pushes the URL in. And what I have to do? Remember, we can write so I can probably change the URL and download my binary file instead. There's probably some safe sex. Safe sex. There's probably some safe checks. Why not installing an iPhone or Android app to keep track of where you are at all times? I've seen that. There's a lot of those out there so I can keep track of where people are, how they're moving, when they're in the car. How about exposing your entire Bitcoin wallet over MQTT? When you do your transactions, of course. That's nice. So you probably set up your own MQTT server at home. And when you do transactions, you like send it to that one and that handles your wallet. But you do it without using an impasse for an encryption. Nice. How about taking the MQTT data and just pushing it directly to your home page? Does that sound like fun?
Just taking the data you get from the MQTT in any topic and just like pushing it onto a home page. Or putting username passwords and URLs and IPs inside the MQTT, especially to your development service. There were a lot of those out there. What else did I find? Prisons. The ability to open prison doors. I could see the commands being transmitted to the MQTT with a cell door X, Y, Z open. Cell door X, Y, Z close. If I could send data into that, how many of you guys have seen Mr. Robot? Never heard of it. Awesome, dude. If you've seen season one, should I spoil it? Yeah, come on. You have to see in season one. If you've seen season one, he actually has to hack a cop car in order to get access to the prison where it's going to open. Dude, man, MQTT will do it for you. So how about car firmware or entertainment system? You can see in the entertainment system what they're doing. I saw someone watching a YouTube video. I could change that. Yeah, I hear your imagination is running well right now. So fitness bands. God knows I need one. But there was a certain brand out there that it communicated that I saw. There's also medical equipment. I don't know if this is test or not. I freaking God hope it's a test server. But you can see the insulin being inserted. You can see like the heartbeat of the patient. You can see, I mean, like everything that has to do with the oxygen in the mask and how much oxygen actually comes through. They sent that over MQTT, unencrypted, and I please let it be a test server. Session tokens. Like web applications, session tokens. And if you're unaware, you can actually reuse those by actually posting those to your own proxy or whatever you're using. Bitcoin information. There's a lot of this out there. Especially when people are doing personal and private transactions.
You know, like in Bitcoin, you can say like, I would like to buy one Bitcoin and I'm in this neighborhood and it hooks you up with another guy that's in the same neighborhood and then you can go physically shake hands and say, I want to buy Bitcoins from you. Well, that was online. A lot of it was online. So if you're big and bulky, you can probably go there and get the Bitcoins yourself. Power meters. How much voltage is going through? Not only that, but also the radiation meters. How much radiation there currently is in a certain location? As mentioned before, we can write. So if I change that, what will happen? If there's someone inside the radiation level doing something and then I say that radiation level is zero, what will happen then? Are the fans turning off? People use this as an industrial system thing. It's lightweight. It's fast. And we're not bashing MQTT. It's real nice, but it's, that was 1998. It's 2016. I believe I could be wrong though. Air condition, humidity controls in server rooms. There's a lot of that flight information. This one is sensitive. Flights going from to where? The speed? The altitude? The flight number? What if I were to write flights? XYZ is now at velocity zero, altitude zero. Or we can do like CSI Cyber did. It was like several airplanes going in different directions. And I verified those things go on a real physical, not physical. That would be like a real map online where you can track the airplanes. You could probably change that. You have graphical data like earthquakes, etc. So they actually have a page that warns you if there's an earthquake or where there's been an earthquake and you can actually change the data in that one. Raw data. I found someone having a webcam and it was a Base64 image being sent all the time. So what I did was took the Base64 and just transcoded it, decoded it. It's not even an encryption, come on. And it was an image of a guy. So his webcam was on and transmitting over MQTT.
I see raw SQL statements being transmitted. I see commands being transmitted to Windows servers like CMD and what it's going to execute. Enough about a rant. I think you get it. I mean cross-site scripting over MQTT. And this is using the example code that some of the vendors have on how to actually push MQTT onto a home page. So you just took that one out of the box and just put it up and just fired away. And we got a cross-site scripting. And how about SQL injection? This snippet is actually from one of the vendors as well. How to push your MQTT data into an SQL database. And there's nothing going on above. It's just this raw statement here that says like everything that comes through the MQTT is just push it into an SQL. And that would indicate that you have an SQL injection as well. While doing my efficient stuff sitting down and thinking at the white throne, MQTT is designed to actually be fast, proficient, and being sent to a lot of clients at the same time. So how about if I build a botnet over MQTT? That would be nice. Then we can switch from IRC and our own botnets, you know, and just go over MQTT instead. But basically there's so many public MQTT servers out there. And I mean thousands. You can just pick one. You can use whichever you want. You can make an algorithm that actually changes which server you're using. So without further ado, we'll start with the single host backdoor. And here I am on the public IoT Eclipse server, connecting to it. I have a channel which I subscribe to which is the backdoor online. And then I go to my little malware I made with a PDF icon and double click. And what you see is what is that beating my master over MQTT. I now add the host name to the topic as well. So I subscribe to that one. Of course with the get CMD and send CMD topics as well. And then I send dir and I get the response back over MQTT from the server. How about botnet style with multiple clients running over multiple operating systems.
So you're assigned to the channels again. And then I have my Linux and I execute the Python which is compatible to EXE or ELF if you like. And you see me lobby a long time which is my host name. You also run the Windows one. Now the thing with botnet is I didn't design it to actually receive any commands. I designed it to actually send in commands. So what I do here is dir so I don't get any response back. But you can see I did the LS as well and the LS lists to file using the client. Now what if I write notepad and I have wine installed with notepad running. You can see notepad started on the Windows XP machine of course. As well as if you give it a couple of seconds. It started notepad on Linux as well. That means that this protocol is assigned to tens of thousands of machines to spread data efficiently. And now you can turn that into a botnet. Yeah, it's black. It's supposed to be black. So how are we on time? Anybody know? All right. Cool. We have some time for some Q&A afterwards. So what's left? We have about around 59,000 brokers. We have sensors. We have ATMs. We have cars. Even airplanes. And we can change the data. So I'm going to leave you with one sentence before you go. Please do not expose MQTT over internet. Thank you very much guys. So if you guys want to ask questions, you can step up to the mic and just ask me. Some of the data I have is very sensitive. So I might not be able to share with you.

Question for you. Yes. Do you have any way of telling what's a test server and what's not?

No, that's one of the problems as well. It's hard to determine what is real and what is not. So when I used it, I used the public known test servers to actually gather some of the test data that was used. But I would say most of, I would say 60% is real life servers running. And then I'm counting low. There's probably more. But about 60%, I would say are real servers running.

So like, so the industry recommends now that you use basically a proxy of some sort.
So for example, like the AWS IoT.

Yeah, exactly. I mean, hardware device, I would recommend to have like an IoT gateway or something in front.

Yeah, I would take it with digital signature.

Yeah, but then again, small sensors like you have a small Raspberry Pi or have like an Arduino and you don't want this clunky big ass box you put in. Then I mean, what to do? You have TLS. Yeah, you have username and password, but I wouldn't expose it to the internet anyway.

Absolutely.

Hey, just a quick update, please exit out the back, the back of the building only. Thanks.

Okay, so this is more of a marketing thing. But according to the webpage, this is actually SCADA, right? The SCADA. So you probably would have brought in a lot more attention if you had dealt that up with or at least drew attention to the fact that SCADA is that this is SCADA.

Yeah, it's both using SCADA and Raspberry Pi and hobby projects as well as medical equipment, as well as the industry, as well as temperature and voltage control. IBM has their own stuff and everybody has all the things all the things.
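Two points from the talk above lend themselves to a worked example: the `#` wildcard that hands a subscriber every message on a broker, and the "segmentation and trust" mitigation, which in practice means a broker-side allow-list of topics per authenticated client. The block below is an added example written for this transcript; it is not code from the talk, from the speaker's Hodor script or from any MQTT broker. It implements MQTT 3.1.1 topic-filter matching from the specification and a small ACL check on top of it. The client names (`attic-sensor-1`, `dashboard`), topics and messages are constructed for illustration, and the ACL layout is an assumption of this example rather than any vendor's configuration format.

```python
"""Added example: MQTT 3.1.1 topic-filter matching plus a broker-side ACL check.

Shows why a subscription to '#' receives everything on a broker, and how a
per-client allow-list of filters keeps a client inside its own topic tree.
Client names, topics and messages are constructed; the ACL format is assumed.
"""


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if a published `topic` matches the subscription `topic_filter`.

    MQTT 3.1.1 rules: '+' matches exactly one level, '#' matches all remaining
    levels (including none) and must be the last level. A filter that starts
    with a wildcard does not match '$'-prefixed broker topics such as '$SYS/...'.
    """
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if t_levels[0].startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(allowed: str, requested: str) -> bool:
    """Return True if every topic matched by `requested` is also matched by `allowed`.

    Used to authorize a SUBSCRIBE: a requested '#' is only covered when the
    allowed filter already has '#' at the same or an earlier level.
    """
    a_levels = allowed.split("/")
    r_levels = requested.split("/")
    for i, a in enumerate(a_levels):
        if a == "#":
            return True
        if i >= len(r_levels):
            return False
        r = r_levels[i]
        if r == "#":
            return False  # requested wants the rest of the tree; allowed does not grant it
        if a == "+":
            continue      # one level of anything, including a requested '+'
        if r == "+" or r != a:
            return False
    return len(a_levels) == len(r_levels)


# Constructed ACL (assumed format): per authenticated client, the filters it may
# subscribe to and the topics it may publish to. No entry means no access, so an
# anonymous or unknown client is denied everything.
ACL = {
    "attic-sensor-1": {"subscribe": ["home/attic/sensor1/config"],
                       "publish": ["home/attic/sensor1/#"]},
    "dashboard": {"subscribe": ["home/#"], "publish": []},
}


def authorize_subscribe(client: str, requested_filter: str) -> bool:
    """Broker-side SUBSCRIBE check: some allow-listed filter must cover the request."""
    allowed = ACL.get(client, {}).get("subscribe", [])
    return any(filter_covers(a, requested_filter) for a in allowed)


def authorize_publish(client: str, topic: str) -> bool:
    """Broker-side PUBLISH check. Wildcards are never valid in a publish topic."""
    if "#" in topic or "+" in topic:
        return False
    allowed = ACL.get(client, {}).get("publish", [])
    return any(topic_matches(a, topic) for a in allowed)


def deliver(subscriptions: dict, published: list) -> dict:
    """Fan constructed messages out to subscribers the way a broker would.

    `subscriptions` maps client -> list of filters; the result maps client ->
    list of (topic, payload) it would receive.
    """
    received = {client: [] for client in subscriptions}
    for topic, payload in published:
        for client, filters in subscriptions.items():
            if any(topic_matches(f, topic) for f in filters):
                received[client].append((topic, payload))
    return received


# Constructed sample traffic, loosely modelled on the kinds of topics mentioned in the talk.
SAMPLE_MESSAGES = [
    ("home/attic/sensor1/temp", "21.5"),
    ("home/attic/sensor1/humidity", "40"),
    ("plant/pipeline/pressure", "4.2"),
    ("$SYS/broker/clients/connected", "3"),
]

if __name__ == "__main__":
    got = deliver({"snooper": ["#"], "attic": ["home/attic/+/temp"]}, SAMPLE_MESSAGES)
    print("'#' subscriber received", len(got["snooper"]), "messages; scoped subscriber received", len(got["attic"]))
    print("anonymous may subscribe to '#':", authorize_subscribe("anonymous", "#"))
    print("dashboard may subscribe to '#':", authorize_subscribe("dashboard", "#"))
    print("dashboard may subscribe to 'home/#':", authorize_subscribe("dashboard", "home/#"))
    print("attic-sensor-1 may publish to the pipeline topic:",
          authorize_publish("attic-sensor-1", "plant/pipeline/pressure"))
```

Run as a script it shows the unscoped `#` subscriber receiving every application message (the `$SYS` topic is excluded by the spec rule), while `authorize_subscribe` rejects `#` from both the unknown client and the `dashboard` client, whose allow-list stops at `home/#`. The same two functions are what a broker ACL or an IoT gateway in front of the sensors has to get right: `filter_covers` decides subscriptions, `topic_matches` decides publishes.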