IoT devices based on the MQTT protocol have become the number one carrier and target of hacker attacks

According to Forrester's latest report, "The State of IoT Security 2023," MQTT-based IoT devices are becoming the number one carrier and target of hacker attacks.

IoT device security has "congenital flaws" at the design stage: devices that keep their default passwords for a long time are extremely vulnerable to attack. Additionally, as mission-critical IoT systems rapidly expand the roles and identities assigned to the devices closely tied to them, those devices are becoming a favorite high-value target for hackers.

In the second half of 2022, 34.3% of computers in the industrial sector were affected by attacks. In the first half of 2021 alone, there were as many as 1.5 billion attacks on IoT devices. More than 40% of IoT systems have blocked malicious objects.

01

MQTT protocol application scenarios

The MQTT protocol is designed for the many environments with limited computing power, low bandwidth and unreliable networks, and it is very widely used. Plenty of server (broker) software now supports it, and client libraries for languages such as PHP, Java, Python, C and C# can also send messages to an MQTT broker.

Here are a few of our concerns:

1. It uses the publish/subscribe message model and supports one-to-many message publishing;

2. Messages are transmitted over TCP/IP;

3. The packet format is simple;

4. The default port is TCP 1883 and the WebSocket port is 8083; on these ports messages are not encrypted by default. Port 8883 is the default port for MQTT encrypted with TLS.

There are three roles and one main concept in the MQTT protocol. The three roles are publisher (PUBLISHER), subscriber (SUBSCRIBER) and broker (BROKER); the main concept is the topic (TOPIC).

The sender of a message is called the publisher and the receiver is called the subscriber. Both connect to the BROKER in order to publish or subscribe. The BROKER is generally the server, and the container in which the BROKER stores messages is the topic. Publishers send messages to topics, and subscribers must "subscribe to a topic" before they receive its messages; once subscribed, a subscriber receives every message published to that topic.


Its MQTT protocol flow chart is as follows:


02

Attack points of the MQTT protocol


Based on the MQTT protocol and the full-link characteristics of the Internet of Things, the following attack points can be identified:

  • Authorization: anonymous connections. Anonymous access means anyone can publish or subscribe to messages; if the topics carry sensitive data or control instructions, this leads to information leakage or to malicious instructions being issued by an attacker;

  • Transmission: traffic is unencrypted by default, so it can be intercepted by a man-in-the-middle, and the username and password used for authentication can be captured;

  • Authentication: weak passwords. Because credentials can be brute-forced, a weak password is also a security risk;

  • Application: the subscriber side stores its configuration in plaintext, leaking the username and password it authenticates with;

  • Vulnerabilities: flaws in the broker software itself can be exploited, and improper parsing of message content by the subscriber or the broker can open security holes that compromise the entire system.

Exploitation of MQTT protocol attack points

At present there are open-source tools for working with MQTT; the one mainly covered here is the powerful and easy-to-use mqtt-pwn. Its GitHub address is https://github.com/akamai-threat-research/mqtt-pwn

  • MQTT anonymous access 

Some MQTT broker software enables anonymous access by default. If the administrator has no security awareness or is simply lazy, anyone can access the broker directly as long as it is exposed to the public network.

Use the connect command of mqtt-pwn to connect. connect -h displays the help text, and the same applies to the other commands; read the help and the documentation while using the tool and you will be familiar with it soon. For an anonymous service, connect -o host is enough; the command also accepts a username and password. If no connection exception is displayed, the connection succeeded. Once connected, system_info shows the broker's system information.


Next you can view topic information and other content. First execute discovery and wait for "scan #1 has finished" to appear, then run scans -i with the scan's serial number, and finally the topics command to list the topics. discovery accepts a -t parameter to set the timeout, and topics accepts -l to set the number of entries to display.


The messages command shows the content of a topic; use -l to limit the number of entries and -i to view a single message in full.


  • MQTT username and password blasting 

Metasploit has an MQTT brute-force module, but in actual testing its results were not ideal, so mqtt-pwn is used here as well. mqtt-pwn has a bruteforce function and ships with a simple dictionary, so it can brute-force MQTT usernames and passwords.

bruteforce --host host --port -uf user_dic -pf pass_dic

The default port is 1883, and the default username and password dictionaries are in the resources/wordlists folder of mqtt-pwn.

For example, execute bruteforce --host 127.0.0.1 to start the brute force. Once it succeeds, you can connect and operate as described above, simply adding the username and password options when connecting.
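From the defender's side, the counterpart of a brute-force run is spotting it in the broker log. The following added example (not from the original post or from mqtt-pwn) flags source addresses that accumulate repeated authentication failures within a short window. The log lines are constructed in a Mosquitto-like format; the regular expressions, the rule that a "not authorised" line belongs to the most recent "New connection" line, and the threshold and window values are all assumptions to adapt to the real broker's log output.

```python
"""Added example: detect MQTT credential brute-forcing from broker logs.
The log lines are constructed in a Mosquitto-like format; the regexes and the
line-pairing rule are assumptions to adapt to the real broker's log output."""
import re
from collections import defaultdict, deque

NEW_CONN = re.compile(r"^(\d+): New connection from (\d{1,3}(?:\.\d{1,3}){3}):\d+ on port (\d+)\.$")
CONNECTED = re.compile(r"^\d+: New client connected from ")
NOT_AUTH = re.compile(r"^(\d+): Client \S+ disconnected, not authorised\.$")

# Constructed sample: 203.0.113.7 fails six times in 18 s, 198.51.100.4 once,
# and 192.0.2.10 authenticates successfully on the TLS listener.
SAMPLE_LOG = """\
1692500000: New connection from 203.0.113.7:40001 on port 1883.
1692500000: Client <unknown> disconnected, not authorised.
1692500003: New connection from 203.0.113.7:40002 on port 1883.
1692500003: Client <unknown> disconnected, not authorised.
1692500005: New connection from 192.0.2.10:50100 on port 8883.
1692500005: New client connected from 192.0.2.10:50100 as sensor-01 (p2, c1, k60, u'sensor').
1692500006: New connection from 203.0.113.7:40003 on port 1883.
1692500006: Client <unknown> disconnected, not authorised.
1692500009: New connection from 203.0.113.7:40004 on port 1883.
1692500009: Client <unknown> disconnected, not authorised.
1692500012: New connection from 198.51.100.4:33000 on port 1883.
1692500012: Client <unknown> disconnected, not authorised.
1692500015: New connection from 203.0.113.7:40005 on port 1883.
1692500015: Client <unknown> disconnected, not authorised.
1692500018: New connection from 203.0.113.7:40006 on port 1883.
1692500018: Client <unknown> disconnected, not authorised.
""".splitlines()


def auth_failures(lines):
    """Yield (timestamp, source_ip, port) for each failed authentication.
    Assumption: a 'not authorised' line refers to the most recent unresolved
    'New connection' line, which holds for a broker with a low connection rate."""
    pending = None
    for line in lines:
        m = NEW_CONN.match(line)
        if m:
            pending = (m.group(2), int(m.group(3)))
            continue
        if CONNECTED.match(line):
            pending = None  # that connection authenticated successfully
            continue
        m = NOT_AUTH.match(line)
        if m and pending is not None:
            yield (int(m.group(1)), pending[0], pending[1])
            pending = None


def detect_bruteforce(lines, threshold=5, window=60):
    """Return {ip: peak_failures} for sources with at least `threshold`
    failures inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _port in auth_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {n} failed logins within 60 s")
```

On the sample log only 203.0.113.7 crosses the default threshold; the single failure from 198.51.100.4 is recorded but not flagged, and the successful TLS login from 192.0.2.10 is never counted. Feeding the flagged addresses to a firewall rule or to the broker's own connection limits is the usual next step.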

mqtt-pwn also supports further functions, such as Owntracks (GPS tracker) and Sonoff Exploiter; if you are interested, consult the documentation and test them yourself.

In real-world scenarios, authentication information can also be captured from traffic by man-in-the-middle hijacking. The following is a Wireshark packet capture.
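To make the capture above concrete, here is an added example (not part of the original post or of any tool it mentions) that encodes and decodes an MQTT 3.1.1 CONNECT packet in Python and flags credentials carried over a non-TLS listener, which is the check a network monitor would apply to port 1883 traffic. The client name and credentials are constructed sample values; the field layout (fixed header, variable header, payload) follows the MQTT 3.1.1 specification.

```python
"""Added example: encode/decode an MQTT 3.1.1 CONNECT packet and flag
cleartext credentials. Sample values are constructed; the field layout
follows the MQTT 3.1.1 specification (fixed header, variable header, payload)."""
import struct


def _encode_str(s: str) -> bytes:
    # MQTT strings: 2-byte big-endian length followed by UTF-8 bytes
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _encode_remaining_length(n: int) -> bytes:
    # Variable-length integer, 7 bits per byte, high bit = continuation
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n > 0:
            digit |= 0x80
        out.append(digit)
        if n == 0:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build a CONNECT packet the way a client library would (used as test input)."""
    flags = 0x02  # clean session
    payload = _encode_str(client_id)
    if username is not None:
        flags |= 0x80  # user name flag
        payload += _encode_str(username)
    if password is not None:
        flags |= 0x40  # password flag
        payload += _encode_str(password)
    var_header = _encode_str("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def _read_bytes(buf, pos):
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + n], pos + n


def _read_remaining_length(buf, pos):
    multiplier, value = 1, 0
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def parse_connect(pkt: bytes) -> dict:
    """Decode a CONNECT packet into its fields; raises ValueError on malformed input."""
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_remaining_length(pkt, 1)
    if pos + remaining != len(pkt):
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_bytes(pkt, pos)
    level, flags = pkt[pos], pkt[pos + 1]
    pos += 2
    (keepalive,) = struct.unpack_from("!H", pkt, pos)
    pos += 2
    info = {"protocol": proto.decode("utf-8"), "level": level, "keepalive": keepalive,
            "clean_session": bool(flags & 0x02), "username": None, "password": None}
    client_id, pos = _read_bytes(pkt, pos)
    info["client_id"] = client_id.decode("utf-8")
    if flags & 0x04:  # will flag: will topic and will message follow the client id
        topic, pos = _read_bytes(pkt, pos)
        info["will_topic"] = topic.decode("utf-8")
        info["will_message"], pos = _read_bytes(pkt, pos)
    if flags & 0x80:
        user, pos = _read_bytes(pkt, pos)
        info["username"] = user.decode("utf-8")
    if flags & 0x40:
        pwd, pos = _read_bytes(pkt, pos)
        info["password"] = pwd.decode("utf-8", "replace")  # spec treats the password as binary data
    return info


def cleartext_credentials(pkt: bytes, tls: bool) -> bool:
    """True when the CONNECT carries a user name or password over a non-TLS listener."""
    info = parse_connect(pkt)
    return not tls and (info["username"] is not None or info["password"] is not None)


if __name__ == "__main__":
    sample = build_connect("sensor-01", "alice", "s3cret")  # constructed sample
    print(parse_connect(sample))
    print("cleartext credentials on 1883:", cleartext_credentials(sample, tls=False))
```

The decoder shows why the Wireshark dissector can display the username and password directly: on port 1883 they sit in the CONNECT payload as length-prefixed strings with no protection at all, so anyone on the path sees them. The same packet on port 8883 is wrapped in TLS, which is what recommendation 2 below addresses.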


In addition, since MQTT clients are implemented in many languages, MQTT over WebSocket also appears in web applications. This makes it possible to obtain authentication information from web page source code or from network requests.


03

Security Recommendations for the MQTT Protocol


1. Do not enable anonymous access. Set up identity authentication on the server (BROKER) and add username and password verification.


2. Depending on the actual situation, give priority to TLS/DTLS for encrypting data in transit, to prevent man-in-the-middle attacks.

3. Encrypt the payload before transmitting it.

4. Use the latest broker software when setting up an MQTT cloud service.

5. Do not upload the implementation code to public code-hosting platforms such as GitHub.
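As a concrete check on recommendations 1 and 2, here is an added example (not from the original post) that audits a Mosquitto-style mosquitto.conf for the weak settings discussed above: anonymous access, listeners without TLS, no password file and no ACL file. Both configurations and all file paths are constructed; the option names (listener, allow_anonymous, password_file, acl_file, cafile, certfile, keyfile, require_certificate, tls_version) are Mosquitto's, but the parser's scoping rule, that options after a listener line belong to that listener, is a simplification assumed here.

```python
"""Added example: audit a Mosquitto-style broker configuration for the
weak settings this post recommends against. Both configs are constructed."""

WEAK_CONF = """
# constructed sample: what a lab broker left at defaults often looks like
listener 1883
allow_anonymous true

listener 8083
protocol websockets
"""

HARDENED_CONF = """
# constructed sample: TLS only, authenticated, topic ACLs enforced
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate true
"""


def parse_conf(text):
    """Split a config into global options and per-listener option maps.
    Assumption: options following a 'listener' line belong to that listener."""
    globals_, listeners = {}, []
    current = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            current = {"listener": value.strip()}
            listeners.append(current)
        else:
            current[key] = value.strip()
    return globals_, listeners


def audit_mosquitto_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    globals_, listeners = parse_conf(text)
    scopes = [globals_] + listeners
    findings = []

    # 1. anonymous access anywhere (recommendation 1)
    if any(s.get("allow_anonymous") == "true" for s in scopes):
        findings.append("anonymous access enabled (allow_anonymous true)")

    # 2. no authentication source at all (recommendation 1)
    if not any(k in s for s in scopes for k in ("password_file", "auth_plugin", "plugin")):
        findings.append("no password_file or auth plugin: clients cannot be authenticated")

    # 3. listeners without a server certificate and key accept plaintext (recommendation 2)
    for l in listeners:
        if not ("certfile" in l and "keyfile" in l):
            findings.append(f"listener {l['listener']} accepts unencrypted connections (no certfile/keyfile)")

    # 4. no topic ACLs: authentication alone does not limit what a client may publish or read
    if not any("acl_file" in s for s in scopes):
        findings.append("no acl_file: any authenticated client may publish or subscribe to every topic")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mosquitto_conf(conf) or ["no findings"])
```

Running the audit on the weak configuration reports five findings, including both plaintext listeners (1883 and the WebSocket listener on 8083, the two default ports named earlier in this post); the hardened configuration reports none. The ACL check goes one step beyond the post's list: authentication alone still lets every valid client read and write every topic.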


Origin blog.csdn.net/klandor2008/article/details/132400137