There is a popular message protocol called MQTT. Its designed for lightweight M2M/IoT connectivity. I used it in my home to run my lights for example (using e.g. Sonoff-Tasmota and other devices I’ve built myself). It works really well to have devices self-register and report relatively high bandwidth sensor statistics. In fact, this is what that sous-vide ran.
Now, MQTT is not a protocol with a ton of security. You have one broker, and all the devices find it. You can have a username/password on it, but it would be the same for all devices (so as soon as one is compromised, all are). Also, its not HTTP, and not commonly deployed with TLS (because the devices don’t have certificate stores etc, it would not be meaningful). That means even if you bother with a password you will be snoopable.
So, lets have a bit of a snoop around and see if any mqtt brokers pop their heads up. Sure enough, its pretty common. Lets pick one at random and see if we can connect and watch the message stream:
mosquitto_sub -v -h 222.117.10.204 -p 1883 -t '#'
yes we can, a continual stream of responses comes back. Lets take one message and dump it out:
{ "DATA": { "UKEY": "TTNU1372314SU02-2017-04978", "STS": "S", "ALARM_FLAG": "Y", "ALARM_GRADE": 3, "SG_ORDNO": "SU02-2017-04978", "REPORT_TIME": "20171128134520", "USER_ID": "01012344321", "LON": 126.9720319, "ALT": 70.9000015258789, "REPORT_COUNT": 39082, "NUMBER_PLATE": "14구9999", "SG_CONTNO": "TTNU1372314", "BEACON_NO": "C0:0C:82", "ACCURACY": 18.06999969482422, "TEMP_GRADE": 1, "SPEED": 0, "BEARING": 0, "LAT": 37.4057689, "BEACON_GRADE": 3, "SENSOR_VALUE": 0, "USER_NAME": "홍길수", "USER_MOBILE": "010-8378-XXXX", "SPEED_GRADE": 1, "TEMPERATURE": "0" }, "TYPE": "MALARM_INFO" }
It helpfully gives you its very precise GPS lat/long coordinates, we can then see it on Google maps, and also Street View. Its got a mobile phone number, lets give it a call (country-code 82)…. Ring Ring… Korean answering machine. [I removed the last few digits from above in case you want to try!]
The machine also has an HTTP server on it, using HTTPS. Its certificate is signed: “Subject: C=KR, ST=Gyeonggi-do, L=Anyang-si, O=Korea Maritime Dangerous Goods Inspection & Research institute, CN=hsm.komdi.or.kr”. The only thing the web site has to say is “It Works!”. But the parent organisation is here. The server also runs monitorapp on port 8443 which is a type of Web Application Firewall.
Now, this all seems pretty innocuous. But, one could probably do some damage. Maybe commercial espionage (watch my competitors shipments by location, number of devices). I could write messages to the queue, either masquerading as one of these sensors, or, creating millions of sensors that each publish only once, and blow up their trending database.
Since the format is JSON, i could see if there is some parsing issues like buffer overflow etc. There is more than one CVE against JSON parsers, its not impossible to imagine getting control of the machine in some fashion.
Now, MQTT is not evil. And, its very well designed for the task of having lots of devices disperse to the corners of the Internet and stream back home. But perhaps it needs a normalising firewall that can do e.g. rate limit, json normalisation, information hiding, etc. Like a WAF for MQTT.
The HTTP ecosystem has a lot of devices (load balancers, ssl proxies, application firewalls, etc). Maybe those will start to grow for MQTT?
Maybe this would be a great new product area? An MQTT widget that is somewhat analogous to that value chain for HTTP? What do you think?
Leave a Reply