[Dial up modem sound] >> Yeah, you don't need to hear that, that's uh [Laughs]. So, welcome to DEF CON 24, you guys having fun? [Applause] And as you can see my name is Lucas, and I work for a company called FortConsult, and it's no secret, however, that we're going to talk about something called MQTT today. Some of you might have heard of it, some of you might not, so, um, I think it's going to be awesome anyway. So, please do enjoy, guys. [Long pause]

So, who am I? My name is Lucas; I've been pen-testing stuff basically since the age of 12. And I work for companies such as Sony Ericsson and, and IOActive. Of course there will also be a Q&A afterwards if you guys want to step up and talk to me about the stuff I'm going to present today. I've spent a lot of time in un-hackable environments, so um, I got some experience in, in web application pen testing, fuzzing, as well as uh network pen tests. [Long pause] Oh. Of course it's going to act up, right?

So what are we going to talk about today is IoT, and IoT is like a word that's used like cyber, so IoT can be anything. Um. But it's mostly devices or intelligent devices that we hook up. I feel like it's a little bit dangerous, and I started looking up stuff I had at home, and that's how I stumbled upon this protocol I'm going to speak about today. [Long pause]

So, MQTT; what is it? It was invented in 1998 and 99 by Andy Stanford-Clark and Arlen Nipper. I think uh, Andy worked for IBM back in the day, and they wanted to create a new protocol to combat basically slow connection speeds.
And that can be anything from satellite connection to low modem. It should have had a quality of service, which means that you could prioritise all the stuff as well. The MQTT stood for MQ Telemetry Transport, and the MQ is of course something IBM something-something product back in the days. Today it's royalty free as of 2010. It's been approved as an OASIS standard since October 29th 2014, what that means I have no clue. But what I do know is that as of this July it was also approved as an ISO standard. Current version of course is 3.1.1.

So, what we know as a server, the MQTT calls a broker, and this broker has clients connected to it. These clients, however, listen to what the other clients are sending in. So it's basically a two-way communication even if it's stated as a client. Now, the data it puts in could be anything, so we'll see in a moment what that could be. Of course, it's also dependent on how, how the client is set up. For instance, we have a good example here where we can see in my home attic, and in my home attic I have sensor 1 - and those are called topics. I tend to think of them as IRC channels, basically. So, join a channel and then join a sub-channel, and it's easier for me to keep track of. And you can name those anything, for instance the oh-long-johnson or oh-don-piano, but you should mostly remember that as well, right. There's also the hash tag, and you guys that are probably developing for MQTT right now think that "Ahh, hash tag – yeah" but, we'll get to that in a minute. So, how does this work?
I hope you appreciate the nice graphics – it took me like forever to make the stuff [laughs]. So, uh for instance we could have a logistic packet delivery and it sends data to the MQTT server which is known as the broker. That one can contain like all the packet information such as the weight, as well as uh where it's heading, coordinates to GPS, etc. etc. Address, recipient address. The uh, it can also communicate to the transport truck, so you have to do that wirelessly so the transport truck knows what kind of package is being transmitted and they can make adjustments accordingly. I know the graphics is a little bit "ah, man" so, uh let me upgrade that for you, right. [Laughs] It's kinda hard when the, when the presentation was harder than the actual uh finding, right? So this is the MQTT according to TechTarget. And, as you can see on the screen it's transport logistics, logistics as well as security, industrial and medical and healthcare. And, this picture got me scared. And you guys should probably be scared too. Imagine, what if there's a protocol that would allow anyone to read the data being transmitted, or even perhaps manipulate the data being sent in. And you see this kind of stuff up here. That's a diaper change for sure.

So, what kind of software are we talking about? The ah common and free commercial MQTT software that's out there, the most common one is probably the IBM WebSphere, as well as Mosquitto and HiveMQ. Those are the most common ones that I saw out there.
This is the MQTT manual by the way, and I'd like you to keep this in mind. Right, this is directly, the link below goes to the MQTT manual in that section, and describes exactly. There are a number of threats that the solutions provider should consider. [Laughs] Sorry I'm laughing, because it's a – devices could be compromised. Data at rest in clients and servers might be accessible. There is also the possibility of denial of service and timing attacks. And, communication, listen to this, "could be intercepted, altered, rerouted or disclosed" and further they say that MQTT is often deployed in hostile environments. And we all know the Internet is, is pretty uh pretty nice, right? There's nothing going on there.

So, querying Shodan for this, you can see that Shodan has, uh you can see my search query, just port 1883, which is the MQTT unencrypted port. And the top countries here are China, the United States, as well as Singapore and Japan and Germany, for a total of 17,711 devices at the time when I wrote it - it can change. The data that Shodan has about the MQTT is basically this – you only see the topics and I wanted a little bit more than that. So um, let's just scan the f- entire Internet, right? Because that's what you do when you want to find something. So, according to the vendor you're not supposed to subscribe to the hash tag, because that takes up a lot of memory and your MQTT client might crash, of course. And the hash tag indicates everything. By that I mean everything inside a topic.
So for instance we have something and something and then I have the hash tag. And yes, if you are a developer you see the first slash, which is probably very wrong of me and not recommended according to the manual, but yeah. Dude, it's an ANSII, a typo, and it takes time to change, so - enjoy it. Anyway, that one gives you access to everything inside this topic, right. And Shodan just didn't have that information. I made a small script, and this is very, very freaking lame. I made a small script that actually subscribes to the hash tag sign. And I call it Hodor because of, you know, I'm not going to spoil it man – if you haven't seen Game of Thrones man – I'm not going to spoil it, trust me. This, this is my reaction by the way. [Audience laughs] It's pretty accurate, it doesn't look like me, or does it, I don't know. Blue hair and yeah [laughs]. And first of all it's the "oh my freaking god, what kind of stuff did I get here?" And this is the first thing I found at Shodan. So I just took it and just threw my Ruby script at it and I got like "get voicemails". There is a session ID; I found out later that this session ID is actually tied to their webmail. If it works - I don't know. [laughs] There's also a base64 chunk in there, and inside the base64 chunk you can see that there is the username as well as the mobile phone number, the name of the person, the address, everything I would need to conduct a nice social engineering attack. Further down, which is not included, this is also their voice message and auto-response for the email.
In this case, someone was at uh sick leave and should have returned 26th of June. [Long pause]

So, this is just me showing how the script actually works, it's uh, for those who haven't touched MQTT. I hope the resolution is all right. Basically, what you do, just execute the Hodor script, and this is a, is a public test server by the way. And you can see all the data that it's gathering. [Long pause] And of course, this is a test server, so don't worry. I would like to specially thank Archie who does the, does the ArchStrike distro. He was with me last night at my hotel room, and thought my Ruby script kind of sucked. [Laughs] So he made an awesome-awesome Python script that hopefully is way faster than my Ruby script, and in a couple of hours it's probably going to be on the ArchStrike repo for those interested, so thank you very much Archie. [Long pause] Let's see [Mumble]

Here's how it looks with MQTT.fx, and MQTT.fx is for OS X. And it allows you to actually subscribe. And if you find a nice uh topic – like I did – you can see in the test server here are the GPS coordinates of ferries. But however, this is a test server so we shouldn't worry, right? The problem with the UI version is that if you just subscribe to the hash tag sign, what will happen is that it will consume so much memory and hang the application, because there's so much data going. So, what if we just reverse engineered the protocol? Cause, you know, I don't like reading manuals [Laughs]. Who does, right?
So, uh what I did was take the hash tag sign and actually in Wireshark just captured the negotiation, and then I thought to myself – is there a tool that I can use, that I can actually send this hash tag sign into while scanning the entire Internet? So, I know this guy Rob Graham, I don't know if you've heard of him? But, even if you haven't – give this guy an applause because Masscan is fucking awesome. So, come on guys [Applause] come on. He deserves it, he deserves it. He deserves it a lot, because this, this tool made it way easier for me. But, there was one problem. I've seen people use the hello-string, which I'm going to talk about in a bit. But they never seem to have got it working. So the Kraken only obeys its master, or does it? So Masscan is able to send data via the hello-string and the only proof it works is from Mr. Graham. He did the ClamAV scan – I think it's still on his Twitter and his blog. And he actually got it to work. But no one else seems to get it to work. So, um I did like Robert Graham describes by setting the iptables to drop everything on port 6000 and of course uh telling that to Masscan as well. And you can see I have uh kind of encapsulated the bracket signs around port 1883, and that is basically the thing that made it work. So you have the full, the full strings used in the bottom as well. The below one is the base64 string of the hash tag sign. Did you think I got any data, by the way? Masscan the entire Internet, I took it for a 1, 2 days scanning the entire Internet.
This is what I found: 2.8 million results, which I had to throw into ELK, which is Elasticsearch, Logstash and Kibana. And that sucked, dude. That sucked. So, if someone here is from any of those three, please make it easier because you know, doing ROP is way easier than this. And, what kind of data did I find? In this case it's an emergency response system. I can't tell you which country, but as you can see we have a case of infectious Lassa fever - 1411 people are infected. And there is an expected 6.2 meter flood. Nice, nice. I wouldn't want to be down there because they also have a case of maybe infectious malaria, 599 people infected. Now, I don't know if this is a test server, I certainly hope it is. So, the big question is: Can we send data to it? Can I say 3133 people were infected with the zombie virus at DEF CON? And, where will that data end up? Will the doctor get a pager saying that: "Yo man, there is like a zombie virus at DEF CON. We need to go man." So, before we find out if it's going to get worse, dude, it's going to get so much worse. So, using Kibana and Logstash, I was able to map a lot of the MQTT devices, you see. And the MQTT devices, you can get like the geo-location. So you can see where there are the most MQTT devices. And uh, I took Australia as an example cause the world map was huh. You can actually zoom in and see who owns the IP, who actually, what kind of data is in there. So, the actual data that Masscan captured during my scan. Really nice.
It takes a lot of CPU power for uh 2.8 million devices. Now, not all of them were of course MQTT, but um. I found stuff like a distance sensor, just out of the blue because it's fun. Um, and the distance sensor, this one is probably measuring distance between packet and those rubber gateways the packages go through. That's just my guess. So, what kind of device types? That is the trick question that everybody is asking. So, what device types did you find? Well, I would love to share but everything is custom. I mean, they built it in their own way, their clients respond in their own way, so it's kind of hard for me to say that "yeah there are 10 thousand devices of this type that is a heartbeat sensor or that is a medical device", because there were so many. But, if you're awesome and if you do big data stuff, and if you can fix that, that would be freaking cool. Here we go: it's starting. I'm just going to get a drink guys. Cheers. Whoo.

So, in this case we have a pipeline pressure control server. And, as you can see I've censored out a lot of stuff, like the FTP username and password. I've also censored out some other, the server name of course. But you can also see the pipe pressure and the decimal signs, so that's a bit scary. Well, can I change that maybe? That would be cool. And I don't know what's going on in the below thing here but it seems to be tracking someone called "Ramon". I don't know if this is government, I will probably know after the talk [Audience laughs].
But, they were tracking GPS locations for someone in some kind of vehicle, travelling at a speed, and I actually followed that thing on a map. So, uh what it is I don't know. Hopefully it's just test equipment, right? Cars, how about cars? There's actually – you can see the speed, 81 km/h, and I followed that with the GPS coordinates and it was travelling on a highway. There's also something called sv-break [Laughs] yeah. And below that we have something even worse. And I've censored out a lot of stuff. As you can see it's actually when connecting to the MQTT or gathering the data, what I saw was usernames and passwords to their entire infrastructure, customer database as well as member registration system, to the JIRA, to the source codes, and that was just plain open MQTT. And the thing is if you do an Nmap scan, if you try to connect to it like with netcat or any other tool, it would just close the port because you're not sending the correct string. So, that's what Masscan did and my Ruby script does, it sends the correct string in order to get the data, so if you were doing a scan right now you wouldn't find much, I mean with Nmap, unless, I mean, someone here is working on an Nmap script right now? That would, that would be freaking awesome. Let's get back to more of those later; it's going to get much worse.

You guys remember the question I asked: "Can we send data to it?" Now, I probably know a couple of developers in here that say: "Yes"; "No"; "Maybe"; "Not to mine" of course. This is a screen slide demo, right.
So what we have here is I connect to a public free server – in this case it's probably iot.eclipse.org - which is a test server for the MQTT protocol. And what I do here is I subscribe to the 'yes we can' topic. I then publish 'yes we can' of course to the 'yes we can' topic. And what you get is of course 'yes we can'. I'm listening with my Ruby script. So that means – hold up – what, what does that mean, really? That means we not only can listen in, we can send data to it. So, all those things you saw like the car, like the brake, and all the other things, we can send data to it, and how does that react? It's all up to the client, really. How it reacts, because the client can be set to actually do nothing, or it can say if the radiation is below 6, then you need to do nothing, if it's above 6 turn on the fans. If I say that the radiation level is always going to be zero, now we're talking people that might get hurt. Now we're talking structural damage, now we're talking things that are automated that will go to, go to hell, basically. And of course some developers might argue that: "Yeah there is a way to protect it, there is a way to actually do something about it and..." but I haven't seen it. I also did a scan for MQTT servers having username and passwords, and MQTT servers actually having encryption, because that is actually supported. Whoa – I found two [Audience laughs]. So, two guys are actually doing it the correct way.
Of course, these numbers might change, so if you're on the same route as me, and can actually do like a scan, then those numbers might have gone up or gone down. Hopefully they have gone up.

So, what kind of protection are we talking, because sure, we're at DEF CON and I can say "Yeah we can break it, we can hack it, we can tweak it, we can do whatever we want with it, this is mine now" but, in real life we need to talk a little bit about protection as well. And, um of course you can enable username and password support, which you should. You can use encryption such as TLS 1.4, that's for the official release, so it's not the best but it might be downgradable, especially if you're on the same network of course. But what they really need to do is segmentation and trust, so it only accepts from certain IPs. That's a, one way to do it; you should combine these of course, you should have like a username and password as well as the encryption and of course the segmentation. And, if you can, an IoT type gateway. But that's not always the case. Remember that MQTT was designed to be small, efficient and, no matter the bandwidth, be able to send data to its clients. So having a big clunky IoT device that is supposed to be a, a gateway for encryption might not be the correct purpose, right?

So, what else can we find in here? This is an ATM. What you can see here is, which I highlighted in green, is the operating system, which is Windows 5.1. You can see what type of hardware they're running. You can see how much money there is in the ATM.
You can see how much commission it takes out. How many bills, counts, errors, error messages. I mean this... You can even see the modem that they're using and remember, we can write to it. So what would happen if I said that the disk space is now zero or that it is now out of bills? I mean you can only imagine what can and will happen. It's kind of crazy. I mean when I saw this one, I..., this was the last thing I kind of saw when I dug through my - my scan and this is, [Pause]. I would understate it if I said it was bad [Laugh].

So, secure chat messaging everyone. How many have a secure Android app that they do like secure chatting on? Yeah, cool, I hope it's one of the better ones because this is not good man. I don't know what the message says because it's not my language, so if it's any profanity [chuckles] please forgive me. It could mean anything, but there is a message. And this is uhm... I've been listening in to entire conversations, both in English and in whatever language that is, between people, and it's not only the message, it's the IMEI number, it's the mobile phone number, it's the username, it's the registered email, everything is here in the MQTT. I'm just going to put on my, uh walking mic. [Pause as he puts on the mic] So is this better, guys? Can you hear me? Yeah awesome. So... as you can see there is a lot of text messaging going back and forth, um, once again remember you can still interact with it.
That means that I possibly could send a message from one user to another stating something like "Hey I need a 100 dollars in my account. Here is my account number." And they would get it through the app, of course.

Alright, let's go through what I call the "Whoops list" and this is basically what I found - a little bit about what I found. So, you decide to connect your company to that MQTT broker you have, publicly - not good. You thought that running an EBS emergency system was an awesome idea, let's do it, we can do the [unclear]. The news server retrieves its news from the MQTT broker; I've seen people subscribing to CBS, CNN and getting the latest news. Now, again, remember we can interact with it... 31337 zombies at DEF CON. Stay indoors, close your doors. It's going to get nasty. Or even attaching 15 thousand ATMs to a publicly open MQTT server. How do I know that? That's just because you can query the MQTT server as well - how many clients are connected? And with the ATMs that I found – 15 thousand that will trust my user interface. I had to use my leet Ruby script to actually listen in and there were 15 thousand ATMs connected. How about running your earthquake alarm system over MQTT? Of course the stuff in here I can't show because it's so sensitive they would kick me off stage. How about taking MQTT retrieved data and pushing that directly into a SQL server? Does that sound like a bright idea?
Using public brokers for your entire company, like using iot.eclipse.org, which is like a development slash test for your MQTT - and using that as a real live system. It's like it's there, right? Let's set it up, we can use it. How about pushing software updates via MQTT to cars? I have seen software updates for a certain car brand go through MQTT and all it does is push the URL in. And what do I have to do? Well, remember we can write, so I probably change the URL and download my binary file instead. There's probably some safe checks...[laughs]...safe sex...[laughs]...there's probably some safe checks. Why not install an iPhone or Android app to keep track of where you are at all times? I've seen that - there's a lot of those out there. So I can keep track of where people are, how they're moving, when they're in the car. How about exposing your entire Bitcoin wallet over MQTT when you do your transactions, of course - that's nice. So you probably set up your own MQTT server at home and when you do transactions you, you like send it to that one and that handles your wallet, but you do it without password and encryption - nice! How about taking the MQTT data and just pushing it directly to your home page? Does that sound like fun? Just taking the data you get from the MQTT in any topic and just like pushing it onto your home page. Or putting usernames, passwords and URLs and IPs inside the MQTT. Especially to your development servers. There were a lot of those out there. What else did I find? Prisons.
The ability to open prison doors. [Audience laughs] I could see the commands being transmitted to the MQTT with the cell doors: "XYZ - OPEN", "Cell door XYZ - CLOSE". If I could send data into that - how many of you guys have seen Mr. Robot - [audience comment] - never heard of it? Awesome dude. If you've seen season 1, should I spoil it? Yeah come on, you have to have seen season one. If you've seen season 1 he actually has to hack a cop car in order to get access to the prison where he's going to open - dude, man - MQTT will do it for you [Audience laughs]. So how about, um, car firmware or entertainment system? You can see in the entertainment system what they're doing. I also saw someone watching a YouTube video. I could change that [Audience chuckles]. Yeah I hear your imagination just running wild right now [Presenter laughs]. So, um, fitness bands. God knows I need one, but uh, [Audience member laughs] there was a certain brand out there that it communicated that I saw. There's also medical equipment. I don't know if this is test or not, I, freaking god, hope it's a test server, but you can see the insulin being inserted, you can see like the heartbeat of the patient, you can see I mean like everything that has to do with the oxygen in the mask and how much oxygen actually comes through. They send that over MQTT unencrypted, and I - please let it be a test server. Session tokens - like web application session tokens.
And if, if you are unaware, you can actually reuse those by actually posting those to your own proxy or whatever you are using. Bitcoin information. There's a lot of this out there. Especially when people are doing personal and private transactions. You know like in Bitcoin you can say like I would like to buy one Bitcoin, uh, and I'm in this neighborhood and it hooks you up with another guy that's in the same neighborhood and you can go physically shake hands and say: "Hey, I want to buy Bitcoins from you." Well that was online; a lot of it was online. So if you're big and bulky you could probably go there and get the Bitcoins yourself. Power meters - how much voltage is going through? Not only that, but also the radiation meters - how much radiation, radiation there currently is in a certain location. As mentioned before, we can write, so if I change that, what will happen? Is there someone inside a radiation level doing something and then I say that the radiation level is zero? What will happen then? Are there fans turning off? People use these as an industrial system thing - it's lightweight, it's fast. And I'm not bashing MQTT, it's real nice, but it's - that was 1998, it's now 2016 I believe [laughs], I could be wrong though. Air conditioning, humidity controls in server rooms. There's a lot of that. Flight information - this one is sensitive. Flights going from, to, where, the speed, the altitude, the flight number. What if I were to write flight XYZ is now at velocity zero, altitude zero.
Or we can do like CSI Cyber did - there's like several airplanes going in 00:36:49.007,00:36:55.146 different directions. And I verified, those things go on a real physical, not physical - 00:36:55.146,00:37:00.952 that would be, like a real map online where you can track the airplanes. You can probably 00:37:00.952,00:37:05.957 change that. Geographical data like earthquakes etc. So they actually have a page that warns 00:37:09.294,00:37:12.864 you if there's an earthquake or where there has been an earthquake and you can actually 00:37:12.864,00:37:17.869 change the data in that one. Raw data. I found someone having a webcam and it was a base64 image 00:37:24.008,00:37:30.515 being sent all the time. So what I did was I took that base64 and just transcoded it, decoded it, 00:37:30.515,00:37:35.520 it's not even an encryption - come on. It was an image of a guy, so his webcam was on and 00:37:37.822,00:37:42.827 transmitting over MQTT. I see raw SQL statements being transmitted. I see commands 00:37:47.732,00:37:52.737 being transmitted to Windows servers, like CMD and what it's going to execute. Enough of a 00:37:55.640,00:38:00.578 rant, I think, I think you get it. I mean, cross-site scripting over MQTT. [Laughs] And this is 00:38:07.218,00:38:12.524 using the example code that some of the vendors have on how to actually push MQTT onto a home 00:38:12.524,00:38:17.695 page. So I just took that one out of the box and just put it up and just fired away. And we 00:38:17.695,00:38:22.700 got a cross-site scripting. And how about SQL injection - this snippet is actually from one of 00:38:29.240,00:38:35.980 the vendors as well. 'How to push your MQTT data into an SQL database'. And there is nothing 00:38:35.980,00:38:40.485 going on above, there is just this raw statement here that says like everything that comes 00:38:40.485,00:38:46.124 through the MQTT just push it into an SQL. 
That would indicate that you have an SQL injection 00:38:46.124,00:38:51.129 as well. So, while doing my efficient stuff, sitting down and thinking at the white 00:38:58.469,00:39:03.408 throne. MQTT is designed actually to be fast, proficient, and being sent to a lot of 00:39:05.643,00:39:10.648 clients at the same time so. How about if I build a botnet over MQTT? That would be nice, then 00:39:14.519,00:39:20.658 we could switch from IRC on our own botnets to MQTT instead. But, basically there are so many 00:39:20.658,00:39:26.598 public MQTT servers out there. And I mean thousands - you can just pick one. You can use 00:39:26.598,00:39:31.169 whichever you want; you can make an algorithm that actually changes which server you're 00:39:31.169,00:39:48.319 using. So, without further ado: We'll start with the single host backdoor, and here I am on the 00:39:48.319,00:39:57.362 public IOT Ellipse server, connecting to it. I have a channel, which I subscribe to 00:39:57.362,00:40:06.204 that backdoor online, and then I go to my little malware I made with a PDF icon and I double 00:40:06.204,00:40:18.449 click. And what you see is "what is thy bidding my master" over MQTT. I now add the hostname to 00:40:18.449,00:40:26.224 the topic as well, so I subscribe to that one. Of course with the get CMD and send CMD 00:40:26.224,00:40:31.229 topics as well. And then I send DIR and I get the response back over MQTT from the server. 00:40:44.042,00:40:48.513 [Applause] How about botnet style with multiple clients running over multiple operating 00:40:48.513,00:40:53.518 systems? See here I sign in to the channels again, and then I have my Linux and I execute the, the 00:41:01.259,00:41:06.864 Python, which is compatible to EXE or ELF if you like. And you see "Love me long time" which is 00:41:06.864,00:41:11.869 my hostname. You also run the Windows one. 
Now the thing with botnets is that I didn't design it 00:41:15.340,00:41:22.013 to actually receive any commands, I designed it to actually send commands. So 00:41:22.013,00:41:27.585 what I do here is DIR, so I don't get a response back, but you can see I did the LS as 00:41:27.585,00:41:32.590 well, and the LS lists the files using the client. Now, what if I write notepad and I have wine 00:41:35.026,00:41:38.730 installed with having notepad running, you can see Notepad started on the Windows XP 00:41:38.730,00:41:43.735 machine of course. As well as, if you give it a couple of seconds, it started notepad on 00:41:47.905,00:41:52.910 Linux as well. That means that this protocol is designed for tens of thousands of machines, 00:41:55.813,00:42:00.752 to spread data efficiently. And now you can turn that into a botnet. Yeah, it's black - it's 00:42:11.329,00:42:16.334 supposed to be black. So, how are we on time? Anybody know? [Inaudible mumble] Alright, cool, 00:42:21.873,00:42:26.878 we have some time for Q and A afterwards, so. So what's left? We have about 59 000 brokers. We 00:42:31.282,00:42:36.287 have sensors, we have ATMs, we have cars, even airplanes. And we can change the data. So, I'm 00:42:38.790,00:42:43.795 going to leave you with one sentence before you go: Please do not expose MQTT over the 00:42:56.073,00:43:01.012 Internet. Thank you very much guys. [Applause] So if you guys wanted to ask questions, you can 00:43:09.821,00:43:16.394 just step up to the mic and ask me. Um, some of the data I have is very sensitive. So I might 00:43:16.394,00:43:21.399 not be able to share it with you. >> I got a question for you. Do you have any way of 00:43:27.805,00:43:32.477 telling what's a test server, and what's not? >> No, that's one of the problems as well. 00:43:32.477,00:43:37.582 It's hard to determine what is real and what is not. 
So, when I used it I used the publicly known 00:43:37.582,00:43:42.587 test servers to actually gather some of the test data that was used. But I would say most of, I 00:43:44.622,00:43:48.559 would say 60% is real life servers running, and then I'm counting low - there's probably 00:43:48.559,00:43:53.564 more, but about 60% I would say are real servers running. >> So, like, so the industry recommends 00:43:56.868,00:44:00.671 now that you use basically a proxy of some sort. So for example like the AWS IOT, yeah, 00:44:00.671,00:44:02.673 hardware device. >> Yeah, exactly, I would recommend to have like an IOT gateway or 00:44:02.673,00:44:04.675 something. >> Yeah, IOT gateway with digital signatures. >> Yeah, but then again small 00:44:04.675,00:44:11.015 sensors like if you have a small Raspberry Pi or you have Arduino and you don't want this clunky 00:44:11.015,00:44:16.020 big-ass box you put in, then I mean what do you do? You have TLS, you have username and password, 00:44:22.026,00:44:28.366 but I wouldn't expose it to the Internet anyway. >> Yeah, absolutely. >> Just a quick 00:44:28.366,00:44:33.371 update, please exit out the back, the back of the building only. Thanks. >> Okay, so this is 00:44:35.573,00:44:40.144 more of a marketing thing, but according to the webpage this is actually SCADA right, the 00:44:40.144,00:44:44.215 S-C-A-D-A, so you probably would have brought in a lot more attention if you had dealt that 00:44:44.215,00:44:48.886 off as a, or at least drew attention to the fact that SCADA is the, this is SCADA. >> Yeah 00:44:48.886,00:44:54.392 this is both used in SCADA and Raspberry Pi, and hobby projects as well as the medical equipment 00:44:54.392,00:44:59.497 as well as the industry as well as temperature and voltage control. IBM has their own stuff 00:44:59.497,00:45:04.435 and everyone has their own stuff. >> All the things. >> All the things.