Presented at Black Hat Europe 2018
Dec. 6, 2018, 2:45 p.m.
Two popular machine-to-machine (M2M) protocols—MQTT & CoAP—are slowly forming the backbone of many IoT infrastructures, including critical industry environments. They are used to provide data connectivity for practically any kind of "machines". We found out that these protocols are affected by security and privacy issues that impact several market verticals, applications, products, and brands.
This talk provides a security analysis of MQTT & CoAP at the design, implementation, and deployment level. We found issues in the design specifications, vulnerable product implementations, and hundreds of thousands unsecured, open-to-the-world deployments. These issues show the risk that endpoints could be open to denial-of-service attacks and, in some cases, full control by an adversary. Despite the fixes in the design specifications, it is hard for developers to keep up with a changing standard when a technology becomes pervasive. Also, the market of this technology is very wide because the barrier to entry is fairly low. This led to a multitude of fragmented implementations.
We analyzed the source code of the most common MQTT implementations, and discovered common flaws—mostly originating from misinterpretation of the standard. In particular, we found issues in how multibyte strings, UTF-8 characters, and regular-expressions are parsed. Combined with standard features that force servers to retain messages and clients to request acknowledgement the delivery of every message, such bugs can lead to persistent denial of service. Our findings have been acknowledged by the MQTT Technical Committee, which released a note to help identify the risks.
Alongside this, we've analyzed hundreds of millions MQTT & CoAP messages obtained from hundreds of thousands server. Despite previous efforts that tried to raise awareness, we still found exposed data related to various industry sectors and sensitive information, including credentials and network infrastructure details. Moreover, we found out that MQTT is being used beyond messaging, to transport binary data, most likely for OTA update purposes, which certainly raises a red flag.
Using MQTT & CoAP as a concrete example of modern M2M technology, we will provide recommendations at various levels (standardization bodies, vendors, developers, and users) in the hope to see a significant reduction in the number of insecure deployments in the future, and a more responsible position by standardization bodies.
- Post-doctoral Researcher, EURECOM
Davide Quarta is a freshly graduated Ph.D. from Politecnico di Milano, where he worked under the supervision of Stefano Zanero and Federico Maggi in the NECST Laboratory, researching Industrial Robots, with a sprinkle of reverse engineering and a sprinkle android malware analysis on the side. In the meantime he really enjoyed teaching and co-advising. He spent 6 months of his PhD at UCSB, where he spent his time working on TEEs, playing CTFs, and co-organizing iCTF. He has been working on and off as a freelance consultant since 2012, collaborating with several national security firms including Secure Network, and Truel.IT. His favorite sports include gymnastics and reverse engineering: he spends most of his space time hunting bugs, tumbling in the gym, and playing or organizing CTF competitions. <br>
- Senior Threat Researcher, Trend Micro, Inc.
Federico Maggi is a Senior Threat Researcher with Trend Micro's Forward-Looking Threat Research (FTR) team, an elite team of researchers fighting against cyber criminals and scouting the future of the Internet to predict the future evolutions of cybercrime. His research interests, mainly developed during his MSc and PhD, revolve around various topics under the "cyber security" and "cyber crime" umbrella terms, such as threat analysis and intelligence, malware analysis, mobile security, fraud analysis and detection, web- and social-network security and data visualization. Before joining Trend Micro, Federico was an Assistant Professor at Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano in Italy. Federico has given several lectures and talks as an invited speaker at international venues and research schools. He also serves in the review or organizing committees of well-known conferences.