
to everybody. Let's start with this topic. This is something on a lighter note than the previous one. It's not exactly my domain of expertise, as I work as a researcher and malware analyst at Avast, but this is kind of personal, and I will show you why. So, how many of you know the MQTT protocol? I guess it's widely used and quite well known. So let's dive into the presentation.

Okay, so welcome to the age of speed and security. To start with a quote, I particularly love this one, which says a lot: "A computer lets you make more mistakes faster than any invention in human history, with the possible exception of handguns and tequila." Security-wise, it's so true, and I will show you how bad configuration, the misconfiguration of security, can lead to several leaks of private data and can also lead to, let's say, physical attacks, physical danger for the user or for the person who shares the data.

So let's talk a bit about IoT. I personally don't like the term IoT because it's so blurry for me, and I don't really know what IoT is, because basically everything that can be connected to the Internet is IoT. So is your computer IoT? Is your mobile phone an IoT device? It's really hard to distinguish what IoT really is. I will speak more about security in general, because I think you can't just secure IoT devices without securing the rest of your infrastructure.

So, as I said, this is kind of a personal story for me. I bought a house, so that's where this story started, and as a nerd I wanted to make the house smart, so I started to research how to do that. I dreamt, obviously, of home automation, so you have a house where everything just happens, and as a nerd I was confident enough that I'm able to achieve it in a DIY way. Well, I will show you that that wasn't true. This was my mental image of how it should look: some nice cabinet somewhere in the house with all the technology, all the smart hubs and small devices nicely packed into it, right? So that was my mental image of how it should work.

If you want to do home automation, let's say at a bigger scale, for example for a bigger house, you have several options. The first one is to use one vendor, one solution from one vendor, where the devices usually live in one cloud and are connected together, and everything just works perfectly. Or, my way: you've got a bunch of devices from different vendors, even smart, even dumb devices, and you need to connect them together somehow. The problem with the first approach for big houses is that you are limited in terms of the variety of devices, so if you have, for example, some exotic device, you will have a hard time connecting it to your existing solution.

So this was, let's say, these are my devices and my house at the moment I bought it. There were some security cameras, there was a heating unit which was using a kind of weird binary and proprietary protocol, and there was a very interesting thing: there was a smart power breaker, or switch box if you wish, which was based on an Atmel processor, so it was kind of fun, an Arduino-based power breaker. Oh, that was interesting. So I had these devices, and then you can, for example, have some exotic devices, right, like this one, which is supposed to be a smart cat feeder. I would say it's a little bit overcomplicated, but why not. So you have four different devices and you need to connect them somehow. The problem is, obviously, you need a plan, right? So I drew one. This is my plan. I am not very good at drawing, so forgive me, but this was my plan, right, this was my mental image of how it should look, and this was my implementation. Okay, obviously it didn't meet the criteria, but it worked.

When you are connecting such a variety of devices, you will probably run into a problem of standards and protocols. So at the physical layer, at the data link, I had a bunch of protocols like Bluetooth, RS-232, CAN bus, Wi-Fi, Ethernet, almost everything. The other problem is at the transport layer; again there is a variety of standards and protocols. Devices usually exchange data, I think, as textual data, JSON, HTTP requests, XML, binary-oriented protocols, and some proprietary protocols, like it was in the case of the heating unit. So to find the solution, I went through research, I went through a lot of pages, and finally I found the solution. The
solution is called the MQTT protocol. This protocol is really old; it basically came from the era of SCADA and industrial protocols, and it's an abbreviation for Message Queue Telemetry Transport. It's very lightweight, so it's easy to implement. There is no standardization for the payload, so basically it's just a binary block. The thing is, it's a publisher/subscriber model, so think about it like an RSS feed, for example: you subscribe to some topic, and once any of the publishers publishes to that topic, you will get the payload, which is very convenient for interconnecting devices. As I said, it's payload-agnostic, so there is no standard for the payload, and actually there is no standard for the size of the payload as well. That can lead to some problems, because there is no standardization and every broker or server which implements this protocol behaves differently.

The topics can be organized in a tree-like structure; it's very similar to directories, and you can use wildcards, so it's very similar to a file system. It usually operates over TCP on port 1883; there is a secure version which uses TLS on port 8883. And it supports two very interesting things, which are the last will and persistent topics. Basically, the last will is: when you are connecting to a server for the first time as a client, you can basically send a last will to the server, in case the connection drops for some reason. So if you lose the connection, or if the client loses the connection with the server, the server, on behalf of the client, publishes the last will. This is used especially when the infrastructure is mostly wireless, and it's usually used so that the last will tells the other subscribers that the device went offline for some reason. And the persistent topics, that's kind of interesting: basically, when you publish to a persistent topic, the payload stays on the server as the last state of that topic, so any time a new subscriber subscribes to that topic, it immediately gets the payload.

Okay, as I said, it can be organized into a tree-like structure, so it really reminds you of a file structure: you can use slashes and basically create a tree. It has two wildcards: one is the hash sign and the other one is the plus sign. Basically, the hash sign is very similar to the asterisk in, you know, file system notation, and the plus sign is similar, or basically it's another analogy, to the question mark. So, for example, a subscription to this topic using the wildcard means that there can be any other level or word instead of the plus sign. Which is interesting, or it's logical, but this is interesting for the purposes of an attacker: if you are subscribed to only the hash sign, without anything else, the broker or the server delivers you every single topic that has been published to the server. So by subscribing to this you can basically spy on the whole, or you can get the whole, traffic from the broker.

So the typical implementation of a home system is a mixture of devices. Usually it uses one namespace, so it's very convenient because you can create one namespace, or one tree, for your whole building or house. Then there is the MQTT broker; the most popular one is Mosquitto. And then it needs to have some kind of business logic, so that's the thing that does the automation. Usually this is provided by open-source solutions like Domoticz, openHAB, Home Assistant, MQTT Dash, Node-RED and many others; I will show you a few of them. So this could be a typical setup of a smart home: you have a variety of devices, you bridge them, in case there is a different transport protocol or a different layout of the data, you bridge them somehow, usually by software or by some script, to an MQTT topic, and the payload is usually JSON. And then the MQTT broker basically works as a messenger, and the MQTT broker has the business logic connected, which then does the automation.

Maybe we missed something. Where was the security? Actually, there is security in MQTT brokers. For example, Mosquitto is a kind of secure solution: you can set up a password, you can use TLS, you can even create ACLs, so access control lists, for each topic. But the problem is nobody does that. So then it looks like this: the solution itself is secure, but the implementation sucks. And I want to show this video because it's my favorite. [Music]
[Music]
[Applause]
Okay, so is it really that bad? The answer is: just a little bit better, and it gets worse. Because what I found when I was doing my research, because I wanted to secure my perimeter, is that many dashboards, many of these business-logic systems, have no password set by default. There is no password, there is no security. There are like 49k MQTT servers available to connect to on the internet, so they have public IP addresses, and there are 32k MQTT servers open without any password set. Not a default password, no password at all. And if you remember, you can subscribe to the hash sign, right? And then you start to get very interesting data.

So this will be, let's say, the demo part. I set up rules for myself: no real exploits; everything I will do you can do on your own at home without any tools whatsoever, so no harm, even if you are sometimes tempted to do so. So let's start. You probably know Shodan, right? Everybody knows Shodan. So this is a good starting point to search for MQTT servers. It's as easy as typing "mqtt connection code 0", which means connected without any password, because Shodan is collecting the banners on the internet, and it's also able to collect a list of topics. So if you do a search on MQTT, you will see all the topics that were active on that server at the time.

Okay, so let me show you the first demo. Actually, the only tool I'm using for this presentation is MQTT.fx, which is a Java-based implementation of an MQTT client. It's very easy and convenient. The problem is the font is small and it can't be larger, so: magnifying glass. Okay, so I have some servers already preset. You can see, for example, a home with lots of sensors. I don't want to disclose the IP addresses, but you can find them by yourself on Shodan. I think it's like GDPR, you know. So let's connect to the server. Okay, so now you can see we are connected, it's somewhere. Now we can publish, but what's of interest to us is subscription, so you can subscribe to the hash sign, and then you can see these are basically the topics, and you can see what's being published. So, for example, this is kind of interesting, and I will show you later: this topic is retained, so this is the last state of the topic, and if you click on that you will see the payload down there. Hmm, battery level, well, longitude, latitude, GPS accuracy, user... That's interesting, and I will get to that later. So you can see it's very easy to connect to an MQTT server and start getting data from the server.

I can try another one. There is one of the home automation smart boxes, or software for business logic, which is called Home Assistant. Again, we are connected. Yeah, what's nice on this software, in the new version, it's hardly visible, but there is a function that can collect just the topic names. I think it's this one. It
will create a list of all the topics it sees, and you can see there is a topic "all lights", for example, right here. It's very easy to get the data, and it's usually very easy to read the data, because usually they are using JSON as, let's say, the transport or the protocol.

So, speaking of the business logic, or the whole solution, of open-source solutions for home automation, there are three main open-source projects: one is called Domoticz, then Home Assistant, and openHAB. The concept is very similar: it's usually one instance running on some server that subscribes; it's basically connected to an MQTT broker, on the same server or on another server, it doesn't really matter, and it basically consumes all the topics being published and, based on some internal logic and scripts, then publishes and controls the devices. It usually provides some front-end or dashboard, and as I said, most of these dashboards are without any password. Like this one: this is an example of a Domoticz dashboard. This one you can freely find on the internet, again using Shodan, and you can see, this is just an image, but if you enter the IP address in your browser you will get a fully interactive control panel for someone's home, including a running Xiaomi robot vacuum cleaner. So this is really scary, right?

Okay, a demo, it will be a short one. I can show you an example, one of the dashboards. This is kind of interesting because this dashboard has a floor plan in it, and this is really... this will be real life, I hope. So, okay, this is interactive, I don't touch anything, and you can see the floor plan here, switches for lights and all the stuff, even the camera preset view, I don't want to touch that, but scenes... Actually, what's interesting on Domoticz, it requires the user, it's kind of strange, it doesn't require the user to fill in the password and the username, but it requires the user to fill in the GPS coordinates to be able to provide a better forecast. So if you go to Setup and then Settings, actually the problem is the connection, so you can see the longitude and latitude. Again, the connection isn't very good, but can you see it here? So you have the exact spot of where the house is. And someone is really rich here, because I've seen the jacuzzi temperature here and the jacuzzi power switch. Well, I hadn't noticed that before, right? So this is basically how this business logic or home automation system works.

And I have one case study; this time it will be with pictures.
It's a case study of a Home Assistant. I found a Home Assistant, or some dashboard of a Home Assistant, which was properly secured, the password wasn't the default password, which was surprising, good surprising for me, and so I wasn't able to get in, right. But by running a Shodan query on the same IP address, I found the Samba protocol open without authentication, and with the Home Assistant's complete configuration and installation folder basically shared to the internet. What did I find there? These files. Notice especially this one that's called "secrets", and this is the content, redacted, sorry, but I found the HTTP password, so it was very easy to get to the dashboard again. But you can see there were a lot of API keys and other different passwords for cloud services, for example for a Google Assistant project, for a Xiaomi gateway, and even at the bottom there is an MQTT username and password, because on this particular IP there was an MQTT server, but properly secured. By the way, that username and password were on the server. Yeah, so I got a password, and this is the dashboard. You can even play Spotify somewhere in the house from here, and you have the bus lines, just in case you want to go somewhere. So it's really scary. It turned out that I wasn't the first who was there.

I found this particular server, it's the other one, it's not this one but the other server, and there was this message from some white hat: "Sorry mate, you have been hacked. Don't get depressed, didn't change anything, keep it as a lesson and change all passwords." Unfortunately, he didn't take it as a lesson, because the passwords are still valid, and you can see the password and username for iCloud, for example, for Ring. So, really scary. And then I was browsing through the Home Assistant forum, because I was curious how it was possible that so many Home Assistant dashboards are available without a password, and I found this one: someone found out
that he or she had been hacked. So I went to the documentation for the installation and setup of this software, and it's a pretty standard wiki page; you can see: flash the downloaded image, optionally set a static IP on the SD card. But what's interesting is the last paragraph, which says: enable either the Samba add-on or the SSH add-on. Come on, what is easier for a user, right? Enable the Samba add-on, because then he or she can easily edit all the configuration files. The problem is that in the documentation there is a default configuration of such a Samba add-on, and as you can see, "guest" is true, "addons" is true, which means that you can access the add-ons using the guest account, and the "config" directory too, and the username and password are empty. Further in the documentation there was a username and password, and there was a mention that an empty password is not supported. That's cool, right? Finally someone is taking care of security. But further in the documentation was this: guest login without a username or password, default is true. Okay.

Now I will show you another application that uses MQTT, and it's used as a dashboard for home automation. The concept is quite different, and it's very interesting. It's basically an iOS or Android application, and you can create your own dashboard on your phone, so basically you can control the MQTT topics directly from that application, or receive the topics, and create your own dashboard with tiles, like light bulbs and numbers and sliders and things like that, so you can basically create your UI. What is interesting here is that storing such a configuration, or layout of the dashboard, is done by sending this configuration to the MQTT server itself, to a topic which is by default "metrics/exchange", and the topic is persistent. So if you have an unsecured MQTT server and you find this topic on it, it's very
likely that you can get the whole control panel very easily, just with an MQTT connection. And this is how it looks. In this case this is my house, I have no public IP address, and this is the MQTT Dashboard, so it has control tiles by pressing which you can basically control the whole house; it's running on a tablet. And then I found another MQTT server, unsecured, with this topic exposed, so I tried to connect to it. Sorry for the audio, this time without the audio. So the only thing you have to do is input the IP address of the MQTT server, because there is no username and password, right, and then subscribe. It's barely visible, but basically you subscribe and wait for metrics: you subscribe to the topic "metrics/exchange", and after a while you will receive the whole configuration. The video is not very good, but I have a static image next, so this is how it looks. So basically you can get complete control, again just using MQTT without any additional tools. There was supposed to be a demo with the MQTT Dashboard, but there is a problem with the Android version. I have no clue how to present it, because you need to run it on an Android or iOS device, so I recorded a video.

So the other application I found that uses MQTT heavily is called OwnTracks, and what OwnTracks basically is... because it allows you to spy on users of mobile phones to such an extent that you are able to get their position, the level of their battery, and you will get an instant update wherever the person or the phone moves. So the original intention of the software is like a personal GPS tracker with the possibility to share your position with the family, for example, or with the home automation, because that's exactly the software that home automation needs to be able to, for example, open your garage door when you are coming back home, or increase the temperature in the house. So it supports MQTT. Now I will show you
probably the scariest part of the presentation. So this time I will show you how you can find it on Shodan, right? So the only thing you are searching for is an MQTT server with the topic "owntracks". That's it. Okay, let's see what we have here. Actually, I've already preset the IP addresses, because they were quite interesting. This one is interesting because there are multiple users connected to the server. I made a simple script which basically subscribes to the topic and displays the received data in, let's say, a nice way. Let me find it... there, you can see this one. So it connects to the server, subscribes to the topic, and then starts receiving the published topics from the server. So you can see the timestamp there. I think this one is okay; this one is quite old, probably not active. You can see the user, which is basically the name of the topic; this is how the topic looks, and you can see the complete position, and using geocoding you can even get the approximate address, for example.

And what is a really interesting IP address is the second one. Okay, we don't have the movement probably, and... okay, this doesn't work, obviously, because it's probably night at the location. But this IP address is an MQTT server that basically shares information about some soldier at some army base in Europe, maybe. Okay, I'll keep it running, maybe we'll see. And to get further, I created a little web-based application using the Google Maps SDK. Let me show you this. It's running on a server, next to it, which is basically just Google Maps. Super slow.
Okay, let's get back to it later, because it's still loading the page. Wow, why is it so slow? In the meantime I will show you another thing that I found on one of the MQTT servers. It turned out that I found, basically by mistake, some BTS station of some telco provider somewhere in Eastern Europe, which publishes everything, every piece of telemetry from the BTS station, even the images from the inside, even the status of the lock of the BTS station, even the status of the access cards that men use to enter the BTS station. And it's really crazy. The thing is, even if you are using the MQTT server only for, let's say, monitoring some facilities, so you are publishing just the telemetry and it doesn't seem very, let's say, dangerous, the thing is you can always publish to the server, so you can basically publish poisoned data and create a false positive, for example. Let me find OBS. Let's hope it will work, because the connection is not stable.

Okay, that happens when you do a live demo. That was... let's probably cancel this one.
I will try one more thing: skipping... to disconnect my VPN. All right, open Wi-Fi, you have a chance to sniff the traffic now. Here we go. So this is the application I was speaking of. This is basically just Google Maps, and there is a server running, and over a period of one week I've collected GPS locations from one of these MQTT servers, so you can get a nice view. It takes a while, as it gets all the data from the database, but you will probably see shortly the path being drawn. Just give it a second, and yeah, here we go.

So you can easily see someone travelling around America, I think it's the East Coast of the US. And the most scary thing about this is that this same server is connected to a home automation with an open dashboard. So imagine the situation that you know exactly where and when the user is not at home; you can see the status of door locks, the sensors... It's easy to misuse it, right? I have more recordings, but this one was very interesting, because usually people are travelling around the same spot, so it's not that interesting. Okay, and about the BTS station, let me try to connect to it. Yeah, we are connected.
So now we are connected to some BTS station somewhere in Eastern Europe. You can subscribe, and you are getting all the telemetry data. The magnifying glass comes... so you can see JSON data being published, on this generator, or this..., and lots of things. There is also the output from the camera, once per, I think, one minute, and it comes in an interesting format. It comes as a binary blob; it turned out that the binary blob is a tar file, and inside that tar file there's a JSON file with the description and the timestamps, and a JPEG file, so you can easily get the image. I saved the image, just to show you the payload, to show you how it looks. So basically it looks like this: it's a tar file, and when you open it, it turns out there's a "sitecontroller tmp", which is probably the name of the software, the site controller, there's a description of the camera, and, what's the most interesting thing, there is this JPEG file, and if you open it you'll get this one. Okay.

So this is it. To conclude, these were real-world examples of how bad the situation is and how many servers are leaking data publicly. What should we do about it? Properly educate people more about security, but it's a never-ending story, right, we know it. Educate vendors and developers; that makes more sense to me: not to break the best practices, and use security as opt-out, always, when you install some software. And please don't store passwords in plain text, never ever. And stop saying that there is IoT security, because there is only one security, and if you screw up securing your perimeter, there is no way you can secure the IoT devices, because in all these cases the IoT devices were hidden inside the network and were probably well secured. And as a bonus I found also this one, but the server is already dying, so... Okay, thank you, thank you very much. Does anybody have any questions?
So thank you very much to Martin. Does anybody have any questions for him?
I was pretty unfamiliar with all this before the presentation. Did you find all this information in just a couple of places, one manual, one website, or did it take quite a few weeks?

Actually, because it was my, well, a part-time project, it's not my job, the research took almost one year, but it wasn't one year of constantly searching for something. Basically, all these things... I started with Shodan and with the MQTT protocol itself, because that was the first thing I had to implement in my house, and I found out that the default installation has no password set. So I started to be curious whether this is the usual case, so I started... actually, before Shodan I used my own scanner, so I was scanning the whole internet, and yeah, I found out that this is not a rare case, it's pretty common.

Do you have any other questions? Super. Thank you very much. Everybody, please once again put your hands together for Martin. Thanks.
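
As an added example, not part of the talk and not Mosquitto's, OwnTracks' or any home-automation project's code: a small in-memory Python model of the MQTT behaviour the talk relies on, so the three points it makes (a "#" subscription receives every topic on the broker, retained or "persistent" topics are replayed to any new subscriber immediately, and a per-topic ACL is what stops that) can be run and checked offline. The `Broker` class, its ACL format (an approximation of how a per-user topic ACL restricts subscriptions; a real broker's ACL handling differs in detail) and the sample payloads are constructed for this example. The `owntracks/<user>/<device>` topic layout and the `_type`/`lat`/`lon`/`batt`/`tst` fields follow OwnTracks' published JSON format; the `metrics/exchange` topic is the one the talk names for the dashboard app.

```python
# Added example (not from the talk): toy model of MQTT topic wildcards, retained
# topics and a subscription ACL. Broker, ACL format and sample data are
# constructed here; they are not Mosquitto's or OwnTracks' code.
import json
from dataclasses import dataclass, field


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' matches exactly one level, '#' matches
    the rest of the tree (and must be the last level). Filters that start with
    a wildcard never match '$'-prefixed topics such as $SYS/..."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def filter_covers(acl_pattern: str, sub_filter: str) -> bool:
    """True if every topic the subscription filter can match is also matched by
    the ACL pattern, i.e. the subscription does not widen the grant. A '#'
    subscription is only covered by an ACL entry that is itself '#'."""
    p_levels, s_levels = acl_pattern.split("/"), sub_filter.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True
        if i >= len(s_levels) or s_levels[i] == "#":
            return False
        if p != "+" and p != s_levels[i]:
            return False
    return len(p_levels) == len(s_levels)


@dataclass
class Broker:
    """acl maps username -> topic patterns that user may subscribe to (assumed
    format); an open broker with no password is modelled as {"anonymous": ["#"]}."""
    acl: dict
    retained: dict = field(default_factory=dict)       # topic -> last payload
    subscriptions: list = field(default_factory=list)  # (user, filter, inbox)

    def subscribe(self, user: str, sub_filter: str) -> list:
        if not any(filter_covers(p, sub_filter) for p in self.acl.get(user, [])):
            raise PermissionError(f"{user!r} may not subscribe to {sub_filter!r}")
        # Retained messages are replayed to a new subscriber at once: the last
        # known state of every matching topic is visible without waiting.
        inbox = [(t, p) for t, p in self.retained.items() if topic_matches(sub_filter, t)]
        self.subscriptions.append((user, sub_filter, inbox))
        return inbox

    def publish(self, topic: str, payload: bytes, retain: bool = False) -> int:
        if retain:
            self.retained[topic] = payload
        delivered = 0
        for _user, sub_filter, inbox in self.subscriptions:
            if topic_matches(sub_filter, topic):
                inbox.append((topic, payload))
                delivered += 1
        return delivered


def parse_owntracks(topic: str, payload: bytes):
    """Pull user/device from an owntracks/<user>/<device> topic and the fields
    the demo showed (position, battery, timestamp) from an OwnTracks
    '_type': 'location' JSON payload. Returns None for anything else."""
    levels = topic.split("/")
    if len(levels) < 3 or levels[0] != "owntracks":
        return None
    msg = json.loads(payload)
    if msg.get("_type") != "location":
        return None
    return {"user": levels[1], "device": levels[2], "lat": msg["lat"],
            "lon": msg["lon"], "batt": msg.get("batt"), "tst": msg.get("tst")}


# Constructed sample traffic: one OwnTracks location and one dashboard layout,
# both retained, like what the talk's demos observed on open brokers.
SAMPLE_LOCATION = json.dumps({"_type": "location", "lat": 50.08, "lon": 14.42,
                              "batt": 81, "acc": 10, "tst": 1540000000}).encode()
SAMPLE_DASHBOARD = b'{"tiles":[{"name":"Garage door","topic":"home/garage/cmd"}]}'


def open_broker_leak() -> dict:
    """Open broker: an anonymous '#' subscriber gets every retained topic at once
    (except the $SYS tree, which a wildcard filter never matches)."""
    broker = Broker(acl={"anonymous": ["#"]})
    broker.publish("owntracks/alice/phone", SAMPLE_LOCATION, retain=True)
    broker.publish("metrics/exchange", SAMPLE_DASHBOARD, retain=True)
    broker.publish("$SYS/broker/version", b"mosquitto 1.x", retain=True)
    leaked = dict(broker.subscribe("anonymous", "#"))
    fix = parse_owntracks("owntracks/alice/phone", leaked["owntracks/alice/phone"])
    return {"topics": sorted(leaked), "fix": fix}


def hardened_broker_blocks() -> bool:
    """Per-user ACL: alice may only read her own tree, so '#' is refused while
    'owntracks/alice/+' is granted (and finds nothing retained yet)."""
    broker = Broker(acl={"alice": ["owntracks/alice/#"]})
    try:
        broker.subscribe("alice", "#")
        return False
    except PermissionError:
        pass
    return broker.subscribe("alice", "owntracks/alice/+") == []
```

`open_broker_leak()` reproduces the talk's first demo in miniature: with no ACL, one subscription to `#` hands back the retained OwnTracks fix (user, device, lat/lon, battery) and the dashboard layout without any further interaction. `hardened_broker_blocks()` shows the fix the talk recommends: the same broker with a per-user ACL refuses the wildcard subscription outright rather than silently narrowing it.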