MQTT Security Assistant

MQTT Security Assistant (MQTTSA) is a tool designed to raise the security awareness of IoT developers by automatically assessing misconfigurations in MQTT-based environments and by producing a report of potential vulnerabilities and mitigation measures at different levels of detail, from natural-language descriptions to code snippets that can be cut and pasted into actual deployments.

More information about the tool can be found in: A. Palmieri, P. Prem, S. Ranise, U. Morelli, T. Ahmad, "MQTTSA: A Tool for Automatically Assisting the Secure Deployments of MQTT brokers". In Proceedings of the IEEE SERVICES Workshop on Cyber Security and Resilience in the Internet of Things (CSRIoT 2019).

Architecture

Modules

  • Connection
  • Data parsing and exfiltration
    • Credential sniffing
    • Broker fingerprinting
  • Authentication bruteforcing
  • Data tampering
  • Denial of Service (DoS)
  • Report Generator

The connection module attempts to connect to the specified MQTT broker as a regular client and records the return_code value. According to the return_code (e.g. "4" if an authentication mechanism is detected) and the parameters specified by the user when running MQTTSA (e.g. a username and a wordlist of passwords via the -u and -w parameters), other modules are invoked or disabled.
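The gating described above depends on reading the CONNACK return code correctly. The following is an added example, not MQTTSA's own code: it parses an MQTT 3.1.1 CONNACK packet and derives which modules and findings apply from the return code together with the presence of the -u and -w parameters. Module and finding names are assumptions chosen for this example, and the CONNACK bytes used to exercise it are constructed.

```python
"""Parse an MQTT 3.1.1 CONNACK and derive which assessment steps apply, mirroring the
gating the Connection module does on return_code.  Added example, not MQTTSA's code;
module/finding names are assumptions and any CONNACK bytes fed to it are constructed."""
import struct

# Return codes from the MQTT 3.1.1 specification (CONNACK, section 3.2.2.3).
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}

def parse_connack(packet):
    """Return (session_present, return_code) from a raw CONNACK; raise on malformed input."""
    if len(packet) < 4:
        raise ValueError("CONNACK too short")
    ptype, remaining, flags, code = struct.unpack("!BBBB", packet[:4])
    if ptype != 0x20 or remaining != 2:
        raise ValueError("not a CONNACK packet")
    if flags & 0xFE:                       # bits 7-1 of the acknowledge flags are reserved
        raise ValueError("reserved CONNACK flag bits set")
    if code not in CONNACK_CODES:
        raise ValueError("unknown return code %d" % code)
    return bool(flags & 0x01), code

def plan_checks(return_code, username=None, wordlist=None):
    """Decide which modules run and what the report records, given the CONNACK return
    code and the -u/-w parameters supplied by the user (None when absent)."""
    modules, findings = [], []
    if return_code == 0:
        modules.append("data_parsing_exfiltration")
        if username is None:
            findings.append("anonymous-access")     # broker accepted a CONNECT without credentials
    elif return_code == 4:
        findings.append("authentication-enforced")
        if username and wordlist:                   # bruteforcing only with both -u and -w
            modules.append("authentication_bruteforcing")
    elif return_code == 5:
        findings.append("client-not-authorized")
    else:
        findings.append("connect-refused: " + CONNACK_CODES[return_code])
    modules.append("report_generator")              # the report is always produced
    return {"modules": modules, "findings": findings}
```

A return code of 0 for a CONNECT that carried no credentials is itself a finding (anonymous access), which is why the example records it before any other module runs.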

The Data Parsing and Exfiltration module is responsible for recording messages and topics on the network (with Pyshark) and on MQTT topics (with Paho). This enables MQTTSA to exploit client credentials (extracted from MQTT CONNECT packets) and to detect the leakage of sensitive data (such as credit card numbers, phone numbers and e-mail addresses) using a pre-defined set of regular expressions.

To allow the interception of credentials (i.e., to perform Credential Sniffing), the user must run the tool on the clients' or the broker's network and set the network interface parameter -i to, e.g., wlan0 or eth0.
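The two previous paragraphs describe what the module extracts from captured traffic. The following added example (not MQTTSA's code, which uses Pyshark and Paho) shows the same analysis on a byte stream with a small hand-written MQTT 3.1.1 decoder, so that it runs offline: it flags CONNECT packets that carry a password in the clear and scans PUBLISH payloads with regular expressions for card numbers, phone numbers and e-mail addresses. The regular expressions, the finding names and the sample packets are all constructed for this example; the decoder records only that a password was present, not its value.

```python
"""Decode MQTT 3.1.1 CONNECT and PUBLISH packets from a captured byte stream and flag
cleartext credentials and sensitive payload data.  Added example, not MQTTSA's code: a
hand-written decoder stands in for Pyshark/Paho so it runs offline; all packets are constructed."""
import re

PATTERNS = {  # data classes the page names; card matches are confirmed with a Luhn check
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "phone": re.compile(r"(?<!\d)\+\d{1,3}[ -]?\d{6,12}(?!\d)"),
}

def _luhn_ok(digits):
    total = 0
    for k, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if k % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_payload(payload):
    """Return (kind, match) pairs for sensitive data found in one payload."""
    text, hits = payload.decode("utf-8", "replace"), []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not _luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append((kind, m.group()))
    return hits

def _varint(buf, i):
    """Decode the MQTT 'remaining length' varint at buf[i] -> (value, next index)."""
    value, mult = 0, 1
    while True:
        b, i = buf[i], i + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def _field(buf, i):  # 2-byte big-endian length-prefixed field at buf[i]
    n = int.from_bytes(buf[i:i + 2], "big")
    return buf[i + 2:i + 2 + n], i + 2 + n

def decode_packets(stream):
    """Split a client->broker stream into CONNECT/PUBLISH dicts; other types are skipped."""
    packets, i = [], 0
    while i < len(stream):
        ptype, flags = stream[i] >> 4, stream[i] & 0x0F
        length, j = _varint(stream, i + 1)
        end = j + length
        if end > len(stream):
            raise ValueError("truncated packet")
        if ptype == 1:                                   # CONNECT
            _, j = _field(stream, j)                     # protocol name "MQTT"
            cflags = stream[j + 1]                       # level byte, then connect flags
            client_id, j = _field(stream, j + 4)         # skip level, flags, 2-byte keepalive
            if cflags & 0x04:                            # will flag: skip will topic and message
                _, j = _field(stream, j)
                _, j = _field(stream, j)
            user = pw = None
            if cflags & 0x80:
                user, j = _field(stream, j)
            if cflags & 0x40:
                pw, j = _field(stream, j)
            packets.append({"type": "CONNECT", "client_id": client_id.decode(),
                            "username": None if user is None else user.decode(),
                            "password_present": pw is not None})   # record the fact, not the secret
        elif ptype == 3:                                 # PUBLISH
            topic, j = _field(stream, j)
            if (flags >> 1) & 0x03:                      # QoS 1/2 carry a 2-byte packet id
                j += 2
            packets.append({"type": "PUBLISH", "topic": topic.decode(), "payload": stream[j:end]})
        i = end
    return packets

def assess(stream):
    """Findings for the report: cleartext credentials and sensitive data per topic."""
    findings = []
    for pkt in decode_packets(stream):
        if pkt["type"] == "CONNECT" and pkt["password_present"]:
            findings.append(("cleartext-credentials", pkt["username"]))
        elif pkt["type"] == "PUBLISH":
            for kind, _ in scan_payload(pkt["payload"]):
                findings.append(("sensitive-" + kind, pkt["topic"]))
    return findings

# Constructed sample traffic (not a real capture).
def _mqtt_string(s):
    return len(s.encode()).to_bytes(2, "big") + s.encode()

def _frame(first_byte, body):  # fixed header for bodies shorter than 128 bytes
    assert len(body) < 128
    return bytes([first_byte, len(body)]) + body

SAMPLE_STREAM = (
    _frame(0x10, _mqtt_string("MQTT") + bytes([4, 0xC2, 0, 60])         # CONNECT: user+password, keepalive 60
           + _mqtt_string("dev-7") + _mqtt_string("sensor1") + _mqtt_string("s3cret"))
    + _frame(0x30, _mqtt_string("shop/orders")                           # PUBLISH, QoS 0
             + b'{"card":"4111 1111 1111 1111","mail":"ann@example.org"}')
    + _frame(0x32, _mqtt_string("home/temp") + bytes([0, 7]) + b"21.5")  # PUBLISH, QoS 1, packet id 7
)
```

Running `assess(SAMPLE_STREAM)` reports the cleartext credentials of `sensor1` and the card number and e-mail address published on `shop/orders`, while the temperature reading on `home/temp` produces nothing. The Luhn filter matters in practice because MQTT payloads are full of long numeric identifiers (timestamps, serial numbers) that a bare digit pattern would otherwise report as cards.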

By subscribing to the # and $SYS/# topics, MQTTSA intercepts, respectively, messages from clients and the internal control messages of the broker. The latter are particularly important, as they allow the Broker Fingerprinting module to identify the broker type and version.

If the user does not enable the “ni” option (which restricts the tool to non-intrusive attacks), the module finally attempts to publish a default test message (which can be changed through the -m parameter) to each of the topics intercepted so far (using sniffed credentials where available); when this succeeds, the topic is added to a “writable topics” list that is passed to the Data Tampering module.

The Authentication Bruteforcing module implements a classic password bruteforce attack when the value of return_code is "4" and the tool is launched with a username and a wordlist of passwords. To the best of our knowledge, no dictionary of credentials specific to MQTT is currently available; we have thus derived one from Metasploit.

The Data Tampering module attempts to crash the broker or disrupt the IoT service by triggering missing input validation. It is executed only when the tool is launched with the --md parameter and the Data Parsing and Exfiltration module was able to record at least one writable topic (see above). It also attempts to exploit specific vulnerabilities, such as CVE-2017-76507.

The Denial of Service module mounts a DoS attack by publishing very large messages (up to 10 MB) and performing several concurrent requests from a single process with multiple threads (100 by default). The aim is to measure the delay introduced in the target MQTT broker by a substantial number of client requests (rather than to induce a permanent failure).

Note that clients are disconnected if the delay exceeds the keep_alive value configured in the broker: this is the maximum time a broker waits before closing the connection with an unreachable client. Interestingly, this behaviour can be exploited not only to mount DoS attacks but also to spoof the credentials of authenticated clients by forcing their disconnection and then listening for their CONNECT packets.

The Report Generator module produces a report (in PDF format) collecting the results of the executed attack patterns and a description of the mitigation measures for the detected vulnerabilities. If the Broker Fingerprinting module was able to identify the broker type and version, the report also includes code snippets that can be readily used in the actual deployment, thereby facilitating patching; as of the current version, these are provided only for Mosquitto (which our analysis found to be the most widely used MQTT broker).
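This added example (not MQTTSA's report generator) ties the Broker Fingerprinting step to the Mosquitto snippets the report carries: it parses the text Mosquitto publishes on `$SYS/broker/version` into a broker name and version tuple, then maps a list of findings to `mosquitto.conf` lines, choosing the size-limit directive by version. The directive names are real Mosquitto options; the finding names, the numeric limit and the file paths are assumptions and placeholders for this example.

```python
"""Fingerprint a broker from its $SYS/broker/version message and turn a list of findings
into the mosquitto.conf lines a report would carry.  Added example, not MQTTSA's report
generator; directive names are real Mosquitto options, file paths are placeholders."""
import re

_VERSION_RX = re.compile(r"^(?P<name>[A-Za-z]+) version (?P<ver>\d+(?:\.\d+)+)")

def fingerprint(sys_version_payload):
    """Parse e.g. 'mosquitto version 1.6.9' into ('mosquitto', (1, 6, 9)); None if unrecognised."""
    m = _VERSION_RX.match(sys_version_payload.strip())
    if not m:
        return None
    return m.group("name").lower(), tuple(int(x) for x in m.group("ver").split("."))

# Finding -> mosquitto.conf lines.  Explanations sit on their own '#' lines so the
# block can be pasted as-is.  Finding names are assumptions of this example.
MOSQUITTO_FIXES = {
    "anonymous-access": [
        "# require a username and password from every client",
        "allow_anonymous false",
        "password_file /etc/mosquitto/passwd",          # placeholder path
    ],
    "cleartext-credentials": [
        "# TLS listener so CONNECT credentials and payloads are not sent in the clear",
        "listener 8883",
        "cafile /etc/mosquitto/certs/ca.crt",           # placeholder paths
        "certfile /etc/mosquitto/certs/broker.crt",
        "keyfile /etc/mosquitto/certs/broker.key",
    ],
    "writable-topics": [
        "# per-user topic permissions; topics not granted in the ACL file are denied",
        "acl_file /etc/mosquitto/acl",                  # placeholder path
    ],
    "broker-fingerprinted": [
        "# stop publishing version and statistics under $SYS/",
        "sys_interval 0",
    ],
}

def mitigation_snippet(broker, findings):
    """Config lines for the detected findings; empty for brokers other than Mosquitto."""
    if broker is None or broker[0] != "mosquitto":
        return []
    lines = []
    for finding in findings:
        for line in MOSQUITTO_FIXES.get(finding, []):
            if line not in lines:
                lines.append(line)
    if "large-messages" in findings:
        # message_size_limit is deprecated from 2.0 in favour of max_packet_size
        directive = "max_packet_size" if broker[1] >= (2, 0) else "message_size_limit"
        lines += ["# reject oversized PUBLISH packets (value in bytes, chosen for this example)",
                  directive + " 10240"]
    return lines
```

Keeping the snippet generation keyed on the parsed version is what lets a report stay correct across the 1.x and 2.0 option sets; a broker whose `$SYS` tree is disabled will simply yield no fingerprint, and the function then returns nothing rather than guessing.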

Download

MQTTSA is an open-source project released under Apache-2.0 license. You can download, use and contribute to the code by visiting the project's repository on GitHub.

Who we are

Andrea Palmieri

Student@EIT Digital Master School, Trento, Italy andrea.palmieri@strudenti.unitn.it

Paolo Prem

Student@EIT Digital Master School, Trento, Italy paolo.prem@strudenti.unitn.it

Silvio Ranise

Head of Security&Trust @ Fondazione Bruno Kessler, Trento, Italy ranise@fbk.eu

Umberto Morelli

Collaborator@Security&Trust - Fondazione Bruno Kessler, Trento, Italy umorelli@fbk.eu

Tahir Ahmad

Phd@Security&Trust - Fondazione Bruno Kessler, Trento, Italy ahmad@fbk.eu