Attack Scenarios and Security Analysis of MQTT


Proc. EECSI 2017, Yogyakarta, Indonesia, 19-21 September 2017
978-1-5386-0549-3/17/$31.00 ©2017 IEEE

Attack Scenarios and Security Analysis of MQTT Communication Protocol in IoT System

Syaiful Andy, Budi Rahardjo, Bagus Hanindhito
Department of Electrical Engineering, School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia
Email: syaifulandy@gmail.com, rahard@gmail.com, hanindhito@bagus.my.id

Abstract—Various communication protocols are currently used in Internet of Things (IoT) devices. One of the protocols that is already standardized by ISO is the MQTT protocol (ISO/IEC 20922:2016). Many IoT developers use this protocol because of its minimal bandwidth requirement and low memory consumption. Sometimes an IoT device sends confidential data that should only be accessed by authorized people or devices. Unfortunately, the only security mechanism the MQTT protocol itself provides is authentication, and by default it does not encrypt data in transit, so data privacy, authentication, and data integrity become problems in MQTT implementations. This paper discusses several reasons why many IoT systems do not implement an adequate security mechanism. Next, it demonstrates and analyzes how easily this protocol can be attacked using several attack scenarios. Finally, after the vulnerabilities of this protocol have been examined, we can improve our security awareness, especially of the MQTT protocol, and then implement security mechanisms in our MQTT systems to prevent such attacks.

Keywords—attack; MQTT; protocol; scenario

I. INTRODUCTION

Internet of Things (IoT), or machine-to-machine (M2M) communication over the internet, is a concept that allows communication between devices over the Internet. The number of IoT devices is growing rapidly: Cisco IBSG predicts that the number of IoT devices will reach 50 billion by 2020 [1], and Gartner predicts that by 2020 the internet of things will be made up of 20.4 billion units [2]. IoT plays a major role in smart city implementations such as smart home, smart transportation, and smart parking.

Nowadays, many protocols are used as communication protocols in IoT devices. Five of the most prominent protocols used for IoT are Hypertext Transfer Protocol (HTTP), Constrained Application Protocol (CoAP), Extensible Messaging and Presence Protocol (XMPP), Advanced Message Queuing Protocol (AMQP), and MQ Telemetry Transport (MQTT) [3]. Some considerations that must be taken into account when choosing a protocol are energy efficiency (total energy consumed for the given execution time), performance (total transmission time taken to send messages and receive their acknowledgments), resource usage (CPU, RAM, and ROM usage), and reliability (ability to avoid packet loss, i.e. QoS) [4]. Moreover, when advanced functionalities (e.g. message persistence, wills, and exactly-once delivery), reliability, and the ability to secure multicast messages are highly considered, the MQTT protocol is one of the best options [5].

A. MQTT Protocol

MQ Telemetry Transport (MQTT) is a messaging protocol using a publish/subscribe mechanism, originally designed by Andy Stanford-Clark and Arlen Nipper. It is currently an OASIS (Organization for the Advancement of Structured Information Standards) standard. The MQTT protocol is now also standardized in ISO/IEC 20922:2016 (Information technology - Message Queuing Telemetry Transport (MQTT) v3.1.1). This protocol is widely used for IoT systems with limited resources for several reasons: it is lightweight, has a small bandwidth requirement, and is open and straightforward to implement [6].

Figure 1 shows an example of the use of the MQTT protocol. Publish and subscribe operations can be compared to the client and server model. The central server in MQTT is called the broker; it acts as the recipient of messages from the clients, which are, essentially, all the nodes involved in the communication process [7]. A message itself can be a publish to, or a subscribe to, a topic. Furthermore, all devices connected using this protocol can become both publishers and subscribers. Usually, in an MQTT architecture, several sensors periodically publish the results of their measurements (i.e. payload data) to a topic address. Every device that has been registered as a subscriber to a specific topic will receive a message from the broker each time the topic is updated.

Fig. 1. An example of MQTT protocol use case.

B. Security Requirement and Attack Surface

Information security is also an important thing to consider when deciding on a protocol, because some of the communication protocols used in IoT devices do not have a comprehensive information security mechanism. According to a book published by ISACA [8], the objective of information security consists of three components: data confidentiality, data integrity, and data availability. There are also access-level

security requirements such as authentication, authorization, and access control, which are explained in [9]. In fact, the MQTT protocol is one of the protocols that do not yet have an overall security mechanism, because it only has an authentication mechanism without encryption capabilities.

There are various considerations for an IoT developer who wants to design security solutions for an IoT communication protocol. Firstly, the limitations of the IoT device itself (e.g. compute performance and low power consumption) require a lightweight security protocol with a small code footprint. Secondly, the environment is heterogeneous: each connected device may use a different protocol and a different security mechanism. Lastly, the reliability of the network may force us to use a security mechanism with minimum overhead [10].

By understanding the security requirements for IoT devices, we can now discuss the attack surface in IoT. An attack surface is a vulnerability that can be accessed and exploited in a system [11]. In [9], the attack surface in IoT is divided into the local network and the public network. The local network corresponds to an internal attack, where the attacker is on the same network as the IoT devices, while the public network corresponds to an external attack, where the attacker might reside anywhere in the public network to attack the IoT system [9].

II. BACKGROUND

This section explains several reasons why IoT implementations in the world do not use security mechanisms.

A. Resource Constrained Device

There are many devices categorized as constrained devices which, according to RFC 7228 [14], are further divided into three classes based on their RAM and ROM as follows.

TABLE I. CLASS IN CONSTRAINED DEVICE (RFC 7228)

  Class     RAM (Data Size)   Flash (Code Size)
  Class 0   << 10 KB          << 100 KB
  Class 1   ~10 KB            ~100 KB
  Class 2   ~50 KB            ~250 KB

Because of their very limited computing performance, most resource constrained devices, especially class 0 devices, cannot handle most security approaches [15], notably mechanisms with heavy computation such as running TLS for transport security.

B. Vast number of devices

The significant number of connected devices appears to create more vulnerabilities [16]. For an IT department, it is cumbersome to manage many different types of devices [17], especially when a security mechanism is applied to the IoT system. For example, when username and password are used to authenticate, the IT department will have to put much effort into maintaining the security credentials (e.g. changing the passwords periodically).

C. Lack of security awareness

The lack of security awareness means a developer may prefer to choose functionality over security when trade-offs must be made [18]. Moreover, according to the Bitdefender survey study [19] in the US, Romania, Germany, Australia, France, and the UK, fewer than 50% of people from each country are aware of almost all security awareness parameters (e.g. privacy concerns, losing control of a smart device, frequency of software updates). Another study, from HP Fortify, states that 70% of devices use unencrypted network services [20].

III. ATTACK SCENARIOS ON MQTT PROTOCOL

In this section, we will discuss how an attack can be carried out on the MQTT protocol.

Last year, a major incident related to IoT systems was reported by RSA, where hackers had hijacked many IoT devices and offered access to the compromised IoT devices and cameras in a criminal forum [12]. Moreover, there was a distributed denial of service (DDoS) attack on the krebsonsecurity.com site performed by botnets embedded in IoT devices. Finally, according to data owned by the Akamai Threat Research team [13], there were reportedly millions of IoT devices used as proxies to route victims' traffic to malicious sites.

First, we assume that we do not know anything about the victim system that we want to attack (i.e. no prior knowledge of the infrastructure, defense mechanisms, and communication channels). This type of assumption is called black box penetration testing [21]. The attack begins with information gathering, which can be accomplished using Shodan, Masscan, or NMAP [22]. For this paper, the Shodan search engine will be utilized.

By entering the string “port:1883 "MQTT"” in the Shodan search box, we search for the MQTT protocol on port 1883, the default MQTT broker port that does not use TLS for security, to find available broker servers. The search result shown in Figure 2 shows that at that moment (April 27, 2017), there were 24998 brokers on the default port successfully indexed by Shodan.

Fig. 2. Result of MQTT broker on port 1883 in Shodan

Besides the result shown in Figure 2, there is also an MQTT connection code to the right of each broker, as shown in Figure 3. All brokers with a connection code of “0” are easier to attack because such a broker does not use any client authentication mechanism, so an anonymous publisher or subscriber can connect to it freely.

Fig. 3. MQTT connection code in Shodan page search result

For the first scenario, we can start by subscribing to all topics on that broker (subscribing to #), which may give us confidential data to be analyzed later. This attack scenario is illustrated in Figure 4.

Fig. 4. Attacker can subscribe to all topic messages

Another scenario can be initiated by publishing data to a broker that does not have an authentication mechanism, which is illustrated in Figure 5. Street lamps act as subscribers, and the legitimate publisher publishes messages to control the street lamps. On the other hand, since the broker does not have an authentication mechanism, an attacker can subscribe to the broker to get any message that is used to control the street lamps. By analyzing the control messages, the attacker can publish his own message to take over the street lights. This kind of scenario can also be used by an attacker to publish spam data so that both broker and subscribers get flooded, which may result in denial of service.

Fig. 5. Attack scenario from attacker's publisher

The first and second scenarios are generic scenarios that apply both in the local network and in the public network. The next scenarios to be discussed assume that the attacker is connected to the same network as the IoT system (e.g. the publisher network or the broker network). Using this assumption, the attacker can perform traffic analysis on that network to extract valuable information from the MQTT data in transit, which is in plain text, such as:

a. Broker IP (usually a public IP address)
b. Name of the topic
c. Data payload
d. Port number that the IoT system uses for MQTT

To demonstrate this scenario, an Espectro board (based on the ESP8266) acts as a publisher and is on the same wireless network as the attacker's computer, which runs the Kali Linux operating system. Meanwhile, the subscriber and broker are on another network. The publisher device publishes to the topic “outTopic” with the message payload “hello world”, while, for this demonstration, the subscriber subscribes to all topics (#).

The attacker uses Wireshark and Ettercap to perform the attack. An attacker on the same network as a publisher can sniff and modify the data in transit, and thus compromise the data privacy, authenticity, and integrity of MQTT packets.

A. Data privacy

Data privacy in MQTT messages is definitely an issue since, by default, MQTT does not provide any data encryption. Whether or not the broker uses an authentication mechanism, the attacker can still easily sniff the data in transit. Figure 6 gives a screenshot of the attacker's Wireshark packet capture that shows the MQTT topic and message of the data in transit from the publisher device described earlier.

Fig. 6. Published message captured in Wireshark

B. Authentication

If the broker uses a client authentication mechanism based on username and password, the attacker cannot act as a publisher or subscriber as long as the attacker does not know the username and password (i.e. the MQTT connection code will be 5 if we do not provide a username and password, or 4 if a bad username or password is supplied). In our scenario, however, the attacker is on the same network as the publisher. Thus the attacker can sniff the traffic on the network while waiting for a “Connect” packet from the publisher to be in transit, so that the username and password used to connect to the broker are revealed.

During the authentication process, there is a header in the packet known as KeepAlive, which indicates how long the IoT device (publisher/subscriber) remains connected to the broker. Therefore, when the KeepAlive time expires, the device (publisher/subscriber) will resend the “Connect” packet to restart the connection. Figure 7 shows the “Connect” packet from the publisher that has been sniffed by the attacker.

Fig. 7. Result of sniffing the MQTT Connect command packet

C. Data Integrity

Another possible attack targets the integrity of data in transit. An attacker who already knows the data packets from sniffing the traffic can modify the data in transit. In this scenario, the attacker wants to change the topic name from “outTopic” to “outTopuc”. To do so, the attacker creates a filter file (named owned.filter) that matches packets in transit with TCP destination port 1883 and destination address equal to the broker IP. After a packet matching the filter criteria is identified, the filter also searches for the string “outTopic” and replaces it with “outTopuc”, as seen in Figure 8. Next, the Etterfilter application is used to compile the “owned.filter” file, which produces an output file named “owned.ef”.

    # owned.filter
    if (ip.proto == TCP && tcp.dst == 1883 && ip.dst == 'IP Broker' &&
        search(DATA.data, "outTopic")) {
        replace("outTopic", "outTopuc");
        msg("payload replaced\n");
    }

Fig. 8. Filter file to filter MQTT packets

Finally, using the Ettercap application running on the specific interface the attacker uses to connect to the internet, the attacker applies the compiled filter to modify packets after successfully performing ARP poisoning so that the other hosts' network connections pass through the attacker's computer. This step is given in Figure 9.

    etterfilter owned.filter -o owned.ef
    ettercap -T -q -i eth0 -F owned.ef -M ARP /// ///

Fig. 9. Command to run ettercap with specific parameters

Figure 10 shows the published message topic that has been successfully altered and received by the subscriber device. Because the subscriber subscribes to all topics, it still receives the message. Furthermore, the attacker can change the message to execute other interesting attacks on this protocol. One of the interesting scenarios occurs when the attacker identifies someone who sends a link to download a firmware update for some devices over MQTT. The attacker can change the link in such a way that the victim devices install malicious firmware that turns them into botnets.

Fig. 10. Result of change in topic name

D. Port Obscurity

The official IANA port numbers used by MQTT are 1883 for regular MQTT and 8883 for MQTT over SSL/TLS. However, a broker administrator can configure the system to use a non-standard port. Unfortunately, if the security mechanism only depends on the MQTT protocol itself, the attacker can still easily observe packets that pass through the network. For example, the attacker can use Wireshark to sniff the packets and filter them by selecting Edit > Find Packet, with search type “String”, search in “Packet bytes”, and the text “MQTT”. This filtering is possible because, in MQTT, there is a variable header containing the MQTT protocol name that is sent along with the “Connect” packet by the client (publisher or subscriber) to the server (broker). Figure 11 shows an MQTT data packet on port 1884 in the Wireshark application.

Fig. 11. MQTT packet in port 1884

E. Botnet over MQTT

A botnet over MQTT was presented at the Defcon 24 event, which demonstrated a BotMaster sending commands to bots over the MQTT protocol [23]. A botnet is a network consisting of many bots--a type of malware installed on compromised computers--which can then be controlled by the BotMaster [24]. We can obtain a broker using the Shodan search engine as we have done before and turn it into a free broker server that connects the attacker to the victim's devices. Using this scenario, the attacker can hide from any investigation because he uses the unsecured broker as an intermediary to communicate with the botnet.

As we can see in Figure 12, the BotMaster acts as commander of a botnet and uses a certain broker to control many IoT devices (the botnet) at once with only one published message on a specific topic. The BotMaster can also receive victim status by subscribing to the status of every IoT device in the botnet. This scenario is very efficient, especially if the BotMaster wants to give one command to the whole botnet at once (e.g. launch a DDoS attack, or send a large amount of spam or phishing emails [24]).
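The fields the paper reads off Wireshark in sections A, B and D (topic and payload of a PUBLISH, the protocol name, KeepAlive, username and password of a CONNECT, the CONNACK return codes 0, 4 and 5, and the fact that the protocol name gives MQTT away on any port) can be recovered with a small dissector. The following is an added example, not code from the paper: it parses hand-constructed MQTT 3.1.1 packets that mirror the paper's setup (topic “outTopic”, payload “hello world”, a subscriber on “#”), with a made-up client id and credentials, and emits the findings a passive monitor on the defender's side would raise.

```python
from typing import Any, Dict, List, Tuple

CONNECT, CONNACK, PUBLISH, SUBSCRIBE = 1, 2, 3, 8          # control packet types
IANA_PORTS = (1883, 8883)
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version", 2: "identifier rejected",
                 3: "server unavailable", 4: "bad username or password", 5: "not authorized"}

def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the variable-length 'remaining length' field of the fixed header."""
    value, mult = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def _field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 2-byte big-endian length-prefixed field (UTF-8 strings, will message)."""
    n = int.from_bytes(buf[pos:pos + 2], "big")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_packet(buf: bytes) -> Dict[str, Any]:
    """Dissect one MQTT 3.1.1 control packet; every field is readable because no TLS is used."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    rlen, pos = _remaining_length(buf, 1)
    body = buf[pos:pos + rlen]
    info: Dict[str, Any] = {"type": ptype}
    if ptype == CONNECT:
        name, p = _field(body, 0)                # variable header: protocol name, level,
        cflags = body[p + 1]                     # connect flags, keep alive (seconds)
        info.update(protocol=name.decode(), keepalive=int.from_bytes(body[p + 2:p + 4], "big"))
        cid, p = _field(body, p + 4)             # payload starts with the client identifier
        info["client_id"] = cid.decode()
        if cflags & 0x04:                        # Will flag: will topic and will message follow
            info["will_topic"], p = _field(body, p)
            info["will_msg"], p = _field(body, p)
        for flag, key in ((0x80, "username"), (0x40, "password")):
            if cflags & flag:                    # credentials travel as plain UTF-8 strings
                raw, p = _field(body, p)
                info[key] = raw.decode()
    elif ptype == CONNACK:
        info.update(return_code=body[1], meaning=CONNACK_CODES.get(body[1], "unknown"))
    elif ptype == PUBLISH:
        topic, p = _field(body, 0)
        qos = (flags >> 1) & 0x03
        p += 2 if qos else 0                     # QoS 1 and 2 carry a packet identifier
        info.update(topic=topic.decode(), qos=qos, payload=body[p:])
    elif ptype == SUBSCRIBE:
        p, topics = 2, []                        # skip the packet identifier
        while p < len(body):
            t, p = _field(body, p)
            topics.append((t.decode(), body[p]))  # (topic filter, requested QoS)
            p += 1
        info["topics"] = topics
    return info

def audit(port: int, buf: bytes) -> List[str]:
    """Findings a passive network monitor would raise for one plaintext MQTT packet."""
    info = parse_packet(buf)
    findings: List[str] = []
    if info["type"] == CONNECT:
        # Port obscurity does not help: the protocol name identifies MQTT on any TCP port.
        if info["protocol"] in ("MQTT", "MQIsdp") and port not in IANA_PORTS:
            findings.append(f"mqtt-on-nonstandard-port:{port}")
        if "username" in info:
            findings.append(f"cleartext-credentials:{info['username']}")
        else:
            findings.append(f"anonymous-connect:{info['client_id']}")
    elif info["type"] == CONNACK:
        findings.append(f"connack:{info['meaning']}")
    elif info["type"] == PUBLISH:
        findings.append(f"cleartext-publish:{info['topic']}")
    elif info["type"] == SUBSCRIBE:
        findings += [f"wildcard-subscription:{t}" for t, _ in info["topics"] if t == "#"]
    return findings

SAMPLE_CONNECT = b"\x10\x25\x00\x04MQTT\x04\xc2\x00\x3c\x00\x08espectro\x00\x07iotuser\x00\x06s3cret"
SAMPLE_ANON_CONNECT = b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08espectro"  # constructed samples
SAMPLE_PUBLISH = b"\x30\x15\x00\x08outTopichello world"            # QoS 0, as in the paper
SAMPLE_SUBSCRIBE = b"\x82\x06\x00\x01\x00\x01#\x00"                 # subscribe to "#"
SAMPLE_CONNACK_DENIED = b"\x20\x02\x00\x05"                         # return code 5
```

Feeding the reassembled TCP payload of each captured segment into audit() with its destination port reproduces the paper's observations: credentials and topics are readable, a CONNECT on port 1884 is still recognisably MQTT, and a “#” subscription stands out.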

Fig. 12. Botnet command and control scenario using MQTT

IV. CONCLUSION

MQTT is one of the protocols used in IoT systems, and several scenarios for attacking this protocol have been discussed in this paper. The first scenario takes place in the public network, where we can scan the network using the Shodan search engine to search for public MQTT servers, then mount a denial of service attack on the devices (clients) connected to that broker or get/send incorrect data to its clients. Such a public broker can become a good candidate for controlling a botnet because of the nature of MQTT publish and subscribe. Then, from the local network, an attacker can sniff and modify packet data on the network to attack data privacy, data integrity, and the MQTT authentication mechanism. Moreover, using a non-standard port (port obscurity) does not improve the security of MQTT at all.

For mitigation purposes, a security mechanism for the MQTT protocol must be implemented, such as TLS, which is a good choice if the IoT devices used are unconstrained devices. Besides TLS, Singh et al. [25] have proposed another security mechanism based on ECC, which focuses on data confidentiality with lower resource requirements compared to TLS. Furthermore, Mektoubi et al. [26] have performed a study comparing RSA and ECC to protect data confidentiality and provide good non-repudiation. In the case of constrained devices, Niruntasukrat et al. [3] have tried to build a security mechanism focused on authentication and authorization of the devices to the broker, while Katsikeas [27] uses AES encryption, focusing on confidentiality and message authenticity. Security mechanisms for the MQTT protocol, especially for resource constrained devices, still need development, because each piece of research that has been done still has a certain focus which not yet

REFERENCES

[1] D. Evans, “The Internet of things: how the next evolution of the Internet is changing everything,” Cisco Internet Business Solutions Group White Paper, April 2011.
[2] Gartner, “Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016,” February 7, 2017.
[3] A. Niruntasukrat, C. Issariyapat, P. Pongpaibool, K. Meesublak, P. Aiumsupucgul and A. Panya, “Authorization mechanism for MQTT-based Internet of Things,” 2016 IEEE International Conference on Communications Workshops (ICC), pp. 290-295, 2016.
[4] D. H. Mun, M. L. Dinh and Y. W. Kwon, “An Assessment of Internet of Things Protocols for Resource-Constrained Applications,” 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), pp. 555-560, 2016.
[5] N. De Caro, W. Colitti, K. Steenhaut, G. Mangino and G. Reali, “Comparison of two lightweight protocols for smartphone-based sensing,” 2013 IEEE 20th Symposium on Communications and Vehicular Technology in the Benelux (SCVT), pp. 1-6, 2013.
[6] A. Banks and R. Gupta, “MQTT Version 3.1.1,” OASIS Standard, 2014.
[7] A. Prada et al., “Communication with resource-constrained devices through MQTT for control education,” 11th IFAC Symposium on Advances in Control Education (ACE), pp. 150-155, Bratislava, Slovakia, 2016.
[8] ISACA, “Cybersecurity Fundamentals Study Guide,” ISACA, 2015.
[9] M. M. Hossain, M. Fotouhi and R. Hasan, “Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet of Things,” 2015 IEEE World Congress on Services, New York City, NY, pp. 21-28, 2015.
[10] M. Iqbal and M. Bayoumi, “Secure End-to-End key establishment protocol for resource-constrained healthcare sensors in the context of IoT,” International Conference on High Performance Computing & Simulation (HPCS), pp. 523-530, 2016.
[11] W. Stallings, Cryptography and Network Security: Principles and Practice, 7th ed., Pearson, England, 2017.
[12] S. Alasmari and M. Anwar, “Security & Privacy Challenges in IoT-based Health Cloud,” International Conference on Computational Science and Computational Intelligence, pp. 198-201, 2016.
[13] E. Caltum and O. Segal, “Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns,” Akamai Threat Research, October 2016.
[14] C. Bormann, M. Ersue and A. Keranen, “RFC 7228: Terminology for Constrained-Node Networks,” IETF, May 2014.
[15] J. King and A. Ismail, “Distributed Security Mechanism for Resource Constrained IoT Device,” Informatica 40, pp. 133-143, 2016.
[16] Anonymous, “IoT Security Awareness,” InfoSec Institute, January 15, 2016. [Online]. Available: awareness/
[17] Anonymous, “IoT Security: Protecting The Networked Society,” Ericsson White Paper, February 2017.
[18] Ernst and Young, “Mobile device security: Understanding vulnerabilities and managing risks,” Insights on governance, risk and compliance, January 2012.
[19] Bitdefender, “Security Awareness in the Age of Internet of Things,” A Bitdefender Study White Paper, 2016.
[20] Anonymous, “Internet of Things research study,” Hewlett Packard Enterprise, 2015.
[21] F. Alisherov and F. Sattarova, “Methodology for Penetration Testing,” International Journal of Grid and Distributed Computing, Vol. 2, No. 2, June 2009.
[22] L. Markowsky and G. Markowsky, “Scanning for Vulnerable Devices in the Internet of Things,” The 8th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, September 2015.
[23] L. Lundgren, “Light Weight Protocol: Serious Equipment, Critical Implications,” Defcon 24, 2016.
[24] H. R. Zeidanloo and A. A. Manaf, “Botnet Command and Control Mechanisms,” 2009 Second International Conference on Computer and Electrical Engineering, Dubai, pp. 564-568, 2009.
[25] M. Singh, M. A. Rajan, V. L. Shivraj and P. Balamuralidhar, “Secure MQTT for Internet of Things (IoT),” 2015 Fifth International Conference on Communication Systems and Network Technologies, Gwalior, pp. 746-751, 2015.
[26] A. Mektoubi, H. L. Hassani, H. Belhadaoui, M. Rifi and A. Zakari, “New approach for securing communication over MQTT protocol: A comparison between RSA and Elliptic Curve,” 2016 Third International Conference on Systems of Collaboration (SysCo), Casablanca, pp. 1-6, 2016.
[27] S. Katsikeas, “A lightweight and secure MQTT implementation for wireless sensor node,” Technical University of Crete, 2016.

