Owntracks - Creeping on IoT with MQTT

It seems that IoT is everywhere these days. While many people love to see what things can be done with IoT, some see much of it as a privacy (maybe even safety) concern. I was recently contacted by a friend asking to do an evaluation of their IoT setup for their house and see if someone could easily spy on them or potentially even harm them.

In this post, I'll show how IoT (to me) became horrifying.


Before I begin, I was authorized to perform testing on my friend's connection. Always get consent before poking things you do not own. ;)

Enumeration

Probably one of the first things that anyone does on a pentest is enumerates. In my case, a single IP was in scope and a basic nmap scan was performed. Upon the scan results were what I expected; open http, ssh, and alt-http (8080). Something else caught my eye. That thing was port 1883, or MQTT. I knew some basic things about MQTT, however, nothing functional to where I could actually do anything with it.

MQTT

First off, what is MQTT? As stated by mqtt.org, MQTT is:

A machine-to-machine (M2M)/"Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport. It is useful for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium.

In other words, MQTT is a lightweight messaging protocol for things to communicate over.

Think of MQTT almost as an IRC for IoT. An MQTT broker essentially takes in data from a sensor that publishes it. A client (an app, DB server, other thing, etc.) is subscribed to a channel of interest/whatever is programmed. For example, a client can subscribe to "/home/sensors/temperature" and listen for new events to then take the data in, parse it, then display it as an easily-human-readable format. This is a VERY high level description.

I won't bore you with MQTT. If you're really interested in MQTT, go ahead and do some Google searches.

Owntracks?

Upon doing some enumeration, and finding out that NMAP actually has MQTT enumeration scripts (handy), I found that my friend was running his own Owntracks server which uses MQTT.

What the heck is Owntracks? Owntracks is a location diary/way for you to track your phone and save where you've been. A neat idea, however, it seemed a bit unrealistic that I could possibly connect to this thing. Could I really just subscribe to his MQTT server and view location data? There were questions and I needed answers. I later on found that the answer to all my questions was yes.

Creeping

So, how was I to even interface with this internet-exposed MQTT server? I'm not an IoT dev. Well, just as we can usually expect with python, there's a python module for that! Paho-MQTT (from the Eclipse team) allows you to easily script an MQTT client in under 100 lines of code.

Link to the module:

After some fumbling around with python and paho, I was able to get a working MQTT client. With the NMAP MQTT enumeration script, I was able to get that my friend was publishing data to "/owntracks/**/iphone".

Upon subscribing to that channel with our python paho MQTT client, I was presented with JSON data. Again, MQTT brokers are used for apps and whatnot. After importing the JSON module in python and doing some cleaning, I was able to get the following output:

Look at that. Check-in date, latitude, and longitude. We are now officially creeping on someone's location data.

While I was not able to directly compromise my friend's infrastructure, I was able to really violate some privacy and see where he had been going. The nice part about MQTT is that you can just keep the client connected and store whatever is published.

Just a side note: There are several hundred systems show on Shodan.

Code

Sharing is caring! Here is a quick PoC for pulling Owntracks information via MQTT on GitLab:

Additionally, here is an embedded iframe paste of it from pastebin:

Thoughts

When you start looking at what can be done with MQTT, it becomes truly frightening. Not only from the privacy perspective, but also the fact that someone can potentially cause physical destruction of your equipment. Go ahead and do a Shodan search for things running on port 1883. Imagine the possibilities ;). I'd be willing to bet the number continues to grow.

This post was with just Owntracks for the example. If you're interested in seeing more MQTT hackery, let me know on Twitter (@protoxin_).


Go out, have fun , and HACK THE PLANET! (responsibly, of course).

Until next time,
ProToxin

Join EFF!