1883 - Pentesting MQTT (Mosquitto)
👉 Overview
👀 What ?
1883 is the standard port used by MQTT (Message Queuing Telemetry Transport) protocol, a lightweight messaging protocol for small sensors and mobile devices, optimized for high-latency or unreliable networks. Mosquitto is one of the most popular MQTT brokers. Pentesting (penetration testing) MQTT or Mosquitto involves testing for vulnerabilities that could be exploited by hackers.
🧐 Why ?
Pentesting MQTT or Mosquitto is important because MQTT is commonly used in IoT (Internet of Things) devices, and these devices are often targeted by hackers due to their lack of security. An insecure MQTT broker could lead to unauthorized access, data leakage, and even remote control of the devices connected to it.
⛏️ How ?
To pentest MQTT or Mosquitto, you can use tools like mosquitto_sub and mosquitto_pub to subscribe to topics and to publish messages, respectively. Start by locating the MQTT broker, then attempt to connect to it. Test whether you can subscribe to a topic and receive messages, then whether you can publish messages. If you can do either without authorization, the MQTT broker is insecure.
⏳ When ?
Pentesting should be performed on MQTT or Mosquitto during the development phase before deployment, and regularly thereafter to ensure continued security as new vulnerabilities may be discovered over time.
⚙️ Technical Explanations
MQTT, or Message Queuing Telemetry Transport, operates on a publish-subscribe model. The system's communication hub is the MQTT broker. Clients can subscribe to specific topics and receive messages published to those topics.
The MQTT broker's security is vital. If it's not correctly secured, anyone can connect to it, subscribe to any topic, and receive messages to which they should not have access. This situation poses a significant breach risk, as an unauthorized user could receive sensitive data sent over the network.
An insecure MQTT broker can also allow unauthorized users to publish messages. This ability could disrupt communication between devices connected to the broker. Worse still, it opens a potential avenue for injecting malicious code into the system, which could compromise the whole network's integrity.
To secure an MQTT broker, several measures should be implemented:
- Require Username and Password for Connections: To prevent unauthorized access, each connection should authenticate with a username and password. This requirement ensures that only authorized clients can connect to the broker.
- Use Secure Connections (MQTT over SSL/TLS): Data transmitted over the network could be intercepted by malicious actors. By using secure connections, data is encrypted, making it unreadable even if intercepted.
- Set Appropriate Permissions for Topics: Not all clients need access to all topics. By setting permissions, you can control which clients can subscribe to or publish on specific topics, limiting the potential damage if a client is compromised.
- Regular Updates and Patching: MQTT broker software, like any software, can have vulnerabilities. Regularly updating and patching the software ensures you are protected from known vulnerabilities.
- Regularly Test for Vulnerabilities: Regular penetration testing can help identify any security vulnerabilities in your MQTT setup. These tests should be performed during development and regularly after deployment.
By following these steps, you can significantly improve the security of your MQTT broker and the devices connected to it.
Here is a detailed, educational example of how to secure an MQTT broker:
- Require Username and Password for Connections: You can set up a username and password for access to your MQTT broker. Using Mosquitto as an example, you can create a password file with the mosquitto_passwd command:
mosquitto_passwd -c /etc/mosquitto/passwd user
This command will prompt you to enter a password for the user 'user'. The '-c' option creates a new password file; if you want to add more users, omit this option so the existing file is not overwritten.
- Use Secure Connections (MQTT over SSL/TLS): To encrypt the data transmitted over the network, use SSL/TLS. First, generate certificates and keys with OpenSSL. You can create a Certificate Authority (CA) certificate and key with the following command:
openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt
Then use the CA certificate to sign a server certificate and key:
openssl req -new -out server.csr -keyout server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
You can then configure Mosquitto to serve these certificates on a TLS listener (8883 is the standard MQTT-over-TLS port) by adding the following lines to the configuration file /etc/mosquitto/conf.d/default.conf:
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
- Set Appropriate Permissions for Topics: You can limit access to topics by setting up an Access Control List (ACL). In the ACL file, specify which users can access which topics, like so:
user user
topic readwrite sensor/temperature
This configuration allows 'user' to read and write the 'sensor/temperature' topic. You need to reference the ACL file in the Mosquitto configuration file:
acl_file /etc/mosquitto/acl
- Regular Updates and Patching: Update Mosquitto with your operating system's package manager. For example, on an Ubuntu system, you can use the following command:
sudo apt-get update && sudo apt-get upgrade mosquitto
- Regularly Test for Vulnerabilities: Once your MQTT broker is set up, test it for vulnerabilities. For example, use the Mosquitto clients to try to connect without valid credentials, to connect with SSL/TLS disabled, or to access a topic that the user should not have access to:
mosquitto_sub -h localhost -t 'test' -u 'wronguser' -P 'wrongpassword'
mosquitto_pub -h localhost -t 'test' -m 'test message' --capath /wrong/path/to/ca_certificate
mosquitto_sub -h localhost -t 'forbidden/topic' -u 'user' -P 'password'
If any of these commands succeed, there is a vulnerability in your setup.
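The ACL step above shows a single rule, but in practice an ACL file grows to many user sections and pattern rules, and the question for the defender is whether each client is really confined to its own topics. The following script is an added example, not part of the original page or of the Mosquitto project: it evaluates a Mosquitto-style ACL file offline, implementing MQTT filter matching ('+' for one level, '#' for the remainder) and the 'user', 'topic' and 'pattern' (with %u) directives. It is a simplified model by assumption: 'deny' rules, %c and the $SYS special cases are not handled, and anything not explicitly granted is denied. The ACL contents and usernames are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original page): evaluate a Mosquitto-style ACL
# file offline to confirm topic permissions are as tight as intended.
# Simplified model (assumption of this example): "user" sections,
# "topic [read|write|readwrite] <filter>" and "pattern ... <filter>" with %u are
# handled; "deny" rules, %c and $SYS special cases are not. Default is deny.

# acl_allows <acl_file> <username> <read|write> <topic>
# Exit 0 if some rule grants the requested access, 1 otherwise.
acl_allows() {
  awk -v user="$2" -v want="$3" -v topic="$4" '
    # MQTT filter matching: "+" matches exactly one level, "#" the rest of the topic.
    function matches(filter, t,   fs, ts, nf, nt, i) {
      nf = split(filter, fs, "/"); nt = split(t, ts, "/")
      for (i = 1; i <= nf; i++) {
        if (fs[i] == "#") return 1
        if (i > nt) return 0
        if (fs[i] != "+" && fs[i] != ts[i]) return 0
      }
      return nf == nt
    }
    function grants(access) { return access == "readwrite" || access == want }
    /^[ \t]*$/ || /^[ \t]*#/ { next }        # blank lines and comments
    $1 == "user" { cur = $2; next }           # rules before any user line are for anonymous clients
    $1 == "topic" || $1 == "pattern" {
      access = "readwrite"; filter = $2       # access keyword is optional, default readwrite
      if (NF >= 3) { access = $2; filter = $3 }
      # pattern rules apply to every client with %u replaced; topic rules only to the current user
      if ($1 == "pattern") gsub(/%u/, user, filter); else if (cur != user) next
      if (grants(access) && matches(filter, topic)) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Constructed ACL for a small sensor fleet (example only, not a real deployment).
ACL=$(mktemp)
cat > "$ACL" <<'EOF'
# Anonymous clients (if allow_anonymous were true) may only read public status.
topic read status/#

user sensor-01
topic write sensors/sensor-01/#

user dashboard
topic read sensors/#

# Every authenticated client gets a private namespace named after its username.
pattern readwrite clients/%u/#
EOF

# check <user> <access> <topic>: print the decision for a human reader.
check() {
  if acl_allows "$ACL" "$1" "$2" "$3"; then echo "ALLOW $1 $2 $3"; else echo "DENY  $1 $2 $3"; fi
}

check sensor-01 write sensors/sensor-01/temperature   # own data: allowed
check sensor-01 read  sensors/sensor-02/temperature   # another sensor's data: denied
check dashboard read  sensors/sensor-02/temperature   # read-only consumer: allowed
check dashboard write sensors/sensor-02/temperature   # cannot forge readings: denied
check sensor-01 write clients/sensor-01/state         # pattern rule with %u: allowed
check sensor-01 write clients/dashboard/state         # someone else's namespace: denied
check ""        read  status/broker                   # anonymous, public status: allowed
```

Run it against your real ACL file by replacing the constructed one in ACL and adding check lines for the users and topics that matter; any unexpected ALLOW is a gap in the ACL, and an unexpected DENY before deployment is far cheaper than one found by a sensor that stops reporting.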
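The hardening steps above each end in a line of mosquitto.conf, so the quickest regression check is to audit that file rather than to probe the live broker. The following script is an added example, not part of the original page or of the Mosquitto project: it reads a configuration file and reports the settings that undo each step (anonymous access, no password_file, no TLS certificate, a plaintext listener on 1883, no acl_file). The two sample configurations are constructed here with placeholder paths; the directives themselves (listener, allow_anonymous, password_file, cafile, certfile, keyfile, acl_file) are standard Mosquitto options.

```shell
#!/bin/sh
# Added example (not part of the original page): audit a mosquitto.conf against
# the hardening steps described above (authentication, TLS, topic ACL).
# Sample configurations are constructed below with placeholder paths so the
# script runs offline; point audit_mosquitto_conf at a real file in practice.

# Print the value(s) of one directive, ignoring comments and blank lines.
conf_get() {  # conf_get <file> <directive>
  sed -e 's/#.*//' "$1" | awk -v key="$2" '$1 == key { print $2 }'
}

# Print one finding per line; prints nothing for a configuration that passes.
audit_mosquitto_conf() {  # audit_mosquitto_conf <file>
  conf=$1
  # 1. Anonymous access must be explicitly disabled (last occurrence wins).
  if [ "$(conf_get "$conf" allow_anonymous | tail -n 1)" != "false" ]; then
    echo "allow_anonymous is not set to false: unauthenticated clients may connect"
  fi
  # 2. Username/password logins need a password_file created with mosquitto_passwd.
  if [ -z "$(conf_get "$conf" password_file)" ]; then
    echo "no password_file: username/password authentication is not configured"
  fi
  # 3. TLS needs a server certificate and key on the listener.
  if [ -z "$(conf_get "$conf" certfile)" ] || [ -z "$(conf_get "$conf" keyfile)" ]; then
    echo "no certfile/keyfile: client traffic is not protected by TLS"
  fi
  # 4. A listener on 1883 is plaintext MQTT, readable by anyone on the path.
  if conf_get "$conf" listener | grep -qx 1883; then
    echo "listener on 1883: plaintext MQTT is exposed"
  fi
  # 5. Without an ACL file every authenticated client can reach every topic.
  if [ -z "$(conf_get "$conf" acl_file)" ]; then
    echo "no acl_file: every client can publish and subscribe to every topic"
  fi
}

# Number of findings, for a quick pass/fail in scripts ("|| true" keeps a zero count from failing).
finding_count() {  # finding_count <file>
  audit_mosquitto_conf "$1" | grep -c . || true
}

# Constructed sample files (not from any real deployment; paths are placeholders).
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/weak.conf" <<'EOF'
# Typical "it just works" configuration: open port, no auth, no ACL.
listener 1883
allow_anonymous true
persistence true
EOF

cat > "$WORKDIR/hardened.conf" <<'EOF'
# Configuration after the steps on this page.
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
EOF

for name in weak hardened; do
  echo "== $name.conf: $(finding_count "$WORKDIR/$name.conf") finding(s)"
  audit_mosquitto_conf "$WORKDIR/$name.conf"
done
```

The audit is deliberately conservative: it treats a missing allow_anonymous as a finding even though recent Mosquitto releases default it to false, because an explicit setting survives upgrades and copy-pasted configurations. Drop it into the deployment pipeline so a configuration that reintroduces a plaintext 1883 listener or loses its acl_file fails before it reaches a broker.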