The use of publicly accessible MQTT brokers is prevalent across numerous verticals and technology fields. I was able to identify systems related to energy production, hospitality, finance, healthcare, pharmaceutical manufacturing, building management, surveillance, workplace safety, vehicle fleet management, shipping, construction, natural resource management, agriculture, smart homes and far more.

Hackers have been sounding alarms about this for years, but the message has not reached many parts of the Internet. Many of these systems are clearly involved in high-power and potentially dangerous operations, and I think it is a safe bet that militaries have been probing these systems for years and have likely found many soft spots which could be used for battle.

Over the past year, I have spent a bit of time analyzing exposed MQTT brokers on the Internet. In this post, I will outline some of these findings including examples of data disclosures I was able to identify as well as others I could not. For a brief recap of MQTT, check out my post about a connected lock.

My MQTT discovery process was initially seeded by a Shodan export with some limited masscan to supplement my host set. My first step was to design a scanning harness. I considered incorporating standard Linux tools or something like paho-mqtt, but ultimately both of these methods have some performance trade-offs and added complexity.

Instead, I went the most direct route that I could and made a short Python script to send raw packets for the MQTT handshake and dump responses to a file. The script was configured to call recv up to 100 times given a two-second timeout. The goal here was to get enough data to recognize an interesting broker while avoiding excessive resource consumption.
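As an added example (not the author's script), this is what that raw handshake amounts to in Python: a minimal MQTT 3.1.1 CONNECT packet, a CONNACK parser that maps the return code, and a self-check you can point at a broker you operate to confirm that an unauthenticated client is rejected. The client ID `mqtt-selfcheck`, the default host and the port are placeholders.

```python
import socket
import struct

# MQTT 3.1.1 CONNACK return codes (section 3.2.2.3 of the spec).
CONNACK_CODES = {
    0: "connection accepted (anonymous CONNECT allowed)",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)

def build_connect(client_id: str, keep_alive: int = 10) -> bytes:
    """CONNECT with clean session, no will and no credentials (the anonymous case)."""
    var_header = (struct.pack(">H", 4) + b"MQTT"        # protocol name
                  + bytes([0x04, 0x02])                 # level 4, clean-session flag
                  + struct.pack(">H", keep_alive))
    cid = client_id.encode()
    body = var_header + struct.pack(">H", len(cid)) + cid
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def parse_connack(data: bytes):
    """Return (session_present, return_code, description), or None if not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        return None
    code = data[3]
    return bool(data[2] & 0x01), code, CONNACK_CODES.get(code, "reserved/unknown")

def check_anonymous_connect(host: str, port: int = 1883, timeout: float = 2.0):
    """Send one CONNECT to a broker you own; a return code of 0 means no auth is enforced."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(build_connect("mqtt-selfcheck"))  # placeholder client ID
        try:
            return parse_connack(s.recv(4))
        except socket.timeout:
            return None  # broker accepted the TCP connection but never answered the CONNECT

if __name__ == "__main__":
    import sys
    print(check_anonymous_connect(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```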

Although sometimes it is easy to identify an organization associated with an open