
all right thanks for being patient good morning thanks for joining me on this early early early morning um my name is tracy martin i am a principal security engineer for the internet of things i've worked in security for about 20 years doing a whole bunch of odd jobs i've done sort of everything from compliance to incident response to building tools to oceans i've done just about everything and now i've found myself in the internet of things um i run defendcon or i did in the before times when we had uh real conferences in person so hopefully next year once everybody's vaccinated and healthy we'll start that up again i'm a veteran of the united states air
force i do osent as a hobby which i guess makes me kind of weird i participate in a bunch of different ocean groups and i i do some ocean talks based on my experience at nato i also do photography and i raise a small child which is why i never ever ever sleep um this should go without saying but the views in this don't represent my employer they're my views so if i say something that you think is stupid or you disagree with me uh it's not the views of my employer it's just my odd random musings on the world
and we have a freeze there we go sorry okay so first of all we need to talk about what is the internet of things and there's a bunch of definitions and you know it's funny because this is a hotly debated topic in the in the community but the way i define it and the way most people define it is it's anything that has a physical sensor anything that acts in the physical world that's then connected to the internet uh if you have been paying attention at all you'll know that this market is growing uh there's a hundred billion dollars in market revenue for the first time in 2017 and it's supposed to be 1.6 trillion by 2025.
so one of the big factors that i got into internet of things is that it is such a growing space and there's so many people needed to secure this ever growing threat there's so much to learn and it's changing every single day devices are getting smarter and faster and permeating every facet of our lives and with that the security threats get bigger and bigger so what is mqtt this talk focuses on a very specific portion of the iot and it's a protocol called mqtt it was developed a long time ago for use in oil rigs it's designed predominantly for devices with a really small code footprint so what that means is unlike other communication protocols like http it
doesn't take as much overhead it's not as processing intensive and it has the idea that you can still ensure quality of message without actually having a really heavyweight handshake in between so it was created in 99 out of ibm and it was designed in a way that you have these oil rigs out in the middle of the ocean and they're connected over these satellite links that are really lossy and kind of go out and on off off and on all the time so we needed a protocol that was both stateless but also guaranteed to pass messages when one or the other of the server or the client was offline and so that's why they created mqtt
but the interesting thing is that kind of like http this was never designed with the idea of security in mind this was never designed in a way to be secure because they assumed that the people on the oil rig were trusted and they assumed that the people back at the plant that were getting the information were trusted and the satellite was mostly trusted so it was pretty much okay but then they started adapting this protocol for use in the internet of things and just like http that's when things started to get a little weird so the benefits are it's super scalable super super scalable it's you can support hundreds of thousands if not millions of
devices simultaneously um is packet agnostic which basically means i can send any kind of data over mqtt and it's like an envelope whatever i put in it it'll happily unpack it and go about its merry way it's really reliable for a low bandwidth protocol unlike udp for example which is a best effort delivery system you can actually set quality of service messages where mqtt will just keep trying to deliver until it finally gets through so if say a broker goes offline for days or months at a time i still know that those messages will get through because of the quality of service flag that i've set it's also decoupled and that means that the broker and the client don't have to
be online at the same time and this is really important if you're you know in the middle of a field in the sahara and you don't have reliable internet connection but you still need to get information on say your water sensors back to a centralized facility you can't guarantee that that sensor will always be online at the same time that the broker is online it's also super efficient you can pass a lot of information really really quickly and in a network that has high latency you're guaranteed that that message isn't going to get lost or garbled along the way all right so there's a couple key ideas um the first one that we need to talk about is something
called a publisher and you can think about this kind of like a device most publishers are devices uh you can think of it like a light bulb in your smart home so the light bulb will publish a message that says hey i'm on or hey i'm off or hey i'm overheating and that message goes to a broker who then pushes it to a subscriber so you can think of it or at least i think of it kind of like a mailman right so the mailman sits in the middle and he takes a letter from one person and he delivers it to another person and that's where the broker comes in it sits like a spoken hub and it's the hub
and so the hub then is responsible for making sure that everybody who publishes on a topic and everybody that subscribes to that topic gets their messages and topics are just categories of messages so you can think of them kind of like folders on a windows operating system so i might have a topic that is light bulbs and all the light bulbs will publish on my light bulbs topic i might have a topic that is sensors and that could be all my ir sensors in my network and the cool thing about topics is that they're multi-level so i could have sensors slash light bulbs where i would get everything that i published to sensors and only things published light bulbs if
i was a light bulb so this is kind of what it looks like in a really really simple version this is based on an ir sensor that i built uh at my house because i have a cat whose food is in the laundry room and i always always always forget to refill her water because i'm a terrible person and then i feel guilty so i put a little water sensor in her uh in her dish that lets me know and it sends an mqtt broadcast to my phone that says hey dummy go refill her water and so you just you can do this at home with just about anything there's a link at the end of this talk
that'll get you started it's actually really simple to set up mqtt is widely available there's a ton of free brokers that you can set up and it really helps you understand how this works in a larger context all right so use cases um it's really interesting once you start uh looking through this you'll start seeing that mqtt is surprisingly everywhere i don't think i realized how everywhere it was until i started working in this field but if you look you have automotive manufacturers that are using it you have home automation i think that's the use case that most people are familiar with right your light bulbs and your smart door locks at home use mqtt most likely
telecommunications large telecos use mqtt to manage all kinds of things industrial manufacturing all of these use mqtt to do all kinds of things in your daily life so let's look at some specific examples so we've all heard about the connected car and uh some of us are super excited i for one welcome our robot overlord so i'm pretty excited about connected cars but they almost all use mqtt and the reason they do this is because you never know where your car is going to be i can't guarantee that it's going to have cellular or wi-fi and i really need to make sure that those messages are going to get through at some point and that's why http or sms aren't really
suited for this because both of them require either concurrent connectivity or a reliability and delivery system that's going to be just too compute intensive so the car can publish to topics like speed or fuel level or oil life and there can be a subscriber like a phone um an app on your phone if you use uh ford for example they have a an app that tells you oh your oil life is at you know 30 days oh you know you need to go in for maintenance uh your speed has been too too high over the last 30 days you know whatever there's a whole bunch of different things that they can publish these two and so it's
surprising how often we see this but we don't even know that it's around all right and then home automation so this is probably the use case that most people are familiar with um you have a smart light bulb you have a smart door lock you have a smart cam in your you know living room and the same situation right the light bulb says hey i'm on and the broker goes cool i'm on and it sends a message to the subscriber and says hey the light bulbs are on and this works in reverse too the the phone can publish to that same topic and say hey turn the light off and the broker takes that message sends
it to the light bulb and the light bulb says okay cool i'll turn off oh come on what's really interesting is in industrial manufacturing and this is becoming more and more common there's still a lot of proprietary industrial protocols that are not mqtt but you're actually seeing a huge rise in mqtt applications in things like energy grid and manufacturing interconnected factories that do predictive maintenance and can foresee issues with devices downstream so if i'm building a car and my welding machine is about to go out of spec it can actually predict that the last i don't know 12 cars that i made may need extra inspection because my welding machine wasn't quite within spec so it's super powerful and it gives a
way for people to manage a bunch of devices across factories all over the globe but the bad thing is there's of course just like any other protocol a ton of different types of attacks first is denial of service and i think we're all pretty familiar with that poor often poor authorsy there's software vulnerabilities because the mqtt broker is just usually a java application so you know basically any java vulnerability that you can find and then a couple extra on top just for good measure and then of course the transport security the piece between the device and the broker is really vulnerable to interception so denial of service this is interesting in mqtt those of you who are old enough like me to
remember hub and spoke networking uh mqtt is basically a version of that and if you like me once upon a time when you were young and bright-eyed learned that the downfall of hub and spoke model was that if the hub goes down everybody goes down mktt kind of suffers from this as well because it is the central hub for all of the spokes of devices connected to it now there's ways you can get around this you can do concurrent brokers and you can do failover brokers but many people don't have this set up or don't have it set up correctly and even if they do have failovers you can seize all of the available broker connections by just spamming a
bunch of messages so if you look at like our light bulb situation i can say instead of the light bulb beaconing every couple minutes to say hey i'm on hey i'm on if i just go to the broker and spam the crap out of it and say hey hey hey hey hey hey the broker is going to get overwhelmed and then it can't actually respond to legitimate clients on the network that are publishing or subscribing to messages i can also spoof client ids um and this is kind of funny so you have to have a unique client id to connect to mqtt but depending on how your broker's configured i can just tell you that this is my
client id so if my client id is one two three i can come online as an attacker and say hey i'm device123 and it'll be like wait there's too many people with the same name one of you's got to get off and so it'll actually drop both connections and as an attacker i can reconnect before the original and then assume that client ids session so that it can't reconnect um multiple unauthorized subscribe and publish messages so this is kind of like um if you think of instead of just overwhelming it with messages try to subscribe to topics that i'm not allowed to so if i'm a light bulb and i try to subscribe to let's say my kitchen stoves topic
then the mpg broker is going to say nope can't do that not cool go away but if i do that over and over and over again the mqtt broker kind of melts down and it's like wait there's too many things happening and i can't handle all of these on auth requests and then there's malform packets basically like any application you can futz around with the actual packet and the packet header and once it hits the mqtt broker it it causes it to kind of stumble and go i don't know what to do with this i don't know what this is and so the more you do that the more likely it is that the mqtt broker will
fall over for authentication so we mentioned this before it was never designed to have authentication and so there's authentication now but it's not great uh most mqtt brokers use username and passwords um by default they're sent in the clear um so if i can talk to the broker if i can get on the network i can figure out what the username and passwords are um pretty easily i can also um the user usernames and client ids are pretty easily guessable especially by mass consumer electronics devices manufacturers they'll usually go off something like the serial number or the um device imei and so i can figure out kind of what's going on and and just guess that number and
that's how i can figure out what the username of usernames are and then if the passwords are easily guessable like say most home routers it's pretty easy to kind of figure out and go to the broker with that username and client id we also have this idea that it's better to do device certificates than username and password and that's true except when you do the same device certificate for every single device on your network so if you take for example a large television manufacturer who has the same device certificate for millions and millions and millions of tvs it only takes one television being attacked and most of these devices don't have protected memory so now i have that certificate and i can
connect to the mqtt broker and i can subscribe to anything because they only use one certificate poor authorization okay so poor authorization the idea is that you're supposed to restrict topics to the devices that need them it's pretty basic just like anything in a file system you should only have access to the files that you need to use for your day and a light bulb shouldn't be able to publish to turn the stow on right like that that that's a bad model but unfortunately per device per topic administration is really really cumbersome and so what happens is just like any dev who's you know shemad 777 you kind of get a lot of folks that just
sort of do a splat and so they're like oh just everybody can subscribe to anything and it's fine um and that leads to poor device segregation which means that if your light bulb gets compromised i could turn on your stove or if your stove gets compromised i could unlock your door and so that causes this cascading failure effect where if all of your smart devices aren't secure then none of your smart devices are secure and then of course software vulnerabilities if you go to the cvss database then you can see there's a bunch of mqtt broker uh vulnerabilities most of these brokers don't get patched reliably they're on incredibly old versions there's it's like just like any application
right there's rces out there they're still unpatched um i don't think there's a lot of focus on this right now and so i think we'll expect to see this increase as the adoption and notoriety of this protocol increase um there's also vulnerabilities in the data aggregation and facilitation dashboards so a lot of these use a web app or a phone app to do you know hey all your lights are on or hey your stove is off or hey your stove is on and they allow you to publish and subscribe from that dashboard so if you can compromise the dashboard because the web app is really terribly coded then you can also compromise a lot of information on the
network and then of course there's device side vulnerabilities right so a lot of manufacturers ship uh almost with a default linux kernel um and so they have a bunch of libraries and packages they don't actually need you know they have ssh enabled or they uh have telnet enabled on some of these uh it's they have much more power than they need for the device that they're creating but they don't lock it down so that's just a much bigger attack surface for for attackers to get to and then transport security uh this one seems to get the most uh attention i think in mqtt circles uh mainly because i mean let's be honest encryption is hard this is why you know
pgp is such a nightmare um encryption's hard if you're not one of the big vendors doing a system you know a a big cryptography rollout if you're not running a pki server it's hard to do your own crypto and do it well um and so a lot of people just opt not to encrypt the transit at all and so they assume that everybody on the factory floor has access to every machine so if you're thinking about it in an unconnected factory this makes total sense because the mqtt broker and the client can only be accessed physically by people who in theory have access to all that information the problem is with more things getting connected and more things connecting to
the cloud we now have this opportunity for attackers once they can get inside that network to then view and possibly manipulate all of the information that goes across that network and even if they do try to do cryptography they have really insecure cryptography because they're running on really low compute devices that can't handle modern encryption and there's a lot of work going into this right now um in nist to see if we can make better lightweight cryptography but a lot of times they reuse keys or they reuse seed values and so it becomes really easy to attack the crypto the cryptographic footprint um there's also as we mentioned a lack of certificate uniqueness and that means
that basically i know what your certificates are so i can pretty much bypass all of your transit security because i already i just need one cert um and so when i started looking at this i'm sure everybody's used showdown um and it i kind of started digging around i wonder if any mqtt brokers are listening and if i can ping them so you can go to showdown and you can try to connect to something called cis broker and this is just basically a way of saying hey mkg broker can you hear me and are you listening so this was done a while ago um and it returned about 38 000 brokers and if you think about that if every
broker could have a million devices connected to it and not all of them do i would say it's probably more common to have a handful of devices but even at 100 devices per broker that's a lot of potentially compromised devices that are just out on the public internet so what does this mean so if i have roughly 40 000 mptt devices which require absolutely no authentication so this isn't me brute forcing credentials or trying to you know do anything fancy like grab a certificate from a device and replay it or any of that this is just brokers on the internet listening to see what's happening um but what do we really do with that i
mean showdown's cool and you know i think at least for me i like to go and you know dork around and pretend like i can do massive things but really you need to have an attack vector now so i'm too cheap to pay for a subscription to show dan and i ran out of my daily search limit so started poking around and i found this great tool called mass scam so it is literally a tool designed to scan the entire internet um if you if you've used nmap it works on the same syntax um where nmap obviously is too slow to scan a ton of ip addressable devices mass scan given a big enough internet
pipe can literally scan the entire internet i think it said in 10 or 15 minutes like some absurdly low amount of time so what's cool is you can use this then to scan for mqtt brokers this is my public service announcements um and i know this is controversial but you really shouldn't scan the whole internet you should really only scan things you have permission to scan you know uh parts of the internet don't like to be scanned you can cause things to accidentally fall over uh you can end up with you know people in suits and glasses knocking on your door um but hypothetically if you worked for say a large cloud services provider and you had a
lot of ip addresses mascan would be a great tool to scan your infrastructure to see if any brokers were open or if you're doing a pen test on say um you know a factory or uh you know really anything you should be surprised how often mqtt brokers pop up this is another way to scan for mqtt brokers and see if they're replying back so i didn't scan the whole internet but i did make a typo um and so i did scan 16 million hosts on accident because apparently subnetting is hard um i wasn't paying attention anyway it happened um but the good news is now i have lots of data so you get to benefit from me being kind of
a dork um so i scanned on port 1883 and 8883 just to kind of see what was out there um and so i got about 225 000 hosts that were alive of those about 2 500 were squawking back on either port and about a thousand were squawking back on 1883 and the reason this is important is it if you think about attacking as a funnel you want to look at your easy stuff first and then get to your harder stuff as you have time um and so if the host is communicating on 1883 i know that there's no encryption and so i don't have to worry about getting over that barrier so that's where i focus my efforts if i
were doing a legit engagement i would probably go deeper into 883 and see if i could do my certificate compromise or um any of those things but for this exercise i really just wanted to see if there were any brokers i could access that wouldn't ask me for anything so along comes pajo mqtt so you can go download this it's just an mqtt um package that allows you to communicate with brokers um and you can send connect flags to these brokers and see if they respond and based on their response that kind of gives you an idea of how they're going to let you access them so the best the best one is connection zero connection accepted that means the
mqtt broker was like doors open come on in uh number one is less okay but that's all right it just means your your protocol versions are incompatible so you need to update and maybe they're on a down level protocol and you're on an up level protocol less easy but still doable number two is interesting because it means your identifier was rejected so in a lot of cases you'll see where they have client ids unique client ids but no password so this means you just need to do a better job of guessing the client id um again not easy but not impossible um number three is kind of a you know service unavailable you can come back and try later that's basically
it's a binary it's either up or down um number four gets a little harder because now i don't know if it's a bad username or a password so now i have to kind of fuss around and try that and then number five is just a flat out sorry go away um either they're doing some kind of device filtering or connection filtering and number five is just that area where i go you know this probably isn't going to give me enough time unless this is a really valuable asset so now that we kind of have a list of what we want to do and a list of ips that we want to target there's this great tool by akamai that's
called mqtt pwn and i cannot express to you in words how much i love this tool um and how much i wish i was smart enough to build something like this i just consume other people's tools because they're always just so much better than the crap i throw together but if you have a chance go download it it's so much fun it allows you to do brute forcing of credentials so if you get that bad username password it'll try a bunch of default and i think you can also add rainbow tables in there it's been a minute since i've done that um it also enumerates topics so if you connect to a broker you can see all of the topics
that you can subscribe to or publish or read um it also helps do reconnaissance um so there's a time it's a super powerful tool you could probably do an entire talk just on that but i'd highly recommend go checking it out um so this was just uh i tried to grab the most innocuous piece of the topic enumeration from one of the brokers that i connected to and this seemed to be it um this is basically just topics that for people that are connecting and connecting every minute every 15 minutes um and how many bytes are sent and received fairly innocuous but you can also get some really good good data from this um there are other
brokers that were uh you know cameras like their topics were security cameras or their topics were um you know industrial manufacturing pieces um so there are definitely things i would like to believe these are all test environments and that they're just internet facing because reasons but there are definitely some in this list that i was able to connect to that i don't think they were intended to be connected to from abroad so if you spend time doing this you'll find a lot of interesting things that are sort of accidentally on the internet so i've talked about mqtt and all of its use cases and all of its attack surface and i think it's really important
when we start to talk about concrete examples of where things can go wrong so i could talk to you about industrial manufacturing robots going rogue and you know charging a factory floor or i could talk to you about water plantations that you know do bad mixes and kill millions there's a lot of things i can talk to you about but really i want to focus on something that i think is really the most important use case and that's the internet of cows so i think this is the piece that i started doing iot research that broke my brain um we have connected cows to the internet and not just one cow hundreds of thousands of cows
and not just one sensor but multiple sensors per cow and i can't tell if this is utopia or if this is the sky net that our forefathers warned us about but uh there's a system and effective multiple systems that allow you to remotely steer cattle out on the ranches so if you think about it out in montana for example where you have herds that roam in really big areas it used to be that you had a you know cow herder that would kind of mind the cows now they wear these collars that nudge them in different directions and this geofence if they get too close to the area they're not supposed to be in it kind of shocks them and they go away
it's time to come back from the range it steers them back to the to the farm but they all use mqtt for these messages so you can imagine if you could take over those callers and start sending messages nope go left nope go right everybody go this way i mean you could run an entire herd of cattle through a small town and destroy a lot of stuff and i use this example because it's so funny and so ridiculous but it kind of speaks to how deeply embedded this protocol and iot is in our everyday lives things that you don't even think about are connected to the internet and are publishing and subscribing on mqtt topics right now
so we could create the internet of zombie cows and i think that would be really cool not for the cows please don't do that that's really mean to the cows but in theory be really cool the good news is that everything's moving to the clouds so everything is awesome which is kind of true so the good news about the cloud is that most cloud providers enforce tls um to connect to their broker service which means you have less people running unencrypted over the wire you have less people using default username and password to connect to the broker so that's that's a win um you have better mqtt broker defaults you're talking about companies who spend
a lot of money on application security have a really robust application security program and they make sure that the broker is patched and pen tested and updated and they they spend a lot of time thinking through threat scenarios on the broker that most people if they don't have a huge absence organization just don't have time to do there's also a lot more detection and automation behind identifying trouble so your cloud broker can send logs to their logging service and their alerting service it can send things to their security dashboard many bro many cloud providers have specific security tooling that you can run on your iot devices that shows a dashboard of hey you know this device was sending one
message an hour and now it's sending 300 an hour, or, hey, this device over here has 75 failed login attempts in the last six seconds. So there's a lot of detection and automation in the cloud that helps users do better at security. It's also a lot easier to do things like per-device policies, because you can piggyback off, for example in AWS, IAM policies, or specific IoT device policies. The cloud makes it easier because they provide the infrastructure. But as we all know, the cloud is just another person's computer, so there are downsides to the cloud. The clouds are highly configurable, which is good, but there's a lot of pressure to bring in legacy customers, people who haven't done this, so the bar isn't always super high. Which means that you are, in a sense, getting into a group of folks who may not have the same security posture that you do. For example, in many cloud service providers, part of their bootstrapping process is to default-credential all the devices with the same certificate. That's great for ease of use, and you're supposed to go change it, but the reality is that not everyone does, so it can make it really easy to do bad things at scale.

More and more devices are connecting. That means that the paradigm from factories, where everybody had a physical right to be there and a physical need to access those machines, now you're opening it to the internet, which may or may not share the same security model. Systems may not be designed with the appropriate redundancy, and what I mean by that is, now you have this paradigm of: okay, if I don't have an internet connection, my MQTT broker lives in a server somewhere in Nebraska, I'm in Texas, if the internet goes down, what do I do for a backup? I need something at the edge. And so customers have to spend a lot of time really thinking through their use cases and what makes sense, to make sure that no matter what happens with the cloud connectivity they can still do their jobs on the ground.

So that was a lot of information in a very short amount of time, but the things I want you to take away are: MQTT is a lightweight, widely adopted protocol for IoT message publish and subscribe. It can be insecure; it's often misconfigured, defaults with no auth, and it doesn't support native encryption. You can add encryption on top of it. You do need to make sure, if you're connecting things to the cloud, to encrypt over the wire and protect things like usernames and passwords and your certificates. If you're building devices, you need to make sure that there is a way to protect those things in memory, because, you know, the old paradigm: if I can touch it, I own it. Well, everyone can touch your IoT devices, so you have to make sure that it's at least more difficult to get that information. And having tightly controlled per-device certificates and per-device ACLs is the most crucial thing you can do to ensure that you have a secure IoT deployment.

Here are some resources. Mass scan, that's my website at the top. It's super lame; I always say I'm gonna go back and fix it and I never do, and I've made my peace with the fact that it's just going to be super lame. But
my slides are there if you want to go get them, from this talk and a few others. The MQTT-PWN link is there. Also, if you want to get started building the sensor that I did earlier, I think the Instructables is actually a super good tutorial; it's really well put together. You can follow me on Twitter at that security chick, and I think that's it, I think that's everything.

All right, track two, I'm in track two? Yes, yes.

Do I know any other big protocols used for IoT? So Modbus is a big one in the industrial space. And my boss has my favorite quote of the year, and I really want to do a talk with this title: he told me, "If anyone tries to connect Modbus to the internet, light them on fire." So I think that's great context just in general. But yeah, there's a ton of other protocols. I wouldn't actually light people on fire; it's a metaphor. But Modbus is probably the one that I'm most familiar with. There are others, and to be honest I'm just getting into this space, so 85% of what I deal with is MQTT. And then you have the upcoming LoRaWAN protocols that are coming in that are going to be fairly ubiquitous, and there's a bunch of others I can't think of off the top of my head, but yeah, there's a ton of other protocols. This one just seems to be the most common, at least in my experience.

What are the common MQTT implementations in use, open-source versions commonly used, can they be fingerprinted by implementation? So Hive is really popular, Paho is really popular, the one from Eclipse. Those are the top two, and then the big cloud brokers use their own. That's a pivot, it's loosely based on Paho, but it's a pivot, so it's custom code. Can you fingerprint them? Yes. If you do a scan, I don't know if nmap has it built in, I think you can fingerprint it. I haven't done it in a while, so I don't remember exactly how. I think the broker will return it in a banner; it will tell you the broker, if I recall correctly. I'll have to go back and look. Honestly I spend too much time on the blue side, man, I've forgotten all the things.

Yeah, so we do have confirmation that it does look like nmap. Felt like I remembered that, but like I said, I've spent way too much time... I spent all day yesterday doing one PowerPoint slide, and I feel like I've come so far from where I thought my life was going, but here we are.

I think we've all been there at one point or another. It looks like somebody commented and asked: Mosquitto is a popular MQTT broker for smart homes; is there a popular one that's used in the industrial space that people could look for?

So there's actually a lot of Mosquitto in industrial. That's probably the most common one I've seen. Hive is also... in my experience, people who roll their own, who are like "I've totally got this and I don't need anybody to tell me how to live my life," they tend to do Mosquitto. And then people who are mindful that they need help tend to go with something like Hive, just because it's more managed and it has a few more security features and updates. And I can link to that, actually. And also, just a plug: Hive does a really great job explaining the MQTT protocol; they've got just a ton of really good information. Not affiliated with Hive, just so we're clear, I just like their website. Not an ad.

Anything else? Know more about cows? So here's the funny thing: it's not just steering cows. They put sensors under cows' tails to see if they're going into labor. Blew my mind.

Wow, that's crazy.

Right? Like, who does that? They put sensors in their stomachs to see their acid levels and to see if they're eating okay. Like, we've got cows with more sensors than our cars. It's insane.

Smart cows, Mark.

But they're not... see, cows themselves are not smart, they're just connected.

Yeah, so I think the question then becomes, like, if they go off to slaughter, do we have to worry about bits of sensors getting into the food chain?

I would guess not, but I suppose it could. Most of the ones I've seen are in ranching applications, so less meat cows, more ranch cows. I would assume that they either digest, and we don't eat the stomach. I mean, well, we do eat the tail, but I don't think we eat the part under the tail where the sensor goes. This is my... I grew up in a city, I honestly don't know. As much as I know about cows, I basically have gone to a petting zoo, so that's how much I know about cows.

Okay, well, I think that's probably more than I know about cows, and I grew up in the middle of nowhere, Tennessee.

How popular is MQTT as an attack target? Interesting question. I have been able to find zero data on this despite months of trying, and so either I'm the only crazy person who thinks this represents a huge attack surface, or it's being attacked and not publicized because people realize it's a huge attack surface, or people aren't aware of it and so they're just not attacking it right now. I think, and this is my personal theory, IoT device security is such an enormous trash fire right now that it's just so easy to attack the device, it's almost not useful to attack the broker in most implementations. But just like, sorry, I'm gonna be very Microsoft-y for a minute, as we shift the attacker target, then they're going to move to higher-value targets. And so, as you saw with, well, now the operating system is patched, people pivoted to applications. I think that as, hopefully, IoT device security improves, you're going to see that natural pivot to a connected broker. Because if I'm looking at it as an attacker, and the first thing I saw was, okay, sure, I could take over your smart camera at home and compromise it, whatever, then I have access to one feed, and that's cool. I mean, that's cool, but I can take over a broker and have access to hundreds of millions of devices, and that's really, really cool. And most brokers are shared, so I think it represents a really interesting attack surface.

I think my question would be, do you think that it's not being attacked, or do you think that we don't have visibility, so people say we're not being attacked because they don't know if they're being attacked?
Based on no data whatsoever, my gut says it's not being attacked right now. And the reason I say that is, if you look across cloud service providers, there have been incidents where the broker fell over. That wasn't malicious; it was just service availability: they pushed a patch, they made a change, whatever, and the broker fell over, and hundreds of millions of customers were disconnected. And usually when I see that happen, you see this natural pivot in hacker circles that goes, "Interesting, they did this by updating a patch; I wonder if I could do this by sending a bad packet," or whatever. So I haven't seen that, and maybe I'm just not in the cool kids' clubs anymore, I don't know, but I haven't seen any chatter on this anywhere.

So, anything less cool than connected cows that you found, that surprised you?

There's been a lot of IoT security that has surprised me, but not in good ways. I think I'm overall surprised that multi-billion-dollar companies that manufacture devices really still haven't figured out even the basics of IoT security. It amazes me. I think it's made me more fearful as I walk around my house and look at my smart devices and go, huh, I know your security posture and it's not good. I think I'm surprised that we haven't seen more wide-scale devastation, quite honestly.

You know, they do actually... I feel like I read somewhere that there was some cereal or something that had a little IoT sensor in it, so you could tell when you were getting out of cereal and it would reorder it for you.

Yeah. Oh, the other thing that surprised me: if you've heard of Fido, I think it's called Fido, it's an internet-connected dog collar, so if your dog goes missing it can find it and report it back to you. That was a use case I've never considered before. I don't know how internet-connected I want my animals to be.

Yeah, so Chris brings up an interesting point, and we've been actually having this very spirited debate at my day job. My strong hypothesis is, and I build security products for a living, so my entire job is to sell security products to people, my strong hypothesis is that consumer electronics manufacturers have no incentive to buy these products, because every single smart device in our homes has been compromised, probably within the last 12 months, and it doesn't seem to affect their bottom line that much. People just sort of expect it. And that's sad, but it's not untrue.

Wait, like multiple networked refrigerators? Because now I just want to know what the use case for all the refrigerators is.

Have you checked on your other neighbors? Are they still alive?

When you're too lazy to go open the fridge, you just connect to the fridge to look inside, to see that you still don't have anything that you didn't have before.

All right, all right. I would keep an eye on the basement one, is all I'm saying. That's how all the horror stories start.

Well, I suppose it depends, you know. Okay, see, and this is... now I have to tell the cannibal story. Now, see, this is where we're at. Once upon a time, I'm gonna keep it really short, I worked for NATO, and there was a guy and a girl who were having a relationship, and the guy was married, and so they weren't allowed to, because military, blah blah blah. So one day he was joking with her, and she was like, "This is the most perfect thing that could ever happen," meaning their relationship, and he's like, "Yeah, but what if I told you I killed people and ate them every year on my birthday? Wouldn't that ruin it?" And she laughed, and she thought that was really funny, and then somehow she went home over the weekend and decided it was true. So she called the federal police in Belgium, and they raided his refrigerator and took all of his meat to see if it was human. That is a true story from my life.

That is amazing.

Yeah, I never have an opportunity to tell the cannibal story in a talk, so this was exciting. It's usually more of an after-con, in the lobby bar kind of an education.

Well, with four minutes to go before, I think, Cat goes, then I guess we will wrap up. Thank you very much for the presentation, the information on IoT security and on MQTT, and if anybody has any additional questions: Twitter, Discord, anything else you want to plug?

No, I'm pretty responsive on Twitter. I'll hang out... where do I hang out in Discord? HallwayCon or LobbyCon? I'm very confused as to the difference. I think most people are chilling in Lobby.

Okay, cool, I'll hang out here for a little while and then I'll probably head over to LobbyCon.

Perfect. Thank you very much.

Thanks, thanks for having me.
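The talk's closing takeaways (no anonymous access, encryption over the wire, one certificate per device, per-device ACLs) applied to Mosquitto, the broker named in the Q&A. This is an added example, not configuration from the talk or from the Mosquitto project; the file paths and the sensors/devices topic layout are placeholders.

```conf
# ---- Weak: the quick-start shape the talk warns about (added example) ----
# Plaintext on 1883, anyone can connect, no per-device identity, no ACL.
listener 1883
allow_anonymous true

# ---- Hardened: the talk's takeaways applied to Mosquitto (added example) ----
# TLS only, on the standard MQTT-over-TLS port; usernames, passwords and
# certificates no longer cross the wire in the clear.
listener 8883
tls_version tlsv1.2
# Placeholder paths. cafile is the CA that issued the per-device certificates.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
# Every client must present a certificate signed by that CA (mutual TLS).
# A shared or default certificate across all devices defeats this control,
# so each device gets its own certificate and its own CN.
require_certificate true
# The certificate CN becomes the MQTT username, so the ACL below can be keyed
# per device without a password database.
use_identity_as_username true
# No anonymous sessions; every topic access is checked against the ACL file,
# and anything the ACL does not grant is denied.
allow_anonymous false
acl_file /etc/mosquitto/acl

# ---- Contents of /etc/mosquitto/acl (separate file, placeholder path) ----
# %u is replaced with the connecting client's username, i.e. its certificate CN,
# so a device can only publish its own telemetry and read its own commands.
# pattern write   sensors/%u/telemetry
# pattern read    devices/%u/commands
```

The two `pattern` lines are shown commented out only because they live in the ACL file, not in mosquitto.conf; copy them into the ACL file without the leading `#`.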