2023-06-29, 10:50–11:15 (Europe/Oslo), Smolarz
By infiltrating a device manufactured by a big IoT OEM, we gained full control of thousands of devices across the globe. By exploiting vulnerabilities that we discovered, we were able to not only control the device, but also to use it as a pivot for infiltrating corporate networks.
Background and Motivation
Over the past few years, organizational networks have undergone a number of fundamental changes. By moving web services to the cloud, the DMZ becomes less attractive as a penetration vector. Additionally, advanced operating systems and new browsers make it difficult to exploit client vulnerabilities. Meanwhile, IoT devices have become more common in networks (IP phones, smart TVs, etc.).
Since most IoT devices are not directly exposed to the Internet but nevertheless communicate with cloud services, vulnerabilities that allow an attacker to infiltrate the device from the cloud become attractive. Furthermore, these vulnerabilities can often be exploited in order to infiltrate internal networks.
Research Description:
Our research revealed a vulnerability in a device manufactured by an OEM, and we exploited it to gain full control of thousands of devices around the world (without exposing them to the Internet or gaining direct access to them). By exploiting these vulnerabilities, we were able to not only control the devices (screenshots, camera photos, microphone eavesdropping, etc.) but also to use them as a pivot for infiltrating corporate networks. Applying a novel “TCP over MQTT” tool that we developed enabled the use of the MQTT server as a tunnel layer for communication with the devices.
Talk summary:
- Background and motivation (Cloud-to-Device attacks)
- MQTT - short background and technical explanation.
- Our research:
-- In-depth explanation of the vulnerability.
-- Exploiting the vulnerability to take full control of the devices.
-- Using the devices as a pivot for infiltrating corporate networks.
-- Using the MQTT server as a tunnel layer for communication with the devices.
-- (Optional - How to use any exposed MQTT broker on the Internet as a proxy or as a CnC server).
-- Disclosure process.
Elad is a cyber security researcher with over a decade of experience in military and civil industries, from both the attacker's and the defender's perspectives. Over the years, he has specialized in organizational network security, IoT security, Web and Web3. He is currently working at dWallet Labs as a senior security researcher.