2023-06-29, 10:50–11:15 (Europe/Oslo), Smolarz
By infiltrating a device manufactured by a big IoT OEM, we gained full control of thousands of devices across the globe. By exploiting vulnerabilities that we discovered, we were able to not only control the device, but also to use it as a pivot for infiltrating corporate networks.
Background and Motivation
Over the past few years, organizational networks have undergone a number of fundamental changes. By moving web services to the cloud, the DMZ becomes less attractive as a penetration vector. Additionally, advanced operating systems and new browsers make it difficult to exploit client vulnerabilities. Meanwhile, IOT devices have become more common in networks (IP phones, smart TVs, etc.).
Since most IOT devices are not directly exposed to the Internet but, nevertheless, communicate with cloud services, vulnerabilities that allow to infiltrate the device from the cloud become attractive to an attacker. Furthermore, these vulnerabilities can often be exploited in order to infiltrate internal networks.
Our research revealed a vulnerability in a device manufactured by an OEM, and we exploited it to gain full control of thousands of devices around the world (without exposing them to the Internet or gaining direct access to them). By exploiting these vulnerabilities, we were able to not only control the devices (screenshots, camera photos, microphone eavesdropping, etc.) but also to use them as a pivot for infiltrating corporate networks. Applying a novel “TCP over MQTT” tool that we developed, enabled the use of the MQTT server as a tunnel layer for communication with the devices.
- Background and motivation (Cloud-to-Device attacks)
- MQTT - short background and technical explanation.
- Our research:
-- In depth explanation of the vulnerability.
-- Exploiting the vulnerability to take full control of the devices.
-- Using the devices as a pivot for infiltrating corporate networks.
-- Using The MQTT server as a tunnel layer for communication with the devices.
-- (Optional - How to use any exposed MQTT broker in the internet as a proxy or as a CnC server).
-- Disclosure process.
Elad is a cyber security researcher with over a decade of experience in military and civil industries, both from the attackers and the defenders perspective. Over the years, he has specialized in organizational network security, IoT security, Web and Web3. He is currently working at dWallet Labs as a senior security researcher.