Attacks on Availability of IoT Middleware Protocols: A Case Study on MQTT

Yıl 2023, Cilt: 4 Sayı: 2, 16 - 27, 30.06.2023

Mustafa Muhammed Şimşek , Emrah Atılgan

https://doi.org/10.53608/estudambilisim.1297052

Cited By: 2

Öz

The Internet of Things (IoT) encompasses a technological ecosystem that improves the daily lives of individuals by increasing productivity, safety, comfort, health and sustainability. In addition, the IoT brings a variety of benefits to many industries, including increased efficiency, productivity and cost savings. However, the proliferation of IoT technologies has revealed many security vulnerabilities, especially in the middleware layer. In this article, we presented possible attacks on availability of middleware layer messaging protocols. In the research, a comprehensive case study was carried out, especially focusing on the MQTT (Message Queuing Telemetry Transport) protocol. We performed Man-in-the-Middle (MitM), Denial of Service (DoS) and Brute-Force attacks in our experimental environment. The effects and results of the attacks made in cases where the connection to the MQTT protocol is made with a user name and password, and when the user name and password are not used are examined. The results of the attacks that emerged in the different scenarios created were evaluated and the precautions to be taken to protect against the attacks were discussed.

Anahtar Kelimeler

Internet of Things, MQTT, ESP8266, MitM Attacks, DoS Attacks, Brute Force Attacks

Nesnelerin İnternetinde Ara Yazılım Protokollerinin Hazır Bulunurluğuna Yapılan Saldırılar: MQTT Üzerine Bir Vaka Çalışması

Öz

Nesnelerin İnterneti, üretkenliği, güvenliği, konforu, sağlığı ve sürdürülebilirliği artırarak bireylerin günlük yaşamlarını iyileştiren teknolojik bir ekosistemi kapsar. Buna ek olarak, Nesnelerin İnterneti birçok sektöre artan verimlilik, üretkenlik ve maliyet tasarrufu dahil olmak üzere çeşitli faydalar sağlar. Ancak Nesnelerin İnterneti teknolojilerinin yaygınlaşması, özellikle arayazılım katmanında birçok güvenlik açığını ortaya çıkarmıştır. Bu makalede, ara yazılım katmanı mesajlaşma protokollerinin kullanılabilirliğine yönelik olası saldırıları inceledik. Araştırmada özellikle MQTT protokolüne odaklanılmış ve kapsamlı bir vaka çalışması yapılmıştır. Deney ortamımızda Ortadaki Adam, Hizmet Reddi ve Kaba Kuvvet saldırılarını gerçekleştirdik. MQTT protokolüne bağlantının kullanıcı adı ve şifre ile yapıldığı durumlar ile kullanıcı adı ve şifre kullanılmadığı durumlarda yapılan saldırıların etkileri ve sonuçları incelenmiştir. Oluşturulan farklı senaryolarda ortaya çıkan saldırıların sonuçları değerlendirilerek, saldırılara karşı korunmak için alınması gereken önlemler tartışılmıştır.

Anahtar Kelimeler

Nesnelerin İnterneti, MQTT, ESP8266, Ortadaki Adam Saldırıları, Hizmet Reddi Saldırıları, Kaba Kuvvet Saldırıları

Kaynakça

• [1] Kevin, A. 2009, That 'Internet of Things' Thing, RFiD Journal, 22(7), 97-114.
• [2] Oral, O., Çakır, M. 2017. Nesnelerin İnterneti Kavramı ve Örnek Bir Prototipin Oluşturulması. Mehmet Akif Ersoy Üniversitesi Fen Bilimleri Enstitüsü Dergisi, Özel Sayı 1, 172-177.
• [3] Hintaw, A. J., Manickam, S., Karuppayah, S., and Aboalmaaly, M. F. 2019. A brief review on MQTT’s security issues within the internet of things (IoT), Journal of Communication, 14(6), 463–469, doi: 10.12720/jcm.14.6.463-469.
• [4] Chen, F., Huo, Y., Zhu, J., and Fan, D. 2020. A Review on the Study on MQTT Security Challenge, In 2020 IEEE Int. Conf. Smart Cloud, SmartCloud, 128–133, doi: 10.1109/SmartCloud49737.2020.00032.
• [5] Upadhyay, Y., Borole, A., and Dileepan, D. 2016. MQTT based secured home automation system, 2016 Symp. Colossal Data Anal. Networking, CDAN 2016, 14–17, doi: 10.1109/CDAN.2016.7570945.
• [6] Assaig, F. A. A., Khalifa, O. O., Gunawan, T. S., Halbouni, A. H., Hamidi, E. A. Z., and Ismail, N. 2022. Development of A Lightweight IoT Security System, In 8th Int. Conf. Wirel. Telemat. ICWT 2022, doi: 10.1109/ICWT55831.2022.9935476.
• [7] Firdous, S. N., Baig, Z., Valli, C., and Ibrahim, A. 2017. Modelling and evaluation of malicious attacks against the IoT MQTT protocol, In IEEE Int. Conf. Internet Things, IEEE Green Comput. Commun. IEEE Cyber, Phys. Soc. Comput. IEEE Smart Data, iThings-GreenCom-CPSCom-SmartData, 748–755. doi: 10.1109/iThings-GreenCom-CPSCom-SmartData.2017.115.
• [8] Andy, S., Rahardjo, B., and Hanindhito, B. 2017. Attack scenarios and security analysis of MQTT communication protocol in IoT system. In 4th Int. Conf. Electr. Eng. Comput. Sci. Informatics. 19–21, doi: 10.1109/EECSI.2017.8239179.
• [9] OASIS, MQTT Version 5.0. 2019. OASIS Standard.
• [10] Florea, I., Rughinis, R., Ruse, L., and Dragomir, D. 2017. Survey of Standardized Protocols for the Internet of Things. In 21st International Conference on Control Systems and Computer, CSCS 2017, 190–196. doi: 10.1109/CSCS.2017.33.
• [11] Shelby, Z., Hartke, K., and Bormann, C. 2014. The constrained application protocol (CoAP). No. rfc7252.
• [12] Dürkop, L., Czybik, B., and Jasperneite, J. 2015. Performance evaluation of M2M protocols over cellular networks in a lab environment. In 2015 18th International Conference on Intelligence in Next Generation Networks, ICIN 2015. 70–75. doi: 10.1109/ICIN.2015.7073809.
• [13] Prayogo, S. S., Mukhlis, Y., and Yakti, B. K. 2019. The Use and Performance of MQTT and CoAP as Internet of Things Application Protocol using NodeMCU ESP8266. In 4th Int. Conf. Informatics Comput. ICIC 2019. doi: 10.1109/ICIC47613.2019.8985850.
• [14] Farooq, M. S., Riaz, S., Abid, A., Abid, K., and Naeem, M. A. 2019. A Survey on the Role of IoT in Agriculture for the Implementation of Smart Farming. IEEE Access, 7, 156237–156271, doi: 10.1109/ACCESS.2019.2949703.
• [15] Kuladinithi, K., Bergmann, O., Thomas Pötsch, Becker, M., and Görg, C. 2011. Implementation of coap and its application in transport logistics. In Extending Internet to Low Power Lossy Networks, 1–7.
• [16] Krimmling, J., and Peter, S. 2014. Integration and evaluation of intrusion detection for CoAP in smart city applications. In IEEE Conf. Commun. Netw. Secur., CNS 2014. 73–78, doi: 10.1109/CNS.2014.6997468.
• [17] Uy, N. Q., and Nam, V. H. 2019. A comparison of AMQP and MQTT protocols for Internet of Things. In 6th NAFOSTED Conference on Information and Computer Science, NICS 2019. 292–297. doi: 10.1109/NICS48868.2019.9023812.
• [18] McAteer, I. N., Malik, M. I., Baig, Z., and Hannay, P. 2017. Security vulnerabilities and cyber threat analysis of the amqp protocol for the internet of things. In 15th Aust. Inf. Secur. Manag. Conf. AISM 2017, 70–80, doi: 10.4225/75/5a84f4a695b4c.
• [19] Keophilavong, T., Widyawan, and Rizal, M. N. 2019. Data transmission in machine to machine communication protocols for internet of things application: A review. In International Conference on Information and Communications Technology, ICOIACT 2019, IEEE, 899–904. doi: 10.1109/ICOIACT46704.2019.8938420.
• [20] Naik, N. 2017. Choice of effective messaging protocols for IoT systems: MQTT, CoAP, AMQP and HTTP. In IEEE Int. Symp. Syst. Eng. ISSE 2017. 1–7. doi: 10.1109/SysEng.2017.8088251.
• [21] Luzuriaga, J. E., Perez, M., Boronat, P., Cano, J. C., Calafate, C., and Manzoni, P. 2014. Testing amqp protocol on unstable and mobile networks. Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), 8729, 250–260. doi: 10.1007/978-3-319-11692-1_22.
• [22] Krishna, C. S., and Sasikala, T. 2019. Healthcare Monitoring System Based on IoT Using AMQP Protocol. Lecture Notes on Data Engineering and Communications Technologies, 15, 305–319. doi: 10.1007/978-981-10-8681-6_29.
• [23] Ramana, S. 2022. A Three - Level Gateway protocol for secure M - Commerce Transactions using Encrypted OTP, no. Icaaic, 1408–1416.
• [24] Javied, T., Huprich, S., and Franke, J. 2019. Cloud based Energy Management System Compatible with the Industry 4.0 Requirements, IFAC-PapersOnLine, 52(10), 171–175. doi: 10.1016/j.ifacol.2019.10.018.
• [25] Bartolomeo, G., and Kovacikova, T. 1996. Hypertext Transfer Protocol, Identif. Manag. Distrib. Data, 31–48. doi: 10.1201/b14966-5.
• [26] Wukkadada, B., and Wankhede, K. 2018. Comparison with HTTP and MQTT In Internet of Things (IoT). In International Conference on Inventive Research in Computing Applications (ICIRCA 2018), IEEE, 249–253.
• [27] Jaafar, G. A., Abdullah, S. M., and Ismail, S. 2019. Review of Recent Detection Methods for HTTP DDoS Attack. Journal of Computer Networks and Communications, 2019, Article ID 1283472.
• [28] Pardo-Castellote, G. 2003. OMG Data- Distribution Service: Architectural Overview. In 23rd International Conference on Distributed Computing Systems Workshops, 200-206. doi: https://doi.org/10.1109/ICDCSW.2003.1203555.
• [29] Du, J., Gao, C., and Feng, T. 2023. Formal Safety Assessment and Improvement of DDS Protocol for Industrial Data Distribution Service. Futur. Internet, 15(1). doi: 10.3390/fi15010024.
• [30] MQTT Version 3.1.1. http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.pdf (accessed Mar. 19, 2023).
• [31] Bandyopadhyay, S., and Bhattacharyya, A. 2013. Lightweight Internet protocols for web enablement of sensors using constrained gateway devices. In Int. Conf. Comput. Netw. Commun. ICNC 2013, 334–340. doi: 10.1109/ICCNC.2013.6504105.
• [32] Mishra, B., and Kertesz, A. 2020. The use of MQTT in M2M and IoT systems: A survey. IEEE Access, 8, 201071–201086. doi: 10.1109/ACCESS.2020.3035849.
• [33] Soni, D., and Makwana, A. 2017. A Survey on MQTT: a protocol of internet of things (IoT). In International Conference on Telecommunication, Power Analysis and Computing Techniques (Ictpact - 2017), 173–177.
• [34] Kant, D., Johannsen, A., and Creutzburg, R. 2021. Analysis of IoT security risks based on the exposure of the MQTT Protocol. Electronic Imaging, 2021(3), 96-1. doi: 10.2352/ISSN.2470-1173.2021.3.MOBMU-096.
• [35] Chen, D., and Varshney, P. K. 2004. QoS support in wireless sensor networks: A survey. In Int. Conf. Wirel. Networks, ICWN’04. 233, 1–7.
• [36] Bender, M., Kirdan, E., Pahl, M. O., and Carle, G. 2021. Open-source MQTT evaluation. IEEE 18th Annu. Consum. Commun. Netw. Conf. 1-4. doi: 10.1109/CCNC49032.2021.9369499.
• [37] Ugalde, D. S. 2018. Security analysis for MQTT in Internet of Things. Master Thesis. 53p. Stockholm.
• [38] Atilgan, E., Ozcelik, I., and Yolacan, E. N., MQTT Security at a Glance. 2021. In 14th International Conference on Information Security and Cryptology, ISCTURKEY 2021, Ankara, 138–142. doi: 10.1109/ISCTURKEY53027.2021.9654337.
• [39] Setiawan, F. B. 2021. Securing Data Communication Through MQTT Protocol with AES-256 Encryption Algorithm CBC Mode on ESP32-Based Smart Homes. In Int. Conf. Comput. Syst. Inf. Technol. Electr. Eng. (COSITE). 166–170. doi: 10.1109/COSITE52651.2021.9649577.
• [40] Manullang, I. T. 2021. The Implementation of XChaCha20-Poly1305 in MQTT Protocol, no. 13517044.
• [41] Sadio, O., Ngom, I., and Lishou, C. 2019. Lightweight Security Scheme for MQTT/MQTT-SN Protocol. In 6th Int. Conf. Internet Things Syst. Manag. Secur. IOTSMS 2019, 119–123. doi: 10.1109/IOTSMS48152.2019.8939177.
• [42] Pallavi, A., and Hemlata, P. 2012. Network Traffic Analysis Using Packet Sniffer. Int. J. Eng. Res. Appl. 2(3), 854–856.
• [43] Wireshark. https://www.wireshark.org/ (accessed Mar. 25, 2023).
• [44] Hertzog, R., O’Gorman, J., and Aharoni, M. 2017. Kali Linux Revealed. Mastering the Penetration Testing Distribution
• [45] Shah, M., Ahmed, S., Saeed, K., Junaid, M., Khan, H., and Ata-Ur-Rehman. 2019. Penetration testing active reconnaissance phase - Optimized port scanning with nmap tool. In 2nd Int. Conf. Comput. Math. Eng. Technol. iCoMET 2019. doi: 10.1109/ICOMET.2019.8673520.
• [46] Nagpal, B., Sharma, P., Chauhan, N., and Panesar, A. 2015. DDoS tools: Classification, analysis and comparison. In 2nd Int. Conf. Comput. Sustain. Glob. Dev. INDIACom 2015, 342–346.
• [47] Hping3, 2023. https://www.kali.org/tools/hping3/ (accessed Apr. 16, 2023).
• [48] Valea, O., and Oprisa, C., Towards Pentesting Automation Using the Metasploit Framework. 2020. In IEEE 16th Int. Conf. Intell. Comput. Commun. Process. ICCP 2020, 171–178. doi: 10.1109/ICCP51029.2020.9266234.
• [49] Özdemir, D., and Çavşi Zaim, H., Investigation of Attack Types in Android Operation System. 2021 J. Sci. Reports - A, no. 46, 34–58.
• [50] Nachreiner, C. 2003. Anatomy of an ARP Poisoning Attack. (Accessed July 6, 2023).