TY - GEN
T1 - MQTTactic
T2 - 45th IEEE Symposium on Security and Privacy, SP 2024
AU - Yuan, Bin
AU - Song, Zhanxiang
AU - Jia, Yan
AU - Lu, Zhenyu
AU - Zou, Deqing
AU - Jin, Hai
AU - Xing, Luyi
N1 - We would like to thank our shepherd and the anonymous reviewers for their insightful comments. This work is supported by the National Natural Science Foundation of China (No. 62372191). Yan Jia is supported by the National Natural Science Foundation of China (No. 62102198) and China Postdoctoral Science Foundation (No. 2021M691673, No. 2023T160335). Luyi Xing is supported in part by NSF CNS-2145675 and CCF-2124225.
PY - 2024
Y1 - 2024
N2 - IoT messaging protocols are critical to connecting users and IoT devices. Among all the protocols, the Message Queuing and Telemetry Transport (MQTT) is arguably the most widely used. Mainstream IoT platforms leverage MQTT brokers, server side implementation of MQTT, to enable and mediate user-device communication (e.g., the transmission of control commands). There are over 70 open-source MQTT brokers, which have been widely adopted in production. Any security defects in those open-source MQTT brokers easily get into many vendors' IoT deployments with amplified impacts, inevitably endangering the security of IoT applications and millions of users. We report the first systematic security analysis of open-source MQTT brokers in the wild. To enable the analysis, we designed and developed MQTTactic, a semi-automatic tool that can formally verify MQTT broker implementations based on generated security properties. MQTTactic is based on static code analysis, formal modeling, and automated model checking (with off-the-shelf model checker Spin). In designing MQTTactic, we characterize and address key technical challenges. MQTTactic currently focuses on authorization-related properties, and discovered 7 novel, zero-day flaws practically enabling serious, unauthorized access. We reported all flaws to related parties, who acknowledged the issues and have been taking actions to fix them. Our thorough evaluation shows that MQTTactic is effective and practical.
AB - IoT messaging protocols are critical to connecting users and IoT devices. Among all the protocols, the Message Queuing and Telemetry Transport (MQTT) is arguably the most widely used. Mainstream IoT platforms leverage MQTT brokers, server side implementation of MQTT, to enable and mediate user-device communication (e.g., the transmission of control commands). There are over 70 open-source MQTT brokers, which have been widely adopted in production. Any security defects in those open-source MQTT brokers easily get into many vendors' IoT deployments with amplified impacts, inevitably endangering the security of IoT applications and millions of users. We report the first systematic security analysis of open-source MQTT brokers in the wild. To enable the analysis, we designed and developed MQTTactic, a semi-automatic tool that can formally verify MQTT broker implementations based on generated security properties. MQTTactic is based on static code analysis, formal modeling, and automated model checking (with off-the-shelf model checker Spin). In designing MQTTactic, we characterize and address key technical challenges. MQTTactic currently focuses on authorization-related properties, and discovered 7 novel, zero-day flaws practically enabling serious, unauthorized access. We reported all flaws to related parties, who acknowledged the issues and have been taking actions to fix them. Our thorough evaluation shows that MQTTactic is effective and practical.
KW - IoT Security
KW - Logic Flaw
KW - MQTT
UR - https://www.scopus.com/pages/publications/85192562451
UR - https://www.scopus.com/pages/publications/85192562451#tab=citedBy
U2 - 10.1109/SP54263.2024.00013
DO - 10.1109/SP54263.2024.00013
M3 - Conference contribution
AN - SCOPUS:85192562451
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 2385
EP - 2403
BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 20 May 2024 through 23 May 2024
ER -