Attack over insecure MQTT - HendrikVE/swp-telematik-ws-20-21 GitHub Wiki

In this attack a second ESP is introduced to the network which spams the MQTT window sensor topic with a chosen message. The normal ESP only publishes to the topic when the sensor status changes (i.e. when the actual window opens or closes), or when it wakes up at the interval specified in the "interval to poll sensor data" option under the Sensor config to notify the Raspberry Pi. This interval is set to about 5 minutes and would be much larger if the ESP ran on battery.

This attack only works if the MQTT server is left unprotected. In our case the MQTT broker is password protected and the ESP needs a client certificate. For practical purposes we just give those to the evil ESP as well, which is functionally the same as if there had been no protection. We can also imagine that these get leaked by accidentally publishing them to a GitHub repo (the MQTT password is stored unencrypted in the sdkconfig file, spooky!), or that there is some easy default password.

The question then is what to actually spam.

  • The obvious thing would be to spam CLOSED, in the hope that the window can be opened with the single OPEN message drowned out or overlooked. However, unless the OPEN message is totally lost (maybe possible with an extremely high spam rate?), it will still reach the Pi and cause an alarm.
  • You can spam OPEN. The point is that every time OPEN reaches the Pi there will be an alarm. All these false positive alarms will then annoy the user of the smarthome system. They might think the alarm is broken, and turn it off or just ignore it. A proven technique of car thieves around the world.
  • Similarly, you could just randomly send OPEN or CLOSED to make the user lose trust in the alarm system.

You can enable the spamming in ESP32/window_alert with make menuconfig. Navigate to Spam Attack and enable it. You can choose the ESP and topic to be targeted. This is related to the way we have labeled MQTT topics in this project, with the labels looking like myhome/esp32-1/window-sensor-1 (we had three ESPs to work with, each one with possibly two window sensors). You can set the spam interval in milliseconds; the default is 5 seconds between messages. Finally you can set the spam type, which is one of the three types listed above.
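As an added example (not the project's own code), a check the Raspberry Pi could run on the stream it receives to notice all three spam types: it counts messages per topic over one poll interval and the number of OPEN/CLOSED flips, figures one honest ESP at a 5-minute poll interval cannot reach. The message stream is constructed, the topic names follow the labelling scheme above, and the thresholds are assumptions.

```python
from collections import deque
from dataclasses import dataclass

POLL_INTERVAL_S = 300  # the ESP's "interval to poll sensor data" (about 5 minutes)

@dataclass
class Alert:
    topic: str
    reason: str
    at: int  # timestamp (s) of the message that tripped the check

def detect_spam(messages, window_s=POLL_INTERVAL_S, max_per_window=6, max_flips=3):
    """Flag a topic whose message count or OPEN/CLOSED flip count within one poll
    interval exceeds what one honest ESP can produce (a keepalive per interval plus
    a few real state changes; thresholds are assumptions). messages: time-ordered
    (timestamp_s, topic, payload) tuples. Returns {topic: first Alert}."""
    recent = {}  # topic -> deque of (ts, payload) no older than window_s
    alerts = {}
    for ts, topic, payload in messages:
        q = recent.setdefault(topic, deque())
        q.append((ts, payload))
        while ts - q[0][0] > window_s:
            q.popleft()
        if topic in alerts:
            continue  # already flagged; keep the first reason
        if len(q) > max_per_window:
            alerts[topic] = Alert(topic, f"{len(q)} messages in {window_s}s", ts)
            continue
        payloads = [p for _, p in q]
        flips = sum(a != b for a, b in zip(payloads, payloads[1:]))
        if flips > max_flips:
            alerts[topic] = Alert(topic, f"{flips} state flips in {window_s}s", ts)
    return alerts

def sample_stream():
    """Constructed sample, not captured from the project's broker. esp32-1 is an
    honest sensor (keepalive every 300 s plus one real open/close); esp32-2 spams
    OPEN every 5 s; esp32-3 flaps between OPEN and CLOSED."""
    honest = "myhome/esp32-1/window-sensor-1"
    legit = [(t, honest, "CLOSED") for t in range(0, 1201, 300)]
    legit += [(650, honest, "OPEN"), (700, honest, "CLOSED")]
    spam = [(t, "myhome/esp32-2/window-sensor-1", "OPEN") for t in range(0, 101, 5)]
    flap = [(t, "myhome/esp32-3/window-sensor-2", "OPEN" if i % 2 else "CLOSED")
            for i, t in enumerate(range(0, 301, 60))]
    return sorted(legit + spam + flap)

if __name__ == "__main__":
    for a in detect_spam(sample_stream()).values():
        print(f"t={a.at:>4}s  {a.topic}: {a.reason}")
```

The check raises one alert per topic rather than one per message, because the spamming ESP publishes on the same topic as the honest one and the user should see a single "this sensor is being flooded" notice instead of the stream of false alarms the attack relies on.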