Posted on March 19th, 2019
How to Find Servers Using MQTT and AMQP Protocols
We recently added MQ Telemetry Transport (MQTT) and the Advanced Message Queuing Protocol (AMQP) protocols to our data set. Here’s a quick rundown of what these protocols are used for, what security risks they carry with them, how to search for servers and devices that use MQTT and AMQP, and how to secure those servers.
What is MQTT?
MQTT is a machine-to-machine messaging protocol created in 1999 by Dr. Andy Stanford-Clark of IBM and Arlen Nipper of Arcom. Their goal in the beginning was to create a messaging protocol that was lightweight enough to ease the load on network bandwidth. The official definition from mqtt.org:
MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
IBM published a report in 2014 about how the MQTT protocol could be utilized for the IoT explosion. The problem they identified is that IoT devices must rely on a huge number of signals that required a standardized mode of communication. MQTT could be used for IoT devices to connect to each other, without relying on all the devices coming from a single vendor and without overloading existing bandwidth restrictions. IBM asserted in their report that MQTT could be used to “democratize devices,” essentially allowing consumers and businesses to use the Internet-connected devices for their exact needs without getting locked into interconnectivity issues where devices couldn’t communicate with or work with each other.
Many developers agreed with their assertion and MQTT was quickly adopted as one of the most popular communication protocols for Internet-connected devices, as well as mobile applications and home automation products.
What is AMQP?
Created in 2003 by John O’Hara at JPMorgan Chase, the AMQP protocol serves as a communication protocol for machine-to-machine messaging, to replace existing middleware, which was somewhat restrictive in terms of compatibility. The official definition from https://www.amqp.org:
The Advanced Message Queuing Protocol (AMQP) is an open standard for passing business messages between applications or organizations. It connects systems, feeds business processes with the information they need and reliably transmits onward the instructions that achieve their goals.
AMQP is used similarly to MQTT — it serves as a communication protocol between systems to allow for interoperability and reliability. The primary distinction is that while MQTT is most often associated with IoT device communication, AMQP is used more broadly as a communication protocol between a wide variety of business devices (think databases and critical systems).
AMQP, just like MQTT, is used primarily to allow devices from different vendors to talk to each other, work together, and be more easily managed. According to VMWare’s blog post on communication protocol, companies like JP Morgan use AMQP to process 1 billion messages a day. NASA uses it for Nebula Cloud Computing. Google uses it for complex event processing.
As you can imagine, MQTT and AMQP are very widely used with a huge variety of devices, use cases, and both in the consumer and enterprise space. With our unique global perspective, we were able to collect data about both the MQTT and AMQP protocol so that you can find devices and servers using them and ensure that they’re secured against attacks.
64K servers using MQTT protocol, 57K unencrypted
Just like any other protocol, MQTT and AMQP come with vulnerabilities and the security risks those can present may be significant, especially when it comes to corporate environments. Primarily, security issues derive from configurations lacking encryption and authentication. Without proper configurations and basic security measures in place, anyone can eavesdrop on the communications between the devices running on these protocols.
Of the 64,025 servers we found using the MQTT protocol, 57,217 devices are not using TLS (port 1883), meaning they’re unencrypted and could be spied on anywhere in the middle of the communication chain. Here’s the positive: 15,020 using TLS (port 8883) and are encrypted at the very least. Still, that leaves around 80% of the MQTT servers unencrypted.
To determine which of these MQTT servers are exposed and vulnerable, we ran a reportusing the string “connection accepted” in the “connack.connect_return” field, which just means that these devices would connect with us for our scans.
For the purposes of highlighting just those most vulnerable, note that 35,397 hosts accept anonymous connections. In other words, there are no authentication requirements whatsoever to gain access to these 30K+ services running on MQTT protocol. Yikes:
Raw Data
TODO: Insert Table: https://censys.io/blog/find-mqtt-amqp-protocol
View report in Censys
Considering the significant security risks these devices present, let’s dig into how you can find them with Censys and secure any that are owned by your employees or otherwise tied to your network and business.
102K servers running AMQP
In total, we found 102,247 services using AMQP protocol (port 5672), with both the US and China combined accounting for over half of all AMQP detections. To search for servers running AMQP that are associating themselves with your business, simply use the AMQP tag and add your autonomous system (AS) number. For example, to search for AMQP brokers at the University of Michigan:
https://censys.io/ipv4?q=tags%3Aamqp+AND+autonomous_system.asn%3A+36375
What to do if you find servers running these protocol tied to your business (or your home network)
Both the MQTT and AMQP tags can be useful for locating devices that you know, of course, but also in finding those you weren’t aware were online but tied to you or your organization. IoT devices are known to be optimized for cool features, often leaving security as an afterthought. With that in mind, it’s good to continually check for new internet-connected devices regularly and ensure that they’re secured.
For servers running MQTT and AMQP protocols, specifically, we recommend:
- Make sure your message brokers employ strong encryption, and that any AMQP broker or MQTT is wrapped in TLS sockets to ensure message confidentiality, integrity checks, and optional authentication. Because these channels move sensitive data, TLS can provide necessary authentication and authorization guards.
- Put these services behind a firewall. Isolating them is basically the only sure way to ensure that your adversaries aren’t going to gain access through these servers or devices and get at confidential data.
