MitM Attacks and IoT Security: A Case Study on MQTT

Öz

The number of devices connected to the Internet has increased with the development of Internet of Things (IoT) technologies. It is foreseen that this situation will increase daily, and the concept of the IoT will become more popular. However, security vulnerabilities in IoT devices have not been eliminated, and these devices are vulnerable to attacks because their resource-limited features increase security concerns. The security problem of the Message Queuing Telemetry Transport (MQTT) protocol, which is widely used in the IoT field, is of great importance. In this study, a smart-home system application that provides communication between devices using the MQTT protocol has been developed. A Man in the Middle (MitM) attack, which is one of the first attacks that come to mind when it comes to privacy violation, was carried out, targeting data packets between users with a temperature sensor used in the application.

Anahtar Kelimeler

• IoT Security
• Attack Detection
• MitM Attacks
• IoT
• MQTT

Kaynakça

1. C. C. Sobin, “A Survey on Architecture, Protocols and Challenges in IoT,” Wireless Personal Communications, vol. 112, pp. 1383-1429, 2020. doi: 0.1007/s11277-020-07108-5
2. O. Yavuz, “Nesnelerin İnterneti (IoT) ve Güvenliği,” btkakademi.gov.tr, 2023. [Online]. Available: https://www.btkakademi.gov.tr/portal/course/nesnelerin-interneti-iot-ve-guvenligi-10625. [Accessed July 2, 2023].
3. M. B. Younes and N. N. El-Emam, “Information Security and Data Management for IoT Smart Healthcare,” In Intelligent Internet of Things for Smart Healthcare Systems, CRC Press, pp. 69-80, 2023.
4. A. J. Hintaw, S. Manickam, M. F. Aboalmaaly, and S. Karuppayah, “MQTT Vulnerabilities, Attack Vectors and Solutions in the Internet of Things (IoT)”, IETE Journal of Research, vol. 69, no. 6, pp. 3368-3397, 2023. doi: 10.1080/03772063.2021.1912651
5. H. Wong, L. Tuo, “Man-in-the-Middle Attacks on MQTT-based IoT Using BERTBased Adversarial Message Generation”, KDD’20 Workshops: the 3rd International Workshop on Artificial Intelligence of Things (AIoT), 2020, San Diego, CA.
6. B. Erdem and O. Yaman, “KNN Based Intrusion Detection Method for IoT Applications Using MQTT Protocol,” Fırat University Journal of Science and Technology, vol. 1, no. 1, pp. 225-229, 2022.
7. M. M. Şimşek and E. Atılgan, “Attacks on Availability of IoT Middleware Protocols: A Case Study on MQTT”, Eskişehir Türk Dünyası Uygulama ve Araştırma Merkezi Bilişim Dergisi, vol. 4, no. 2, pp. 16-27, 2023. doi:10.53608/estudambilisim.1297052
8. S. Tian, V. G. Vassilakis, “On the Efficiency of a Lightweight Authentication and Privacy Preservation Scheme for MQTT”, Electronics, vol. 12, no. 14, 3085, 2023. doi: 10.3390/electronics12143085

9. A. N. Kaya and E. N. Yolaçan, “Attacks nn The MQTT-Based IoT System Detection Using Machine Learning,” Journal of Engineering and Architecture Faculty of Eskişehir Osmangazi University, vol. 30, no. 2, pp. 159-170, 2022.
10. A. H. Farea and K. Küçük, “Enhancement Trust Management in IoT to Detect ON-OFF Attacks with Cooja,” International Journal of Multidisciplinary Studies and Innovative Technologies, vol. 5, no. 2, pp. 123-128, 2021.
11. A. Varma and S. UniKrishnan, “Effect of Payload Security in MQTT Protocol Over Transport and Application Layer”, IOP Conference Series: Materials Science and Engineering, vol. 1166, 012019, 2021. doi:10.1088/1757-899X/1166/1/012019
12. MQTT, “MQTT: The Standard for IoT Messaging,” mqtt.org, 2022. [Online]. Available: https://mqtt.org. [Accessed July 2, 2023].
13. F. Chen, Y. Huo, J. Zhu, and D. Fan, “A Review on the Study on MQTT Security Challenge,” 2020 IEEE International Conference on Smart Cloud (SmartCloud), Washington, DC, USA, 2020, pp. 128-133, doi: 10.1109/SmartCloud49737.2020.00032.
14. M. Bender, E. Kirdan, M. -O. Pahl, G. Carle, “Open-Source MQTT Evaluation,” 2021 IEEE 18th Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA, pp. 1-4, 2021, doi: 10.1109/CCNC49032.2021.9369499.
15. Amazon, “MQTT Protokolü Neden Önemli?,” amazon.com, 2023. [Online]. Available: https://aws.amazon.com/tr/what-is/mqtt/. [Accessed July 22, 2023].
16. HiveMQ, “HiveMQ | Public Broker | MQTT Dashboard,” hivemq.com, 2023. [Online]. Available: https://broker.hivemq.com/. [Accessed July 22, 2023].
17. ArduinoModules, “KY-015 Temperature and Humidity Sensor Module,” arduinomodules.info, 2021. [Online]. Available: https://arduinomodules.info/ky-015-temperature-humidity-sensor-module/. [Accessed July 25, 2023].
18. F. T. Akgul, “Ultrasonik (Ultrasonic) Sensör Nedir? Nasıl Çalışır?,” robotistan.com, 2021. [Online]. Available: https://maker.robotistan.com/ultrasonic-sensor/. [Accessed July 25, 2023].
19. IPCisco, “Address Resolution Protocol (ARP),” 2020. [Online]. Available: https://ipcisco.com/lesson/address-resolution-protocol-arp/. [Accessed Aug. 1, 2023].
20. Rauf, “[TR] ARP Nedir ve ARP Spoofing Nasıl Yapılır?,” 2021. [Online]. Available: https://pwnlab.me/tr-arp-nedir-ve-arp-spoofing-nasil-yapilir/. [Accessed Aug. 2, 2023].
21. M. Brown, “System Setup and Scripts For Various MitM Activities,” 2022. [Online]. Available: https://github.com/nmatt0/mitmtools. [Accessed Aug. 2, 2023].