MQTTactic: Security Analysis and Verification for Logic Flaws in MQTT Implementations

IoT messaging protocols are critical to connecting users and IoT devices. Among all the protocols, the Message Queuing and Telemetry Transport (MQTT) is arguably the most widely used. Mainstream IoT platforms leverage MQTT brokers, server side implementation of MQTT, to enable and mediate user-device communication (e.g., the transmission of control commands). There are over 70 open-source MQTT brokers, which have been widely adopted in production. Any security defects in those open-source MQTT brokers easily get into many vendors’ IoT deployments with amplified impacts, inevitably endangering the security of IoT applications and millions of users. We report the first systematic security analysis of open-source MQTT brokers in the wild. To enable the analysis, we designed and developed MQTTactic, a semi-automatic tool that can formally verify MQTT broker implementations based on generated security properties. MQTTactic is based on static code analysis, formal modeling, and automated model checking (with off-the-shelf model checker Spin). In designing MQTTactic, we characterize and address key technical challenges. MQTTactic currently focuses on authorization-related properties, and discovered 7 novel, zero-day flaws practically enabling serious, unauthorized access. We reported all flaws to related parties, who acknowledged the issues and have been taking actions to fix them. Our thorough evaluation shows that MQTTactic is effective and practical.