During the research, we identified the following entry points for attackers to compromise the backbone network:
backbone network service servers;
virtual machines and containers;
network equipment;
base stations.
Types of attacks
In each of these areas, attackers can use different tactics to disrupt the steel plant. Here are some of them.
In modern production management systems, data from IIoT sensors and devices is transmitted to the MQTT server, which routes it to the logging server and the analytical system. There are two protocol versions for data transmission: MQTT and MQTTS. In the first case, data is transmitted in plain text; in the second, it is encrypted, much as HTTPS encrypts HTTP. It is noteworthy that unencrypted data exchange is often used by critical IIoT devices installed directly on the executive equipment. Substitution of data from these devices allows an intruder to surreptitiously interfere with the technological process and disrupt production.
Modbus/TCP interception
The Modbus protocol is still widely used in equipment control networks. TCP port 502 is used for data transmission, and if a VPN is not enabled between remote sites and the control network, or if Modbus servers are directly connected to the campus network, an attacker can replace data in protocol packets and disrupt production.
PLC attacks
If the PLC is not protected from read/write, an attacker can load a malicious version of the firmware and control the operation of this controller. But even if the PLC is protected, the attacker has the ability to reboot the PLC to sabotage production.
APN - Security through secrecy
An Access Point Name (APN) is used to identify the gateway between a mobile phone or device network and another network, which is typically the Internet. A common misconception among industrial security professionals is that using a separate APN necessarily means using a separate network, completely separate from other network traffic. However, this is not always the case, and APN users should check with their individual service provider.
Intercepting MQTT communications
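A passive check for the Modbus/TCP exposure described in the post, as an added example that is not part of the original text: it parses request frames seen on TCP port 502 and flags write function codes sent by hosts outside an allowlist of control masters. The IP addresses, the allowlist and the frames are constructed samples, and the code assumes one complete client-to-server request per record.

```python
import struct

# Function codes that change state on the Modbus server (PLC or RTU).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_request(payload):
    """Parse one Modbus/TCP request; return None if it is not well formed."""
    if len(payload) < 8:
        return None
    # MBAP header (transaction, protocol, length, unit) plus function code.
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0; length counts the unit id and the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    address = None
    if func in WRITE_FUNCTIONS and len(payload) >= 10:
        address = struct.unpack(">H", payload[8:10])[0]
    return {"tid": tid, "unit": unit, "func": func, "address": address}

def audit(records, authorised_masters):
    """Return (src, dst, reason) alerts for suspicious traffic to port 502."""
    alerts = []
    for src, dst, payload in records:
        req = parse_request(payload)
        if req is None:
            alerts.append((src, dst, "non-Modbus data on port 502"))
        elif req["func"] in WRITE_FUNCTIONS and src not in authorised_masters:
            name = WRITE_FUNCTIONS[req["func"]]
            reason = f"{name} at address {req['address']} from unlisted host"
            alerts.append((src, dst, reason))
    return alerts

# Constructed sample data: hypothetical addresses and hand-built frames.
AUTHORISED_MASTERS = {"10.0.5.10"}
READ_REGS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 2)
WRITE_REG = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 40, 1200)
SAMPLE_RECORDS = [
    ("10.0.5.10", "10.0.5.20", READ_REGS),   # listed master polls registers
    ("10.0.5.10", "10.0.5.20", WRITE_REG),   # listed master writes a setpoint
    ("10.0.9.77", "10.0.5.20", WRITE_REG),   # same write from an unlisted host
    ("10.0.9.77", "10.0.5.20", b"GET / HTTP/1.1\r\n"),  # not Modbus at all
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_RECORDS, AUTHORISED_MASTERS):
        print(alert)
```

Only the last two sample records raise alerts; the read and the write from the listed master pass.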