Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities

Vaccari I; Narteni S; Aiello M; Mongelli M; Cambiaso E
2021

Abstract

The Internet of Things is a widely adopted and pervasive technology, but also one of the most relevant to cyber-security, given the volume and sensitivity of the data it shares and the availability of affordable but insecure products. In this paper, we propose a novel cyber-threat that exploits the Message Queue Telemetry Transport (MQTT) protocol to implement a tunneling attack. In IoT networks, sensitive and critical information is exchanged between devices or with external systems for data analysis, so a tunneling threat could be adopted by a malicious user to steal that information. An MQTT-based tunneling system is worth considering in this context because the protocol is so widely used in the IoT world that enterprise firewalls may allow it to pass. An attacker can exploit the MQTT protocol for various purposes, such as stealing information or reaching websites/servers that are otherwise not allowed. This work makes two main contributions. First, we demonstrate how the proposed threat encapsulates messages within the MQTT protocol, and compare it with tunneling systems that exploit other communication protocols. The results show that MQTT is a good choice for tunneling compared to other communication protocols, especially for payloads up to 3000 bytes. Second, we propose and validate an initial machine-learning-based approach to detecting the proposed MQTT tunnel, comparing different detection algorithms tested with and without hyperparameter optimization in terms of accuracy, F1 score and Receiver Operating Characteristic (ROC) curve. Here the results show that some algorithms are able to identify the attack with an accuracy exceeding 95%, while others lack such capability.
network security
IoT
MQTT
tunneling systems
machine learning
detection algorithms
data exfiltration
cyber-security
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/398826
Citations
  • Scopus 11