Lucas Lundgren sat at his desk as he watched prison cell doors hundreds of miles away from him opening and closing.
He could see the various commands floating across his screen in unencrypted plain text. “I could even issue commands like, ‘all cell blocks open’,” he said in a phone call last week. Without being there, he couldn’t know for sure if his actions would’ve had real-world consequences.
“I’d probably only know by reading about it in the newspaper the next day,” said Lundgren, a senior security consultant at IOActive, ahead of his Black Hat talk in Las Vegas last week.
That’s because those cell doors are controlled by a little-known but popular open-source messaging protocol known as MQTT, which lets low-powered, internet-connected (IoT) sensors and smart devices communicate with a central server.