Introducing IOXY: an open-source MQTT intercepting proxy

TL;DR: IOXY is an open source MQTT intercepting proxy, developed by NVISO for our IoT pentest needs, and now available on GitHub. Features include a GUI, live packet interception and modification and MQTTS support.

The need for IOXY

In the web and mobile application worlds, intercepting proxies like Burp and OWASP ZAP occupy a central place in every pentester’s arsenal of tools. They make inspecting and manipulating HTTP traffic a breeze!

In the IoT world, MQTT is becoming one of the de-facto standards for the communication of edge devices with their cloud backend. Its growth is supported by its adoption by popular IoT cloud solutions, such as AWS IoT and Azure IoT.

When performing assessments on IoT solutions, we realized that despite MQTT’s recent spike in popularity, tools to pentest MQTT applications were lagging behind. For example, we couldn’t find a tool allowing us to easily intercept, inspect and interact with MQTT traffic…

This realization was the spark behind IOXY (IoT – Proxy), an MQTT intercepting proxy! It’s a tool we developed internally, and used successfully in IoT pentests. We decided to open source it, hoping it will prove useful to the IoT security community.

IOXY logo

IOXY features

IOXY can be placed between IoT devices using MQTT and their backend, in order to help testers inspect the communication and play with abuse cases. Without further ado, let’s look at its main features:

  • Multi-protocol support : IOXY supports the MQTT, MQTTS and MQTT over WebSockets protocols. Certificate-based authentication is also supported, as well as TLS ALPN;
  • Multi-broker support: it is compatible with many MQTT broker (and client) implementation out of the box;
  • GUI : a web-based GUI makes IOXY easier to use and configure (all functionality is also available via a CLI):
IOXY’s web-based GUI
  • Message interception & modification: with a flick of switch, you can capture MQTT messages, modify their contents and/or the MQTT topic on which they are posted, and then send them on their way:
IOXY’s packet interception and modification in action
  • Database storage : all messages going through IOXY are stored in an SQLite database, so that they can easily be searched by topic and/or payload.

A (very) quick look under the hood

IOXY is written in Go, and can be compiled for any architecture. We tried to make IOXY “broker-agnostic”, in other words compatible with as many MQTT brokers as possible out of the box.

Therefore, IOXY works by providing a termination point for the protocol encapsulating MQTT, for example TCP or TLS. When packages arrive, it simply forwards their MQTT contents to the broker. This way of functioning defeats the need of providing different MQTT client and broker implementations inside IOXY.

How to get it

IOXY is available on Github: https://github.com/NVISO-BE/IOXY .

The README file provides installation and usage instructions and the example use case will help you get more familiar with IOXY’s setup and operation.

The future of IOXY

We are very excited to share IOXY with the community, and we hope that it can grow as a community effort. From our side, we will be actively using it during our IoT assessments, and maintaining it to fix bugs and add more functionality. Please submit bug reports, feature requests and any other feedback through Github’s issue tracker. Finally, stay tuned for upcoming IOXY tutorials and interesting use cases!

About the author

Théo Rigas is an IT Security Consultant at NVISO. He has researched the security of connected alarm systems and is currently working on more IoT and embedded device security projects. Outside of his Research work, he performs Web, Mobile and IoT security assessments for NVISO.

Join the Conversation

1 Comment

Leave a comment

Leave a Reply

%d bloggers like this: