Lucas Lundgren sat at his desk as he watched prison cell doors hundreds of miles away from him opening and closing.
He could see the various commands floating across his screen in unencrypted plain text. "I could even issue commands like, 'all cell blocks open'," he said in a phone call last week. Without being there, he couldn't know for sure if his actions would've had real-world consequences.
"I'd probably only know by reading about it in the newspaper the next day," said Lundgren, a senior security consultant at IOActive, ahead of his Black Hat talk in Las Vegas last week.
It's because those cell doors are controlled by a little-known but popular open-source messaging protocol known as MQTT, which lets low powered, internet-connected (IoT) sensors and smart devices communicate with a central server using little bandwidth -- letting prison guards remotely control the locks on a cell door. The protocol is used everywhere -- by hobbyists at home, but also in industrial systems like gauges and equipment sensors, electronic billboards, and even medical devices.
But all too often, the servers that listen to devices and send commands aren't protected with a username or password, allowing anyone with an internet connection to look into one of the 87,000 unprotected servers, according to Lundgren's port scans.
"It's a scary situation," he said. "Not only can we read the data -- that's bad enough -- but we can also write to the data."
Lundgren has seen heart monitors and insulin pumps that are constantly updating data over the protocol so that a doctor can read it remotely on a web page and make alterations, he said. "If I wanted to be malicious, I could probably change the insulin or something, and see what happens," he said.
Throughout his scans, he found servers from all over the world, running everything from home automation and alarm systems, to nuclear power plants, a particle accelerator -- and even an oil pipeline.
"I can see the pressure flow back and forth," said Lundgren. He wasn't sure of the pipeline's location, but said he could see usernames and passwords to its entire industrial control system.
"If you can push more oil through, you could injure people," he said.
Lundgren also found a server operating in a German train station. He could see when trains run, which track they're on, and when they arrive.
"I don't know what the impact could be if I changed it," he said. "The best case scenario is that the devices just update the boards," said Lundgren -- though, he couldn't be sure if the data aggregated down to the actual tracks.
In the worst-case scenario, an attacker could've manipulated where trains go on each track, potentially causing a crash.
Among his finds were sex toys, blood pressure machines, air humidity sensors, and earthquake alert systems, he said.
In one of the slides at his Black Hat talk, he described how a user-modified Tesla vehicle was leaking its real-time geolocation and other vital statistics.
But Lundgren will be the first to launch a defense for the protocol -- laying blame at the hands of its users.
"To blame MQTT isn't fair -- the protocol isn't the problem," he said. "You should always use encryption, and a username and a password on the server," he said. "The majority don't bother." Several significant data breaches and exposures have resulted from leaving servers unprotected, including database servers that've been held to ransom, and Amazon cloud storage units that have been raided, among others.
He said that companies like Amazon, IBM, and Microsoft -- some of the big names with cloud-based MQTT solutions, which he recommends -- force you to set up the servers properly.
"Security is in your hands," he said.