I discovered a very similar vulnerability in Mysa smart thermostats a year ago, also involving MQTT, and also allowing me to view and control anyone's thermostat anywhere in the world: https://news.ycombinator.com/item?id=43392991

Also discovered during reverse-engineering of the devices’ communications protocols.

IoT device security is an utterly shambolic mess.

That is terrifying. Messing with thermostats could be enough to kill vulnerable people.

Yes. An excerpt from my initial email to Mysa's security contact…

> I stumbled upon these vulnerabilities on one of the coldest days of this winter in Vancouver. An attacker using them could have disabled all Mysa-connected heaters in the America/Vancouver timezone in the middle of the night. That would include the heat in the room where my 7-month-old son sleeps.

I’m not super familiar with MQTT. I wonder how common this is.

MQTT is a very simple pub/sub messaging protocol.

It's used in an enormous number of IoT devices.

The "IoT gateway" service from AWS supports MQTT and a whole lot of IoT devices are tethered to this service specifically.
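For a sense of what a device fleet "tethered to" AWS IoT Core has to get right on the authorization side, here is an added example (not from this thread, and not the policy of any vendor named in it) of a least-privilege AWS IoT policy: each thing may connect only under its own name and may publish, subscribe and receive only under its own `devices/<thing-name>/` topic prefix, so one device cannot read or command another. The weak variant that lets any authenticated device reach every other device's topics is the same document with `"Resource": "*"` on the publish/subscribe/receive statements. `REGION`, `ACCOUNT_ID` and the `devices/...` topic layout are placeholders I assumed for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topic/devices/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topicfilter/devices/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
```

The `${iot:Connection.Thing.ThingName}` variable is only populated when the connecting certificate is attached to a registered thing, so a certificate that is not bound to a thing gets no topic access at all under this policy.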