A Chinese brand I looked at has most of their network equipment connect back via MQTT with TLS, for IoT things.
Except the agent had a pretty obvious command runner on one of the message handlers. I was a little afraid to ask them whether it was deliberate or just a really incompetently written backup update mechanism.
To be fair, I was looking for arbitrary command execution for my own purposes at the time...
I do get a decent chuckle when I see their OUI in scan results when out and about now. (About ~0.12% of the recorded results in Wigle it seems)
Except the agent had a pretty obvious command runner on one of the message handlers. I was a little afraid to ask them whether it was deliberate or just a really incompetently written backup update mechanism.
To be fair, I was looking for arbitrary command execution for my own purposes at the time...
I do get a decent chuckle when I see their OUI in scan results when out and about now. (About ~0.12% of the recorded results in Wigle it seems)