Cloud

7/10/2017
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IoT Devices Plagued by Lesser-Known Security Hole

Internet of Things devices are security-challenged enough, but they're also being massively exposed on the public Internet - this time via MQTT communications, a researcher will show at Black Hat USA.

An oft-forgotten 90s-era communications protocol now becoming prevalent in the Internet of Things realm can easily be manipulated via the public Internet to snoop on and even sabotage power plant equipment, ATM machines, and other connected devices.

Security researcher Lucas Lundgren via an Internet scan last year found around 65,000 IoT servers using the Message Queuing Telemetry Transport (MQTT) worldwide on the public Internet wide open to attack with no authentication nor encrypted communication, findings he revealed last August at DEF CON. Later this month at Black Hat USA in Las Vegas, Lundgren plans to demonstrate how an attacker could compromise exposed MQTT-based servers and issue phony commands in order to alter their operation or outcomes of their IoT-attached equipment.

Lundgren also will release a brute-force hacking tool during his Black Hat session Taking Over the World Through MQTT - Aftermath. The tool, which was written by a friend of Lundgren's, raises the stakes and cracks MQTT servers that actually employ recommended username and password protection. According to Lundgren, of the tens of thousands he first scanned, just two at the time were protected with authentication, and he was able to access many of them by subscribing to their so-called hashtag feeds that are basically their communications channels.

MQTT is a lightweight, machine-to-machine messaging protocol created in 1999 as a way for low-bandwidth communication such as satellite, and since has emerged as a staple for IoT devices that require infrequent or intermittent Internet access.

Lundgren struck oil – nearly literally in one case where he spotted an oil pipeline server in the Middle East that was exposed online – after finding an open port on a server last year that led to his ultimate, massive discovery of tens of thousands of open MQTT servers – including airplane coordinates, prison door controls, connected cars, electricity meters, medical devices, mobile phones, and home automation systems. He was able to read in plain text the data sent back and forth between those IoT devices and their servers.

"We could see prison doors open and close," says Lundgren, a researcher with IOActive.

The unauthenticated, exposed MQTT servers also are vulnerable to server-side attacks, such as cross-site scripting and SQL injection, that then can allow an attacker to inject his or her own nefarious messages to the IoT devices, Lundgren says. "I can write to those [message] brokers and could alter their data," he says, such as overriding sensors on a radiation monitor in a nuclear plant, for example, he says.

Among his findings was an exposed MQ Web-based IoT demonstration of connected cars by IBM, he says. Lundgren says user-controlled data there isn't properly "sanitized," so an attacker could send phony messages from the connected cars or anyone viewing the demo. IBM as of this posting was investigating the issue.

In another find, Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server" there, he says, declining to name the vendor at this time.

Another danger with MQTT servers: they often are used for firmware updates in IoT, so an attacker could rig a firmware update with malicious code, for example.

So how does the MQTT exposure differ from all of the other IoT vulnerabilities and weaknesses constantly being unearthed? "This one is so simple. It's right in front of you," he says.

The Middle East oil pipeline server he spotted exposed its oil flow as well as usernames and passwords to the PLC devices. You wouldn't need Stuxnet or any sophisticated malware to reroute the flow of oil in the pipeline or other industrial systems exposed via weakly configured MQTT servers, he notes. 

"You just need freeware tools to connect to it and you can send and manipulate data," says Lundgren, who plans to reveal more findings at Black Hat.

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.