Cloud

7/10/2017
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IoT Devices Plagued by Lesser-Known Security Hole

Internet of Things devices are security-challenged enough, but they're also being massively exposed on the public Internet - this time via MQTT communications, a researcher will show at Black Hat USA.

An oft-forgotten 90s-era communications protocol now becoming prevalent in the Internet of Things realm can easily be manipulated via the public Internet to snoop on and even sabotage power plant equipment, ATM machines, and other connected devices.

Security researcher Lucas Lundgren via an Internet scan last year found around 65,000 IoT servers using the Message Queuing Telemetry Transport (MQTT) worldwide on the public Internet wide open to attack with no authentication nor encrypted communication, findings he revealed last August at DEF CON. Later this month at Black Hat USA in Las Vegas, Lundgren plans to demonstrate how an attacker could compromise exposed MQTT-based servers and issue phony commands in order to alter their operation or outcomes of their IoT-attached equipment.

Lundgren also will release a brute-force hacking tool during his Black Hat session Taking Over the World Through MQTT - Aftermath. The tool, which was written by a friend of Lundgren's, raises the stakes and cracks MQTT servers that actually employ recommended username and password protection. According to Lundgren, of the tens of thousands he first scanned, just two at the time were protected with authentication, and he was able to access many of them by subscribing to their so-called hashtag feeds that are basically their communications channels.

MQTT is a lightweight, machine-to-machine messaging protocol created in 1999 as a way for low-bandwidth communication such as satellite, and since has emerged as a staple for IoT devices that require infrequent or intermittent Internet access.

Lundgren struck oil – nearly literally in one case where he spotted an oil pipeline server in the Middle East that was exposed online – after finding an open port on a server last year that led to his ultimate, massive discovery of tens of thousands of open MQTT servers – including airplane coordinates, prison door controls, connected cars, electricity meters, medical devices, mobile phones, and home automation systems. He was able to read in plain text the data sent back and forth between those IoT devices and their servers.

"We could see prison doors open and close," says Lundgren, a researcher with IOActive.

The unauthenticated, exposed MQTT servers also are vulnerable to server-side attacks, such as cross-site scripting and SQL injection, that then can allow an attacker to inject his or her own nefarious messages to the IoT devices, Lundgren says. "I can write to those [message] brokers and could alter their data," he says, such as overriding sensors on a radiation monitor in a nuclear plant, for example, he says.

Among his findings was an exposed MQ Web-based IoT demonstration of connected cars by IBM, he says. Lundgren says user-controlled data there isn't properly "sanitized," so an attacker could send phony messages from the connected cars or anyone viewing the demo. IBM as of this posting was investigating the issue.

In another find, Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server" there, he says, declining to name the vendor at this time.

Another danger with MQTT servers: they often are used for firmware updates in IoT, so an attacker could rig a firmware update with malicious code, for example.

So how does the MQTT exposure differ from all of the other IoT vulnerabilities and weaknesses constantly being unearthed? "This one is so simple. It's right in front of you," he says.

The Middle East oil pipeline server he spotted exposed its oil flow as well as usernames and passwords to the PLC devices. You wouldn't need Stuxnet or any sophisticated malware to reroute the flow of oil in the pipeline or other industrial systems exposed via weakly configured MQTT servers, he notes. 

"You just need freeware tools to connect to it and you can send and manipulate data," says Lundgren, who plans to reveal more findings at Black Hat.

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12716
PUBLISHED: 2018-06-25
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its l...
CVE-2018-12705
PUBLISHED: 2018-06-24
DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated only on the client side).
CVE-2018-12706
PUBLISHED: 2018-06-24
DIGISOL DG-BR4000NG devices have a Buffer Overflow via a long Authorization HTTP header.
CVE-2018-12714
PUBLISHED: 2018-06-24
An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial o...
CVE-2018-12713
PUBLISHED: 2018-06-24
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was ...