Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/10/2017
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IoT Devices Plagued by Lesser-Known Security Hole

Internet of Things devices are security-challenged enough, but they're also being massively exposed on the public Internet - this time via MQTT communications, a researcher will show at Black Hat USA.

An oft-forgotten 90s-era communications protocol now becoming prevalent in the Internet of Things realm can easily be manipulated via the public Internet to snoop on and even sabotage power plant equipment, ATM machines, and other connected devices.

Security researcher Lucas Lundgren via an Internet scan last year found around 65,000 IoT servers using the Message Queuing Telemetry Transport (MQTT) worldwide on the public Internet wide open to attack with no authentication nor encrypted communication, findings he revealed last August at DEF CON. Later this month at Black Hat USA in Las Vegas, Lundgren plans to demonstrate how an attacker could compromise exposed MQTT-based servers and issue phony commands in order to alter their operation or outcomes of their IoT-attached equipment.

Lundgren also will release a brute-force hacking tool during his Black Hat session Taking Over the World Through MQTT - Aftermath. The tool, which was written by a friend of Lundgren's, raises the stakes and cracks MQTT servers that actually employ recommended username and password protection. According to Lundgren, of the tens of thousands he first scanned, just two at the time were protected with authentication, and he was able to access many of them by subscribing to their so-called hashtag feeds that are basically their communications channels.

MQTT is a lightweight, machine-to-machine messaging protocol created in 1999 as a way for low-bandwidth communication such as satellite, and since has emerged as a staple for IoT devices that require infrequent or intermittent Internet access.

Lundgren struck oil – nearly literally in one case where he spotted an oil pipeline server in the Middle East that was exposed online – after finding an open port on a server last year that led to his ultimate, massive discovery of tens of thousands of open MQTT servers – including airplane coordinates, prison door controls, connected cars, electricity meters, medical devices, mobile phones, and home automation systems. He was able to read in plain text the data sent back and forth between those IoT devices and their servers.

"We could see prison doors open and close," says Lundgren, a researcher with IOActive.

The unauthenticated, exposed MQTT servers also are vulnerable to server-side attacks, such as cross-site scripting and SQL injection, that then can allow an attacker to inject his or her own nefarious messages to the IoT devices, Lundgren says. "I can write to those [message] brokers and could alter their data," he says, such as overriding sensors on a radiation monitor in a nuclear plant, for example, he says.

Among his findings was an exposed MQ Web-based IoT demonstration of connected cars by IBM, he says. Lundgren says user-controlled data there isn't properly "sanitized," so an attacker could send phony messages from the connected cars or anyone viewing the demo. IBM as of this posting was investigating the issue.

In another find, Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server" there, he says, declining to name the vendor at this time.

Another danger with MQTT servers: they often are used for firmware updates in IoT, so an attacker could rig a firmware update with malicious code, for example.

So how does the MQTT exposure differ from all of the other IoT vulnerabilities and weaknesses constantly being unearthed? "This one is so simple. It's right in front of you," he says.

The Middle East oil pipeline server he spotted exposed its oil flow as well as usernames and passwords to the PLC devices. You wouldn't need Stuxnet or any sophisticated malware to reroute the flow of oil in the pipeline or other industrial systems exposed via weakly configured MQTT servers, he notes. 

"You just need freeware tools to connect to it and you can send and manipulate data," says Lundgren, who plans to reveal more findings at Black Hat.

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...