Cloud

7/10/2017
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IoT Devices Plagued by Lesser-Known Security Hole

Internet of Things devices are security-challenged enough, but they're also being massively exposed on the public Internet - this time via MQTT communications, a researcher will show at Black Hat USA.

An oft-forgotten 90s-era communications protocol now becoming prevalent in the Internet of Things realm can easily be manipulated via the public Internet to snoop on and even sabotage power plant equipment, ATM machines, and other connected devices.

Security researcher Lucas Lundgren via an Internet scan last year found around 65,000 IoT servers using the Message Queuing Telemetry Transport (MQTT) worldwide on the public Internet wide open to attack with no authentication nor encrypted communication, findings he revealed last August at DEF CON. Later this month at Black Hat USA in Las Vegas, Lundgren plans to demonstrate how an attacker could compromise exposed MQTT-based servers and issue phony commands in order to alter their operation or outcomes of their IoT-attached equipment.

Lundgren also will release a brute-force hacking tool during his Black Hat session Taking Over the World Through MQTT - Aftermath. The tool, which was written by a friend of Lundgren's, raises the stakes and cracks MQTT servers that actually employ recommended username and password protection. According to Lundgren, of the tens of thousands he first scanned, just two at the time were protected with authentication, and he was able to access many of them by subscribing to their so-called hashtag feeds that are basically their communications channels.

MQTT is a lightweight, machine-to-machine messaging protocol created in 1999 as a way for low-bandwidth communication such as satellite, and since has emerged as a staple for IoT devices that require infrequent or intermittent Internet access.

Lundgren struck oil – nearly literally in one case where he spotted an oil pipeline server in the Middle East that was exposed online – after finding an open port on a server last year that led to his ultimate, massive discovery of tens of thousands of open MQTT servers – including airplane coordinates, prison door controls, connected cars, electricity meters, medical devices, mobile phones, and home automation systems. He was able to read in plain text the data sent back and forth between those IoT devices and their servers.

"We could see prison doors open and close," says Lundgren, a researcher with IOActive.

The unauthenticated, exposed MQTT servers also are vulnerable to server-side attacks, such as cross-site scripting and SQL injection, that then can allow an attacker to inject his or her own nefarious messages to the IoT devices, Lundgren says. "I can write to those [message] brokers and could alter their data," he says, such as overriding sensors on a radiation monitor in a nuclear plant, for example, he says.

Among his findings was an exposed MQ Web-based IoT demonstration of connected cars by IBM, he says. Lundgren says user-controlled data there isn't properly "sanitized," so an attacker could send phony messages from the connected cars or anyone viewing the demo. IBM as of this posting was investigating the issue.

In another find, Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server" there, he says, declining to name the vendor at this time.

Another danger with MQTT servers: they often are used for firmware updates in IoT, so an attacker could rig a firmware update with malicious code, for example.

So how does the MQTT exposure differ from all of the other IoT vulnerabilities and weaknesses constantly being unearthed? "This one is so simple. It's right in front of you," he says.

The Middle East oil pipeline server he spotted exposed its oil flow as well as usernames and passwords to the PLC devices. You wouldn't need Stuxnet or any sophisticated malware to reroute the flow of oil in the pipeline or other industrial systems exposed via weakly configured MQTT servers, he notes. 

"You just need freeware tools to connect to it and you can send and manipulate data," says Lundgren, who plans to reveal more findings at Black Hat.

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.