Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/10/2017
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IoT Devices Plagued by Lesser-Known Security Hole

Internet of Things devices are security-challenged enough, but they're also being massively exposed on the public Internet - this time via MQTT communications, a researcher will show at Black Hat USA.

An oft-forgotten 90s-era communications protocol now becoming prevalent in the Internet of Things realm can easily be manipulated via the public Internet to snoop on and even sabotage power plant equipment, ATM machines, and other connected devices.

Security researcher Lucas Lundgren via an Internet scan last year found around 65,000 IoT servers using the Message Queuing Telemetry Transport (MQTT) worldwide on the public Internet wide open to attack with no authentication nor encrypted communication, findings he revealed last August at DEF CON. Later this month at Black Hat USA in Las Vegas, Lundgren plans to demonstrate how an attacker could compromise exposed MQTT-based servers and issue phony commands in order to alter their operation or outcomes of their IoT-attached equipment.

Lundgren also will release a brute-force hacking tool during his Black Hat session Taking Over the World Through MQTT - Aftermath. The tool, which was written by a friend of Lundgren's, raises the stakes and cracks MQTT servers that actually employ recommended username and password protection. According to Lundgren, of the tens of thousands he first scanned, just two at the time were protected with authentication, and he was able to access many of them by subscribing to their so-called hashtag feeds that are basically their communications channels.

MQTT is a lightweight, machine-to-machine messaging protocol created in 1999 as a way for low-bandwidth communication such as satellite, and since has emerged as a staple for IoT devices that require infrequent or intermittent Internet access.

Lundgren struck oil – nearly literally in one case where he spotted an oil pipeline server in the Middle East that was exposed online – after finding an open port on a server last year that led to his ultimate, massive discovery of tens of thousands of open MQTT servers – including airplane coordinates, prison door controls, connected cars, electricity meters, medical devices, mobile phones, and home automation systems. He was able to read in plain text the data sent back and forth between those IoT devices and their servers.

"We could see prison doors open and close," says Lundgren, a researcher with IOActive.

The unauthenticated, exposed MQTT servers also are vulnerable to server-side attacks, such as cross-site scripting and SQL injection, that then can allow an attacker to inject his or her own nefarious messages to the IoT devices, Lundgren says. "I can write to those [message] brokers and could alter their data," he says, such as overriding sensors on a radiation monitor in a nuclear plant, for example, he says.

Among his findings was an exposed MQ Web-based IoT demonstration of connected cars by IBM, he says. Lundgren says user-controlled data there isn't properly "sanitized," so an attacker could send phony messages from the connected cars or anyone viewing the demo. IBM as of this posting was investigating the issue.

In another find, Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server" there, he says, declining to name the vendor at this time.

Another danger with MQTT servers: they often are used for firmware updates in IoT, so an attacker could rig a firmware update with malicious code, for example.

So how does the MQTT exposure differ from all of the other IoT vulnerabilities and weaknesses constantly being unearthed? "This one is so simple. It's right in front of you," he says.

The Middle East oil pipeline server he spotted exposed its oil flow as well as usernames and passwords to the PLC devices. You wouldn't need Stuxnet or any sophisticated malware to reroute the flow of oil in the pipeline or other industrial systems exposed via weakly configured MQTT servers, he notes. 

"You just need freeware tools to connect to it and you can send and manipulate data," says Lundgren, who plans to reveal more findings at Black Hat.

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7622
PUBLISHED: 2020-04-06
All versions before 2.2.1 are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.
CVE-2020-9473
PUBLISHED: 2020-04-06
The S. Siedle & Soehne SG 150-0 Smart Gateway <= 1.2.3 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
CVE-2020-1728
PUBLISHED: 2020-04-06
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other pr...
CVE-2020-8004
PUBLISHED: 2020-04-06
STMicroelectronics STM32F1 devices have Incorrect Access Control.
CVE-2020-7631
PUBLISHED: 2020-04-06
diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allows execution of arbitrary commands via the path argument.