IoT

Researcher Finds MQTT Hole in IoT Defenses

A commonly used protocol provides a gaping backdoor when misconfigured.

It started with a simple wish: Martin Horn, security researcher at Avast, wanted a smart home. As he began his research into systems, he found that many devices included set-up instructions with no security provisions. And then, it got worse.

Horn realized that many of the hubs gathering IoT devices into a unified system run Message Queuing Telemetry Transport (MQTT) protocol, an ISO standard for device-to-device communications. And quite a lot of the devices acting as MQTT servers have no security at all. It's not that they use a default user name and password, Horn says, it's that they don't have user names or passwords - period.

"It's not a flaw in IoT devices themselves, it's just a lack of security," Horn says. "In this case, it's wide open, with no password at all." It's important to note, he explains in an Avast blog post, that the MQTT protocol itself is secure, if implemented and configured correctly. The lack of security is the fault of the implementation, not the underlying protocol.

And the faulty implementations are widespread. Horn says that a relatively simple Shodan search found more than 49,000 MQTT servers visible on the Internet because MQTT has been improperly configured. Of those, more than 32,000 have no password protection at all.

Once compromised, the MQTT servers are primarily a threat to their owners. "This is more about leaking the data, not about becoming part of a botnet," Horn says. "I can imagine the possibility, if you could update firmware over MQTT, of recruitment [into a botnet], but it's mainly about leaking the data or losing control of the home system."

And the problem is that the MQTT server, by dint of its central position in the IoT network, becomes a central point of security failure that can open the entire network to to compromise even if the individual endpoints are configured securely. Connecting to the unprotected MQTT server and using it to control other devices or reading data from the connected devices becomes almost trivial, according to Horn's blog post.

Protecting these vulnerable devices is simple in concept: Add a username and password. In some cases that's a trivial step in a configuration process. In other cases, it's impossible, because the device manufacturer didn't make allowances for the addition.

Horn says in his post:  "…we have called for better device-level security for IoT and for manufacturers to develop their products in such a way that encourages and makes it simple for all consumers to properly set up their devices and all the pieces related and connected to it, in order to ensure users’ entire smart ecosystem is secure."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A96.uk
50%
50%
A96.uk,
User Rank: Apprentice
8/22/2018 | 12:57:36 PM
Re: MQTT is IT not IoT
Yes it is IT security that fails here with MQTT implimentation.

 

It comes under configuration management.

Security needs to be abstracted away from business requirements.

Its a given in IoT.

 

Example used here already people 2016

 

https://www.wolfssl.com/wolfmqtt-v0-3-and-mqtt-secure-firmware-update-example/

https://www.wolfssl.com/docs/atmel/

 

My own IoT design's are designed to show the IT world how to do SECURITY.

In hardware. Like U2F from FIDO/FIDO2 for humans.

 

508a/608a or SAML11 for your edge nodes.

SAML11 for youre secure IoT hub talking MQTT over HTTPS.

 

It does not matter if your IP security fails.

The data is protected by hardware security.

Your heart beat system will tell you of DOS on your IP part.

 

ONLY PUBLIC KEYS are in the wild in secure IoT systems.
Kunchen
50%
50%
Kunchen,
User Rank: Apprentice
8/22/2018 | 12:37:55 PM
Re: MQTT is IT not IoT
Doesn't that go back to security policies? Disabling/securing services/ports? 
A96.uk
50%
50%
A96.uk,
User Rank: Apprentice
8/22/2018 | 3:06:24 AM
MQTT is IT not IoT
The Internet of things (IoT) is the network of physical devices, sensors, actuators, and secure network connectivity which enable these objects to collect and exchange data

People need to know who to blame for poor design & security with IT systems.

 

IoT is a subset of IT, linked in a Venne diagram by the overlap, this is the place for the secure hub.

IoT securely designed does not rely on MQTT security.

IT security configuration has always been an issue.

If you cannot configure MQTT don't even think about adding on a IoT sub system.

 

Regards

 

https://a96.uk/
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.