Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:00 PM
Connect Directly

New Security Woes for Popular IoT Protocols

Researchers at Black Hat Europe will detail denial-of-service and other flaws in MQTT, CoAP machine-to-machine communications protocols that imperil industrial and other IoT networks online.

Security researcher Federico Maggi had been collecting data – some of it sensitive in nature – from hundreds of thousands of Message Queuing Telemetry Transport (MQTT) servers he found sitting wide open on the public Internet via Shodan. "I would probe them and listen for 10 seconds or so, and just collect data from them," he says.

He found data on sensors and other devices sitting in manufacturing and automotive networks, for instance, as well as typical consumer Internet of Things (IoT) gadgets.

The majority of data, Maggi says, came from consumer devices and sensors or was data he couldn’t identify. "There was a good amount of data from factories, and I was able to find data coming from pretty expensive industrial machines, including a robot," he says.

At first, Maggi, a senior threat researcher at Trend Micro, wasn't regularly studying the millions of MQTT and other message data he was gathering via scripts he wrote that automatically extracted data from the searches; he was just occasionally checking on his findings. "I was not really paying attention to it," he says.

But all that changed earlier this year. After a chance conversation during a lunch meeting with fellow researcher Davide Quarta, Maggi decided to double down on his research after Quarta, a post-doctoral researcher for EURECOM, mentioned he was studying the MQTT protocol and had "lots of data," Maggi recalls.

So the two teamed up and dug deeper into how both MQTT and its companion, the Constrained Application Protocol, or CoAP, could be abused by attackers. They found that the widely used device-to-device communications protocols contained inherent security weaknesses, especially in the way they are implemented in IoT devices – exposing flaws that could allow attackers to execute denial-of-service (DoS) attacks on devices or gain remote control of industrial IoT or consumer IoT devices for cyber espionage or worse.

MQTT and CoAP basically serve as the backbone of IoT and industrial IoT communications. As Maggi and Quarta discovered, the protocols often are deployed in devices insecurely, leaking sensitive information such as device details, user credentials, and network configuration information. The pair of researchers will present details and data from their findings in December at Black Hat Europe in London.

[See "When Machines Can't Talk: Security and Privacy Issues of Machine-to-Machine Data Protocols" briefing session at Black Hat Europe in London in December.]

Attackers could exploit these weaknesses in the protocols and their implementations to target victim organizations, as well as use an IoT device as a stepping stone further into the victim network.

Moving Target
One core problem is that the MQTT protocol standard itself has been evolving over the past few years; once devices get updated with new versions of the spec, that can leave older implementations at risk. It also has, at times, introduced changes that break compatibility among IoT and industrial IoT devices, for example. "Yes, this technology is very efficient and effective for what it needs to do, but it's also a changing technology," Maggi says. And that can open up security holes.

In some cases, updates that fix one issue in the code have inadvertently caused or introduced another security issue. Maggi says it took about five years for fixes to the MQTT protocol to result in a clean, bug-free specification. Meanwhile, developers aren't always able or willing to update each product with the new spec, leaving devices vulnerable. Even more concerning, the latest release of MQTT (version 5) has changes that "break" parts of the previous protocol version. "So guess how many people will adopt it now?" Maggi quips.

Quarta traced the DoS attack risk to a logic flaw in the standard itself. "Some parts of the standard were changing over time ... and there were errors in a subsequent version," he says. In a nutshell, a few sentences in the standard were left open to interpretation, he says, making it easy for developers to inadvertently implement it incorrectly. There was a code error in the protocol, as well as some missing features.

The MQTT Technical Committee in February put out a notice about the issue when Quarta reported it, with information on how to detect the issue in devices and fix it.

Quarta found that an attacker could wage a DoS attack on a device by taking advantage of MQTT's "retain" feature, which ensures all IoT clients get a message that's sent. The issue has to do with how multibyte strings – UTF-8 characters – and other strings are parsed by the protocol software. The standard includes the feature that mandates servers retain messages and that clients request acknowledgement of the delivery of each message they send.

A DoS attack could occur like this: A compromised IoT device would send an invalid UTF-8 message that enables the retain function and sabotages another parameter, for instance. The MQTT server would, in turn, comply and retain the message. A legitimate IoT device would then receive that message, but thanks to the malicious settings by the attacker, that device (the client) would close the connection. The server, expecting a response, bombards it over and over with messages, leading to a DoS of the IoT device.

"The best way to protect against a logic flaw DoS attack such as this is by keeping both client and broker software aligned," Maggi explains. "It doesn't matter whether they follow the specs or not, but they have to do the same thing."

At the network level, an IDS/IPS system could monitor and filter packets for malformed content, he says.

At Black Hat Europe, Maggi and Quarta plan to show recordings of the exploit, as well as provide a demo that shows how such a DoS would affect an industrial network. They'll show a simulated Mars Rover transporting a load while being directed by MQTT messages.

"You can imagine automation controls sending messages to the Rover to go back, load up, and load down, with each command an MQTT message," Maggi explains. "We pull off one of the exploits while messages are being delivered."  

The server then is unable to deliver messages on time, so it could cause the Rover to physically drop the load, for instance. "The impact of a tiny software bug" could have safety implications, he says.

Malicious Software Updates
MQTT can also be used for software and firmware updates in IoT and industrial IoT devices. "So draw your own conclusions" about risks, Maggi says. "We found ... firmware passing through MQTT as part of an update."

Even so, the researchers say they didn't discover any attacks in the wild using MQTT. But there are some possible scenarios of other types of abuse by attackers. "I've looked into if there's any malware that uses MQTT as a command-and-control technology. That would be a convenient way to make bots communicate; it's easy to blend in because of MQTT's popularity now," Quarta says. "But I haven't found any malware using it."

While the researchers were able to easily identify MQTT servers via Shodan, what was alarming was how that led them to sensitive data. The ability to actually connect directly to the discovered devices was "more scary" than finding a device via Shodan, Maggi says. "And with zero effort, you get inundated with messages sent to the client."

But Maggi and Quarta aren't the first to point out MQTT security risks, a fact they note up front. Lucas Lundgren, a security consultant at IOActive, for instance, found in his own research tens of thousands of MQTT servers leaking sensitive information during his study between 2016 and 2017.

Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server," he told Dark Reading in a 2017 interview. 

Martin Horn, a security researcher at Avast, this year discovered via his own Shodan search 49,000 MQTT servers exposed on the Net – 32,000 of them had no password protection. Horn called out the flawed implementations of MQTT as well as a lack of security for the server, which can become a single point of security failure for all of the connected IoT devices. 

Related Content:


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
1/27/2020 | 3:40:18 PM
Which is Good BGP or PYTHON?
Both are the future of technology and such a truly I said this. BGP is more secure than other protocols.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...