Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:00 PM
Connect Directly

New Security Woes for Popular IoT Protocols

Researchers at Black Hat Europe will detail denial-of-service and other flaws in MQTT, CoAP machine-to-machine communications protocols that imperil industrial and other IoT networks online.

Security researcher Federico Maggi had been collecting data – some of it sensitive in nature – from hundreds of thousands of Message Queuing Telemetry Transport (MQTT) servers he found sitting wide open on the public Internet via Shodan. "I would probe them and listen for 10 seconds or so, and just collect data from them," he says.

He found data on sensors and other devices sitting in manufacturing and automotive networks, for instance, as well as typical consumer Internet of Things (IoT) gadgets.

The majority of data, Maggi says, came from consumer devices and sensors or was data he couldn’t identify. "There was a good amount of data from factories, and I was able to find data coming from pretty expensive industrial machines, including a robot," he says.

At first, Maggi, a senior threat researcher at Trend Micro, wasn't regularly studying the millions of MQTT and other message data he was gathering via scripts he wrote that automatically extracted data from the searches; he was just occasionally checking on his findings. "I was not really paying attention to it," he says.

But all that changed earlier this year. After a chance conversation during a lunch meeting with fellow researcher Davide Quarta, Maggi decided to double down on his research after Quarta, a post-doctoral researcher for EURECOM, mentioned he was studying the MQTT protocol and had "lots of data," Maggi recalls.

So the two teamed up and dug deeper into how both MQTT and its companion, the Constrained Application Protocol, or CoAP, could be abused by attackers. They found that the widely used device-to-device communications protocols contained inherent security weaknesses, especially in the way they are implemented in IoT devices – exposing flaws that could allow attackers to execute denial-of-service (DoS) attacks on devices or gain remote control of industrial IoT or consumer IoT devices for cyber espionage or worse.

MQTT and CoAP basically serve as the backbone of IoT and industrial IoT communications. As Maggi and Quarta discovered, the protocols often are deployed in devices insecurely, leaking sensitive information such as device details, user credentials, and network configuration information. The pair of researchers will present details and data from their findings in December at Black Hat Europe in London.

[See "When Machines Can't Talk: Security and Privacy Issues of Machine-to-Machine Data Protocols" briefing session at Black Hat Europe in London in December.]

Attackers could exploit these weaknesses in the protocols and their implementations to target victim organizations, as well as use an IoT device as a stepping stone further into the victim network.

Moving Target
One core problem is that the MQTT protocol standard itself has been evolving over the past few years; once devices get updated with new versions of the spec, that can leave older implementations at risk. It also has, at times, introduced changes that break compatibility among IoT and industrial IoT devices, for example. "Yes, this technology is very efficient and effective for what it needs to do, but it's also a changing technology," Maggi says. And that can open up security holes.

In some cases, updates that fix one issue in the code have inadvertently caused or introduced another security issue. Maggi says it took about five years for fixes to the MQTT protocol to result in a clean, bug-free specification. Meanwhile, developers aren't always able or willing to update each product with the new spec, leaving devices vulnerable. Even more concerning, the latest release of MQTT (version 5) has changes that "break" parts of the previous protocol version. "So guess how many people will adopt it now?" Maggi quips.

Quarta traced the DoS attack risk to a logic flaw in the standard itself. "Some parts of the standard were changing over time ... and there were errors in a subsequent version," he says. In a nutshell, a few sentences in the standard were left open to interpretation, he says, making it easy for developers to inadvertently implement it incorrectly. There was a code error in the protocol, as well as some missing features.

The MQTT Technical Committee in February put out a notice about the issue when Quarta reported it, with information on how to detect the issue in devices and fix it.

Quarta found that an attacker could wage a DoS attack on a device by taking advantage of MQTT's "retain" feature, which ensures all IoT clients get a message that's sent. The issue has to do with how multibyte strings – UTF-8 characters – and other strings are parsed by the protocol software. The standard includes the feature that mandates servers retain messages and that clients request acknowledgement of the delivery of each message they send.

A DoS attack could occur like this: A compromised IoT device would send an invalid UTF-8 message that enables the retain function and sabotages another parameter, for instance. The MQTT server would, in turn, comply and retain the message. A legitimate IoT device would then receive that message, but thanks to the malicious settings by the attacker, that device (the client) would close the connection. The server, expecting a response, bombards it over and over with messages, leading to a DoS of the IoT device.

"The best way to protect against a logic flaw DoS attack such as this is by keeping both client and broker software aligned," Maggi explains. "It doesn't matter whether they follow the specs or not, but they have to do the same thing."

At the network level, an IDS/IPS system could monitor and filter packets for malformed content, he says.

At Black Hat Europe, Maggi and Quarta plan to show recordings of the exploit, as well as provide a demo that shows how such a DoS would affect an industrial network. They'll show a simulated Mars Rover transporting a load while being directed by MQTT messages.

"You can imagine automation controls sending messages to the Rover to go back, load up, and load down, with each command an MQTT message," Maggi explains. "We pull off one of the exploits while messages are being delivered."  

The server then is unable to deliver messages on time, so it could cause the Rover to physically drop the load, for instance. "The impact of a tiny software bug" could have safety implications, he says.

Malicious Software Updates
MQTT can also be used for software and firmware updates in IoT and industrial IoT devices. "So draw your own conclusions" about risks, Maggi says. "We found ... firmware passing through MQTT as part of an update."

Even so, the researchers say they didn't discover any attacks in the wild using MQTT. But there are some possible scenarios of other types of abuse by attackers. "I've looked into if there's any malware that uses MQTT as a command-and-control technology. That would be a convenient way to make bots communicate; it's easy to blend in because of MQTT's popularity now," Quarta says. "But I haven't found any malware using it."

While the researchers were able to easily identify MQTT servers via Shodan, what was alarming was how that led them to sensitive data. The ability to actually connect directly to the discovered devices was "more scary" than finding a device via Shodan, Maggi says. "And with zero effort, you get inundated with messages sent to the client."

But Maggi and Quarta aren't the first to point out MQTT security risks, a fact they note up front. Lucas Lundgren, a security consultant at IOActive, for instance, found in his own research tens of thousands of MQTT servers leaking sensitive information during his study between 2016 and 2017.

Lundgren was able to send commands to an exposed MQTT server sitting inside a major technology vendor's network. "It allowed me to send raw commands into a server," he told Dark Reading in a 2017 interview. 

Martin Horn, a security researcher at Avast, this year discovered via his own Shodan search 49,000 MQTT servers exposed on the Net – 32,000 of them had no password protection. Horn called out the flawed implementations of MQTT as well as a lack of security for the server, which can become a single point of security failure for all of the connected IoT devices. 

Related Content:


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
1/27/2020 | 3:40:18 PM
Which is Good BGP or PYTHON?
Both are the future of technology and such a truly I said this. BGP is more secure than other protocols.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...