Researcher Finds MQTT Hole in IoT Defenses

A commonly used protocol provides a gaping backdoor when misconfigured.

Dark Reading logo in a gray background | Dark Reading

It started with a simple wish: Martin Horn, security researcher at Avast, wanted a smart home. As he began his research into systems, he found that many devices included set-up instructions with no security provisions. And then, it got worse.

Horn realized that many of the hubs gathering IoT devices into a unified system run Message Queuing Telemetry Transport (MQTT) protocol, an ISO standard for device-to-device communications. And quite a lot of the devices acting as MQTT servers have no security at all. It's not that they use a default user name and password, Horn says, it's that they don't have user names or passwords - period.

"It's not a flaw in IoT devices themselves, it's just a lack of security," Horn says. "In this case, it's wide open, with no password at all." It's important to note, he explains in an Avast blog post, that the MQTT protocol itself is secure, if implemented and configured correctly. The lack of security is the fault of the implementation, not the underlying protocol.

And the faulty implementations are widespread. Horn says that a relatively simple Shodan search found more than 49,000 MQTT servers visible on the Internet because MQTT has been improperly configured. Of those, more than 32,000 have no password protection at all.

Once compromised, the MQTT servers are primarily a threat to their owners. "This is more about leaking the data, not about becoming part of a botnet," Horn says. "I can imagine the possibility, if you could update firmware over MQTT, of recruitment [into a botnet], but it's mainly about leaking the data or losing control of the home system."

And the problem is that the MQTT server, by dint of its central position in the IoT network, becomes a central point of security failure that can open the entire network to to compromise even if the individual endpoints are configured securely. Connecting to the unprotected MQTT server and using it to control other devices or reading data from the connected devices becomes almost trivial, according to Horn's blog post.

Protecting these vulnerable devices is simple in concept: Add a username and password. In some cases that's a trivial step in a configuration process. In other cases, it's impossible, because the device manufacturer didn't make allowances for the addition.

Horn says in his post:  "…we have called for better device-level security for IoT and for manufacturers to develop their products in such a way that encourages and makes it simple for all consumers to properly set up their devices and all the pieces related and connected to it, in order to ensure users’ entire smart ecosystem is secure."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights