The Internet of Things is full of security holes, and the latest one has been pointed out by Avast researcher Martin Hron: unsecured MQTT servers.
What is MQTT?
The Message Queuing Telemetry Transport (MQTT) protocol is a lightweight messaging protocol that has been in use for almost two decades, mainly in industrial automation. It is often used to bridge different protocols, allowing otherwise incompatible devices to communicate with each other.
“The protocol is meant as a subscriber/publisher model. It works like an RSS feed: you subscribe to a topic, and once someone publishes something on the topic, the payload is delivered to all subscribers,” Hron explains.
This publish-subscribe messaging pattern requires a message broker.
“We have an MQTT server (broker) with embedded security capabilities, which serves as a ‘messenger’ between all components. We have a smart home hub which orchestrates all our devices and adds real intelligence to the whole system, and we have various MQTT-capable or MQTT-bridged devices that are connected to the MQTT server/broker.”
The problem, and the insecurity, lies not in the protocol or in Mosquitto (the most common broker software that implements it), but in the misconfiguration of MQTT servers.
In fact, using the Shodan IoT search engine, Avast researchers found over 49,000 MQTT servers exposed on the Internet; of these, nearly 33,000 have no password protection, allowing anyone to connect to them and read every message flowing through them.
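The check behind that Shodan number is a plain MQTT 3.1.1 handshake: send a CONNECT packet with no username or password and see whether the broker answers CONNACK with return code 0, then ask to subscribe to the wildcard topic `#`. The following is an added example, not Avast's tooling or Mosquitto code; it builds and parses the packets at the byte level so the offline parts can be verified, and `probe()` performs the live exchange against a host you supply (the client ID `mqtt-exposure-check` is an arbitrary choice).

```python
import socket
import struct
from typing import Optional, Tuple

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3).
CONNACK_CODES = {
    0: "accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB set = more bytes follow."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def mqtt_string(s: str) -> bytes:
    """UTF-8 string prefixed with a 16-bit big-endian length."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 10) -> bytes:
    """CONNECT packet. With no username/password this is exactly what an
    anonymous client sends, and what an open broker accepts."""
    flags = 0x02                      # clean session
    payload = mqtt_string(client_id)
    if username is not None:
        flags |= 0x80                 # username flag
        payload += mqtt_string(username)
        if password is not None:
            flags |= 0x40             # password flag
            payload += mqtt_string(password)
    var_header = (mqtt_string("MQTT") + bytes([0x04, flags])  # level 4 = MQTT 3.1.1
                  + struct.pack("!H", keepalive))
    body = var_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connack(data: bytes) -> Tuple[bool, int, str]:
    """Returns (accepted, return_code, description) from a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = data[3]
    return code == 0, code, CONNACK_CODES.get(code, "reserved")


def build_subscribe(topic_filter: str, packet_id: int = 1) -> bytes:
    """SUBSCRIBE at QoS 0. The wildcard '#' asks for every topic on the broker."""
    body = struct.pack("!H", packet_id) + mqtt_string(topic_filter) + b"\x00"
    return bytes([0x82]) + encode_remaining_length(len(body)) + body


def parse_suback(data: bytes) -> bool:
    """True if the single subscription was granted (0x80 means the broker refused it)."""
    if len(data) < 5 or data[0] != 0x90 or data[1] != 0x03:
        raise ValueError("not a SUBACK packet")
    return data[4] != 0x80


def probe(host: str, port: int = 1883, timeout: float = 5.0) -> dict:
    """Live check (needs network): does the broker accept an anonymous CONNECT,
    and will it let that anonymous client subscribe to '#'?
    Only run this against brokers you own or are authorised to test."""
    result = {"anonymous_connect": False, "wildcard_subscribe": False, "connack": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect("mqtt-exposure-check"))
        accepted, code, desc = parse_connack(s.recv(4))
        result["connack"] = f"{code} ({desc})"
        result["anonymous_connect"] = accepted
        if accepted:
            s.sendall(build_subscribe("#"))
            result["wildcard_subscribe"] = parse_suback(s.recv(5))
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A broker that is configured properly answers the anonymous CONNECT with return code 5 (not authorized), or 4 if it requires credentials and rejects the empty ones; an exposed hub answers 0 and then grants the `#` subscription, after which every message from every device arrives at the probe. Note that `probe()` reads exactly the CONNACK and SUBACK sizes, so a broker that silently closes the connection instead of replying will raise rather than report a result.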
“Further, as most users don’t set up access controls, in the form of Access Control Lists (ACLs), when they configure a Mosquitto broker while setting up their smart home hub, cybercriminals can not only subscribe to the server, but can also publish to it, thus seizing control of all devices in a smart home,” he points out.
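The two gaps Hron names, no password and no ACL, are each one missing line in `mosquitto.conf`. Below is an added example (not Avast's or the Mosquitto project's code) that places a constructed weak configuration beside a constructed hardened one and audits either for the settings that matter; the file paths in the samples are placeholders, and the check for the anonymous default relies on the fact that Mosquitto releases before 2.0 allowed anonymous clients unless `allow_anonymous false` was set.

```python
from typing import Dict, List

# Constructed sample: a pre-2.0 Mosquitto config of the kind found on exposed
# smart-home hubs. Nothing is wrong syntactically; everything is missing.
WEAK_CONF = """
# mosquitto.conf as typically left after install
listener 1883
"""

# Constructed sample: the same broker hardened. Paths are placeholders.
HARDENED_CONF = """
listener 8883
cafile   /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile  /etc/mosquitto/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Directive -> list of values, in file order (some directives repeat, e.g. listener)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_conf(text: str, mosquitto_major: int = 1) -> List[str]:
    """Return a list of findings; an empty list means the basics are covered.
    Global settings only: if per_listener_settings is true, check each listener."""
    conf = parse_conf(text)
    findings: List[str] = []

    anon = conf.get("allow_anonymous", [])
    if anon:
        anon_on = anon[-1].lower() == "true"        # last value wins
    else:
        anon_on = mosquitto_major < 2                # 1.x default: anonymous allowed
    if anon_on:
        findings.append("anonymous clients accepted (allow_anonymous)")

    if "password_file" not in conf and "psk_file" not in conf:
        findings.append("no password_file: no client credentials are defined at all")

    if "acl_file" not in conf:
        findings.append("no acl_file: any connected client may publish to every topic")

    if "certfile" not in conf or "keyfile" not in conf:
        findings.append("no TLS listener: credentials and payloads travel in the clear")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(text) or ["ok"])
```

The ACL file that `acl_file` points to is what separates "can subscribe" from "can publish": a hub user gets `topic readwrite home/#` while each device account is restricted to its own branch, so a single leaked device credential cannot be used to command the rest of the house. An audit like this belongs in the deploy step, because the weak sample above is what the broker happily starts with.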
Avast researchers also found that a smart home can be hacked through an insecure smart home control panel.
“Many homeowners use open source solutions for their smart home. The most popular software for smart hubs are readily available solutions such as Domoticz, Home Assistant and OpenHAB. When we looked for these, we were able to see a lot of default configurations, which surprisingly required no password. So, even if the MQTT server is secure, the dashboard can be accessed as easily as typing the IP address into a browser,” Hron explains.
But even if the dashboard is protected, attackers can still get in through open, unsecured SMB shares on the same network.
“IoT devices are slowly creeping their way into our homes — it is crucial to implement them correctly now, as we will only be adding more as time goes on,” he warns.
“Industry-wide, we have called for better device-level security for IoT devices. In order to ensure users’ entire smart home ecosystem is secured, manufacturers need to develop IoT devices which are simple for consumers to set up with a high-level of security. Lastly, there is a need for more secure control solutions that allow consumers to confidently use technology in their homes with the knowledge that it is secure and their privacy protected.”