Poor security surrounding an obscure but common machine-to-machine messaging protocol is exposing personal and corporate data, warns a Canadian security researcher.
Darryl Burke, CTO of an Ontario software marketing firm who also runs a consulting business on the side, says using the Shodan search engine he’s found several examples of unsecured servers with poorly-configured versions of Message Queuing Telemetry Transport (MQTT), a lightweight messaging protocol used by developers in a number of applications.
Problems include
–an Edmonton municipal parking lot that uses service from a third-party vendor which photographs the licence plates of cars entering the lot to confirm payment. These images, however, aren’t encrypted. Since being notified the city is looking into the issue;
— a Canadian firm that sells a background music service to companies for stores and elevators, which exposed data such as which playlists are chosen by customers. This isn’t personal information, Burke says, but it could be of interest to a competitor. Burke said the company told him the service is a proof-of-concept and knows about the leak;
—a U.S.-based taxi dispatch service whose messages to drivers on where and when to pick up fares can be intercepted. These messages may include a phone number.
IT administrators “need to be aware of this if they’re using IoT infrastructure, or vendor software that uses it,” said Burke. They should be asking the right questions and making sure it’s protected, otherwise they could be inadvertently exposing their data.”
His warning comes as Trend Micro released a report on vulnerabilities in MQTT and a protocol called CoAP (Constrained Application Protocol), which allows the creation of the equivalent of HTTP for constrained nodes in client-server applications. CoAP is based on the User Datagram Protocol (UDP, the report warns so is inherently susceptible to Internet Protocol (IP) spoofing.
“During our research, we found hundreds of thousands of misconfigured hosts that exposed credentials, sensitive information, and industry-related process data,” says the report.
The cautions from Burke and Trend Micro are a reminder to CISOs of the dangers posed by industrial automated machine-to-machine and Internet of Things devices, and how purchasing and security team decision-makers can’t just assume devices are secure. Developers also have to ensure the protocols are properly implemented.
Burke came across problems with MQTT while working on a project for his full-time employer. An open standard, MQTT is a publish-subscribe protocol that handles one-to-many communication mediated by brokers. One client can subscribe to it and send out messages which others can act on, The messages or data may be stored in a database on a server. Wondering how many organizations use MQTT, Burke did a quick Internet scan using the Shodan search engine and found 10,000 hosts in North America alone. Then he started building a tool to determine how many of those had security problems.
The early version of the tool has found a lot.
Burke also found security issues in the protocol itself. This last finding was verified by Trend Micro, which said in its report the MQTT standard has some corner cases that could subject implementations to vulnerabilities. One involves the Unicode handling in topic strings. The standard leaves it up to the developer to close the connection upon failing the validation of disallowed UTF-8 code points. So if it happens that a broker does not check for disallowed UTF-8 code points, a malicious client could take advantage of the discrepancy to disconnect other clients through invalidly encoded strings.
“Of course,” says the report, “if the broker follows the standard, it wouldn’t be an issue. Interestingly, if both the broker and the client do not follow the standard, the issue is also avoided. But if the broker does not follow the standard and the client does, the client will disconnect upon receiving invalid content.”
Despite being relatively new, CoAP is already implemented in many pieces of internet-of-things (IoT) and industrial-internet-of-things (IIoT) software, says Trend Micro. “Security issues that we highlight are primarily due to the “connectionless” nature of User Datagram Protocol (UDP), on which it is based.”
One problem with CoAP is it could be used in distributed denial of service amplification attacks because a client could be fooled by a UDP packet with a spoofed source IP address, says the report. Trend Micro estimates the amplification would be 32 times the source, so an attacker with access to a 1-Mbps link would be able to hit a target at 32 Mbps.
”One of the benefits of MQTT, being a ‘publish and subscribe’ (service) … is one client can just publish a message without having to worry about who’s listening,” said Burke. “Whoever’s listening can say, ‘Send me messages of this type,’ and the server will send off the data without the endpoints knowing about each other.” However, he added, if the MQTT server isn’t secured anyone can log into it and query for all messages saved.
As a result administrators or security teams have to ensure not only that all servers exposed to the Internet are protected from any attack, M2M messages have to be encrypted. The data clients send to each other may also have to be limited.