1990s technology exposes 32,000 smart homes, businesses to exploit

The emergence of connected Internet of Things (IoT) devices may have made home lives more interconnected, smart, and efficient — in some cases — but it has also caused a security minefield full of holes and exploits.

More security news

We only need to think back to the Mirai botnet, in which hundreds of thousands of IoT and mobile gadgets were enslaved to a botnet of such size that it managed to briefly knock out connectivity for an entire country.

The botnet was comprised of IoT devices using default credentials which are easy to brute-force. Since then, Mirai-style botnet copycats have emerged to target online services. In one recent case, a threat actor was able to build a botnet based on vulnerable IoT devices 18,000-strong in only 24 hours.

If lax security protocols are in place, anything from a smart lighting setup to security cameras can not only be compromised by threat actors, but used against their owners.

Now, it seems the Message Queuing Telemetry Transport (MQTT) protocol, which is used to control smart home devices, is now causing a fresh security headache.

According to security researchers from Avast, MQTT is making its way into our homes and businesses as a means of controlling the vast array of IoT devices at our disposal.

However, the cybersecurity firm says that the protocol, which requires a server or mini PC like the Raspberry Pi, is exposing IoT devices to attack.

While MQTT in itself is secure, as is the most common server software which implements the protocol — known as Mosquitto — when implemented incorrectly in products and services such as smart home hubs, servers can become publicly visible which paves the way for attackers to compromise connected IoT devices.

CNET: IoT attacks are getting worse — and no one’s listening

When these devices are connected to an enterprise system, for example, attackers may be able to access other systems, steal data, and more. Security flaws in archaic fax machines can be used to steal data from businesses, and so the use of IoT devices, in the same manner, is not unrealistic.

According to the cybersecurity firm, exploration through the Shodan search engine uncovered over 49,000 MQTT servers which were publicly visible due to misconfiguration of the MQTT protocol.

In addition, 32,000 of the servers found had no protection at all, as no passwords were in place to prevent entry.

screen-shot-2018-08-17-at-12-22-20.jpg Avast

“The early use cases for IoT devices were largely industrial,” Avast says. “The other problem is that people don’t generally focus on security when setting up IoT devices. If you don’t encourage the user to change the settings (at least to change the default password), they will probably end up using the default configuration.”

TechRepublic: How to inoculate the tech herd from IoT cyber-infections

In order to test how vulnerable the smart home can be, the researchers chose an open MQTT server and subscribed to the protocol remotely, which requires no authentication. In this case, they were able to monitor the communication channel between different home automation systems, as well as spy on every light as they were being switched on and off.

Not only could this kind of access allow attackers to monitor whether or not someone is at home — potentially leading to physical burglary — but they could also perform “replay attacks” to seize control of IoT devices, such as smart door locks.

To make matters worse, the researchers were also able to gain access to smart home system dashboards even when MQTT servers were secure.

Many IoT products rely on open-source components such as Domoticz, Home Assistant, and OpenHAB, which Avast found often used default configurations which required no credentials to access.

screen-shot-2018-08-17-at-13-36-39.jpg

screen-shot-2018-08-17-at-13-36-39.jpg

When the dashboard and server were both protected, it only took a quick check of other services connected to them to find other security holes to exploit.

In some cases, open and unsecured SMB shares were available, and these publicly-shared directories contained configuration files containing credentials stored in plain text, leading to unfettered access to smart home dashboards.

screen-shot-2018-08-17-at-13-46-32.jpg

screen-shot-2018-08-17-at-13-46-32.jpg

See also: ‘Hacky hack hack’: Teen arrested for breaking into Apple’s network

“Because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern, it is frighteningly easy to gain access and control of a person’s smart home,” the researchers say. “The convenience of IoT devices and smart home hubs connected to the internet is a double-edged sword, and there is a trade-off between ease-of-use and security.”

Previous and related coverage

READ MORE HERE