We are living in a world that is increasingly becoming more and more dependent on the Internet of Things, meaning there is, or should be at least, an increased focus on security for IoT.
However, Trend Micro, a Japanese cybersecurity firm, published a report that showed two of the leading machine-to-machine (M2M) protocols — Message Queueing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) – have design issues that aren’t used in a secure manner. These two protocols are mostly found with industrial IoT devices.
IoT Security Report
Researchers Federico Maggi and Rainer Vosseler prepared the report for Trend Micro and stated that when using simple keyword searches, attackers were able to find exposed IoT servers and brokers. They have leaked more than 200 million MQTT messages and 19 million CoAP messages. The attackers can then use the messages for industrial espionage, denial-of-service attacks, and targeted attacks.
The research dug up 4,310 agriculture-related records from smart farms. Health care records were also turned up that contained the exact location of ambulances as well as data from monitoring devices that were attached to patients. That data included email addresses and location information.
Of the messages that Trend Micro obtained, 4,627,973 were contained private IP addresses. 219 of those used 12345 as a password, one that most know is critically inept.
While MQTT is used in industrial IoT, the protocol is often used in groupware tools and messaging apps, such as Facebook Messenger. The Trend Micro research found an exposed instance from Bizbox Alpha, an Android app. It leaked 55,475 messages for just four months. 18,000 of these were email messages.
“The issues we’ve uncovered in two of the most pervasive messaging protocols used by IoT devices today should be cause for organizations to take a serious, holistic look at the security of their OT environments,” noted Greg Young, vice president of cybersecurity at Trend Micro, in a statement.
“These protocols weren’t designed with security in mind but are found in an increasingly wide range of mission-critical environments and use cases. This represents a major cybersecurity risk,” he added.
“Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft, and denial-of-service attacks.”
The Next Web is assuming we’ve only begun to see what amounts to an “insecurity nightmare” with an estimated 8.4 billion installed IoT devices last year.
To help keep this under control, Trend Micro recommends that organizations remove any M2M services that aren’t necessary and that existing devices are monitored as well to be sure they aren’t leaking private data.
But to be honest, security as a whole is woefully inept. Look at all the recent cases of compromised data. Before anything else, there needs to be a greater awareness of security overall in tech, and then certainly it should also be recognized at the IoT level.
Does this data worry you or does it come as no surprise considering the state of the security in the tech world? Let us know what you think about insecurity with regards to IoT messaging protocols in the comments.