Misconfigured Message Queuing Telemetry Transport (MQTT) servers that are not password protected can give complete access to smart home devices and put them at risk of leaking data, according to recent research by cybersecurity provider Avast.
In the new research, Avast found more than 49,000 MQTT servers publicly visible on the internet because of a misconfigured MQTT setup. This includes more than 32,000 servers with no password protection. Of these, 595 were in India.
For the unaware, the MQTT protocol is used to interconnect and control smart home devices via smart home hubs. To implement MQTT, users set up a server (broker), which usually lives on a PC or a mini-computer such as a Raspberry Pi.
The research said that while the MQTT protocol itself is secure, security issues can arise when MQTT is incorrectly implemented and misconfigured. In such cases, the research added, cybercriminals could gain complete access to a home to learn when the owners are home, and manipulate entertainment systems, voice assistants and household devices. Under certain conditions, cybercriminals can even track a user’s whereabouts, which is a serious privacy and security threat.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” said Martin Hron, security researcher at Avast. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
Martin Hron describes five ways in which poorly configured MQTT servers can be abused by hackers.
These include using the Shodan IoT search engine to find open and unprotected MQTT servers, or using a dashboard to control a smart home’s control panel that runs on the same IP address as the MQTT server.
Even if both the MQTT server and the dashboard are protected, the research found that in the case of the smart hub software Home Assistant, open and unsecured SMB shares are publicly exposed and therefore accessible to hackers.
Another method involves hackers accessing the user’s dashboard. A particular application, MQTT Dash, allows users to create their own dashboard and control panel to control smart devices over MQTT. If the MQTT server it uses is unsecured, a hacker can easily take over the smart home.
The last method involves hackers tracking users’ location through a mobile application called OwnTracks, which many MQTT servers are connected to. When connecting to an MQTT server, the application exposes it to the internet without requiring any credentials, meaning anyone can connect to the server.
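As an added illustration, not part of the Avast research or this article, the two configuration fragments below contrast the unprotected broker setup the research describes with a hardened one. The broker is assumed to be Eclipse Mosquitto (the article does not name the software), and all file paths, user names and the OwnTracks topic layout are constructed placeholders.

```conf
# --- /etc/mosquitto/mosquitto.conf : WEAK (what the research found) ---
# Plain-text listener reachable from the internet, no credentials required.
listener 1883 0.0.0.0
allow_anonymous true

# --- /etc/mosquitto/mosquitto.conf : HARDENED ---
# 1. Plain listener only on the LAN interface (placeholder address).
listener 1883 192.168.1.10
# 2. TLS listener for anything that must be reachable remotely.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
# 3. Every client must present a username/password
#    (created with: mosquitto_passwd -c /etc/mosquitto/passwd alice).
allow_anonymous false
password_file /etc/mosquitto/passwd
# 4. Restrict which topics each account may touch.
acl_file /etc/mosquitto/acl

# --- /etc/mosquitto/acl (referenced above) ---
# Location updates: each user may publish/read only their own
# OwnTracks topic (%u expands to the authenticated username).
pattern readwrite owntracks/%u/#
# The dashboard account may control devices but not read location data.
user dashboard
topic readwrite home/devices/#
```

With `allow_anonymous false` set, an unauthenticated connection is refused at CONNECT time, which removes the precondition for every abuse scenario described above; the ACL additionally keeps a compromised dashboard credential from reading location topics.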