The Asian Age

At least 32,000 smart homes, businesses under threat: Avast

Avast found more than 49,000 MQTT servers visible on the Internet due to a misconfigured MQTT protocol. The protocol is used to interconnect and control smart home devices.

- AGE CORRESPONDENT

Research from Avast, a company that works with cybersecurity products, found more than 49,000 Message Queuing Telemetry Transport (MQTT) servers publicly visible on the internet due to a misconfigured MQTT protocol. This includes more than 32,000 servers (595 from India) with no password protection, putting them at risk of leaking data. The MQTT protocol is used to interconnect and control smart home devices via smart home hubs. When implementing the MQTT protocol, users set up a server. For consumers, the server usually lives on a PC or a mini-computer such as a Raspberry Pi, to which devices can connect and communicate.

While the MQTT protocol itself is secure, severe security issues can arise if MQTT is incorrectly implemented and configured. Cybercriminals could gain complete access to a home to learn when its owners are home, manipulate entertainment systems, voice assistants and household devices, and see if smart doors and windows are opened or closed. Under certain conditions cybercriminals can even track a user's whereabouts, which can be a serious privacy and security threat.

Martin Hron describes five ways in which poorly configured MQTT servers can be abused by hackers:

Open and unprotected MQTT servers can be found using the Shodan IoT search engine, and once connected, hackers can read messages transmitted using the MQTT protocol. Avast research shows that hackers can read the status of smart window and door sensors, for example, and see when lights are switched on and off. Avast also found that outsiders could control connected devices or at least poison data using the MQTT protocol on behalf of devices.

Even if an MQTT server is protected, Avast found that a smart home can be hacked because, in some cases, the dashboard used to control a smart home's control panel runs on the same IP address as the MQTT server.

Even if both the MQTT server and dashboard are protected, Avast found that in the case of the smart hub software Home Assistant, open and unsecured SMB shares are public and therefore accessible to hackers.

Smart homeowners can use tools and apps to create a dashboard for an MQTT-based smart home, to control their connected devices. A particular application, MQTT Dash, allows users to create their own dashboard and control panel to control smart devices using MQTT.

It was found that MQTT can, in certain instances, allow hackers to track users' location, as MQTT servers typically concentrate on real-time data. Many MQTT servers are connected to a mobile application called OwnTracks. OwnTracks gives users the possibility to share their location with others, but can also be used by smart home owners to let the smart home devices know when the user is approaching the home, to activate smart devices such as smart lamps. To configure the tracking feature, users have to configure the application by connecting to an MQTT server and exposing the MQTT server to the internet. During this process, users are not required to set up login credentials, meaning anyone can connect to the MQTT server. Hackers can read messages that include a device's battery level, location using latitude, longitude, and altitude points, and the timestamp for the position.
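For a broker you operate, the no-password condition described above can be checked directly. The following is an added example, not code from Avast or from the article: it builds an MQTT 3.1.1 CONNECT packet with no credentials and reads the CONNACK return code. The function names, the client identifier and the host name in the closing comment are illustrative assumptions.

```python
import socket

# CONNACK return codes defined by MQTT 3.1.1
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit = more bytes."""
    out = bytearray()
    while True:
        n, digit = n // 128, n % 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)

def _field(text):
    """UTF-8 string with the 2-byte big-endian length prefix MQTT requires."""
    raw = text.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw

def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build an MQTT 3.1.1 CONNECT packet; no username means anonymous."""
    flags = 0x02                              # clean session
    payload = _field(client_id)
    if username is not None:
        flags |= 0x80
        payload += _field(username)
        if password is not None:              # a password is only valid with a username
            flags |= 0x40
            payload += _field(password)
    header = _field("MQTT") + bytes([0x04, flags]) + keepalive.to_bytes(2, "big")
    body = header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body

def parse_connack(data):
    """Return the CONNACK return code, or raise ValueError if malformed."""
    if len(data) != 4 or data[0] != 0x20 or data[1] != 0x02 or data[3] not in CONNACK_CODES:
        raise ValueError("not a valid MQTT 3.1.1 CONNACK")
    return data[3]

def accepts_anonymous(host, port=1883, timeout=5.0):
    """True if the broker at host:port accepts a client with no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("config-audit"))
        return parse_connack(sock.recv(4)) == 0

# Usage against your own broker (placeholder host name):
#   accepts_anonymous("broker.example.internal")
```

A result of `True` means the broker admits unauthenticated clients and should have authentication enabled or be taken off the public internet.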
