by Bharat Mistry
The Internet of Things is a hugely complex ecosystem of devices, messaging protocols, cloud systems, networks and more. With so many moving parts, it’s inevitable that there are security gaps for attackers to exploit. The fact that attacks thus far have been relatively isolated should be no cause for complacency. With IoT increasingly embedded into the operations of hospitals, factories, energy plants, offices and more, we should be looking more closely at where these gaps lie.
That’s why Trend Micro released a major new piece of research today. It reveals serious design flaws and vulnerabilities in two of the most popular machine-to-machine protocols in use today. Over 219 million messages were exposed globally by these systems in just the four months of the research period.
What we found
The report, The Fragility of Industrial IoT’s Data Backbone, details our research into Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). They work slightly differently, but both are vital to the free flow of data that drives the IoT and industrial IoT. There’s just one problem: security is optional and not built in. That means misconfigured systems could end up leaking credentials, sensitive information, and industry-related process data to facilitate reconnaissance and industrial espionage. Meanwhile, the ability to poison telemetry data could sabotage key industrial processes.
On top of this, the protocols contain vulnerabilities which could be exploited to deny service or enable full remote control of devices. CVE-2018-17614, for example, is an out-of-bounds write that could allow an attacker to execute arbitrary code on vulnerable devices supporting MQTT.
The report highlights four main threats:
- Targeted reconnaissance: Unsecured deployments were found leaking technical details, names, phone numbers, credentials, and network configuration details. This is exactly what hackers are looking for to help craft targeted attacks. Even attackers with limited resources could identify lucrative information on assets, personnel and technology with simple keyword searches.
- Industrial espionage: The same security deficiencies are exposing key operational data in manufacturing, healthcare, local government, building automation, transportation, agriculture and other sectors. This could give a competitor a distinct advantage over a targeted company.
- Targeted attacks: Potentially using the info harvested in reconnaissance raids, hackers could launch targeted attacks on IoT systems with relative ease. Design, implementation, and deployment issues make it possible to take control of endpoints and deny service.
- Lateral movement: Attackers can even exploit functionality in the protocols to maintain persistent access to a target and/or move laterally across a network, which can help during targeted attacks.
There are even wider implications. MQTT is used by Facebook Messenger and other services, potentially exposing private messages. One specific instance from Bizbox Alpha mobile leaked 55,475 messages in four months, 18,000 of which were email messages.
Strengthening the backbone
If these security challenges weren’t enough, we believe that as M2M traffic grows in volume, hackers are increasingly likely to use MQTT and CoAP as a command-and-control and exfiltration channel, as well as a vector for DoS. So what’s the answer? Four key steps can help from a corporate perspective:
- Implement policies to remove unnecessary M2M services
- Run periodic internet-wide checks/scans to ensure sensitive data is not leaking through public IoT services
- Implement a vulnerability management workflow or other means to secure the supply chain
- Stay up-to-date with industry standards as the technology is evolving rapidly
As part of Trend Micro’s ongoing commitment to Securing the Connected World, our senior threat researcher, Federico Maggi, is presenting solo and will be taking part in a panel debate on IoT security at Black Hat Europe on Thursday.
What: Building Your Defense for the Internet of Things
Where: Black Hat Europe, London Excel
When: 6 Dec 2018; 13:55-14:15, Business Hall Theatre B (panel) and 15:45-16:35, Room D (talk)