Dataweek Electronics & Communications Technology Magazine

MQTT protocol is giving hackers a backdoor into smart homes
12 September 2018, News

Another warning has been issued to designers of Internet of Things (IoT)-connected products: cybersecurity firm Avast recently announced that it had found a severe and widespread exposure related to MQTT (originally MQ Telemetry Transport), the lightweight publish/subscribe messaging protocol widely used by smart home devices.

The company found more than 49 000 MQTT brokers (the servers that relay MQTT messages between devices) visible on the public Internet because of misconfiguration. More than 32 000 of them accept connections without a password, putting the data flowing through them at risk of exposure. To be clear, this does not mean that the MQTT protocol itself is broken. The specification leaves authentication and encryption optional, so severe security problems arise when a broker is deployed with those protections switched off and then exposed to the Internet.

MQTT is used to interconnect and control smart home devices through a smart home hub. Setting it up means running a broker: in a consumer's home this usually lives on a PC or a small single-board computer such as a Raspberry Pi, and the devices connect to it and exchange messages through it.
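As an added example (not from the article or from Avast), here is what the difference between an exposed broker and a properly set-up one looks like for Mosquitto, the broker most often run on a Raspberry Pi for this purpose. The first fragment is what a Mosquitto release before 2.0 effectively applied out of the box once a listener was enabled: anonymous clients accepted on every interface. The second requires credentials on each listener, limits what every account may publish and subscribe to through an ACL file, and puts anything that must be reachable from outside the home behind TLS with client certificates. The two fragments are alternatives, not one file; the interface address, file paths and account names are assumptions for the example.

```conf
# --- Weak: a pre-2.0 Mosquitto install amounted to this by default ---
# Anyone who can reach TCP/1883 may connect, subscribe to '#' and publish.
listener 1883 0.0.0.0
allow_anonymous true

# --- Hardened: /etc/mosquitto/mosquitto.conf (address and paths assumed) ---
per_listener_settings true

# Plain listener bound to the LAN address only, for devices that cannot do TLS.
# Accounts live in a file created with: mosquitto_passwd -c /etc/mosquitto/passwd <user>
listener 1883 192.168.1.10
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# TLS listener for anything that must be reachable from outside (a phone running
# a location app, for instance). Clients must present a certificate signed by the CA.
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true

# --- /etc/mosquitto/acl (separate file, shown here commented out) ---
# Least privilege per account: a sensor may only publish on its own topics,
# the dashboard may read everything and publish only commands.
# user door-sensor
# topic write home/door/#
# user owntracks
# topic write owntracks/#
# user dashboard
# topic read home/#
# topic write home/+/set
```

Even the hardened configuration only limits the damage of exposure; the root cause in the findings below is that the broker was reachable from the Internet at all. Where a phone needs to reach the hub from outside, a VPN into the home network removes that exposure entirely, and the TLS listener is the fallback when a VPN is not an option.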

The implication of the exposures Avast discovered is that cybercriminals could gain complete access to a home: learn when its owners are at home, manipulate entertainment systems, voice assistants and household appliances, and see whether smart doors and windows are open or closed. Under certain conditions, Avast says, criminals can even track a user's whereabouts, which is a serious privacy and safety threat.

“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” said Martin Hron, security researcher at Avast. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”

Hron describes five ways in which poorly configured MQTT brokers can be abused by attackers:

1. Open and unprotected MQTT brokers can be found with the Shodan IoT search engine. Once connected, an attacker can subscribe to every topic and read the messages passing through the broker. Avast's research shows that this reveals the status of smart window and door sensors, for example, and when lights are switched on and off. In the cases it examined, Avast also found that outsiders could publish messages of their own, either controlling connected devices directly or poisoning the data by publishing on behalf of a device. An attacker could, for example, send the hub a message instructing it to open the garage door.

2. Even if the MQTT broker is protected, Avast found that a smart home can still be hacked, because in some cases the dashboard used to control the home runs on the same IP address as the broker. Many users keep the default configuration that ships with their smart home hub software, and these dashboards are often not password protected, so an attacker can gain complete access to the dashboard and control any device connected through it.

3. Even if both the broker and the dashboard are protected, Avast found that in the case of one smart hub package, Home Assistant, open and unsecured SMB shares were exposed to the Internet and therefore accessible to attackers. SMB is a protocol for sharing files on internal networks, mainly on Windows. Avast found publicly shared directories containing all of the Home Assistant files, including its configuration files, and among them a file storing passwords and keys in plain text. The passwords in that configuration file can give an attacker complete control of a person's home.

4. Smart home owners can use tools and apps to build a dashboard for an MQTT-based smart home from which they control their connected devices. One such application, MQTT Dash, lets users create their own dashboard and control panel to operate smart devices over MQTT. Users have the option of publishing their dashboard settings to the MQTT broker so they can replicate them on as many devices as they like. If that broker is unsecured, an attacker can retrieve the user's dashboard from it, which hands over the topics and commands the owner uses to control the home and makes hacking it straightforward.

5. Avast found that MQTT can, in certain instances, let attackers track users' location, because MQTT brokers typically carry real-time data. Many MQTT brokers are connected to a mobile application called OwnTracks. OwnTracks lets users share their location with others, but smart home owners also use it to tell the home that the user is approaching, for example to switch on smart lamps. To configure this feature, users must point the application at an MQTT broker and expose that broker to the Internet. The setup does not require login credentials, so anyone can connect to the broker. Attackers can then read messages that include the device's battery level, its location as latitude, longitude and altitude, and the timestamp of the position.
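As an added illustration of what steps 1 and 5 rely on (example code written for this article, not code from Avast or from any of the products named), the following encodes and decodes the MQTT 3.1.1 packets involved: the anonymous CONNECT a probe sends, the CONNACK a broker answers with (return code 0 means the anonymous connection was accepted, 5 means it was refused as not authorised), a SUBSCRIBE to the wildcard filter `#` that receives every message the broker carries, and the PUBLISH packets that then arrive, including an OwnTracks-style location update. It also shows that a CONNECT carrying a username and password places both on the wire in clear text, which is why a broker reachable from the Internet needs TLS as well as a password. Client ids, topic names and the sample packets are constructed for the example, the OwnTracks JSON field names are assumed from that application's published format, and nothing here opens a network connection.

```python
# Minimal MQTT 3.1.1 packet codec. Added example, not code from the article or
# from Avast; topics, client ids and sample packets are constructed, no network.
import json
import struct

CONNECT, CONNACK, PUBLISH, SUBSCRIBE = 1, 2, 3, 8

# CONNACK return codes (MQTT 3.1.1, table 3.1); 0 to an anonymous CONNECT is
# what a password-less broker answers.
CONNACK_CODES = {0: "connection accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def _utf8(s):
    """MQTT string: 2-byte big-endian length prefix, then UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b

def _encode_remaining_length(n):
    """Variable-byte integer: 7 data bits per byte, high bit = more follows."""
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)

def _decode_remaining_length(data, idx):
    """Return (value, index of the first byte after the length field)."""
    value, multiplier = 0, 1
    while True:
        b, idx = data[idx], idx + 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, idx
        multiplier *= 128

def _packet(ptype, flags, body):
    return bytes([(ptype << 4) | flags]) + _encode_remaining_length(len(body)) + body

def build_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT. With no credentials the only flag is 'clean session': that is
    all an anonymous probe has to send to a broker that allows it."""
    flags, payload = 0x02, _utf8(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8(username)
    if password is not None:
        flags |= 0x40
        payload += _utf8(password)  # clear text on the wire unless TLS wraps it
    header = _utf8("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    return _packet(CONNECT, 0, header + payload)

def parse_connack(data):
    """Return (session_present, return_code, meaning) from a CONNACK packet."""
    if data[0] >> 4 != CONNACK:
        raise ValueError("not a CONNACK packet")
    _, idx = _decode_remaining_length(data, 1)
    code = data[idx + 1]
    return bool(data[idx] & 0x01), code, CONNACK_CODES.get(code, "reserved")

def build_subscribe(topic_filter, packet_id=1, qos=0):
    """SUBSCRIBE (fixed-header flags must be 0b0010). '#' matches every topic."""
    body = struct.pack("!H", packet_id) + _utf8(topic_filter) + bytes([qos])
    return _packet(SUBSCRIBE, 0x02, body)

def build_publish(topic, payload, retain=False):
    """QoS 0 PUBLISH: topic, then payload; no packet identifier at QoS 0."""
    return _packet(PUBLISH, 0x01 if retain else 0x00, _utf8(topic) + payload)

def parse_publish(data):
    """Return (topic, payload, qos, retain) from a PUBLISH packet."""
    if data[0] >> 4 != PUBLISH:
        raise ValueError("not a PUBLISH packet")
    qos, retain = (data[0] >> 1) & 0x03, bool(data[0] & 0x01)
    length, idx = _decode_remaining_length(data, 1)
    end = idx + length
    topic_len = struct.unpack("!H", data[idx:idx + 2])[0]
    topic = data[idx + 2:idx + 2 + topic_len].decode("utf-8")
    idx += 2 + topic_len + (2 if qos else 0)  # QoS 1 and 2 carry a packet id
    return topic, data[idx:end], qos, retain

def summarise_owntracks(data):
    """Step 5 above: an OwnTracks location update is a JSON PUBLISH. Field names
    (_type, lat, lon, alt, batt, tst) are assumed from the OwnTracks format."""
    topic, payload, _, _ = parse_publish(data)
    msg = json.loads(payload)
    if msg.get("_type") != "location":
        return {"topic": topic, "location": None}
    return {"topic": topic, "lat": msg["lat"], "lon": msg["lon"],
            "alt": msg.get("alt"), "battery": msg.get("batt"), "time": msg["tst"]}

# Constructed sample of what a '#' subscriber on an open broker would receive.
SAMPLE_OWNTRACKS = build_publish("owntracks/alice/phone", json.dumps(
    {"_type": "location", "lat": -26.1, "lon": 28.0, "alt": 1700,
     "batt": 58, "tst": 1536710400}).encode())
```

Two things are worth noticing in the byte layout. The anonymous CONNECT is nineteen bytes with a single flag bit set, so a scanner that finds port 1883 open needs nothing else to test whether a broker is unprotected: if the two-byte CONNACK body ends in 0 the broker is open, if it ends in 5 a password is required. And when credentials are supplied, the password follows the username in the payload as a plain length-prefixed string, so a broker that asks for a password but is reachable over an unencrypted listener still leaks it to anyone on the path.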

For more information visit www.avast.com


Copyright © Technews Publishing (Pty) Ltd. All rights reserved.