Public-facing IPs are exposing millions of records

The data backbones supporting IoT networks are dangerously fragile, security researchers warn.

A team of researchers from Trend Micro and Politecnico di Milano found that two of the most widely used machine-to-machine (M2M) protocols – Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) – suffer from both design weaknesses and insecure deployment.

The research highlights how attackers could exploit protocol-level weaknesses to remotely compromise IoT endpoints or cause vulnerable systems to freeze.

Abusing specific features of the protocols could also let attackers maintain persistent access to a vulnerable system or, worse, move laterally across a targeted network.

Various vulnerabilities were identified through this research and disclosed through Trend Micro’s Zero Day Initiative (ZDI): CVE-2017-7653, CVE-2018-11615, and CVE-2018-17614.

Possibly the worst of the batch, CVE-2018-17614 is an out-of-bounds write that could allow an attacker to execute arbitrary code on vulnerable devices running an affected MQTT client implementation.

While no new CoAP vulnerabilities were discovered, the report highlights how systems running the UDP-based protocol can be abused to amplify the volume of DDoS traffic thrown at a target: because UDP involves no handshake, an attacker can send small requests carrying the victim's spoofed source address, and the server's larger replies are delivered to the victim.
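As an added illustration of that asymmetry (example code written for this page, not taken from the report), the following Python builds and parses CoAP messages as laid out in RFC 7252 and measures the size ratio between the RFC 6690 resource-discovery request for `/.well-known/core` and its reply. The reply contents, message ID and resource names are constructed here, so the resulting factor is illustrative only; real factors depend on how large each server's resource directory is.

```python
import struct

CON, ACK = 0, 2
GET, CONTENT = 0x01, 0x45            # CoAP codes 0.01 GET and 2.05 Content
URI_PATH, CONTENT_FORMAT = 11, 12    # option numbers (RFC 7252 section 5.10)
LINK_FORMAT = b"\x28"                # Content-Format 40 = application/link-format

def _nibble(value):
    """Option delta/length encoding: 0-12 inline, 13 adds one byte, 14 adds two."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)

def build_coap(msg_type, code, mid, options=(), payload=b"", token=b""):
    """options: (number, bytes) pairs; each is encoded as a delta from the previous number."""
    out = bytearray([0x40 | (msg_type << 4) | len(token), code]) + struct.pack("!H", mid) + token
    last = 0
    for number, value in sorted(options, key=lambda o: o[0]):   # stable: keeps Uri-Path order
        d, dext = _nibble(number - last)
        ln, lext = _nibble(len(value))
        out += bytes([(d << 4) | ln]) + dext + lext + value
        last = number
    if payload:
        out += b"\xff" + payload                                  # payload marker
    return bytes(out)

def _read_ext(nib, buf, pos):
    if nib < 13:
        return nib, pos
    if nib == 13:
        return buf[pos] + 13, pos + 1
    return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2

def parse_coap(buf):
    if buf[0] >> 6 != 1:
        raise ValueError("not CoAP version 1")
    msg_type, tkl, code = (buf[0] >> 4) & 0x03, buf[0] & 0x0F, buf[1]
    (mid,) = struct.unpack_from("!H", buf, 2)
    pos, token = 4 + tkl, buf[4:4 + tkl]
    options, number = [], 0
    while pos < len(buf) and buf[pos] != 0xFF:
        d, ln = buf[pos] >> 4, buf[pos] & 0x0F
        if d == 15 or ln == 15:
            raise ValueError("reserved option nibble")
        delta, pos = _read_ext(d, buf, pos + 1)
        length, pos = _read_ext(ln, buf, pos)
        number += delta
        options.append((number, buf[pos:pos + length]))
        pos += length
    payload = buf[pos + 1:] if pos < len(buf) else b""
    return {"type": msg_type, "code": code, "mid": mid, "token": token,
            "options": options, "payload": payload}

def amplification_factor(request, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(request)

# Constructed exchange: the RFC 6690 discovery request, and an invented resource
# directory of the size a small device might return (eight temperature sensors).
DISCOVERY_REQUEST = build_coap(CON, GET, 0x1234,
                               [(URI_PATH, b".well-known"), (URI_PATH, b"core")])
DISCOVERY_RESPONSE = build_coap(ACK, CONTENT, 0x1234, [(CONTENT_FORMAT, LINK_FORMAT)],
    payload=b",".join(b'</sensors/%d/temp>;rt="temperature-c";if="sensor"' % i for i in range(8)))
```

The request is 21 bytes on the wire; the constructed reply is 398 bytes, so each spoofed request delivers roughly 19 times its own size to the victim. In an attack the attacker never sees the reply, which is why the request above carries no token and why a server listening on a public IP with no DTLS or rate limiting is enough to be useful as a reflector.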

Exposed endpoints easily found

The researchers warn that hundreds of thousands of MQTT and CoAP hosts are reachable on public-facing IP addresses and are collectively exposing millions of records to anyone who connects.

Exposed endpoints can be found in virtually every country, because neither protocol requires authentication or encryption by default and deployments are indexed by internet-wide scanning services.

The researchers estimate that more than 200 million MQTT messages and 19 million CoAP messages have been leaked by exposed brokers and servers in the last four months alone.

Attackers can harvest this information with straightforward keyword searches and then use it for industrial espionage, denial-of-service and targeted attacks.

Data about the location of ambulances and information from patient monitors both feature in the sample of leaked and readily searchable information.

Leaked messages from groupware (collaborative) messaging apps are commonplace in the sample. One instance, from Bizbox Alpha mobile, leaked 55,475 messages in a little over four months, of which about 18,000 were email messages.

The absence of well-defined security in these protocols creates problems both for city-wide IoT deployments and for smart factories, where the researchers uncovered an array of potentially sensitive records.

In one case a programmable logic controller (PLC) was publishing telemetry through an open MQTT broker. The exposed records could reveal the names assigned to particular control systems, details of the manufacturing processes, and even urgent maintenance requests.

“The issues we’ve uncovered in two of the most pervasive messaging protocols used by IoT devices today should be cause for organizations to take a serious, holistic look at the security of their OT environments,” said Greg Young, vice president of cybersecurity for Trend Micro.

“These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission-critical environments and use cases. This represents a major cybersecurity risk.”

“Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft, and denial-of-service attacks.”

The researchers offer a variety of countermeasures against potential attack:

  • Implement proper policies to remove unnecessary M2M services
  • Run periodic checks using internet-wide scanning services to ensure sensitive data is not leaking
  • Implement a vulnerability management workflow or other means of securing the supply chain
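The exposure described above and the recommended periodic checks both come down to the same protocol fact: an MQTT 3.1.1 broker that accepts a CONNECT with no username or password will hand a single `#` wildcard subscription every message it relays. The following Python, written as an added example for this page rather than taken from the report, builds those packets byte for byte and parses a captured client-to-broker stream to count anonymous connections and list the topics being published. The client identifier, topic name and JSON payload in the sample stream are constructed, chosen to resemble the ambulance-location telemetry the researchers describe.

```python
import struct

CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8      # MQTT control packet types

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 data bits per byte, MSB set on all but the last."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf, pos):
    value = 0
    for shift in range(0, 28, 7):          # at most four bytes
        value |= (buf[pos] & 0x7F) << shift
        pos += 1
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def mqtt_string(s):
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def read_string(body, pos):
    (n,) = struct.unpack_from("!H", body, pos)
    return body[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def build_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT with clean session; username/password flags are set only when supplied."""
    flags, payload = 0x02, mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += mqtt_string(username)
        if password is not None:
            flags |= 0x40
            payload += struct.pack("!H", len(password)) + password
    body = mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([CONNECT << 4]) + encode_remaining_length(len(body)) + body

def build_subscribe(packet_id, topic_filter, qos=0):
    body = struct.pack("!H", packet_id) + mqtt_string(topic_filter) + bytes([qos])
    return bytes([(SUBSCRIBE << 4) | 0x02]) + encode_remaining_length(len(body)) + body  # flags must be 0b0010

def build_publish(topic, payload, retain=False):
    body = mqtt_string(topic) + payload
    return bytes([(PUBLISH << 4) | int(retain)]) + encode_remaining_length(len(body)) + body

def parse_packet(buf):
    """Parse one control packet from the front of buf; returns (info, bytes consumed)."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    length, pos = decode_remaining_length(buf, 1)
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if ptype == CONNECT:
        name, p = read_string(body, 0)
        if name != "MQTT":
            raise ValueError("not an MQTT 3.1.1 CONNECT")
        cflags = body[p + 1]                       # protocol level byte, then connect flags
        client_id, p = read_string(body, p + 4)    # skip level, flags and keep-alive
        if cflags & 0x04:                          # Will flag: skip will topic and will message
            _, p = read_string(body, p)
            p += 2 + struct.unpack_from("!H", body, p)[0]
        username = read_string(body, p)[0] if cflags & 0x80 else None
        info = {"type": "CONNECT", "client_id": client_id, "username": username,
                "has_password": bool(cflags & 0x40), "anonymous": username is None}
    elif ptype == PUBLISH:
        qos = (flags >> 1) & 0x03
        topic, p = read_string(body, 0)
        if qos:                                    # packet identifier is present only for QoS 1 and 2
            p += 2
        info = {"type": "PUBLISH", "topic": topic, "qos": qos,
                "retain": bool(flags & 0x01), "payload": body[p:]}
    else:
        info = {"type": ptype}
    return info, pos + length

def audit_stream(stream):
    """Walk a captured client-to-broker byte stream: count anonymous CONNECTs, list topics seen."""
    anonymous, topics, pos = 0, [], 0
    while pos < len(stream):
        info, used = parse_packet(stream[pos:])
        pos += used
        if info["type"] == "CONNECT" and info["anonymous"]:
            anonymous += 1
        elif info["type"] == "PUBLISH":
            topics.append(info["topic"])
    return {"anonymous_connects": anonymous, "topics": topics}

# Constructed sample stream: an anonymous client, a wildcard subscription, and one retained
# telemetry message of the kind the report describes (client ID, topic and payload invented).
SAMPLE_STREAM = (
    build_connect("scanner-01")
    + build_subscribe(1, "#")
    + build_publish("fleet/ambulance/12/location", b'{"lat":45.4642,"lon":9.1900}', retain=True)
)
```

Two points the bytes make concrete. The only difference between an anonymous and an authenticated session is two bits in the connect flags, so a broker that does not reject the anonymous form is leaking by configuration, not by exploit. And a retained PUBLISH (the RETAIN bit set, as in the sample) is delivered to every new subscriber, which is how a scanner connecting months later still receives the last reading from each topic; `audit_stream` run over a capture of your own broker's listener is a cheap version of the periodic check the researchers recommend.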

The research by Trend Micro and the Italian computer scientists builds on earlier studies from IOActive and Avast, which focus on IoT deployment issues in enterprise and home environments, respectively.

Ken Munro, an IoT security expert and partner at Pen Test Partners, told The Daily Swig that the Trend Micro study was a useful addition to the field, or “interesting research”, as he put it.

A report on the issue, entitled The Fragility of Industrial IoT’s Data Backbone (PDF), was published on Tuesday.