Trend Micro states that two of the most commonly used machine-to-machine (M2M) protocols have major design flaws and are regularly deployed in an unsafe manner. This is stated in the report The Fragility of Industrial IoT’s Data Backbone of the company, reports The Next Web.
This specifically concerns Message Queueing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). The two protocols are regularly used in IoT devices, especially those in industrial contexts. According to researchers Federico Maggi and Rainer Vossler, attackers can use simple searches to locate vulnerable IoT servers and brokers using keywords. They can then leak over 200 million MQTT messages and 19 million CoAP messages.
These messages can then be misused for industrial espionage, DDoS attacks and targeted attacks. Trend Micro was able to find messages related to agriculture and healthcare. The researchers found 4,310 messages related to the agriculture of smart farms. Other data included the exact location of an ambulance and data from monitoring devices attached to patients, along with their email addresses and location information.
4,627,973 of the messages Trend Micro received contained private IP addresses. 219 of them had the unsafe password ‘12345’.
Although MQTT is widely used within industrial IoT, the researchers state that the protocol is also regularly used within group and message-apps tools. One of those apps is Facebook Messenger. During the investigation, the company found a vulnerable instance of the Android app Bizbox Alpha, which leaked 55,475 messages in four months time. 18,000 of which were e-mail messages.
“These protocols were not designed with security in mind, but are found and a growing number of critical environments and use cases. This represents a huge security risk,” said Greg Young, vice president of cyber security at Trend Micro. “Hackers with even modest resources can exploit these errors and vulnerabilities to perform reconnaissance, secret data theft, and DDoS attacks.
By 2017, an estimated 8.4 billion IoT devices had been installed. Trend Micro encourages organizations to remove all unnecessary M2M services and monitor existing devices to ensure they don’t leak private data.This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.