A new investigation by Avast (LSE: AVST), the global leader in digital security products, found more than 49,000 Message Queuing Telemetry Transport (MQTT) servers publicly visible on the internet because of poorly configured MQTT deployments. These include more than 32,000 servers without a password, which puts them at risk of data leakage. The MQTT protocol is used to connect and control smart home devices through smart home hubs. To use MQTT, users set up a server; for consumers, the server usually runs on a PC or a small computer such as a Raspberry Pi, to which the devices connect and through which they communicate.
While the MQTT protocol itself is secure, serious security issues can arise if it is not deployed and configured properly. Cybercriminals can gain full access to the home and find out whether the owners are there; manipulate entertainment systems, voice assistants and home appliances; and see whether smart doors and windows are open or closed. Under certain conditions, cybercriminals can even track the user's location, which seriously threatens their privacy and safety.
“It’s terrifyingly easy to access and control a smart home because there are still many unsafe protocols that go back to a past technological era in which security was not a priority,” said Martin Hron, security researcher at Avast. “Consumers should be aware that these problems can arise when they connect devices that control sectors of their home with services they do not fully understand, and the importance of properly configuring their devices.”
Martin Hron describes five ways that hackers can take advantage of poorly configured MQTT servers:
Open and unprotected MQTT servers can be found through the Shodan IoT search engine and, once connected, hackers can read the messages transmitted over MQTT. Avast's research shows that hackers can, for example, read the status of sensors in a door or a smart window and see whether the lights are on or off. In this particular case, Avast also found that outsiders could control connected devices or, at the very least, contaminate the data sent over MQTT. For example, an attacker could send messages to the hub to open the garage door.
Even if an MQTT server is protected, Avast found that it was possible to hack a smart home because, in some cases, the dashboard used to manage the home control panel runs on the same IP address as the MQTT server. Many users keep the default configuration of the hub software that controls their smart home, and these dashboards are usually not protected with a password, which means that a hacker can gain full access to the dashboard and control any connected device.
Even if the MQTT server and the dashboard are protected, Avast discovered that in the case of one smart home hub software, Home Assistant, directories shared over Server Message Block (SMB) that are open and insecure are public and therefore accessible to hackers. SMB is a protocol for sharing files on internal networks, mainly on the Windows platform. Avast found publicly shared directories containing all Home Assistant files, including settings. Among the exposed files was one that contained passwords and keys saved in plain text. Passwords stored in the configuration file can allow cybercriminals to take full control of a home.
Owners can use tools and applications to create a dashboard for an MQTT-based smart home and control the connected devices. One such application, MQTT Dash, lets users create their own dashboard and control panel to manage smart devices that use MQTT. Users have the option to publish the configuration they defined on the dashboard to the MQTT server and thus replicate it easily on all the devices they want. If the MQTT server used is unsafe, anyone can easily access the user's dashboard and hack into the home.
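The exposure described in the opening paragraph and in the first of Martin Hron's points, and the "unsafe MQTT server" that the MQTT Dash point depends on, usually come down to a few lines in the broker's configuration: anonymous access allowed, no credential file, no topic ACL, and a cleartext listener on every interface. The audit script below is an added example and is not Avast's tooling or code from the article. It assumes the Eclipse Mosquitto broker and its configuration keys (`listener`, `allow_anonymous`, `password_file`, `acl_file`, `cafile`, `certfile`, `keyfile`); the two configuration texts are constructed samples, one open and one hardened.

```python
"""Audit a Mosquitto broker configuration for the open-broker exposure described
in the article. Added example, not Avast's code; assumes Mosquitto config syntax."""
from dataclasses import dataclass, field

# Constructed sample: a broker that anyone on the internet can subscribe to and
# publish on (the kind of server the article says turns up in Shodan results).
WEAK_CONF = """
listener 1883 0.0.0.0
allow_anonymous true
"""

# Constructed sample: TLS listener, credentials required, per-user topic ACLs.
HARDENED_CONF = """
listener 8883 0.0.0.0
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Listener:
    port: int
    bind: str
    tls_files: set = field(default_factory=set)

    @property
    def tls(self) -> bool:
        # A listener only serves TLS when both a certificate and a key are set.
        return {"certfile", "keyfile"} <= self.tls_files


def parse_conf(text: str):
    """Return (global settings, listeners). TLS file options are attributed to the
    most recently declared listener, which is how Mosquitto reads its config."""
    settings, listeners = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            parts = value.split()
            # A listener with no bind address listens on all interfaces.
            bind = parts[1] if len(parts) > 1 else "0.0.0.0"
            listeners.append(Listener(int(parts[0]), bind))
        elif key in ("cafile", "certfile", "keyfile") and listeners:
            listeners[-1].tls_files.add(key)
        else:
            settings[key] = value
    return settings, listeners


def audit(text: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    settings, listeners = parse_conf(text)
    findings = []
    anon = settings.get("allow_anonymous")
    if anon == "true":
        findings.append("allow_anonymous true: anyone who can reach the broker "
                        "can subscribe to every topic and publish commands")
    elif anon is None:
        # Mosquitto 2.0 and later default to false; earlier releases defaulted to true.
        findings.append("allow_anonymous not set: the default is true on Mosquitto "
                        "releases before 2.0, so set it to false explicitly")
    if anon != "true" and "password_file" not in settings:
        findings.append("no password_file: no credential source is configured")
    if "acl_file" not in settings:
        findings.append("no acl_file: every client that connects may read and "
                        "write every topic, including device command topics")
    for lst in listeners:
        if lst.bind not in LOOPBACK and not lst.tls:
            findings.append(f"listener {lst.port} on {lst.bind} without TLS: "
                            "messages and passwords cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit(conf) or ["no findings"]:
            print(" -", finding)
```

The weak sample yields three findings (anonymous access, no ACL, cleartext listener); the hardened sample yields none. The ACL file the hardened sample references would restrict each credential to the topics it needs, for example a `user dash` line followed by `topic readwrite home/#`, so that a dashboard account cannot publish to topics it has no business touching.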