Two popular machine-to-machine (M2M) protocols--MQTT & CoAP--are slowly forming the backbone of many IoT infrastructures, including critical industry environments. They are used to provide data connectivity for practically any kind of "machines". We found out that these protocols are affected by security and privacy issues that impact several market verticals, applications, products, and brands.
This talk provides a security analysis of MQTT & CoAP at the design, implementation, and deployment level. We found issues in the design specifications, vulnerable product implementations, and hundreds of thousands unsecured, open-to-the-world deployments. These issues show the risk that endpoints could be open to denial-of-service attacks and, in some cases, full control by an adversary. Despite the fixes in the design specifications, it is hard for developers to keep up with a changing standard when a technology becomes pervasive. Also, the market of this technology is very wide because the barrier to entry is fairly low. This led to a multitude of fragmented implementations.
We analyzed the source code of the most common MQTT implementations, and discovered common flaws--mostly originating from misinterpretation of the standard. In particular, we found issues in how multibyte strings, UTF-8 characters, and regular-expressions are parsed. Combined with standard features that force servers to retain messages and clients to request acknowledgement the delivery of every message, such bugs can lead to persistent denial of service. Our findings have been acknowledged by the MQTT Technical Committee, which released a note to help identify the risks.
Alongside this, we've analyzed hundreds of millions MQTT & CoAP messages obtained from hundreds of thousands server. Despite previous efforts that tried to raise awareness, we still found exposed data related to various industry sectors and sensitive information, including credentials and network infrastructure details. Moreover, we found out that MQTT is being used beyond messaging, to transport binary data, most likely for OTA update purposes, which certainly raises a red flag.
Using MQTT & CoAP as a concrete example of modern M2M technology, we will provide recommendations at various levels (standardization bodies, vendors, developers, and users) in the hope to see a significant reduction in the number of insecure deployments in the future, and a more responsible position by standardization bodies.
When machines can't talk: Security and privacy issues of machine-to-machine data protocols
BLACKHAT Europe 2018, Internet of Things Track, December 3-6, 2018, London, UK
Type:
Talk
City:
London
Date:
2018-12-03
Department:
Digital Security
Eurecom Ref:
5697
Copyright:
© EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in BLACKHAT Europe 2018, Internet of Things Track, December 3-6, 2018, London, UK and is available at :
PERMALINK : https://www.eurecom.fr/publication/5697