Report Outlines IoT, IIoT Protocol Vulnerabilities

In a report released online Tuesday (summary here, detailed PDF here), enterprise security firm Trend Micro detailed a number of issues it discovered within two top Internet of Things (IoT) communication protocols: MQTT and CoAP.

The Message Queuing Telemetry Transport (MQTT) protocol is most often used for one-to-many communication within IoT and industrial IoT (IIoT) deployments, with the communication generally "mediated" by a message broker. Constrained Application Protocol (CoAP) is a client-server protocol that can be used to either "publish messages to a broker and/or subscribe to a broker to receive certain messages." Labels can be used on the messages to subdivide them by topic.

According to Trend Micro, an "Internet-wide scan on exposed IoT endpoints" conducted by a partner discovered tens upon thousands of unsecured hosts. Trend Micro further discovered numerous public-facing unsecured hosts, offering hackers "millions of exposed records," as well as leaving organizations open to denial-of-service (DoS) attacks. The report offers a geographic breakdown of the vulnerabilities by protocol.

The company also details some of the exposed data it found online as a result of these vulnerabilities and which industries it came from, making the point that data held by everyone from local governments to industry to financial institutions is vulnerable due to the protocol issues.

"Considering the emergence of these protocols, it's reasonable to expect that attackers will catch up and abuse M2M technology for their malicious activities. We even expect poisoning of telemetry data to be a feasible and indirect attack method in the future," the company commented.

"Certain considerations like not having security built in and protocols having concepts such as wild-card topics and linked resources can be turned against users by exposing their resources and collecting data about them. Moreover, MQTT and CoAP do not check the data or payload that they transport, which means that the information can be really anything, posing data validation issues on the connected systems," it continued. "Organizations' security teams should ensure that proper security mechanisms are in place when using protocols. Solutions do exist to secure M2M communications -- they are just not employed by all."
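The wildcard-topic exposure mentioned in the quote above can be checked on the broker side. The following is an added example, not code from this article or from Trend Micro's report: it implements MQTT topic-filter matching (`+` for one level, `#` for all remaining levels) and flags subscribe grants whose wildcards reach topics a client was never cleared to read. The client IDs, topics, grant list and the ACL model itself are constructed assumptions.

```python
# Added example: audit MQTT subscribe grants for wildcard over-exposure.
# All client IDs, topics and grants below are constructed sample data.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter matches a concrete topic name."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    # Filters that begin with a wildcard never match '$' topics such as $SYS/...
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' covers the parent and all levels below; valid only as last level.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

def audit_acl(grants, sensitive_topics):
    """Flag wildcard grants that expose topics to clients not cleared for them."""
    findings = []
    for client_id, topic_filter in grants:
        if "#" not in topic_filter and "+" not in topic_filter:
            continue  # exact-topic grants cannot over-match
        exposed = sorted(
            topic for topic, allowed in sensitive_topics.items()
            if client_id not in allowed and topic_matches(topic_filter, topic)
        )
        if exposed:
            findings.append((client_id, topic_filter, exposed))
    return findings

SENSITIVE = {  # constructed: topic -> clients that legitimately need it
    "plant1/line2/temp": {"hmi-line2"},
    "cityhall/hvac/setpoint": {"bms-controller"},
    "bank/atm/17/status": {"atm-monitor"},
}
GRANTS = [  # constructed subscribe ACL: (client_id, topic_filter)
    ("dashboard", "#"),
    ("hmi-line2", "plant1/+/temp"),
    ("atm-monitor", "bank/atm/+/status"),
    ("contractor", "plant1/#"),
]

if __name__ == "__main__":
    for client_id, topic_filter, exposed in audit_acl(GRANTS, SENSITIVE):
        print(f"{client_id}: '{topic_filter}' exposes {exposed}")
```

Grants scoped with `+` to the topics a client actually needs pass the audit, while the bare `#` and `plant1/#` grants are reported with the topics they expose.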

About the Author

Becky Nagel is the former editorial director and director of Web for 1105 Media's Converge 360 group, and she now serves as vice president of AI for the company, specializing in developing media, events and training for companies around AI and generative AI technology. She's the author of "ChatGPT Prompt 101 Guide for Business Users" and other popular AI resources with a real-world business perspective. She regularly speaks, writes and develops content around AI, generative AI and other business tech. Find her on X/Twitter @beckynagel.