Report Outlines IoT, IIoT Protocol Vulnerabilities
In a report released online Tuesday (summary here, detailed PDF here), enterprise security firm Trend Micro detailed a number of issues it discovered within two top Internet of Things (IoT) communication protocols: MQTT and CoAP.
The Message Queuing Telemetry Transport (MQTT) protocol is most often used for one-to-many communication within IoT and industrial IoT (IIoT) deployments, with the communication generally "mediated" by a message broker. Constrained Application Protocol (CoAP) is a client-server protocol that can be used to either "publish messages to a broker and/or subscribe to a broker to receive certain messages." Labels can be used on the messages to subdivide them by topic.
According to Trend Micro, an "Internet-wide scan on exposed IoT endpoints" conducted by a partner discovered tens upon thousands of unsecured hosts. Trend Micro further discovered numerous public-facing unsecured hosts, offering hackers "millions of exposed records," as well as leaving organizations open to denial-of-service (DoS) attacks. The report offers a geographic breakdown of the vulnerabilities by protocol.
The company also details some of the exposed data it found online as a result of these vulnerabilities and which industries it came from, making the point that data from organizations ranging from local governments to industry to financial institutions is vulnerable due to the protocol issues.
"Considering the emergence of these protocols, it's reasonable to expect that attackers will catch up and abuse M2M technology for their malicious activities. We even expect poisoning of telemetry data to be a feasible and indirect attack method in the future," the company commented.
"Certain considerations like not having security built in and protocols having concepts such as wild-card topics and linked resources can be turned against users by exposing their resources and collecting data about them. Moreover, MQTT and CoAP do not check the data or payload that they transport, which means that the information can be really anything, posing data validation issues on the connected systems," it continued. "Organizations' security teams should ensure that proper security mechanisms are in place when using protocols. Solutions do exist to secure M2M communications -- they are just not employed by all."
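The wildcard-topic exposure mentioned in the quote above can be checked on the broker side by auditing subscription grants. The following is an added example, not code from the Trend Micro report or this article: it implements MQTT topic-filter matching (`+` for one level, `#` for the rest of the tree) and flags grants that reach topics outside a client's own tree. The client names, topics, and the convention that the first topic level names the owner are constructed assumptions.

```python
# Added example: MQTT topic-filter matching plus an audit of subscription grants.
# All topics, clients and grants below are constructed sample data.

def filter_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter matches a topic name.

    '+' matches exactly one level; '#' matches the remaining levels
    (including the parent level) and is only valid as the last level.
    A filter that starts with a wildcard does not match '$' topics
    such as the broker's $SYS tree.
    """
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

def audit_grants(grants, known_topics):
    """Map each (client, filter) grant to the known topics it can read
    that the client does not own. Assumption: first topic level = owner."""
    findings = {}
    for client, topic_filter in grants:
        exposed = [t for t in known_topics
                   if filter_matches(topic_filter, t)
                   and t.split("/")[0] != client]
        if exposed:
            findings[(client, topic_filter)] = exposed
    return findings

KNOWN_TOPICS = ["plant1/line2/temp", "plant1/line2/pressure",
                "plant9/line1/temp", "clinic7/ward3/pager",
                "$SYS/broker/clients/connected"]
GRANTS = [("plant1", "plant1/#"),         # scoped to the client's own tree
          ("plant1", "+/+/temp"),         # wildcard crosses into other tenants
          ("dashboard", "#"),             # reads every non-$ topic
          ("clinic7", "clinic7/+/pager")]

if __name__ == "__main__":
    for (client, flt), topics in audit_grants(GRANTS, KNOWN_TOPICS).items():
        print(f"{client!r} via {flt!r} can read {len(topics)} foreign topic(s): {topics}")
```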
About the Author
Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital projects at the company, including launching and running the group's popular virtual summit and Coffee talk series. She is an experienced tech journalist (20 years), and before her current position, was the editorial director of the group's sites. A few years ago she gave a talk at a leading technical publishers conference about how changes in Web browser technology would impact online advertising for publishers. Follow her on Twitter @beckynagel.