IoT Design- New research has highlighted an old problem: The Internet of Things isn’t exactly secure. Hardly news, you might say, but the researchers from Trend Micro discovered that two popular IoT protocols are insecure by design. So insecure, indeed, that they are putting both ‘Industry 4.0’ smart factory implementations and smart cities at risk. In fact, these are the design flaws that could quite literally turn the lights out.
The Fragility of Industrial IoT’s Data Backbone report found that both the Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) protocols are insecure by design and to make matters worse hundreds of thousands of both hosts are reachable via public-facing IPs. These machine-to-machine (M2M) communications form the core of Industrial IoT systems that are deployed within large-scale networks seen within smart factory and smart city projects. Paul Dignan, a senior systems engineer with F5 Networks, helped me to understand the more commonly used MQTT protocol better. “MQTT is a publish-subscribe messaging protocol that allows devices such as cameras, heat sensors and lP-enabled light bulbs to publish data to an intermediary module” he explained, continuing “by default, the data the protocol sends is un-encrypted when in transit, which ultimately means that applications can then subscribe to this intermediary module (also known as message brokers) and retrieve the published data.”
Across a period of four months, the Trend Micro researchers identified in excess of 200 million MQTT communication messages, and more than 19 million messages from the less popular CoAP machine-to-machine protocol, leaked by exposed brokers and servers. If this wasn’t worrying enough in and of itself, that this production data could be located by anyone with the ability to perform a few simple keyword searches just multiplies the worry. Armed with this information on assets, personnel and technology an attacker could remotely control IoT endpoints or launch a Denial of Service (DoS) attack. SO, for example, researchers found data exposure related to the manufacturing sector that were leaked by a programmable logic controller and which had the names assigned to specific control systems and details of manufacturing processes; gold dust for the reconnaissance phase of an advanced persistent threat attack. Martin Thorpe, enterprise architect at Venafi, reminds us that “IoT devices are rarely built with more than basic connectivity in mind” and adds “deploying insecure IoT devices more widely across the enterprise, supply chains and within smart cities will undoubtedly create new risks.” He’s not wrong, not wrong at all. That these protocols are easily the most pervasive used by IoT devices, designed with apparently little thought given to security at the time and yet used in mission critical deployments in most smart factory manufacturing environments as well as throughout flagship smart city projects, is a major cybersecurity risk.
I contacted Bharat Mistry, principal security strategist at Trend Micro, to chat about the findings. He told that because CoAP is a more recent and less widespread protocol than MQTT, its design is less flawed. He also warned that, despite this, CoAP protocols remain susceptible to IP spoofing which is where criminals can pose as legitimate or anonymous end points in order to capture data. When it comes to the more widespread MQTT protocols, the most prominent flaws are “undoubtedly its payload remaining length, the Unicode handling in topic strings and its URI-style topic validation” Bharat says, continuing “all of these have provided a pathway for vulnerabilities to emerge which have inadvertently been implemented on a global scale.”
It’s the global nature of the impact of these flaws which is truly hard to comprehend, not least as Bharat points out neither of the protocols were ever intended for deployments over public networks or designed to carry sensitive data. “The intended use for these protocols are for environments that are typically closed or private” he explains, adding “used to transport control data over networks that are low bandwidth, high packet loss and low powered and in some cases very distant.” They were also designed to work on devices with very limited CPU and memory ‘compute’ power so designed to be very lightweight with little or no overhead for meaningful security features. All of which means that the real-world security implications to large-scale deployments across large enterprise, industry 4.0 manufacturing and smart city projects is massive. “If even just one internal device is accessible via public-facing IPs, it can compromise the entire security infrastructure in place and leave the door wide open for bad actors to take control of these devices and gain access to a network” Wallace Sann, VP of global systems engineering at ForeScout told me.