Another day, another IoT cautionary tale of how hackers can pwn thousands of smart homes. This time the warning is related to the Message Queuing Telemetry Transport (MQTT) protocol. If the MQTT protocol is misconfigured, Avast warned that cyber thugs could “gain complete access to a home” and do things like “manipulate entertainment systems, voice assistants, household devices, and physically open smart doors.”
Although the MQTT protocol, which was a SCADA protocol developed in the 1990s, is secure, serious security issues arise when MQTT servers are misconfigured. Using the Shodan search engine, Avast found more than 49,000 of those misconfigured servers. 32,000 of the MQTT servers had no password to protect them.
MQTT can “carry virtually any payload” and is used to interconnect devices with different protocols so they can they can be controlled via smart home hubs. Avast explained, “The protocol is meant as a subscriber/publisher model. It works like an RSS feed: you subscribe to a topic, and once someone publishes something on the topic, the payload is delivered to all subscribers.”
To make an exceptionally smart home, people turn to automation and MQTT. “MQTT is included in most smart home hub software solutions, such as Home Assistant, so users can either install a package that includes MQTT or install MQTT separately when setting up their smart home hub,” Avast security researcher Martin Hron wrote. “Smart home hubs usually subscribe and publish MQTT messages and provide logic. They also provide some kind of dashboard, either locally or remotely, where you can control the whole ‘smart’ home.”
Both MQTT and Mosquitto, the most common server software which implements the protocol, have “broad security capabilities,” which are nullified if they are poorly configured. Of the 49,197 misconfigured MQTT servers Avast found via Shodan, 8,257 are in the U.S. Of the 32,888 MQTT servers without password protection, 4,733 are in the U.S. Only China had more misconfigured and unprotected MQTT servers than the U.S.
Heron goes to detail the following “five easy ways to hack a smart home.”
1. Connecting and subscribing to wildcard topics on an unprotected MQTT server: After subscribing to the # topic on an open and unprotected server, an attacker could see all the automation happening in a home and even publish to topics.
You can control devices or at least poison the data being collected by publishing on behalf of the devices. For example, you can send messages to the hub as if you were the security sensor at the smart home’s front door smart lock, because MQTT messages do not have a sender field so the message receiver is unable to determine where the request came from. Due to this, cybercriminals can easily perform “replay attacks” and send messages on behalf of the devices connected to the hub.
2. Connecting to unprotected smart hub dashboards on a secure MQTT server: When looking for the most popular smart hub software – Domoticz, Home Assistant and OpenHAB – Avast found default configurations which required no password. So even if the MQTT server was secure, an attacker can access the dashboard by using the IP address.
Exploiting this access would allow a cybercriminal to control any of the devices connected via the dashboard including lights, locks, heating and cooling systems, cameras, and more. With this control, a cybercriminal could do any number of things, such as secretly spy on or record people within their home, drastically adjust their home’s temperature, or gain entrance to the home while the homeowners are on vacation or at work, without setting off any alarms.
3. Reading files on a protected MQTT server with a protected dashboard: Even if both the server and dashboard are protected, Avast found open and unsecured SMB shares including all Home Assistant smart hub configuration files; one of the files contained usernames and passwords stored in plain text, meaning an attacker would have “complete control over someone’s house.”
4. Creating a UI on an unprotected MQTT server: Users can create their own dashboard and control panel such as by using a mobile MQTT Dash app. If the server is unsecured, however, a cyber thug can get the same UI as the users. Avast wrote, “This provides an easy way to hack someone’s home and even get their UI with just one connection to their MQTT server.”
5. Tracking device location: Many MQTT servers, even some not connected to a smart home, can track a user’s location (longitude, latitude and altitude) via the mobile app OwnTracks. People may share their location with an MQTT server for things like geofencing, getting things like the lights to come on, adjust the thermostat temperature and the garage door to open when a user gets close to their home. The problem is that OwnTrack uses unsecured protocols and unencrypted messages and an attacker could use the real-time data.
“Because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern, it is frighteningly easy to gain access and control of a person’s smart home,” Avast warned. There is a trade-off between how easy it is to setup smart home devices and security. “Consumers need to be aware of the security concerns of connecting devices that control personal parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”