32,000 smart homes can be easily hacked due to misconfigured MQTT servers

Another day, another IoT cautionary tale of how hackers can pwn thousands of smart homes. This time the warning is related to the Message Queuing Telemetry Transport (MQTT) protocol. If the MQTT protocol is misconfigured, Avast warned that cyber thugs could “gain complete access to a home” and do things like “manipulate entertainment systems, voice assistants, household devices, and physically open smart doors.”

Although the MQTT protocol itself, originally developed in the 1990s as a SCADA protocol, is secure, serious security issues arise when MQTT servers are misconfigured. Using the Shodan search engine, Avast found more than 49,000 such misconfigured servers; 32,000 of those MQTT servers had no password protecting them at all.

MQTT can “carry virtually any payload” and is used to interconnect devices that speak different protocols so they can be controlled via smart home hubs. Avast explained, “The protocol is meant as a subscriber/publisher model. It works like an RSS feed: you subscribe to a topic, and once someone publishes something on the topic, the payload is delivered to all subscribers.”
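As an added illustration (not Avast's code, nor that of any real broker), the following Python model of a broker's publish/subscribe delivery shows the RSS-feed behaviour described above and what the no-password misconfiguration means in practice: when anonymous connections are accepted (the setting Mosquitto calls `allow_anonymous`), a client that supplies no credentials receives every message published on the broker; when they are rejected, that client gets nothing. Topic-filter matching follows the MQTT `+`/`#` wildcard rules; the usernames, passwords and topics are constructed samples.

```python
"""Toy in-memory MQTT broker: topic matching plus the anonymous-access check.
Added illustration of the pub/sub model and of the misconfiguration Avast
describes; not the code of any real broker."""
import hmac
from dataclasses import dataclass, field

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level,
    '#' matches the remainder of the topic and must be the last level."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1      # '#' anywhere else is invalid
        if i >= len(t_levels):
            return False                      # filter longer than topic
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

@dataclass
class Broker:
    allow_anonymous: bool                      # the misconfiguration switch
    users: dict = field(default_factory=dict)  # username -> password (constructed)
    subs: list = field(default_factory=list)   # (client_id, topic filter)
    delivered: list = field(default_factory=list)  # (client_id, topic, payload)

    def connect(self, client_id, username=None, password=None) -> bool:
        """CONNECT handling: returns True if the session is accepted."""
        if username is None:
            return self.allow_anonymous        # no credentials at all
        expected = self.users.get(username, "")
        return hmac.compare_digest(expected, password or "")

    def subscribe(self, client_id, filter_):
        self.subs.append((client_id, filter_))

    def publish(self, topic, payload):
        """Deliver the payload to every subscriber whose filter matches."""
        for cid, filt in self.subs:
            if topic_matches(filt, topic):
                self.delivered.append((cid, topic, payload))

def demo(allow_anonymous: bool) -> list:
    """A credential-less client tries to subscribe to everything ('#');
    returns what that client received after the hub publishes one message."""
    broker = Broker(allow_anonymous, users={"hub": "hub-secret"})  # constructed creds
    if broker.connect("stranger"):            # anonymous CONNECT
        broker.subscribe("stranger", "#")
    assert broker.connect("hub", "hub", "hub-secret")
    broker.subscribe("hub", "home/+/state")
    broker.publish("home/frontdoor/state", b"unlocked")
    return [d for d in broker.delivered if d[0] == "stranger"]
```

With `demo(True)` the anonymous client sees the front-door state message; with `demo(False)` the broker refuses its CONNECT and the list is empty.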

To make an exceptionally smart home, people turn to automation and MQTT. “MQTT is included in most smart home hub software solutions, such as Home Assistant, so users can either install a package that includes MQTT or install MQTT separately when setting up their smart home hub,” Avast security researcher Martin Hron wrote. “Smart home hubs usually subscribe and publish MQTT messages and provide logic. They also provide some kind of dashboard, either locally or remotely, where you can control the whole ‘smart’ home.”