Homes that run a misconfigured MQTT protocol to control their smart devices have been found to be highly exposed to hackers, who can manipulate and control those devices from outside the household.
Cybersecurity firm Avast has discovered 49,000 servers running a misconfigured Message Queuing Telemetry Transport (MQTT) protocol, allowing them to be publicly visible online.
Of these, 32,000 had no password protection, leaving them highly vulnerable and giving hackers complete access to and control of the smart home devices behind them.
MQTT is a communications protocol that allows the interconnection of devices and is key in successful home automation.
Most smart home hubs are sold with MQTT, as the protocol allows you to control numerous devices from one location — the hub.
Martin Hron, security researcher at Avast, has written, “Smart home hubs usually subscribe and publish MQTT messages and provide logic. They also provide some kind of dashboard, either locally or remotely, where you can control the whole ‘smart’ home.”
MQTT itself is secure — problems only arise when it is misconfigured, as it has been in 49,197 homes all over the world.
8,257 of those homes are in the US, according to Help Net Security, placing it second only to China in the number of misconfigurations.
32,888 of those MQTT servers are not only publicly visible, but also have no password protection. 4,733 of those servers are in the US, again making it second only to China.
“Many homeowners use open source solutions for their smart home. The most popular software for smart hubs are readily available solutions such as Domoticz, Home Assistant and OpenHAB. When we looked for these, we were able to see a lot of default configurations, which surprisingly required no password. So, even if the MQTT server is secure, the dashboard can be accessed as easily as typing the IP address into a browser,” Hron continues.
Growing pains like these are almost inevitable when it comes to the Internet of Things, which has only recently achieved mainstream appeal. But these problems must be addressed now, before too many people adopt the technology and these bad habits.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” said Hron.
“Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
Take a look at Avast’s research, which explains the 5 ways that hackers can exploit a misconfigured MQTT server.
Security has always been the number one issue facing the smart home industry. Something must be done, now, to truly address the problem and allow the market to grow.