A Japanese cybersecurity firm has uncovered major design flaws and vulnerabilities in two popular machine-to-machine (M2M) protocols: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).
Trend Micro researchers have identified more than 200 million MQTT messages and more than 19 million CoAP messages being leaked by exposed brokers and servers in the past four months.
“Using simple keyword searches, malicious attackers could locate this leaked production data, identifying lucrative information on assets, personnel and technology that can be abused for targeted attacks,” the security company said.
The report, “The Fragility of Industrial IoT’s Data Backbone,” co-branded with Politecnico di Milano, shows how attackers could remotely control IoT endpoints or deny service by exploiting security issues in the design, implementation and deployment of devices that use the two protocols.
According to the report, MQTT is a communication protocol that facilitates one-to-many communication mediated by brokers. CoAP, on the other hand, is a client-server protocol that, unlike MQTT, is not yet standardized.
It further stated that MQTT is preferred over CoAP for mission-critical communications because it can enforce quality of service and ensure message delivery. CoAP, for its part, is preferred for gathering telemetry data transmitted from transient, low-power nodes like tiny field sensors.
“What we found was striking: Hundreds of thousands of MQTT and CoAP hosts combined are reachable via public-facing IP addresses. Overall, this provides attackers with millions of exposed records. Finding exposed endpoints in virtually every country is feasible due to the inherent openness of the protocols and publicly searchable deployments,” the study emphasized.
Greg Young, Vice President of Cybersecurity for Trend Micro, said in a media statement that this should prompt organizations to take a serious, holistic look at the security of their OT environments.
“These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases. This represents a major cybersecurity risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks,” he said.