Misconfigured MQTT Protocol Puts Thousands of Smart Homes at Risk

To no one’s surprise, there is a relatively easy way for hackers to breach thousands of smart homes. Avast researchers recently warned that the Message Queuing Telemetry Transport (MQTT) protocol, if misconfigured, could give hackers complete access to a smart home. As a result of this security loophole, the home could be manipulated in many ways, including its entertainment and voice systems, various household devices, and smart doors.

What Is the MQTT Protocol?

Smart home devices can be interconnected and controlled using the Message Queuing Telemetry Transport (MQTT) protocol, Avast explains, adding that while the MQTT protocol itself is secure, severe security issues may arise if it is implemented and configured incorrectly. To prove that, the researchers “took a closer look and using the Shodan IoT search engine found more than 49,000 MQTT servers publicly visible on the internet due to a misconfigured MQTT protocol”.

Why is exploiting a misconfigured MQTT protocol so dangerous? Simply said, because:

The protocol is meant as a subscriber/publisher model. It works like an RSS feed: you subscribe to a topic, and once someone publishes something on the topic, the payload is delivered to all subscribers.
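The delivery model described above, as an added example that is not from Avast or the original article: a toy in-memory broker in Python showing that a publish reaches any subscriber on a broker that accepts anonymous clients, and is refused or filtered once credentials and a per-user topic ACL are required. The client name, topics, payloads and ACL entry are constructed; '+' and '#' are MQTT's standard topic wildcards.

```python
# Toy in-memory model of MQTT publish/subscribe fan-out; not a real broker.
# Client names, topics, payloads and the ACL entry are constructed for illustration.
def topic_matches(filt, topic):
    """MQTT topic-filter match: '+' is one level, '#' is all remaining levels."""
    f_parts, t_parts = filt.split("/"), topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

class Broker:
    def __init__(self, allow_anonymous, acl=None):
        self.allow_anonymous = allow_anonymous
        self.acl = acl or {}   # user -> topic filters that user may read
        self.subs = []         # (user, filter, inbox)

    def subscribe(self, user, filt):
        if user is None and not self.allow_anonymous:
            return None        # refused: this broker requires credentials
        inbox = []
        self.subs.append((user, filt, inbox))
        return inbox

    def may_read(self, user, topic):
        if not self.acl:       # no ACL configured: any client reads any topic
            return True
        return any(topic_matches(a, topic) for a in self.acl.get(user, []))

    def publish(self, topic, payload):
        for user, filt, inbox in self.subs:
            if topic_matches(filt, topic) and self.may_read(user, topic):
                inbox.append((topic, payload))

def demo():
    traffic = [("home/door/lock", "UNLOCKED"), ("home/livingroom/temp", "21.5")]
    weak = Broker(allow_anonymous=True)   # misconfigured: open, no ACL
    hard = Broker(allow_anonymous=False, acl={"thermostat-ui": ["home/+/temp"]})  # hardened
    anon = weak.subscribe(None, "#")
    refused = hard.subscribe(None, "#")
    ui = hard.subscribe("thermostat-ui", "#")
    for topic, payload in traffic:
        weak.publish(topic, payload)
        hard.publish(topic, payload)
    return anon, refused, ui

if __name__ == "__main__":
    print(demo())
```

In this model the ACL is enforced at delivery time, so an authenticated client with a broad subscription still only receives the topics it is entitled to read.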

What is most alarming is that this protocol is included in most smart home hub software solutions, such as Home Assistant. It is easy for users to either install a package with included MQTT or install the protocol separately when setting up the smart home hub.

It should also be mentioned that most smart home hubs typically subscribe to and publish MQTT messages and provide logic. They also provide some kind of dashboard, either locally or remotely, where you can control the whole ‘smart’ home, the researchers added.

On top of that, both MQTT

