Two popular IoT communications protocols are riddled with vulnerabilities and systemic issues which are exposing countless global organizations to industrial espionage, targeted attacks and DoS, according to Trend Micro.
The security giant’s latest report, The Fragility of Industrial IoT’s Data Backbone, focuses on two of the most popular machine-to-machine protocols in use today: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).
As security is not built into these protocols by default, they exposed 219 million messages globally in just the four months of the research period.
The report detailed how these security deficiencies leak credentials, sensitive information, and industry-related process data — which could be used to enable reconnaissance and industrial espionage.
Security problems with the design, implementation and deployment of devices using these protocols could allow attackers to remotely control endpoints, while hackers could also abuse functionality in the protocols to achieve persistent access to a target and move laterally across a network.
One flaw detailed in the report, CVE-2018-17614, was described as an out-of-bounds write that could allow an attacker to execute arbitrary code on vulnerable devices that implement an MQTT client.
Telemetry data passing over these protocols could also be “poisoned” to sabotage operations, the report warned.
There are also implications for consumers, given that MQTT is used by Facebook Messenger.
Another messaging service, Bizbox Alpha mobile, leaked 55,475 messages in four months, 18,000 of which were email messages.
Greg Young, vice-president of cybersecurity for Trend Micro, said the report should be cause for organizations to improve the security of their OT environments.
“These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases,” he added. “This represents a major cybersecurity risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks.”
The report also warned that as MQTT and CoAP become more popular, hackers are likely to use them not only for DoS but also as a channel for C&C and exfiltration.
Trend Micro urged security teams to remove unnecessary M2M services, check their data is not leaking through public IoT services, improve vulnerability management workflows and stay up to date with evolving industry standards.