Security experts are warning of another major smart home security threat after revealing that as many as 32,000 businesses and homes have failed to protect systems exposed via the internet.
The issue resides in the lightweight Message Queuing Telemetry Transport (MQTT) protocol, favored in IoT networks to transfer data between machines.
When implementing it at home, users are required to set up a server, usually on a PC or a mini-computer such as a Raspberry Pi, with which the devices communicate.
Unfortunately, security vendor Avast found 49,000 such MQTT servers publicly visible on the internet via a simple Shodan search, with 32,000 featuring no password protection. This global figure might seem rather low, but the vendor clarified to Infosecurity that the protocol is used mainly by more "advanced tech users."
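An added example, not from the article or from Avast, of the difference between the unprotected server the article describes and a hardened one. It assumes the Eclipse Mosquitto broker (the article names no particular server) and uses placeholder file paths and user names.

```conf
# file: mosquitto.conf (WEAK, the state the article describes)
# Listens on every interface and requires no credentials, so anyone who
# finds the host on Shodan can read sensor state and publish commands.
listener 1883 0.0.0.0
allow_anonymous true

# file: mosquitto.conf (HARDENED)
# Per-listener options must be enabled before the first listener.
per_listener_settings true

# Unencrypted listener only on loopback, for tooling on the broker host.
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd

# TLS listener for devices on the LAN. Do not port-forward it from the router.
# Password file is created with: mosquitto_passwd -c /etc/mosquitto/passwd <user>
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Least privilege: each credential may only touch the topics it needs,
# so a leaked dashboard password cannot be used to publish "unlock".
acl_file /etc/mosquitto/acl

# file: /etc/mosquitto/acl (placeholder users and topics)
user doorlock
topic readwrite home/doorlock/#

user dashboard
topic read home/#
topic write home/lighting/+/set
```

After applying the hardened file, a connection attempt with no credentials from another machine should be refused; if it is still accepted, check that per_listener_settings precedes every listener and that the broker was restarted.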
This could be creating cybersecurity, privacy and even physical security risks for users, according to Avast researcher Martin Hron.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” he argued. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
Hron painted several scenarios where these MQTT issues could be exploited by attackers.
With access to MQTT data, they could read the status of smart window and door sensors, locks and smart lighting, and even insert their own commands into the data to open doors, he claimed.
If the server is protected, hackers could try the smart home dashboard running on the same IP address, as these are often either not password protected or easily crackable. If that avenue fails, they could try open and insecure SMB shares exposed by the popular Home Assistant platform, which can contain passwords and keys stored in plaintext and could give them complete control over the smart home, the vendor claimed.
Avast also warned that hackers could track users’ location if they use the MQTT-compatible OwnTracks app.