New research has revealed security flaws in widely used internet of things protocols, prompting a warning to users to check their operational technology security.
Cybersecurity specialist Trend Micro and Politecnico di Milano found “major” design flaws and vulnerable implementations related to two popular machine-to-machine protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).
Their report The Fragility of Industrial IoT’s Data Backbone highlights the growing threat of industrial espionage, denial of service and targeted attacks arising from abuse of these protocols.
Over four months, researchers identified more than 200 million MQTT messages and more than 19 million CoAP messages being leaked by exposed brokers and servers. Malicious attackers could locate this leaked production data through simple searches, identifying information on assets, personnel and technology that can be abused for targeted attacks.
“The issues we’ve uncovered in two of the most common messaging protocols used by IoT devices should be cause for organisations to take a serious, holistic look at the security of their OT environments,” said Trend Micro vice president of cybersecurity Greg Young. “These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases. This represents a major cybersecurity risk.” He said that hackers with even modest resources could exploit these design flaws and vulnerabilities to remotely control IoT endpoints, deny service or steal data, and could use access to a target to move laterally across a network.
To reduce the risks, Trend Micro encouraged organisations to:
- adopt proper policies to remove unnecessary M2M services
- run periodic checks using internet-wide scanning services to ensure sensitive data is not leaking through public IoT services
- Implement a vulnerability management workflow or other means to secure the supply chain
- stay up to date with industry standards as the technology evolves.
The complete report is available at www.trendmicro.com/vinfo/us/security/news/internet-of-things/mqtt-and-coap-security-and-privacy-issues-in-iot-and-iiot-communication-protocols