Security researchers have unearthed problems in a couple of machine-to-machine (M2M) protocols that could lead to hackers carrying out industrial espionage, denial-of-service and targeted attacks.
According to research carried out by Trend Micro, both the Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) have design issues and insecure deployment problems.
It said that more than 200 million MQTT messages and 19 million CoAP messages have been leaked by exposed brokers and servers, which attackers are able to locate online with simple keyword searches, and abuse for industrial espionage, denial-of-service and targeted attacks.
According to a report published by the IT security firm, titled "The Fragility of Industrial IoT’s Data Backbone", 4,627,973 records containing private IP addresses have been leaked in four months; 219 of these had the password set to 12345.
The report also found that leaked messages from messaging apps such as Facebook Messenger are prevalent. One specific instance from Bizbox Alpha mobile leaked 55,475 messages in over four months, of which about 18,000 were email messages.
"One of the brokers used by the app was misconfigured for a while, and leaked 55,475 messages in over four months, of which about 18,000 were email messages," the report said.
Also at risk are smart farms: 4,310 agriculture-related records were leaked, including field data with precise location information and smart agriculture platforms. Data about the location of ambulances and data from patient monitors are available to search online, including their email addresses and location information.
The research shows how attackers could remotely control IoT endpoints or deny service by leveraging security issues in the design, implementation and deployment of devices using these protocols. The report said that by abusing specific functionality in the protocols, hackers could maintain persistent access to a target to move laterally across a network.
"The issues we’ve uncovered in two of the most pervasive messaging protocols used by IoT devices today should be cause for organisations to take a serious, holistic look at the security of their OT environments," said Greg Young, vice president of cybersecurity for Trend Micro.
"These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases. This represents a major cyber-security risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks."
Yossi Naar, co-founder of Cybereason, told SC Media UK that the problem with securing hundreds of billions of connected devices is that we must secure hundreds of billions of connected devices.
"That may seem obvious and slightly nonsensical, but it is the vast attack surface and the potential complexity of the IoT device security challenge that has us all concerned. Yet, and at odds with that potential complexity challenge, is the reality that we must make IoT security simple," he said.
Chris Sherry, regional director, UK&I and Northern Europe at ForeScout, told SC Media UK that the key to eliminating these threats is to increase visibility of all the devices on a network and their activities.
"Factory passwords for new devices should also always be changed, endpoint access to networks should be managed and, in some cases, restricted, and devices should always run the latest software and security updates to further reduce the risk of creating vulnerabilities. UK businesses need to urgently get their house in order if they want to adequately protect the data they store on their networks from any cyber-attacks," he said.