Researcher Finds MQTT Hole in IoT Defenses

A commonly used protocol provides a gaping backdoor when misconfigured.

It started with a simple wish: Martin Horn, security researcher at Avast, wanted a smart home. As he began his research into systems, he found that many devices included set-up instructions with no security provisions. And then, it got worse.
Horn realized that many of the hubs gathering IoT devices into a unified system run
Message Queuing Telemetry Transport
(MQTT) protocol, an ISO standard for device-to-device communications. And quite a lot of the devices acting as MQTT servers have no security at all. Its not that they use a default user name and password, Horn says, its that they dont have user names or passwords - period.
Its not a flaw in IoT devices themselves, its just a lack of security, Horn says. In this case, its wide open, with no password at all. Its important to note, he explains in an
Avast blog post
, that the MQTT protocol itself is secure, if implemented and configured correctly. The lack of security is the fault of the implementation, not the underlying protocol.
And the faulty implementations are widespread. Horn says that a relatively simple Shodan search found more than 49,000 MQTT servers visible on the Internet because MQTT has been improperly configured. Of those, more than 32,000 have no password protection at all.
Once compromised, the MQTT servers are primarily a threat to their owners. This is more about leaking the data, not about becoming part of a botnet, Horn says. I can imagine the possibility, if you could update firmware over MQTT, of recruitment [into a botnet], but its mainly about leaking the data or losing control of the home system.
And the problem is that the MQTT server, by dint of its central position in the IoT network, becomes a central point of security failure that can open the entire network to to compromise even if the individual endpoints are configured securely. Connecting to the unprotected MQTT server and using it to control other devices or reading data from the connected devices becomes almost trivial, according to Horns blog post.
Protecting these vulnerable devices is simple in concept: Add a username and password. In some cases thats a trivial step in a configuration process. In other cases, its impossible, because the device manufacturer didnt make allowances for the addition.
Horn says in his post: …we have called for better device-level security for IoT and for manufacturers to develop their products in such a way that encourages and makes it simple for all consumers to properly set up their devices and all the pieces related and connected to it, in order to ensure users’ entire smart ecosystem is secure.
Related Content:
Trend Micro Survey Confirms A Disregard for the Risk of an IoT Breach
Cracking Cortana: The Dangers of Flawed Voice Assistants
7 Variants (So Far) of Mirai
5 Tips for Protecting SOHO Routers Against the VPNFilter Malware

Learn from the industrys most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for
more info
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Researcher Finds MQTT Hole in IoT Defenses