Skip to main content

Researcher Finds MQTT Hole in IoT Defenses

posted onAugust 16, 2018
by l33tdawg

It started with a simple wish: Martin Horn, security researcher at Avast, wanted a smart home. As he began his research into systems, he found that many devices included set-up instructions with no security provisions. And then, it got worse.

Horn realized that many of the hubs gathering IoT devices into a unified system run Message Queuing Telemetry Transport (MQTT) protocol, an ISO standard for device-to-device communications. And quite a lot of the devices acting as MQTT servers have no security at all. It's not that they use a default user name and password, Horn says, it's that they don't have user names or passwords - period.

"It's not a flaw in IoT devices themselves, it's just a lack of security," Horn says. "In this case, it's wide open, with no password at all." It's important to note, he explains in an Avast blog post, that the MQTT protocol itself is secure, if implemented and configured correctly. The lack of security is the fault of the implementation, not the underlying protocol.

Source

Tags

Security

You May Also Like

Recent News

Friday, November 29th

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th