Skip to main content

Top IoT standards could be compromised by hackers

Audio player loading…

Security firm Trend Micro has discovered major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols used in IoT devices, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (Co2P).

The company's new report sheds light on the growing threat of industrial espionage, denial-of-service and targeted attacks by abusing these protocols.

Over the course of four months, Trend Micro researchers identified over 200m MQTT messages and more than 19m CoAP messages that were leaked by exposed brokers and servers. 

Malicious attackers could locate this leaked production data using simple keyword searches and use it to identify lucrative information on assets, personnel and technology that could be abused to carry out targeted attacks.

IoT security concerns

Trend Micro's Vice President of cybersecurity, Greg Young explained how these protocols represent a massive security risk, saying:

“The issues we’ve uncovered in two of the most pervasive messaging protocols used by IoT devices today should be cause for organisations to take a serious, holistic look at the security of their OT environments. These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases. This represents a major cybersecurity risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks.” 

The company's research shows how attackers could remotely control IoT endpoints or deny service by leveraging security issues in the design, implementation and deployment of devices using the MQTT and Co2P protocols.

Additionally, hackers could maintain persistent access to a target to move laterally across a network by abusing specific functionality in these protocols.

After getting his start at ITProPortal while living in South Korea, Anthony now writes about cybersecurity, web hosting, cloud services, VPNs and software for TechRadar Pro. In addition to writing the news, he also edits and uploads reviews and features and tests numerous VPNs from his home in Houston, Texas. Recently, Anthony has taken a closer look at standing desks, office chairs and all sorts of other work from home essentials. When not working, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.