Open MQTT Servers Raise Physical Threats in Smart Homes

Misconfigured DIY smart-home hubs for home automation could allow attackers to track owners’ movements, see if smart doors and windows are opened or closed, and even open garage doors.

Tens of thousands of consumer-grade Internet of Things (IoT) servers have been found wide-open on the internet, allowing cybercriminals to potentially compromise homeowners’ physical security. Bad actors can gain complete access to smart-home footprints to track owners’ movements, see if smart doors and windows are opened or closed, and even open garage doors.

The servers in question are 49,000 Message Queuing Telemetry Transport (MQTT) servers, which are publicly visible due to misconfigured MQTT protocol, according to research released Thursday from Avast. This includes more than 32,000 servers with no password protection.

These are essentially DIY smart-home hubs set up by consumers to enable home automation and unify the control of various connected devices, like thermostats, appliances, lighting, alarm systems and cameras, and even automatic soil monitoring and garden-watering systems. MQTT is included in most automation solutions, including the open-source Home Assistant platform – and it allows a number of smart devices to be connected, controlled and automated, even if they weren’t originally designed to work together.

“The MQTT protocol is used to interconnect and control smart-home devices, via smart-home hubs,” explained Martin Hron, security researcher at Avast, in a posting on the issue published today. “When implementing the MQTT protocol, users set up a server. In the case of consumers, the server usually lives on a PC or some mini-computer such as Raspberry Pi, to which devices can connect to and communicate with.”

In terms of architecture, an MQTT server (broker) is provided with embedded security capabilities, which serves as a messenger between devices and adds intelligence to the system. According to Avast, smart home hubs usually subscribe and publish MQTT messages and provide logic. They also provide a dashboard, either locally or remotely, where users can control the home.

While the MQTT protocol itself is secure, a lack of security awareness combined with poor built-in protections can create a number of threat vectors, even when a server is partially protected.

“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” Hron said. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”

A weather forecast in addition to other topics, published by an unsecured MQTT server.

Perhaps the easiest path to attack is simply finding one of the 32,000 open and unprotected MQTT servers out there, using the Shodan IoT search engine. Once connected, hackers can read messages transmitted using the MQTT protocol, such as the status of smart window and door sensors, or notices about when lights are switched on and off (which can be used to infer a person’s movements).

Avast also found that outsiders could control connected devices or at least poison data using the MQTT protocol on behalf of devices. This way, for example, an attacker could send messages to the hub to, say, open the garage door or unlock a lock.

Even if an MQTT server is protected, Avast found that a smart home can be hacked if the dashboard used to control a smart home’s control panel runs on the same IP address as the MQTT server itself.

Example of a publicly available dashboard of a home-automation system that allows full control of all connected appliances.

“Many users use default configurations that come with their smart home hub software, and these are often not password protected,” Hron said.

And even if both the MQTT server and dashboard are protected, Avast found that Home Assistant, the open-source home-automation platform often used to administer smart-home footprints using MQTT, creates publicly shared directories using Windows SMB filesharing protocol; these contain all Home Assistant files, including configuration files. In the exposed files, Avast found stored passwords and keys, all in plain text, that can allow a hacker to gain complete control of a person’s home.

“Home Assistant is only one of the many examples of how a combination of weak vendor default configurations and user laziness can make setup of an IoT device insecure,” Hron told Threatpost. “Education is key with consumers, and with IoT devices, a lot of consumers just aren’t aware that a number of devices have vulnerabilities as well, just like a PC can have them.”

Also, an application called MQTT Dash allows users to create their own dashboard and control panel to control smart devices using MQTT, the research found.

“Users have the option to publish the settings they set up using the dashboard to the MQTT server, so they can easily replicate the settings on as many devices as they would like,” Hron said. “If the MQTT server used is unsecure, a hacker can easily access the user’s dashboard, which allows them to easily hack the smart home.”

There’s also a mobile aspect, since many MQTT servers are connected to a mobile application called OwnTracks. OwnTracks can be used by smart-home owners to let their connected devices know when they’re getting close to home – this can be used to turn on the lights, start the air conditioner, preheat an oven and so on. But to configure the tracking feature, users have to connect to the MQTT server.

Recorded positions during the course of one week.

“During this process, users are not required to setup login credentials, meaning anyone can connect to the MQTT server,” Hron explained. “Hackers can read messages that include a device’s battery level, location using latitude, longitude and altitude points, and the timestamp for the position.”

MQTT isn’t the only smart-home platform to come under scrutiny of late; in July, researchers found 20 vulnerabilities in Samsung’s SmartThings Hub, allowing attackers to control smart locks, remotely monitor the home via connected cameras and perform other alarming functions. The flaws were located in Samsung’s centralized controller, a component that connects to an array of IoT devices around the house – including light bulbs, thermostats and cameras.

In terms of mitigation, “I’d say the only proper solution is either educate users about the problem, or, which will have bigger impact, make this software so that security is opt-out — so, they would need to proactively ask you to set up credentials during installation,” Hron told Threatpost — thus eliminating the default authentication problem.
As for notifications, Avast has discussed the issue in a thread on the Home Assistant forum, and is contacting the maintainer of Mosquitto, a widely deployed MQTT server project, to urge it to consider making password and username an opt-out feature during setup.

Suggested articles