There is a massive hole in IoT security, says Avast researcher

Poorly-configured protocols are leaving whole networks open to attackers

Avast security researcher Martin Hron has revealed a gaping hole in the security of Internet of Things (IoT) devices. We've written in the past about the vulnerabilities in leaving these products with their default credentials - but, according to Hron, a lot of them have no credentials at all.

It began when Hron was setting up his smart home. He realised that many of the smart hubs - the products that link all of the IoT devices on a network together - use the Message Queuing Telemetry Transport (MQTT) protocol.

MQTT, like many protocols, stems from an early time in the history of the IoT: in this case the late '90s. Back then it was mainly used in industrial applications, for transporting short telemetry data messages. Hron describes it as being ‘like an RSS feed: you subscribe to a topic, and once someone publishes something on the topic, the payload is delivered to all subscribers'.

The protocol by itself is secure, but if set up incorrectly can leave users vulnerable. Avast found more than 49,000 MQTT servers publicly visible on the internet due to a misconfigured MQTT protocol, including 32,000 with no password protection at all.

Because these servers are the central hub of an IoT network, security is vital. Compromising them can open every device on the network up to a hacker, meaning that they can control or read data they are producing.

The convenience of the IoT is tempting, but users must be aware of the potential trade-off with security - and do what they can to counter it. Hron has a few recommendations on that front:

‘Consumers need to be aware of the security concerns of connecting devices that control personal parts of their home to services they don't fully understand and the importance of properly configuring their devices… In order to ensure users' entire smart home ecosystem is secured, manufacturers need to develop IoT devices which are simple for consumers to set up with a high-level of security. Lastly, there is a need for more secure control solutions that allow consumers to confidently use technology in their homes with the knowledge that it is secure and their privacy protected.'