When Machines Can't Talk: Security and Privacy Issues of Machine-to-Machine Data Protocols presented at blackhatEurope 2018

by Federico Maggi, Davide Quarta,

Summary : Two popular machine-to-machine (M2M) protocols—MQTT & CoAP—are slowly forming the backbone of many IoT infrastructures, including critical industry environments. They are used to provide data connectivity for practically any kind of "machines". We found out that these protocols are affected by security and privacy issues that impact several market verticals, applications, products, and brands.This talk provides a security analysis of MQTT & CoAP at the design, implementation, and deployment level. We found issues in the design specifications, vulnerable product implementations, and hundreds of thousands unsecured, open-to-the-world deployments. These issues show the risk that endpoints could be open to denial-of-service attacks and, in some cases, full control by an adversary. Despite the fixes in the design specifications, it is hard for developers to keep up with a changing standard when a technology becomes pervasive. Also, the market of this technology is very wide because the barrier to entry is fairly low. This led to a multitude of fragmented implementations.We analyzed the source code of the most common MQTT implementations, and discovered common flaws—mostly originating from misinterpretation of the standard. In particular, we found issues in how multibyte strings, UTF-8 characters, and regular-expressions are parsed. Combined with standard features that force servers to retain messages and clients to request acknowledgement the delivery of every message, such bugs can lead to persistent denial of service. Our findings have been acknowledged by the MQTT Technical Committee, which released a note to help identify the risks.Alongside this, we've analyzed hundreds of millions MQTT & CoAP messages obtained from hundreds of thousands server. Despite previous efforts that tried to raise awareness, we still found exposed data related to various industry sectors and sensitive information, including credentials and network infrastructure details. Moreover, we found out that MQTT is being used beyond messaging, to transport binary data, most likely for OTA update purposes, which certainly raises a red flag.Using MQTT & CoAP as a concrete example of modern M2M technology, we will provide recommendations at various levels (standardization bodies, vendors, developers, and users) in the hope to see a significant reduction in the number of insecure deployments in the future, and a more responsible position by standardization bodies.