Why 32,000 Smart Homes Are at High Risk of Being Hacked
8.20.18 – SSI – Rodney Bosch
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” says Martin Hron, security researcher at Avast.
REDWOOD CITY, Calif. — From the “not another cyber risk!” fright files: More than 30,000 residences with smart home gear have been found to be highly vulnerable to hacking, according to new research by cybersecurity firm Avast.
Are you familiar with the Message Queuing Telemetry Transport (MQTT) protocol? It’s used to control smart home devices, and it is central to a new security dilemma. Avast reports it found more than 49,000 MQTT servers publicly visible on the Internet due to a misconfigured MQTT protocol.
The MQTT protocol itself is secure; however, severe security issues can occur if MQTT is incorrectly implemented and configured. Hackers could gain complete access to a home to learn when their owners are present, manipulate entertainment systems, voice assistants and household devices, and see if smart doors and windows are opened or closed, according to an announcement. Under certain conditions cybercriminals can even track a user’s whereabouts, posing a serious privacy and security threat.
At risk are more than 32,000 servers with no password protection, essentially rendering them each a leaking data sieve. The MQTT protocol is used to interconnect and control smart home devices via smart home hubs. When implementing the MQTT protocol, users set up a server. In the case of consumers, the server usually lives on a PC or some minicomputer such as Raspberry Pi, to which devices can connect to and communicate with, Avast explains.
Of the 49,197 misconfigured MQTT servers the company found with the Shodan IoT search engine, 8,257 are in the United States. Of the 32,888 MQTT servers without password protection, 4,733 are in the U.S. Only China had more misconfigured and unprotected MQTT servers than the U.S.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” says Martin Hron, security researcher at Avast. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
- Open and unprotected MQTT servers can be found using the Shodan IoT search engine, and once connected, hackers can read messages transmitted using the MQTT protocol. Avast research shows that hackers can read the status of smart window and door sensors, for example, and see when lights are switched on and off. In this particular case, Avast also found that outsiders could control connected devices or at least poison data using the MQTT protocol on behalf of devices. This way, for example, an attacker could send messages to the hub to open the garage door.
- Even if an MQTT server is protected, Avast found that a smart home can be hacked as in some cases, the dashboard used to control a smart home’s control panel runs on the same IP address as the MQTT server. Many users use default configurations that come with their smart home hub software, and these are often not password protected, meaning a hacker can gain complete access to a smart home’s dashboard, allowing the hacker to control any device connected via the dashboard.
- Even if both the MQTT server and dashboard are protected, Avast found that in the case of smart hub software, Home Assistant software, open and unsecure SMB shares are public and therefore accessible to hackers. SMB is a protocol used for sharing files on internal networks, mainly on the Windows platform. Avast found publicly shared directories with all the Home Assistant files including configuration files. In the exposed files, Avast found a file storing passwords and keys stored in plain text. The passwords stored in the configuration file can allow a hacker to gain complete control of a person’s home.
- Smart homeowners can use tools and apps to create a dashboard for an MQTT-based smart home, to control their connected devices. A particular application, MQTT Dash, allows users to create their own dashboard and control panel to control smart devices using MQTT. Users have the option to publish the settings they set up using the dashboard to the MQTT server, so they can easily replicate the settings on as many devices as they would like. If the MQTT server used is unsecure, a hacker can easily access the user’s dashboard, which allows them to easily hack the smart home.
- Avast found that MQTT can, in certain instances, allow hackers to track users’ location, as MQTT servers typically concentrate on real time data. Many MQTT servers are connected to a mobile application called OwnTracks. OwnTracks gives users the possibility to share their location with others, but can also be used by smart home owners to let the smart home devices know when the user is approaching the home, to activate smart devices, like smart light lamps. In order to configure the tracking feature, users have to configure the application by connecting to an MQTT server and expose the MQTT server to the internet. During this process, users are not required to setup login credentials, meaning anyone can connect to the MQTT server. Hackers can read messages that include a device’s battery level, location using latitude, longitude, and altitude points, and the timestamp for the position.
Avast’s full research can be found here.