Nearly 32,000 Smart Homes and Businesses Are at Risk of Leaking Data, Says Avast


A recent survey conducted by the global leader in cyber security products, Avast (LSE: AVST), revealed that more than 49,000 Message Queuing Telemetry Transport (MQTT) servers are publicly visible on the internet because the MQTT protocol was configured incorrectly. Of these, nearly 32,000 servers (595 of them in India) have no password protection and are at high risk of leaking data. Users rely on the MQTT protocol to set up a server, hosted on a PC or a mini-computer such as a Raspberry Pi, that interconnects and controls smart home devices via smart home hubs.

“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern. Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices,” said Martin Hron, Security Researcher, Avast.

Incorrect implementation and misconfiguration of the MQTT protocol often hand cybercriminals complete access to a smart home. They can easily determine whether the home owners are at home and whether smart doors and windows are open or closed, and they can manipulate entertainment systems, voice assistants and household devices. Under certain circumstances, they can even track the owners’ whereabouts, which is a serious privacy and security threat.

Avast described five ways in which poorly configured MQTT servers can be hacked by cybercriminals:

  • The Shodan IoT search engine is used to find open and unprotected MQTT servers. Once connected to such a server, a hacker can easily read the messages transmitted via the MQTT protocol, and in some cases can even control connected devices or at least poison data on behalf of devices.
  • Many users keep the default configuration that comes with their smart home hub software, which is not password protected. This in turn gives cybercriminals complete access to the smart home’s dashboard, enabling them to hack any device connected to the dashboard.
  • Even if the MQTT server and dashboard are protected, a hacker can gain complete control of a person’s home due to open and unsecured Home Assistant software and the SMB protocol.
  • Smart home owners use tools and apps to create a dashboard for an MQTT-based smart home and to handle their connected devices. The MQTT Dash application lets home owners build their own dashboard and control panel for managing smart devices over MQTT, with the option to publish the settings and replicate them on several devices of their choice.
  • The mobile application OwnTracks lets users share their location, and smart home owners also deploy it to let smart home devices know when the user is approaching the home, so that smart devices can be activated. This tracking feature is configured by connecting to an MQTT server and exposing that server to the internet. No login credentials are needed during this process, which allows hackers to read messages that include the device’s battery level, its location as latitude, longitude and altitude points, and the timestamp for the position.
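
A configuration check for the missing password protection described above, as an added example that is not part of the original article or of Avast's research. It assumes the broker is Eclipse Mosquitto (the article names no broker software), reads that broker's `listener`, `allow_anonymous` and `password_file` directives, and runs on constructed sample configurations.

```python
import ipaddress

# Constructed sample configurations (not taken from the article).
WEAK = """listener 1883
allow_anonymous true
"""
HARDENED = """listener 1883 192.168.1.10
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as reachable from outside

def audit_mosquitto_conf(text):
    """Return findings for an (assumed) Mosquitto configuration string."""
    allow_anonymous, password_file, listeners = None, None, []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "allow_anonymous" and args:
            allow_anonymous = args[0].lower() == "true"
        elif key == "password_file" and args:
            password_file = args[0]
        elif key == "listener" and args:
            listeners.append((args[0], args[1] if len(args) > 1 else None))
    findings = []
    # Unset counts as risky: Mosquitto releases before 2.0 allow anonymous clients by default.
    if allow_anonymous is not False:
        findings.append("anonymous: allow_anonymous is not set to false")
    if password_file is None:
        findings.append("no-passwords: no password_file configured")
    for port, bind in listeners:
        # A listener without a bind address accepts connections on every interface.
        if allow_anonymous is not False and (bind is None or not _is_loopback(bind)):
            where = bind or "all interfaces"
            findings.append(f"exposed: listener {port} on {where} accepts clients without a password")
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_mosquitto_conf(conf) or "no findings")
```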
