Daily Management Review

More than 32 thousand "smart" houses under threat of hacker attack


08/24/2018


More than 49 thousand MQTT servers are publicly accessible on the Internet because of incorrect configuration. Among them, more than 32 thousand servers are not password protected, according to a study by Avast, a cybersecurity software developer.



magerleagues via flickr
"Accessing and managing a smart home is frighteningly easy. There are still many obsolete and poorly protected protocols created at a time when security was not such an acute problem," said Martin Hron, Avast security specialist. "Users should be aware of the security problems of connecting smart home devices to services that they do not quite understand, as well as the need to properly configure the system."

The MQTT protocol is used to connect and control smart home devices through the smart home management center. Users configure the server when installing the MQTT protocol. The server usually runs on a computer or a minicomputer, such as a Raspberry Pi, to which devices can connect and interact.

The protocol itself is secure, but an incorrect configuration opens the door to hackers. Cybercriminals can get full access to the house to find out when its owners are at home, manage multimedia systems, voice assistants and home appliances, and also check if smart doors and windows are closed. Under certain conditions, they can even track the user's location, which can be a serious threat to privacy and security.

Open and unprotected smart homes can be found using the IoT search engine Shodan. Once connected, hackers will be able to read messages sent using the MQTT protocol. Avast specialists found that in this case, attackers can control connected devices or at least change data by sending MQTT messages on behalf of devices. Thus, an attacker can, for example, send messages to the control center for the smart house to open the garage door.

Experts have found that even if the server is protected, a smart house can be hacked, since many users run the smart home management software with its default configuration, in which password protection is often not available. This means that an attacker can get full access to the monitoring panel of the smart house and, through it, control any connected device.

Avast specialists found that in some cases, hackers can monitor the location of users, since MQTT servers usually focus on real-time data. Many servers are connected to the mobile application OwnTracks. With it, users can share their location with other users.

To set up the tracking function, users need to configure the application by connecting it to the MQTT server and giving the server access to the Internet. During this process, no login credentials have to be entered, which means that anyone can connect to the MQTT server. Hackers can read messages that include the device's battery level and its location, given as latitude, longitude and altitude together with a timestamp.
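
For owners who want to check their own broker for the misconfiguration described above (no password, reachable from the Internet), here is an added example that is not part of the original article or of Avast's study. It assumes the broker is Eclipse Mosquitto, which the article does not name; the function name, finding codes and both sample configurations are constructed for illustration.

```python
# Added example. Assumption: the broker is Eclipse Mosquitto (not named in the article).
# Settings are treated as global, i.e. per_listener_settings is not in use.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: password-less broker reachable on every interface.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""

# Constructed sample: plaintext only on loopback, TLS listener, passwords required.
HARDENED_CONF = """\
listener 1883 127.0.0.1
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

def audit_mosquitto_conf(text):
    """Return sorted finding codes for a Mosquitto configuration string."""
    settings, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        value = rest[0].strip() if rest else ""
        if key == "listener" and value:
            port, *bind = value.split()
            listeners.append({"port": port, "bind": bind[0] if bind else None, "tls": False})
        elif key == "certfile" and listeners:
            listeners[-1]["tls"] = True  # TLS options apply to the latest listener
        else:
            settings[key] = value
    findings = set()
    anon = settings.get("allow_anonymous")
    if anon == "true":
        findings.add("anonymous-allowed")
    elif anon is None:
        # The default differs between Mosquitto versions, so require it explicitly.
        findings.add("anonymous-not-set")
    if "password_file" not in settings:
        findings.add("no-password-file")
    for lst in listeners:
        if lst["bind"] not in LOOPBACK and not lst["tls"]:
            findings.add("plaintext-listener-exposed:" + lst["port"])
    return sorted(findings)
```

Calling `audit_mosquitto_conf(WEAK_CONF)` reports all three problems, while `HARDENED_CONF` returns an empty list.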

source: computing.co.uk