By B.N. Frank
Experts have been warning for years about security risks and vulnerabilities of Internet of Things (IoT) technology and “Smart” devices. Cyberattacks continue to be reported. Thanks to Threatpost for reporting another high-risk situation.
100M IoT Devices Exposed By Zero-Day Bug
A high-severity vulnerability could cause system crashes, knocking out sensors, medical equipment and more.
A flaw in widely used internet-of-things (IoT) infrastructure code left more than 100 million devices across 10,000 enterprises vulnerable to attacks.
Researchers at Guardara used their technology to find a zero-day vulnerability in NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time, then acts as a “message broker” to deliver alerts that atypical activity has been detected. EMQ’s products are used to monitor the health of patients leaving a hospital, to detect fires, monitor car systems, in smartwatches, in smart-city applications and more.
“Guardara used its technology to detect multiple issues…that caused EMQ’s NanoMQ product to crash during testing,” the company said in a press statement. “The existence of these vulnerabilities means that any NanoMQ reliant system could be brought down completely.”
Guardara CEO Mitali Rakhit told Threatpost that the vulnerability (no CVE assigned) was given a CVSS score of 7.1, making it high-severity.
“How dangerous it is depends on what setting NanoMQ is used in,” Rakhit added.
The bug is caused by improper restriction of operations within the bounds of a memory buffer (CWE-119).
Zsolt Imre from Guardara explained on GitHub that the issue was with the MQTT packet length. MQTT is a messaging protocol standard for IoT, designed as an extremely lightweight publish/subscribe messaging transport for connecting remote devices with a small code footprint, requiring minimal network bandwidth. Thus, MQTT is used in a wide variety of industries that use low-bandwidth smart sensors, such as automotive, manufacturing, telecommunications, oil and gas, and so on.
In NanoMQ’s implementation, “when the MQTT packet length is tampered with and is lower than expected, a ‘memcpy’ operation receives a size value that makes the source buffer location point to or into an unallocated memory area,” Imre wrote. “As a result, NanoMQ crashes.”
“The problem seems to be with how the payload length is calculated,” Imre continued. “Suspected that the unusual packet length ‘msg_len’ is a smaller value than ‘used_pos,’ therefore the subtraction results in a negative number. However, ‘memcpy’ expects the size as ‘size_t,’ which is unsigned. Therefore, due to the casting of a negative number to ‘size_t’, the length becomes a very large positive number (0xfffffffc in case of this proof of concept).”
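The length calculation Imre describes, next to a bounds-checked form, as an added example that is not NanoMQ's code or its actual fix. The names ‘msg_len’ and ‘used_pos’ come from the quote; the function names, the ‘received’ and ‘dst_cap’ parameters and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: MQTT PUBLISH, topic "a/b", payload "hi" (9 bytes). */
static const uint8_t sample_pkt[] = {0x30, 0x07, 0x00, 0x03,
                                     'a', '/', 'b', 'h', 'i'};
static uint8_t out[16];

/* Flawed calculation: the difference is used directly as a copy size.
 * Computed in uint32_t (a 32-bit size_t) so the wrap-around is visible
 * without performing the out-of-bounds copy. */
uint32_t unchecked_payload_len(uint32_t msg_len, uint32_t used_pos)
{
    return msg_len - used_pos; /* wraps when msg_len < used_pos */
}

/* Hardened form: validate every length before subtracting or copying.
 * Returns the number of payload bytes copied, or -1 if rejected. */
long copy_payload(uint8_t *dst, size_t dst_cap, const uint8_t *pkt,
                  size_t received, size_t msg_len, size_t used_pos)
{
    if (msg_len > received) return -1; /* declared length exceeds data held */
    if (used_pos > msg_len) return -1; /* subtraction would underflow */
    size_t n = msg_len - used_pos;
    if (n > dst_cap)        return -1; /* payload does not fit destination */
    memcpy(dst, pkt + used_pos, n);
    return (long)n;
}

int main(void)
{
    size_t used_pos = 7; /* fixed header (2) + topic length (2) + topic (3) */
    /* Assumed tampering: declared length 3 is lower than bytes parsed. */
    printf("unchecked size: 0x%x\n", (unsigned)unchecked_payload_len(3, 7));
    printf("tampered copy:  %ld\n",
           copy_payload(out, sizeof out, sample_pkt, sizeof sample_pkt,
                        3, used_pos));
    printf("valid copy:     %ld\n",
           copy_payload(out, sizeof out, sample_pkt, sizeof sample_pkt,
                        9, used_pos));
    return 0;
}
```

With a declared length of 3 and 7 bytes already parsed, the unchecked difference is the same 0xfffffffc reported for the proof of concept, while the checked version rejects the packet before any copy takes place.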
All an attacker would need to exploit the vulnerability and crash the system are basic networking and scripting skills, Rakhit added.
These kinds of denial-of-service attacks can be extremely dangerous as they affect the availability of mission-critical equipment.
“This could potentially put millions of lives and significant property at risk,” according to the firm. “The technology within NanoMQ is used for collecting real-time data from common devices including smartwatches, car sensors and fire-detection sensors. Message brokers are used to monitor health parameters via sensors for patients leaving hospital, or motion detection sensors to prevent theft.”
The software developer has issued fixes; users of devices that incorporate NanoMQ should check with their vendors for an update to device firmware.
Attacks on IoT Devices Spike
Kaspersky released a report earlier this month that showed a more than 100 percent jump in cyberattacks on IoT devices during the first half of 2021, with a staggering 1.5 billion attacks launched so far this year.
“Since IoT devices, from smartwatches to smart-home accessories, have become an essential part of our everyday lives, cybercriminals have skillfully switched their attention to this area,” Dan Demeter, security expert at Kaspersky, said. “We see that once users’ interest in smart devices rose, attacks also intensified.”