The global site of the UK's leading magazine for automation, motion engineering and power transmission
28 March, 2024

Cyber-researchers find ‘major’ flaws in IoT protocols

19 December, 2018

Cyber-security researchers have found “major” design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, MQTT (Message Queuing Telemetry Transport) and CoAP (Constrained Application Protocol). In a joint report, Trend Micro and the Politecnico di Milano highlight what they see as a growing threat of industrial espionage, denial-of-service and targeted attacks resulting from abuse of these protocols.

Over a four-month period, the researchers identified more than 200 million MQTT messages and more than 19 million CoAP messages leaked by exposed brokers and servers. They warn that, using simple keyword searches, malicious attackers could locate this leaked production data and identify information on assets, personnel and technology that can be used for targeted attacks.

“The issues we’ve uncovered in two of the most pervasive messaging protocols used by IoT devices today should be cause for organisations to take a serious, holistic look at the security of their OT (operational technology) environments,” suggests Trend Micro’s vice-president of cybersecurity, Greg Young. “These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission-critical environments.

“This represents a major cyber-security risk,” he adds. “Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks.”

To mitigate the risks, Trend is encouraging organisations to:

•  implement policies to remove unnecessary M2M services;

•  run periodic checks using Internet-wide scanning services to ensure sensitive data is not leaking; and

•  implement a vulnerability management workflow or other means to secure the supply chain.

The report, called The Fragility of Industrial IoT’s Data Backbone, can be downloaded from Trend Micro's Web site.



