At Shodan we’re always interested in seeing how researchers are using the search engine. Recently, Martin Hron wrote an Avast blog post detailing his experience exposing the strengths and weaknesses of Internet of Things (IoT) devices that use MQTT (Message Queuing Telemetry Transport), a communications protocol for smart devices.
Using Shodan, Hron, a security researcher, found more than 49,000 misconfigured MQTT servers visible on the internet, including over 32,000 servers with no password protection, putting homes and businesses that use IoT devices at risk of being hacked. According to Hron, “if the MQTT protocol is not properly configured, cybercriminals can gain complete access to a home and, for example, learn when their owners are at home, manipulate entertainment systems, voice assistants, household devices, and physically open smart doors.”
MQTT servers listed on Shodan
The MQTT servers are thought to have been misconfigured by users when setting up their smart home devices, exposing both the system “dashboard” and the MQTT server itself. From a security standpoint, the problem with MQTT servers, and with IoT devices in general, is the difficulty of configuring security on these new devices and the limited device-level security that manufacturers build into them.
“Consumers need to be aware of the security concerns of connecting devices that control personal parts of their home to services they don’t fully understand and the importance of properly configuring their devices. Industry-wide, we have called for better device-level security for IoT devices. In order to ensure users’ entire smart home ecosystem is secured, manufacturers need to develop IoT devices which are simple for consumers to set up with a high-level of security,” says Hron.
Crestron Devices Make Hotel Rooms, Conference Rooms and Airport Touch Screens Vulnerable to Spying
Ricky "HeadlessZeke" Lawshae, an offensive security researcher for the Advanced Security Research team at Trend Micro, presented research at this year’s DefCon hacking conference exposing security flaws in Crestron devices such as touch screens in hotel rooms and conference rooms that could let hackers eavesdrop on conversations. Crestron makes automation and control solutions for homes and buildings that integrate systems including AV, lighting, shading, security, BMS and HVAC that can be managed, monitored and controlled from one platform.
Using Shodan, Lawshae found over 20,000 Crestron devices around the world connected to the internet. Focusing on Crestron's MC3 control system that runs on Windows and the company's TSW-X60 touchscreen panel that runs on Android, Lawshae discovered that the security authentication protections in these devices are disabled by default.
“Installing and programming these devices is difficult enough without considering adding security. Instead of being a necessity, it's an extra headache that almost always gets entirely passed over,” says Lawshae.
Shodan Reveals Babysitting App Sitter Exposed 93,000 Records Online
This month independent security researcher Bob Diachenko found a MongoDB database with thousands of records indexed on Shodan.
According to Diachenko, “it appears that Sitter, "the No.1 app for managing babysitters", inadvertently exposed its MongoDB instance to public. A 2GB set included 93 thousand user details with encrypted passwords to their Sitter accounts, phone numbers, addresses, transaction details with partial credit card numbers, user phone book contacts etc.”
Diachenko alerted the company about the exposed database and they immediately took it offline, responding that “Sitter has already notified all of its users and partners of the temporary data breach you identified that resulted in the last week in the course of development of certain product enhancements. The security vulnerability was immediately re-secured.”
Document Scanning Firm Exposes Corporate Documents on AWS
In another find by Bob Diachenko on August 19th, the researcher “came across a 142GB US-based / AWS-hosted MongoDB, not protected by password and login, hence available for public access” that belonged to ABBYY, a global provider of content intelligence solutions and services.
In a post on LinkedIn, Diachenko comments that “For the last couple of months I've been specifically focusing on researching and responsively reporting open MongoDBs using Shodan API. The reason for my interest was simple - I just wanted to convince myself that MongoDB ransomware attacks (so widely reported more than a year ago) are in the past. However, the amount of both published and non-published incident reports proved me wrong.”
The company’s database was disabled after Diachenko notified the firm. In a press release the company responded that after confirming the “database was part of one of our services – ABBYY Text Analytics for Contracts – we immediately locked external access to the database and started an investigation.”