Security specialist Avast has warned of misconfiguration in ‘smart home’ products that are leaving thousands of users vulnerable to attack, thanks to accidental exposure of Message Queuing Telemetry Transport (MQTT) servers.

“Both MQTT and [popular broker software] Mosquitto have broad security capabilities — for example, to provide fine-grained access control by user and topic. As with many things, the problems are created in the implementation and configuration,” Avast’s Martin Hron explains in his article, which looks at real-world scenarios where user data is exposed and unauthorised remote access possible even while using a supposedly-secure MQTT implementation.

“What if the MQTT server does not have a secure configuration? As with a lot of vulnerabilities, the main issues are insecure and default configurations. What makes the misconfiguration of MQTT worse is that by getting access to the MQTT server, you get access to all the messages flowing through it. How? Remember # as a wildcard? You can subscribe to just # and nothing else. In such cases, every time someone publishes something on any topic, you’ll get that data.

“More concerning is that many poorly configured MQTT servers are also publicly available on the internet without any password, allowing a cybercriminal to spy on any house that uses it. The ‘advantage’ for the cybercriminal is that if the server is publicly available, he or she can connect to it from anywhere. Further, as most users don’t set up access controls— in the form of Access Control Lists (ACLs)—when they configure a Mosquitto while setting up their smart home hub, cybercriminals can not only subscribe to the server, but can also publish to it, thus seizing control of all devices in a smart home.”

Martin’s full piece, which includes evidence of nearly 49,000 publicly-exposed MQTT servers visible to the Shodan security-focused search engine of which around 32,000 have no password protection, is available on the Avast blog.