Wednesday, August 22, 2018

Journalism? Meh.

I don't usually write this sort of post anymore, mostly because it's no longer catharsis for me, but there's an article on CSO Online, entitled "32,000 smart homes can be easily hacked due to misconfigured MQTT servers" (by Ms. "Not Her Real Name" Smith), that annoys me to no end. It comes across as little more than click-bait and the magazine doesn't allow comments. My issues with the article follow.

The author's derision, aimed towards use of an "older" protocol, is irksome. Talking about a "bygone era when security wasn't a concern" is the trademark of an engineer who's promoting something else (solution, self, or corporate stance). That said, I do like how the author avoided use of the word "legacy" (I see it all too often) but, using her logic, Tim Berners-Lee could be blamed for the Equifax leaks. The insecurity lies in the lack of proper configuration, not the protocol.

You keep hearing about how IoT is insecure? It's the "I" in IoT that's the problem. The article somehow avoids discussing how MQTT was not meant to run in any environment other than a local LAN or within a single security enclave. As with any other similar protocol, running it "on the Internet" adds insecurities.
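The configuration point above, as an added example that is not part of the original post: a Mosquitto broker configuration (Mosquitto is an assumption, the post names no broker software) showing the weak setup that produces the kind of exposed servers the article counts, next to a hardened one that keeps plain MQTT inside the LAN and authenticates and encrypts anything reachable from outside. The interface address and file paths are placeholders.

```conf
# Added example, not from the original post. Two alternative
# mosquitto.conf files, shown one after the other; option names are
# real Mosquitto options, addresses and paths are placeholders.

# ---------- mosquitto.conf (weak: Internet-exposed, open broker) ----------
# Listens on every interface, accepts unauthenticated clients, no TLS.
# This is the configuration that ends up in a Shodan result.
listener 1883
allow_anonymous true

# ---------- mosquitto.conf (hardened: LAN / single security enclave) ----------
# Plain-text MQTT only on the LAN-facing interface (placeholder address),
# never on a public interface.
listener 1883 192.168.1.10
allow_anonymous false
password_file /etc/mosquitto/passwd

# Anything that must be reachable beyond the LAN gets TLS with mutual
# authentication: the client must present a certificate from our CA,
# and the certificate identity becomes the MQTT username.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true

# Restrict what each authenticated identity may publish or subscribe to,
# so one compromised sensor cannot read or spoof every topic.
acl_file /etc/mosquitto/acl
```

Credentials for `password_file` are created with `mosquitto_passwd -c /etc/mosquitto/passwd <user>`, and after a restart `ss -lntp | grep -E ':(1883|8883)'` should show 1883 bound only to the LAN address, not to 0.0.0.0.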

Another problem is use of the phrase "Avast found...". Let's give credit where credit is due. Avast did not scan the Internet looking for insecure MQTT servers. Instead, someone at Avast used Shodan to get their numbers. Effectively, this is taking credit for someone else's work. Do they no longer teach "quote your sources" in college?

I have a Shodan account. As of this morning, the MQTT numbers break out to:

Total:   49,223
China:   12,185
US:       8,315
Germany:  3,048
HK:       2,177
RoK:      2,033

If you search specifically for port 1883, the numbers are:

China:   12,115
US:       8,275
Germany:  3,042
HK:       2,186
RoK:      2,031

This article butts up against another topic: being a journalist doesn't exclude you from laws. It doesn't matter that an insecure server exists on the Internet. If you connect to that server without permission, you've violated a number of laws. It's irresponsible not to mention this. The article should include such a warning, vice implying how easy the servers are to access.

The article ignores that there are some servers (okay, only a few) that are set up to be intentionally insecure. There are a number of use cases where a server might be set up insecure:

  • A few of the insecure servers might be the honeypots set up by various organizations. A Google search for "honeypot mqtt" returns some interesting examples.
  • Some servers are intentionally set to be insecure. Ignoring the usual hackme/CTF stuff, brokers like HiveMQ are set up open, so that others can develop code and/or learn about use of MQTT. (Google search for "free mqtt broker"). Others are set up to provide public services (e.g., weather stations, ISS locator, stock data, Twitter feeds, BBC Radio 3 LiveTexts) (examples here and here).
  • Some people don't care that they're being tracked. More often than not, they're tracking themselves and don't care if anyone else knows their location. The free MQTT servers are "open" and the encrypted/authenticated servers are not. Some people make the conscious choice to use the open servers. Some of those already know that they can be tracked via other means (e.g., your Android or Apple phone). The author's "shot" at OwnTrack fails to recognize that OwnTrack requires the user to "find" an Internet-accessible MQTT server (OwnTrack doesn't provide such). The author should probably next write an article about how APRS is insecure.

This doesn't mean that there aren't insecure MQTT servers on the Internet. They do exist and they make up the majority of the numbers discussed in the article. However, not accounting for legitimate use cases, warning about accessing systems without permission, etc. (when writing a "doom & gloom" article) is just shoddy journalism. My 7th grade English teacher would have given this article a C (also, he'd probably make a comment about the quality of the magazine editor).

Wednesday, August 1, 2018

What was I reading in July 2018?

This was another of those months where I've been so busy that I did very little reading. Once again, I'm studying for multiple certification tests (re-tests?). Related to reading, the current Humble Bundle is looking quite interesting.

For those with access to the house network, the ESXi upgrade (to 6.5) appears to have worked without issue. Also in the network are: 2 Kali instances with the first target and a full reverse proxy, a Gogs instance, a Markdown editor, a Vim trainer, and a web-based man page reader. Some heavy tweaking of the reverse proxy was required but it appears to be working (including access to VMRC from the Hamachi network).

For a while, I was having an issue with the "s" (star) key in TT-RSS. It turns out that my customized instance of Gleebox had updated and the navigation settings had shifted from the right side of the keyboard to the left. Finding it required that all extensions be turned off and behavior studied while each was re-enabled. It appears to be "playing nice" again.

I received a DLP-to-RPi adapter board from Mick Makes. Although it's intended to work with the RPi Zero, I'm hoping that it'll work with the new B+. It should, because the Zero and the B+ have the same header pin-out. Fingers crossed!

I've also turned on HTTPS for the blog (just now). Whether or not it works well remains to be seen. In any case, this past month's reading...

2018-07-02

- How we discovered three poisonous books in our university library
- Pointers Are More Abstract Than You Might Expect in C
- There was a time when search engines were a thing. And it seems they still are
- SMS over IRC
- Reverse Engineering for Beginners

2018-07-03

- Anti-Flow
- The advantages of an email-driven git workflow
- Water compresses under a high gradient electric field

2018-07-11

- This new dual-platform malware targets both Windows and Linux systems

2018-07-13

- Your IoT security concerns are stupid

2018-07-17

- A Short Guide to Hard Problems
- did.txt file
- How to Implement Open Source Container Security: Part 1 - Runtime Security

2018-07-23

- C's Biggest Mistake
- Autopsy of a deep learning paper

2018-07-31

- Leonardo Da Vinci's To Do List (Circa 1490)

The above was generated by a homegrown bolt-on script for Wallabag, which is a free utility for capturing web content so that it can be read later.