Full Article posted on IT World Canada:
Howard Solomon (@howarditwc)
Published: December 5th, 2018
Poor security surrounding an obscure but common machine-to-machine messaging protocol is exposing personal and corporate data, warns a Canadian security researcher.
Darryl Burke, CTO of an Ontario software marketing firm who also runs a consulting business on the side, says that using the Shodan search engine he has found several unsecured servers running poorly configured installations of Message Queuing Telemetry Transport (MQTT), a lightweight publish/subscribe messaging protocol that developers use in a number of applications, Internet of Things (IoT) deployments in particular. Among the examples he cites:
- An Edmonton municipal parking lot that uses a third-party vendor's service which photographs the licence plates of cars entering the lot to confirm payment. Those images are sent over the broker unencrypted. Since being notified, the city is looking into the issue;
- A Canadian firm that sells a background music service for stores and elevators, which exposed data such as which playlists customers have chosen. This is not personal information, Burke says, but it could be of interest to a competitor. Burke said the company told him the service is a proof of concept and that it is aware of the leak;
- A U.S.-based taxi dispatch service whose messages to drivers about where and when to pick up fares can be intercepted. These messages may include a phone number.
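What a check for the kind of exposure Burke describes looks like on the wire, as an added example that is not code from the article, the researcher or any of the vendors named: it hand-builds an MQTT 3.1.1 CONNECT packet with no credentials, reads the broker's CONNACK return code (0 means the anonymous session was accepted, 5 means not authorized), and if accepted subscribes to the `#` wildcard and lists the topics that arrive. The client identifier `mqtt-audit`, the function names and the sample PUBLISH packet (a made-up parking topic and plate) are constructed for this example; run the probe only against brokers you are authorized to test.

```python
# Added example, not the researcher's or any vendor's code: probe an MQTT 3.1.1 broker for
# anonymous access with hand-built packets (standard library only).
import socket, struct

# CONNACK return codes, MQTT 3.1.1 section 3.2.2.3
CONNACK_CODES = {0: "accepted: broker allows anonymous clients", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable", 4: "bad user name or password",
                 5: "not authorized"}

# Constructed sample PUBLISH (QoS 0) for offline testing; topic and plate are made up.
SAMPLE_PUBLISH = b"\x30\x1a\x00\x12parking/lot1/plate" + b"ABC123"

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means another byte follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(packet, offset=1):
    """Return (remaining_length, index of the first body byte) for the packet at packet[0]."""
    value, multiplier = 0, 1
    while True:
        byte, offset = packet[offset], offset + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128

def mqtt_string(s):
    data = s.encode("utf-8")  # MQTT strings: 2-byte big-endian length prefix, then UTF-8
    return struct.pack("!H", len(data)) + data

def build_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT packet; with no username/password it is exactly what an anonymous client sends."""
    flags, payload = 0x02, mqtt_string(client_id)  # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + mqtt_string(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + mqtt_string(password)
    body = mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + encode_remaining_length(len(body)) + body

def build_subscribe(packet_id, topic_filter="#", qos=0):
    """SUBSCRIBE packet; the '#' filter asks for every topic the broker's ACL lets us see."""
    body = struct.pack("!H", packet_id) + mqtt_string(topic_filter) + bytes([qos])
    return b"\x82" + encode_remaining_length(len(body)) + body

def parse_connack(packet):
    """Return the CONNACK return code (a key of CONNACK_CODES)."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return packet[3]

def parse_publish(packet):
    """Return (topic, payload) from a PUBLISH packet at any QoS."""
    if packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    length, start = decode_remaining_length(packet)
    (topic_len,) = struct.unpack("!H", packet[start:start + 2])
    topic = packet[start + 2:start + 2 + topic_len].decode("utf-8")
    data = start + 2 + topic_len + (2 if qos else 0)  # QoS 1 and 2 carry a packet identifier
    return topic, bytes(packet[data:start + length])

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection")
        buf += chunk
    return buf

def read_packet(sock):
    """Read exactly one control packet, sized by its remaining-length field."""
    header = recv_exact(sock, 2)
    while header[-1] & 0x80:
        header += recv_exact(sock, 1)
    length, _ = decode_remaining_length(header)
    return header + recv_exact(sock, length)

def probe_anonymous_access(host, port=1883, timeout=5.0, max_messages=20):
    """Connect with no credentials; if accepted, subscribe to '#' and collect topic names."""
    topics = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("mqtt-audit"))
        code = parse_connack(read_packet(sock))
        if code == 0:
            sock.sendall(build_subscribe(1, "#"))
            try:
                while len(topics) < max_messages:
                    pkt = read_packet(sock)
                    if pkt[0] >> 4 == 3:  # keep PUBLISH, skip SUBACK/PINGRESP/etc.
                        topics.append(parse_publish(pkt)[0])
            except (socket.timeout, ConnectionError):
                pass  # quiet broker or it hung up: report what we saw
    return CONNACK_CODES.get(code, "unknown code"), topics
```

`probe_anonymous_access("broker.example.test")` returns the CONNACK verdict and up to twenty topic names. A broker that requires credentials answers with return code 5 (or 4 if it checks the empty user name), while one that answers 0 and then streams topics is the case Burke found. The `#` subscription only reveals what the broker's ACL grants the anonymous client, so an accepted connection with an empty topic list is still worth reporting.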
IT administrators "need to be aware of this if they're using IoT infrastructure, or vendor software that uses it," said Burke. "They should be asking the right questions and making sure it's protected, otherwise they could be inadvertently exposing their data."
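What "making sure it's protected" means for the most widely deployed open-source broker, as an added example not from the article or the Mosquitto project: two constructed mosquitto.conf fragments, the open configuration beside a hardened one (no anonymous clients, a password file, an ACL file and a TLS-only listener), and a small linter that flags the missing settings. The file paths are placeholders; the directive names are Mosquitto's own, and the checks are this example's, not an official tool.

```python
# Added example, not from the article or the Mosquitto project: lint the mosquitto.conf
# settings that decide whether a broker accepts anonymous clients, speaks cleartext, and
# lets any connected client read the whole topic tree. Both configs are constructed samples.

WEAK_CONF = """\
# the kind of configuration an exposed broker tends to run
listener 1883 0.0.0.0
allow_anonymous true
"""

HARDENED_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
listener 8883 0.0.0.0
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
"""

def parse_conf(text):
    """Return (directive, value) pairs in file order, skipping comment and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs

def audit_conf(text):
    """Return human-readable findings; an empty list means these checks found nothing.

    Assumption of this example: directives are treated as global, which matches
    Mosquitto's default per_listener_settings false.
    """
    pairs = parse_conf(text)
    keys = {k for k, _ in pairs}
    findings = []
    anon = [v.lower() for k, v in pairs if k == "allow_anonymous"]
    if not anon or anon[-1] != "false":
        findings.append("allow_anonymous is not explicitly false: anyone can CONNECT "
                        "(Mosquitto 1.x defaulted this to true)")
    if "password_file" not in keys:
        findings.append("no password_file: no credentials to check unless an auth plugin "
                        "or client certificates are used")
    if "acl_file" not in keys:
        findings.append("no acl_file: every client that connects can subscribe to '#'")
    listeners = [v.split()[0] for k, v in pairs if k == "listener"]
    if not listeners:
        findings.append("no listener directive: Mosquitto 1.x then listens on 1883 on all interfaces")
    has_tls = {"certfile", "keyfile"} <= keys
    for port in listeners:
        if not has_tls:
            findings.append("listener %s has no certfile/keyfile: traffic is cleartext" % port)
    return findings
```

The password file referenced in the hardened fragment is created with `mosquitto_passwd -c /etc/mosquitto/passwd <user>`, and the ACL file restricts each user to its own topics, so that one dispatch client's credentials do not expose every other customer's messages. With `per_listener_settings true` the authentication directives must be repeated after each `listener`, which this linter does not model.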