CyberSec&AI Connected 2021 | BLOG

In data, we trust

Martin Hron

The story of data poisoning and manipulation on the low level.

We read headlines almost every day about data leaks, privacy concerns, fake news, misinformation, or AI bias. These are all real-world problems, but to me, high-level problems stem from lower-level manipulations. As a reverse engineer and natural things-breaker, I have always been keen on low-level and hardware analysis, so naturally I would like to point out that at the very bottom of information technology there are still gems to be found: low-level, fundamental data channels that could be manipulated to produce the higher-level outcomes mentioned above. To put it simply, if there are still low-level data channels that can be easily manipulated, how can we trust the information reality that is built upon this technology?

In this short article, I will present to you an example of how low-level protocols can cause high-level misinformation on the Internet. This example showcases how an old protocol, MQTT, can be abused to make the world on the Internet seem different from the real world.

Although the security of MQTT has been researched several times by various researchers from the perspective of what data leaks through it, no one has raised the question of data manipulation and how that, in turn, can be used to manipulate reality through the internet. I’ll show a very concrete recent case from my research of how very low-level data abuse can end in the victim perceiving a false reality while still trusting the data. This is not about how social media is manipulated, or how fake news and propaganda are crafted to serve a purpose. Rather, it’s an attack on the systems we use to “see” reality through the internet. The following case shows how brittle the chain of trust is and why it should be protected in the modern era of an information-driven society. Fasten your seat belts. We are going down to the network of networks.

The effect

This is the case of one telco operator somewhere in southeast Europe. For privacy reasons, we will not name the operator or its employees.

It’s morning, and one of the telco operator’s employees gets an alert from one of the monitoring systems that something is going on at one of the BTS (Base Transceiver Station) sites.

He routinely logs in to see what’s wrong. The data has just gone haywire. According to the telemetry, someone used his access card to enter the station. It looks like an intrusion, but there is nobody on camera, outside or inside the station. He calls the police. A few minutes later, he gets a callback: everything seemed normal, nobody was found there, and the station was intact. He thinks to himself, “probably a bug.” However, this happens a few more times that day with various access cards. After the third physical check of the BTS, he gives up alerting the police again, figuring the monitoring system is probably just broken. The day after, the BTS goes offline. Checking the last snapshot from the cameras, he sees this:

Image 1: Camera feed as seen at the NOC: attacker-modified image. This was the last picture seen before the BTS went offline.

The cause

The cause, in this case, is simple: a combination of a configuration error and the use of an old and insecure protocol, MQTT. MQTT comes from the era of industrial automation, when network perimeters were closed and there was hardly any internet connectivity. MQTT is a simple yet powerful publish/subscribe protocol that is now reused in many applications that need asynchronous communication between multiple publishers and subscribers. In recent years it has also been widely re-adopted by IoT devices for data and command exchange, as it is lightweight and simple enough to integrate. You can learn about MQTT and its issues in our research from 2018: https://decoded.avast.io/martinhron/are-smart-homes-vulnerable-to-hacking/.

But back to our case, the BTS station. Here, MQTT is used to send telemetry back to the NOC (Network Operation Centre) of the telco provider. We will not go into detail on the security issues we found there, such as unauthenticated access to unencrypted MQTT data on the wire. The first reaction from the vendor when we disclosed these issues to them was: “It’s just a telemetry. You can’t really control anything inside the BTS station through it.”

The problem here is that anyone who has access to the server where all this data goes can also inject and overwrite (and thus publish) data on the topic (in MQTT terminology, a topic is the data “channel” on which the NOC alerting system expects data). This effectively replaces the original state of the BTS with maliciously crafted data. As the NOC is subscribed to these topics, the chain of alerts, and maybe even automatic remediations, is triggered simply by publishing false data to a topic with the same name.

In addition to the security concerns, the other obvious issue is privacy, because all kinds of private data are transmitted as part of the telemetry, including camera snapshots, access cards, IDs, and more.

Image 2: Simplified diagram of the attack. The key part is a replay attack at a faster pace than the original data.
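As an added example, not part of the original article, here is one way the NOC side could refuse re-published or rewritten telemetry on a topic even when the broker itself is open: each BTS signs its messages with a per-device key, and the subscriber checks the signature, a sequence number and a timestamp, so a replayed capture, a replay at a faster pace, or a crafted state is discarded. Topic names, keys and messages are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed example: hypothetical topic name and per-device key; a real
# deployment would provision the key out of band, never over the open broker.
DEVICE_KEYS = {"bts/42/telemetry": b"per-device-secret-provisioned-out-of-band"}
MAX_SKEW_S = 30  # messages older than this are treated as replayed captures

def sign(topic: str, seq: int, ts: int, body: dict, key: bytes) -> str:
    """HMAC-SHA256 over topic, sequence number, timestamp and canonical body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{topic}|{seq}|{ts}|{canon}".encode(), hashlib.sha256).hexdigest()

@dataclass
class Verifier:
    now: int                                  # injected clock, so the example runs offline
    last_seq: dict = field(default_factory=dict)

    def check(self, topic: str, payload: dict) -> str:
        """NOC-side check run on every message received from the broker."""
        key = DEVICE_KEYS.get(topic)
        if key is None:
            return "reject:unknown-topic"
        try:
            seq, ts, body, tag = payload["seq"], payload["ts"], payload["body"], payload["mac"]
        except KeyError:
            return "reject:malformed"         # e.g. an unsigned publish on the topic
        if not hmac.compare_digest(sign(topic, seq, ts, body, key), tag):
            return "reject:bad-mac"           # body rewritten or forged without the key
        if abs(self.now - ts) > MAX_SKEW_S:
            return "reject:stale"             # an old capture re-published later
        if seq <= self.last_seq.get(topic, -1):
            return "reject:replay"            # sequence number already consumed
        self.last_seq[topic] = seq
        return "accept"

def demo() -> list:
    """Feed a genuine message, then three manipulations of it, through the verifier."""
    topic, ts = "bts/42/telemetry", 1_000_000
    key, v = DEVICE_KEYS[topic], Verifier(now=1_000_000)
    body = {"door": "closed", "card": None}
    genuine = {"seq": 7, "ts": ts, "body": body, "mac": sign(topic, 7, ts, body, key)}
    forged = dict(genuine, body={"door": "open", "card": "EMP-0042"})  # state rewritten
    return [v.check(topic, genuine),            # accept
            v.check(topic, genuine),            # same capture replayed
            v.check(topic, forged),             # crafted state, MAC no longer matches
            v.check(topic, {"door": "open"})]   # plain publish with no signature
```

Signing at the application layer does not replace broker authentication and TLS; it only ensures that a topic name alone is no longer enough to make the NOC believe a state.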

You might say this is an isolated case and there is nothing to worry about. Well, speaking of this particular protocol, in 2018 we found 32,000 MQTT servers publicly open and leaking various data, from email addresses, camera snapshots and smart home data to GPS coordinates and personal information, that can not only be misused in the traditional sense of a data breach or leak, but also manipulated and overwritten. Three years later, in 2021, we found this number had increased to 80,000 MQTT servers. Clearly, exposure through this old and insecure protocol has increased dramatically over the past three years.

Takeaways

The main takeaway can be summed up in one simple sentence: “We can’t trust the reality that we see through the internet if we can’t trust the underlying protocols that it’s riding on.”

The number of MQTT servers is still rising as the number of connected IoT and IIoT systems rises. I believe it’s about time to start fixing these fundamental data channel issues, as we strive for trusted information in the digital era.

Even down at the bottom of the internet, under the sea of fake news, misinformation and data manipulation, there are still things going unnoticed and hidden, where false data comes from manipulation at the lowest possible level. This is mainly due to improper configuration and the adoption of protocols that are either obsolete or simply not suitable for transferring critical and private data. In the 21st century, we still see protocols such as unencrypted MQTT, telnet, or HTTP being used to move this data around the internet, making the adversary’s job easy.

It’s not that these manipulations did not happen in the pre-internet era. There have always been cases of messages being intercepted and modified. It’s just that the speed and scale with which adversaries can abuse these systems has increased dramatically. We’ve created systems that allow us to spread information easily and fast, without properly weighing the consequences. Now it’s time to get rid of the obvious security risks posed by repurposing old, outdated protocols that were never intended for today’s threat environment.

We should always build complex systems from the bottom up. Putting the roof before the windows on your house won’t hide you from rain when the wind is blowing.

If you are interested in this topic, we have prepared a more technical series on the MQTT research we did, which will be published gradually at https://decoded.avast.io.

About the author

Martin Hron is a Security Researcher at Avast. Martin leads research across various disciplines such as dynamic binary translation, hardware-assisted virtualization, and malware analysis. Martin is devoted to technology and is a true software and hardware reverse engineer, game programmer, tinkerer, and practitioner of AI and IoT mantras. Prior to Avast, Martin held the position of artificial intelligence and game programmer, working on the MAFIA II (AAA game title) project, and of Windows kernel software engineer working on encryption file system drivers. Martin brings more than 20 years of experience in the IT industry and deep knowledge of hardware and operating system architectures to Avast, where he leads research, mainly in the domain of dynamic malware analysis and general security. Martin is always on the hunt, keeping an eye on new emerging technologies.
