Researchers found the flaw in NanoMQ, an MQ Telemetry Transport (MQTT) messaging engine and multi-protocol message bus for edge computing that is used for collecting real-time data from smartwatches, car sensors, fire detection sensors, and more, according to researchers at cyber security firm Guardara.
The same technology is used to monitor health parameters via sensors for patients leaving the hospital and motion detection sensors to prevent theft.
The vulnerability could have significant implications for connected internet of things (IoT) devices dependent upon NanoMQ.
Zsolt Imre, founder and CTO of Guardana, said on GitHub the problem lies in the MQTT packet length. This messaging protocol for IoT devices is designed to be an extremely lightweight publish/subscribe messaging transport for connecting remote devices with a small code footprint and minimal network bandwidth.
Imre said when the MQTT packet length is tampered with and is lower than expected, a memcpy operation receives a size value that makes the source buffer location points to or into an unallocated memory area. “As a result, nanomq crashes,” he said.
HP Wolf Security: Threat insights report
Equipping security teams with the knowledge to combat emerging threats
“The problem seems to be with how the payload length is calculated,” Imre added. “Suspected that the unusual packet length ‘msg_len’ is a smaller value than ‘used_pos,’ therefore the subtraction results in a negative number. However, ‘memcpy’ expects the size as ‘size_t,’ which is unsigned. Therefore, due to the casting of a negative number to ‘size_t’, the length becomes a very large positive number (0xfffffffc in case of this proof of concept).”
According to Guardara, the flaw could potentially put millions of lives and significant property at risk. The flaw was discovered using a new testing tool developed by the firm.
Mitali Rakhit, CEO at Guardara, said even though some issues may not be exploitable for remote code execution, as we rely more and more on software in our daily lives: “Even a single crash could be fatal depending on the circumstance. Reliability and availability are critical due to a shift in the world being consumed by software.”
Upon discovering the vulnerability, Guardara notified EMQ immediately via its disclosure process. The company reacted and resolved the issue within a day.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.