100 million IoT devices affected by zero-day flaw

Security researchers have uncovered a zero-day vulnerability in open source software from EMQ that could cause systems to crash and affect medical equipment.

Researchers found the flaw in NanoMQ, an MQ Telemetry Transport (MQTT) messaging engine and multi-protocol message bus for edge computing that is used for collecting real-time data from smartwatches, car sensors, fire detection sensors, and more, according to researchers at cyber security firm Guardara.

The same technology is used to monitor health parameters via sensors for patients leaving the hospital and motion detection sensors to prevent theft.

The vulnerability could have significant implications for connected internet of things (IoT) devices dependent upon NanoMQ.

Zsolt Imre, founder and CTO of Guardana, said on GitHub the problem lies in the MQTT packet length. This messaging protocol for IoT devices is designed to be an extremely lightweight publish/subscribe messaging transport for connecting remote devices with a small code footprint and minimal network bandwidth.

Imre said when the MQTT packet length is tampered with and is lower than expected, a memcpy operation receives a size value that makes the source buffer location points to or into an unallocated memory area. “As a result, nanomq crashes,” he said.

“The problem seems to be with how the payload length is calculated,” Imre added. “Suspected that the unusual packet length ‘msg_len’ is a smaller value than ‘used_pos,’ therefore the subtraction results in a negative number. However, ‘memcpy’ expects the size as ‘size_t,’ which is unsigned. Therefore, due to the casting of a negative number to ‘size_t’, the length becomes a very large positive number (0xfffffffc in case of this proof of concept).”

According to Guardara, the flaw could potentially put millions of lives and significant property at risk. The flaw was discovered using a new testing tool developed by the firm.

Mitali Rakhit, CEO at Guardara, said even though some issues may not be exploitable for remote code execution, as we rely more and more on software in our daily lives: “Even a single crash could be fatal depending on the circumstance. Reliability and availability are critical due to a shift in the world being consumed by software.”

Upon discovering the vulnerability, Guardara notified EMQ immediately via its disclosure process. The company reacted and resolved the issue within a day.