Zero Day Vulnerability Found in Popular IoT Message Broker Software

595

Developer-focused code security provider Guardara today announced it has uncovered a Zero Day Vulnerability in open source software from EMQ, the open source software provider for IoT devices.

The vulnerability, which was uncovered by a non-security expert using Guardara’s testing tool, could have significant implications for connected IoT devices depending on NanoMQ1.

EMQ’s products power over 100 million connected IoT devices globally across over 10,000 enterprises. Guardara used its technology to detect multiple issues – within minutes – that caused EMQ’s NanoMQ product to crash during testing. The existence of these vulnerabilities means that any NanoMQ reliant system could be brought down completely.

This could potentially put millions of lives and significant property at risk. The technology within NanoMQ is used for collecting real time data from common devices including smartwatches, car sensors and fire detection sensors. Message brokers are used to monitor health parameters via sensors for patients leaving hospital, or motion detection sensors to prevent theft.

Reliability and availability have never been more critical

A vulnerability of this nature is difficult and time consuming for a non-security engineer to uncover, as advanced fuzz testing is an offensive security technique reserved for the most experienced security researchers and experts (and unfortunately, malicious actors). Guardara’s product allows engineering teams to integrate and automate this sophisticated testing into their toolkits without specialist technical knowledge.

Mitali Rakhit, CEO, Guardara, said, “Even though some issues may not be exploitable for remote code execution, as we rely more and more on software in our daily lives, even a single crash could be fatal depending on the circumstance. Reliability and availability are critical due to a shift in the world being consumed by software.”

Upon discovery of the vulnerability Guardara notified EMQ immediately via its disclosure process. The company reacted quickly, actively looking to improve the security posture of NanoMQ which resulted in the resolution of the issue within 1 day.