back to article DoS vulns in 3 open-source MQTT message brokers could leave users literally locked out of their homes or offices

Synopsys Cybersecurity Research Centre (CyRC) has warned of easily triggered denial-of-service (DoS) vulnerabilities in three popular open-source Internet of Things message brokers: RabbitMQ, EMQ X, and VerneMQ. The message brokers, responsible for handling data sent to or from IoT devices like smart home hubs and door locks, …

  1. Mishak

    You would kind of hope that any device that relies on MQTT would implement a watchdog to restart it if it terminates unexpectedly.

    Oh, wait, we're talking IoT...

    1. ForthIsNotDead

      You would be correct, and... We do... Crontab is such a useful beast...

      1. Adrian 4 Silver badge

        Even rc or that poettering thing would restart the daemon.

        Out of interest, what do those alternate brokers offer over mosquitto ?

        1. LDS Silver badge

          RabbitMQ doesn't use MQTT by default. It uses AQMP - MQTT is a plug-in, don't remember if it is enabled by default or not.

    2. Androgynous Cupboard Silver badge

      Ah, but these are the brokers we're talking about. The devices themselves may be knocked out by a wage-slave in a Shenzen factory and vulnerable to everything, but the brokers are run on proper computers and written by people that care. They should be no worse than any other daemon, eg apache, ftpd.

      Running Mosquitto here, with no regrets about that after this article.

  2. Falmari Silver badge

    Patch a key

    When was the last time you had to patch a key?

    I suppose keys can be vulnerable to DoS, multiple people tying to put their key into the same lock at the same time.

    1. LDS Silver badge

      Re: Patch a key

      A key broken inside the lock....

      1. Falmari Silver badge

        Re: Patch a key

        Even better example of DoS Key. :)

        1. lglethal Silver badge

          Re: Patch a key

          It can be done, but its very hard for someone to do it without leaving their house/basement...

          1. jake Silver badge

            Re: Patch a key

            Unless they are locking themselves in ... which, given the anti-social and often paranoid tendencies of folks with this mindset, wouldn't surprise me in the least.

      2. Ben Tasker Silver badge

        Re: Patch a key

        Or, given that a DoS is normally an attack (self-inflicted accidents not withstanding) - superglue in the lock.

        1. Peter2 Silver badge

          Re: Patch a key

          Which is easily fixed by pouring acetone (ie; nail varnish remover) into the lock as it dissolves superglue.

          1. Ben Tasker Silver badge

            Re: Patch a key

            A DoS is easily fixed by spinning up more capacity etc.

            It only needs to be a temporary inconvenience, not a permanent one.

            Also, if you've got a uPVC door you might want to be a little careful putting acetone anywhere near it (though nail varnish remover is sufficiently dilute it shouldn't be an issue)

            1. jake Silver badge

              Re: Patch a key

              "A DoS is easily fixed by spinning up more capacity etc."

              Frame in a new door. Or open a window. Or open Windows.

              1. Ben Tasker Silver badge

                Re: Patch a key


                Imagine explaining that to the insurance companies' risk adjuster - "There was glue in the lock, so I put in a new door"

                Didn't it occur to you to get a locksmith out sir?

            2. Drew Scriver

              Re: Patch a key

              Depends on the type of DoS-attack. For a DDoS-attack you may be able to add capacity, although that's not a given.

              However, DoS can be accomplished even with a single request or action in some instances. Generally, no amount of capacity will help in such cases. Although I have seen a web form that required one server per user - two people using the web form at the same time on the same server caused a DoS-sitution. I suppose that in that case you could just add servers...

              1. jake Silver badge

                Re: Patch a key

                "I suppose that in that case you could just add servers..."

                Cheaper to add a programmer with clues and the remit to use the correct tools for the job, instead of the tools mandated by management.

          2. jake Silver badge

            Re: Patch a key

            "Which is easily fixed by pouring acetone (ie; nail varnish remover) into the lock"

            Really? Try it. Report back.

          3. bombastic bob Silver badge

            Re: Patch a key

            or you just drill out the lock cylinder with a carbide bit and replace it

            (new mechanical door locks are pretty cheap)

    2. Kevin Johnston

      Re: Patch a key

      With most locks on uPVC doors, if you insert the key in one side then it stops a key being fully inserted from the other. Was told this morning of a relative having done than before suffering a medical issue and it required the Fire Service as it was a 3rd floor flat but had an open window.

      So DOS beaten by backdooring (ish)

  3. imanidiot Silver badge

    Smart stuff is all well and good, but if having internet problems or a power outage locks you out of your home you're doing something wrong imho. Backup systems. They matter.

    1. lglethal Silver badge

      Backup system?

      A window and a half-brick?

    2. Mishak


      One place I used to work at found that out when the server supporting the smart card access system failed.

      It was behind a security door controlled by the same system. Cue fire axe...

      1. Drew Scriver

        Could have sold management on a fail-open config at that point, right? ;-)

    3. Claptrap314 Silver badge

      "Fail Safe"

      Or not. It's your life, not mine...

  4. Kevin McMurtrie Silver badge

    Is there a GoS

    Is there a Granting of Service attack? My experience with most of the classic message queues is that it takes weeks of reading bloated source code to get them into a configuration where they shouldn't crash under a moderate load, and then they crash.

    1. Drew Scriver

      Re: Is there a GoS

      Wouldn't that essentially be a DoS? After all, the service includes actually locking a door. If that no longer happens that service would be down...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021