Zero-day vulnerability found in EMQ IoT software

  • September 29, 2021
  • Steve Rogerson

Developer-focused code security specialist Guardara has uncovered a zero-day vulnerability in open-source software from EMQ used for IoT devices.

The vulnerability, which was uncovered by a non-security expert using Guardara’s testing tool, could have significant implications for connected IoT devices depending on NanoMQ, an MQTT messaging engine and multi-protocol message bus for edge computing.

China-based EMQ’s products power over 100 million connected IoT devices globally across over 10,000 enterprises. UK-based Guardara used its technology to detect multiple issues within minutes that caused EMQ’s NanoMQ product to crash during testing. The existence of these vulnerabilities means that any NanoMQ-reliant system could be brought down completely.

This could potentially put millions of lives and significant property at risk. The technology within NanoMQ is used for collecting real-time data from common devices including smartwatches, car sensors and fire detection sensors. Message brokers are used to monitor health parameters via sensors for patients leaving hospital, or motion detection sensors to prevent theft.

A vulnerability of this nature is difficult and time-consuming for a non-security engineer to uncover, as advanced fuzz testing is an offensive security technique reserved for the most experienced security researchers and experts and, unfortunately, malicious actors. Guardara’s product allows engineering teams to integrate and automate this testing into their toolkits without specialist technical knowledge.

“Guardara’s discovery of this zero-day vulnerability within minutes shows that security issues are still present and can be widely found across different open-source projects with the right capability,” said Mitali Rakhit, CEO of Guardara. “Even though some issues may not be exploitable for remote code execution, as we rely more and more on software in our daily lives, even a single crash could be fatal depending on the circumstance. Reliability and availability are critical due to a shift in the world being consumed by software.”

Upon discovery of the vulnerability, Guardara notified EMQ immediately via its disclosure process. The company reacted quickly, actively looking to improve the security posture of NanoMQ, which resulted in the resolution of the issue within one day.

This comes at a time when EMQ has made its X Cloud available on the Google Cloud platform to provide fully managed and cloud-native MQTT messaging services for the IoT.

The open-source and cloud-native distributed MQTT broker for IoT says its X Cloud now supports all major cloud platforms, including Google, AWS, Azure and Aliyun Cloud, enabling users to carry out their IoT projects with MQTT in multiple regions of multiple or hybrid clouds without the hassle of deploying and managing self-managed MQTT services.

To create an EMQ X Cloud deployment, the user needs to register on the X Cloud website, with no credit card required, select the edition of X Cloud, and choose the public cloud platform and its region and specifications.

X Cloud is a fully-managed cloud-native MQTT messaging service, providing a one-stop hosting service to connect IoT devices to everything with real-time IoT data movement, processing and integration, accelerating the IoT application development and innovation without the burden of managing infrastructure.

Users can achieve fully automated environment creation, service deployment, on-demand scaling, service monitoring and alerting, and build industry applications for IoT.

EMQ X Cloud guarantees millisecond latency in message delivery with the soft real-time runtime system. Now combined with Google Cloud, which is particularly known for its low latency between regions, X Cloud can improve real-time transmission of messages.

X Cloud adopts the Masterless cluster architecture to ensure the high availability of services, while Google Cloud has live migration with zero effect. A combination of the two provides 99.95% availability of a single instance and 99.99% availability of multiple instances in different regions.

To meet enterprises’ growing demands of multi-cloud and hybrid cloud, X Cloud provides a unified MQTT cloud service across all mainstream cloud platforms with more than 20 availability zones and dozen regions supported worldwide.

EMQ provides an open-source data infrastructure for IoT to help achieve unified connect, move, process and analysis of IoT data from edge to cloud. Working with users from various industries such as carrier, internet of vehicles, finance and payment, power and utilities, IIoT, AIoT, and energy, EMQ says it keeps carrying the mission and vision of powering the future-proof IoT and the enterprise digital transformation.