- Powering over 100m IoT devices globally across 10,000 enterprises, EMQ vulnerability has real-world implications for car, fire detection, and patient data sensors
- Startup’s new breakthrough technology allowed non-security expert to identify vulnerability within minutes
[LONDON, UNITED KINGDOM, 23 SEPTEMBER 2021] Developer-focused code security specialist Guardara today announces it has uncovered a Zero Day Vulnerability in open source software from EMQ, the world’s leading provider of open source software for IoT devices. The vulnerability, which was uncovered by a non-security expert using Guardara’s powerful testing tool, could have significant implications for connected IoT devices depending on NanoMQ.
EMQ’s products power over 100 million connected IoT devices globally across over 10,000 enterprises. Guardara used its technology to detect multiple issues – within minutes – that caused EMQ’s NanoMQ product to crash during testing. The existence of these vulnerabilities means that any NanoMQ reliant system could be brought down completely.
This could potentially put millions of lives and significant property at risk. The technology within NanoMQ is used for collecting real time data from common devices including smartwatches, car sensors and fire detection sensors. Message brokers are used to monitor health parameters via sensors for patients leaving hospital, or motion detection sensors to prevent theft.
Reliability and availability have never been more critical
A vulnerability of this nature is difficult and time consuming for a non-security engineer to uncover, as advanced fuzz testing is an offensive security technique reserved for the most experienced security researchers and experts (and unfortunately, malicious actors). Guardara’s product allows engineering teams to integrate and automate this sophisticated testing into their toolkits without specialist technical knowledge.
“Guardara’s discovery of this Zero Day vulnerability within minutes shows that security issues are still present and can be widely found across different open source projects with the right capability. Even though some issues may not be exploitable for remote code execution, as we rely more and more on software in our daily lives, even a single crash could be fatal depending on the circumstance. Reliability and availability are critical due to a shift in the world being consumed by software.” – Mitali Rakhit, CEO, Guardara
Upon discovery of the vulnerability Guardara notified EMQ immediately via its disclosure process. The company reacted quickly, actively looking to improve the security posture of NanoMQ which resulted in the resolution of the issue within 1 day.
Democratizing security and improving access
According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from 1 million positions in 2014. It is unrealistic to expect that security professionals alone will be able to bear the burden of securing software with hundreds of millions, if not billions of devices. In 2018 co-founders Mitali Rakhit and Zsolt Imre established Guardara to use their breakthrough technology to make complex security techniques accessible to non-security experts.
“Our technology is game-changing for the industry because of its ability to bring security expertise into the hands of people who didn’t traditionally have access to formal training in security engineering or research. By democratizing access to sophisticated testing techniques, we are leveling the playing field against the adversary, and empowering the technology community to build security into their products from Day 0.” – Mitali Rakhit, CEO, Guardara.
Notes to Editors:
- NanoMQ is an MQ Telemetry Transport (MQTT) messaging engine and multi-protocol message bus for edge computing, used for collecting real time data from everything like smartwatches to car sensors and fire detection sensors. IoT message brokers are also used to monitor health parameters via sensors for patients leaving hospital or motion detection sensors to prevent theft.
- An offensive security testing technique utilized by Guardara’s product assessed the security and reliability of NanoMQ. This involved importing a wireshark capture of MGTT traffic into the product, then configuring a test which detected multiple issues within a couple of minutes. Guardara then notified EMQ immediately via their disclosure process. In addition, as per EMQ’s request, Guardara detailed one of the issues on Github here; https://github.com/nanomq/nanomq/issues/203?fbclid=IwAR0dfQrgHknG6ZsEv5WDJnpzaxyjUdQ-BtLC0ON4RkJHQm6dnB1HA4Bu1w8.
Guardara is a cybersecurity company on a mission to secure the world’s code. We believe in the democratization of security technology and are making security infrastructure and tooling accessible to non security professionals.
Founded in 2018, our Headquarters is located in London, United Kingdom. Our team of experts have over 25 years of experience in both offensive and defensive cyber security working with Fortune 500 companies, top global security consulting firms, and high growth venture backed security startups.