Default static key in ThingsBoard IoT platform can give attackers admin access

Developers of ThingsBoard, an open-source platform for managing IoT devices that’s used in various industry sectors, have fixed a vulnerability that could allow attackers to escalate their privileges on a server and send requests with administrative privileges. The vulnerability, tracked as CVE-2023-26462, was discovered and privately reported by researchers from IBM Security X-Force. It stems from the platform using a static key to sign JSON Web Tokens (JWTs) issued to clients. With knowledge of that key, which can be easily obtained, attackers could forge valid requests that would allow them to identify to the system as higher privileged users.

“Because ThingsBoard allowed the default key to be used without requiring administrators to change it, and because that default key was also exposed publicly in the configuration files, the door was opened for attackers to gain unauthorized access in excess of what is intended,” the X-Force researchers said in their report.

The flaw was fixed in ThingsBoard version 3.4.2 by generating a random key for every new installation or upgrade to version 3.4.2 or later. If admins can’t upgrade immediately, they can manually change the default signing key for older versions in the configuration file or through the admin dashboard.

Insecure implementation of JSON Web Tokens

JSON Web Token is an internet standard for stateless authentication that has been widely adopted in mobile and web applications, particularly in scenarios where interactive authentication is impractical such as machine-to-machine or service-to-service communication. Stateless authentication doesn’t rely on usernames and passwords being imputed and the state of a user’s session being stored on the server. Instead it relies on tokens or tickets that contain certain assertions or claims about an user that the server knows to be true.

With JWT, the server generates a token for a client and signs it with its secret key. That token consists of a payload that identifies the user and their permissions. Every time the user or client wants to perform an action on the server, they send their signed token along with the request.

It’s easy to see in this workflow why keeping the signing key secure is important. Otherwise, someone who knows the server’s key could take a valid payload, alter values in it, and then re-sign it with the key so the server will accept it as valid.

In the case of ThingsBoard, an attacker can change the scope value from the JWT that identifies the user’s role on the server and therefore dictates what privileges they have. Some of the high-privileged scopes can be TENANT_ADMIN or SYS_ADMIN. Tenants are organizational subdivisions on the platform and tenant admins can manage all devices belonging to a certain tenant. System admins, however, have control over the whole system, including the ability to manage all tenants.

“By editing this role value and generating a new, valid signature for the payload, a user can escalate privileges within the platform to the highest level,” the X-Force researchers said. “This grants access throughout the entirety of the platform, including other tenants, users, and devices not affiliated with the original account.”

ThingsBoard can manage and collect data from devices that support a variety of IoT gateways, cloud APIs, and communication protocols such as: MQTT, HTTP, CoAP, Webhooks, LwM2M, LoRaWAN, SigFox, NB IoT, SMS, OPC-UA, Modbus, BLE, Request, CAN, BACnet, ODBC, REST, and SNMP. It integrates with platforms such as Azure Event Hub, AWS IoT, Azure IoT Hub, and IBM Watson IoT. Due to the multitude of connectivity options, it supports both internet-enabled devices and devices that communicate over non-internet protocols.

Use cases for ThingsBoard include collecting data from energy meters, soil monitors and farming equipment, smart irrigation systems, air quality monitors, fleet management systems, food storage monitors, water meters, and resource consumption monitors in offices. Its creators claim it’s used in energy, telecom, warehouse management, smart city projects, building automation, agriculture, and Industry 4.0 projects.

“ThingsBoard is just one among many IoT platforms which, much like the devices that connect to them, all deserve further research and scrutiny,” the X-Force researchers said. “Adoption of IoT devices in all industries will only continue to grow, and with it the need to ensure security in the platforms managing devices and collecting data.”