The Fragility of Industrial IoT's Data Backbone: Security and Privacy Issues in MQTT and CoAP Protocols

Abstract

The most popular protocols for machine-tomachine (M2M) technology—the backbone of the internet of things (IoT) and industrial internet of things (IIoT)—are affected by security and privacy issues that impact several market verticals, applications, products, and brands. This report provides a holistic security analysis of the most popular M2M protocols: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). Given their flexibility, these data protocols are being adopted in a variety of settings for consumer, enterprise, and industrial applications to connect practically all kinds of “machine,” from innocuous fitness trackers to large power plants. We found issues in design as well as vulnerable implementations, along with hundreds of thousands of unsecure deployments. These issues highlight the risk of how endpoints could be open to denial-of-service (DoS) attacks and, in some cases, taken advantage of to gain full control by an attacker. Despite the fixes in the design specifications, it is hard for developers to keep up with a changing standard when a technology becomes pervasive. Also, the market for this technology is very wide because the barrier to entry is fairly low. This has led to a multitude of fragmented implementations. This report is aimed at raising security awareness and driving the adoption of proper remediation measures.

Publication
Trend Micro Research