According to a study conducted by experts from Trend Micro and the Polytechnic University of Milan. attackers abuse M2M protocols to target IoT and IIoT devices.
The experts analyzed the M2M protocols, the Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).
The former one is a messaging protocol used to establish communication between a broker and multiple clients, the latter is a UDP client-server protocol that allows communications between nodes.
The experts pointed out that attackers could abuse M2M protocols for target reconnaissance, industrial espionage, targeted attacks, and to make lateral movements.
Researchers monitored both protocols over a period of four months, they the attacker’s role for their research
“For data gathering, we played the role of a casual attacker with modest resources, scanning the internet for exposed MQTT brokers and CoAP hosts. In just nearly four months, such a “casual attacker” was able to collect 209,944,707 MQTT messages obtained from 78,549 brokers and 19,208,047 CoAP responses from 441,964 servers.” reads the research paper.
The analysis of the MQTT protocol revealed the existence of security flaws that could be exploited to trigger DoS condition or execute arbitrary code. Trend Micro reported vulnerabilities to the developers of the affected software that have quickly released patches.
Below a video PoC of the attacks abusing the MQTT protocols:
The researchers did not find security flaws in the CoAP protocol, but warned that it is susceptible to IP spoofing, attackers could exploit it for DDoS amplification attacks.
“However, the Request for Comments (RFC) defining the protocol, RFC 7252,5 explicitly pinpoints the security issues (mainly due to the “connectionless” nature of UDP), which we confirmed with a practical experiment.” continues the report.
“On a test network with CoAP clients and servers, we launched an amplification attack with increasing payload size and estimated the maximum bandwidth amplification factor (BAF). According to our estimate, CoAP can reach up to 32 times (32x) amplification factor, which is roughly between the amplification power of DNS and SSDP.”
Experts highlighted the risks that malware in the next future could abuse M2M protocols for malicious activity.
“MQTT and CoAP are data protocols playing a fundamental role in M2M communication among consumer and industrial applications. The presence of unsecure MQTT and CoAP deployments shows no improved security awareness since 2017, when this problem was first highlighted for MQTT.” concludes the report.
“Despite the security recommendations being well highlighted in the CoAP RFC, CoAP already suffers from a deployment problem similar to that affecting MQTT. Both MQTT and CoAP have some features that, even in the absence of implementation vulnerabilities, can be abused to the attacker’s advantage. When deploying or using MQTT and CoAP services, the following practical points should be considered.”