M2M Protocols Could Lead to Industrial Attacks

Tuesday, December 4, 2018 @ 05:12 PM gHale

Hackers can leverage machine-to-machine (M2M) protocols to attack Internet of Things (IoT) and Industrial Internet of Things (IIoT) systems, new research found.

Security provider Trend Micro analyzed two M2M protocols: Message Queuing Telemetry Transport (MQTT), which facilitates communications between a broker and multiple clients, and the Constrained Application Protocol (CoAP), a UDP-based server-client protocol that allows HTTP-like communications between nodes.

MQTT is a mature standard used for automation and industrial applications. CoAP is newer and used by multiple IoT and IIoT products.

Trend Micro monitored activity associated with these protocols over a period of four months and identified over 200 million MQTT messages and more than 19 million CoAP messages leaked by hundreds of thousands of Internet-exposed brokers and servers.

In the case of MQTT, Trend Micro researchers discovered vulnerabilities in the protocol itself and its implementations. The flaws can allow malicious actors to execute arbitrary code or cause a denial-of-service (DoS) condition, which can pose a serious risk to industrial systems. The flaws have been reported to the developers of the affected software and patches have been released.

Researchers have not found any actual vulnerabilities in CoAP, but pointed out that since the protocol is based on UDP, it’s susceptible to IP spoofing, which makes it ideal for DDoS amplification.
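The amplification concern comes down to how many bytes a CoAP server returns for each byte of the request that triggered them. As an added example (not from the article or the Trend Micro paper), the Python below parses CoAP datagrams per RFC 7252 and computes that ratio for traffic captured from your own devices; the `/inventory` resource and both sample datagrams are constructed.

```python
import struct

def _ext(nibble, data, pos):
    """Decode an option delta/length nibble plus its extended bytes (RFC 7252, 3.1)."""
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    if nibble == 15:
        raise ValueError("reserved option nibble")
    return nibble, pos

def parse_coap(datagram: bytes) -> dict:
    """Parse one CoAP-over-UDP message: header, token, options, payload."""
    try:
        first, code, mid = struct.unpack_from("!BBH", datagram, 0)
        version, tkl = first >> 6, first & 0x0F
        if version != 1 or tkl > 8 or len(datagram) < 4 + tkl:
            raise ValueError("not a well-formed CoAP version 1 message")
        pos, number, options = 4 + tkl, 0, []
        while pos < len(datagram) and datagram[pos] != 0xFF:  # 0xFF = payload marker
            head = datagram[pos]
            delta, pos = _ext(head >> 4, datagram, pos + 1)
            length, pos = _ext(head & 0x0F, datagram, pos)
            if pos + length > len(datagram):
                raise ValueError("option runs past end of datagram")
            number += delta  # option numbers are delta-encoded
            options.append((number, datagram[pos:pos + length]))
            pos += length
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated CoAP message") from exc
    payload = datagram[pos + 1:] if pos < len(datagram) else b""
    return {"type": (first >> 4) & 0x3, "code": f"{code >> 5}.{code & 0x1F:02d}",
            "message_id": mid, "token": datagram[4:4 + tkl], "payload": payload,
            "uri_path": "/" + "/".join(v.decode() for n, v in options if n == 11)}

def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes returned for a request divided by bytes sent, matched on the token."""
    token = parse_coap(request)["token"]
    returned = sum(len(r) for r in responses if parse_coap(r)["token"] == token)
    return returned / len(request)

# Constructed sample datagrams (not captured traffic): GET /inventory and its 2.05 reply.
REQUEST = bytes([0x42, 0x01, 0x12, 0x34]) + b"\xab\xcd" + b"\xb9inventory"
BODY = b",".join(b'{"id":%d,"t":21.5}' % i for i in range(10))
RESPONSE = bytes([0x62, 0x45, 0x12, 0x34]) + b"\xab\xcd" + b"\xc1\x32\xff" + BODY

if __name__ == "__main__":
    print(parse_coap(REQUEST)["uri_path"], amplification_factor(REQUEST, [RESPONSE]))
```

A resource whose factor is well above 1 and that answers unauthenticated requests from the internet is the kind of exposure the periodic checks recommended in the report are meant to catch.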

“MQTT is a mature standard and a publish-subscribe protocol that handles one-to-many communication mediated by brokers,” said Trend Micro Threat Researcher Federico Maggi in a post. “We found security issues in the protocol itself and its software implementations. This presents a problem as MQTT is widely adopted commercially for automation and in industrial applications, which could prove crucial for mission-critical M2M.

“CoAP, on the other hand, follows a client-server model, allowing the creation of the equivalent of HTTP for constrained nodes. Despite being relatively new, CoAP is already implemented in many pieces of IoT and IIoT software today. Security issues that we highlight are primarily due to the ‘connectionless’ nature of User Datagram Protocol (UDP), on which it is based. Although the risks are well highlighted in the CoAP Request for Comments (RFC), in this research we empirically measured the bandwidth amplification potential of CoAP services.”

Maggi is one of the authors of a research paper on the subject, along with Trend Micro’s Rainer Vosseler and Davide Quarta of the Polytechnic University of Milan.

In the past, security professionals said these M2M protocols had problems that could be leveraged for targeted reconnaissance, industrial espionage, targeted attacks and lateral movement.

Maggi said it will not take long until attackers become aware of their potential for malicious activity.

The report is aimed at raising security awareness and driving the adoption of proper remediation measures. Given the results of the research, the three researchers made the following high-level recommendations:
• Implement proper policies to remove unnecessary M2M services. This is particularly hard in complex, multi-vendor IIoT systems, which depend on M2M technology for basic functionalities, from simple notifications to critical software upgrades. Before being used in IoT solutions, M2M technology was (and still is) used for integration.
• Run periodic checks using internet-wide scan services or tools to ensure that none of the sensitive company data is inadvertently leaked through public IoT services. It is often the case that — for fast prototyping — test systems use unsecure IoT servers, which are then left unchanged, even when supposed to run in production mode.
• Implement a vulnerability management workflow or other means to secure the supply chain. This is important because M2M technology is implemented not only in large and enterprise-grade software but also in small, embedded devices, which are less likely to receive timely security upgrades.
• Stay up to date with the standards in this space because this technology is evolving rapidly. The small footprint of this software may justify in-house development, so it is likely that organizations have chosen to develop their standard M2M technology rather than buy existing implementations.


