IoT developers and vendors very rarely take a security-first approach when designing systems, applications, and devices. It makes sense to focus on functionality first and figure out privacy and security later, once the product is out and selling.
This is also the case with two of the most common IoT data protocols in use today. Flexible, lightweight, and built for crowded networks and feature-restrictive devices, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) have created a gaping hole in industrial and private IoT worldwide.
What do you need to know about MQTT and CoAP protocols and their flaws? And what can you do to protect your IIoT and IoT devices and networks?
What are IoT protocols?
IoT data protocols are M2M (machine to machine) communication standards that allow low-power IoT devices to exchange data. These protocols enable endpoint-to-endpoint communication without the need for an Internet connection or communication with a central server.
Today, two of the most common protocols in IoT and IIoT are Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). Chosen for their flexibility, these protocols have been implemented in IoT and IIoT devices, from smart grids to personal fitness trackers.
Message Queuing Telemetry Transport (MQTT)
Message Queuing Telemetry Transport (MQTT) is a lightweight IoT data protocol widely used in IoT and IIoT deployments. With its basic architecture and TCP/IP support, MQTT is the ideal protocol to enable communications across swarms of low-power devices. In addition, it is an old and proven technology, with its earliest version dating back to 1999, and is employed in many familiar IoT architectures like Arduino and Intel Galileo.
The downside of MQTT is the same as its advantage: its flexibility and basic architecture. Though MQTT has emerged as a standard in many industrial IoT applications, it lacks definitions for data representation and device management. This means that implementation of these capabilities is wholly dependent on the vendor or platform, which in turn makes it much more challenging to secure versatile IoT environments.
CoAP (Constrained Application Protocol)
Constrained Application Protocol (CoAP) is an application protocol designed to allow for HTTP (Hypertext Transfer Protocol) communication in IoT systems.
Not yet standardized, the CoAP protocol employs a client-server architecture to translate the HTTP model for use with restrictive devices and crowded networks. With low overhead, support for multicast, and ease of use, CoAP is ideal for implementation in IoT and IIoT applications like microcontrollers and sensors.
Having a fitness tracker lose connectivity or leak data may not seem like a big deal. However, when you consider smart cities and industrial IIoT applications, vulnerabilities in these protocols can quickly turn into nightmare scenarios by crippling critical infrastructure and disrupting business operations.
The Security & Privacy Challenge with CoAP & MQTT
Over the years, multiple studies have discovered an overwhelming and alarming number of exposed MQTT brokers and CoAP servers on the Internet. Earlier this year, research by Trend Micro revealed that a “casual attacker” could collect 209,944,707 MQTT messages from 78,549 brokers and 19,208,047 CoAP responses from 441,964 servers in just under four months by using Shodan scanners on relevant network ports.
Geographical distribution of MQTT brokers (top) and CoAP servers (bottom)
Note: Trend Micro recorded 17,226 MQTT brokers in the Asia-Pacific (AP) region. However, limitations in Shodan’s geolocation metadata prevented them from determining more precise country or territory locations for the counts.
This vulnerability gives the attacker mentioned above access to millions of records and the ability to disrupt the operations of IoT devices across the globe.
The above-mentioned vulnerable endpoints are simply misconfigured or unprotected by an IoT firewall. There are also design issues, such as the CVE-2017-7653 vulnerability in Mosquitto, the most popular MQTT broker. This vulnerability can allow a malicious client to supply invalid data to the MQTT broker.
To quote the official MQTT standard manual, “MQTT solutions are often deployed in hostile communication environments,” while it is the “implementer’s responsibility to provide appropriate security features.” The general recommendation is to use TLS on TCP 8883. However, the manual still states that:
- Devices could be compromised
- Data at rest in Clients and Servers might be accessible
- Protocol behaviors could have side effects (e.g., “timing attacks”)
- Denial of Service (DoS) attacks
- Communications could be intercepted, altered, re-routed, or disclosed
- Injection of spoofed Control Packets
From an operational perspective, these issues highlight the risk of poorly secured IoT and IIoT communications, leaving endpoints vulnerable to attacks. These attacks include denial-of-service (DoS) attacks and, in some cases, can give the attacker complete control of a device or a whole network.
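Because the standard leaves security to the implementer, a broker's configuration is the first thing to review. The following added example (not from the original article or the Mosquitto project) audits a mosquitto.conf for the exposures discussed above; the two sample configs and their file paths are constructed, and it assumes per_listener_settings is not used.

```python
# Constructed sample configs (not from the page): an exposed broker and a hardened one.
WEAK_CONF = "listener 1883\nallow_anonymous true\n"
HARDENED_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
"""
TLS_KEYS = {"cafile", "capath", "certfile", "keyfile", "require_certificate", "tls_version"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse(conf_text):
    """Return (global options, list of listener dicts) from mosquitto.conf text."""
    global_opts, listeners = {}, []
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        key, args = fields[0], fields[1:]
        if key == "listener":
            listeners.append({"port": int(args[0]), "bind": args[1] if len(args) > 1 else ""})
        elif key in TLS_KEYS and listeners:
            listeners[-1][key] = " ".join(args)   # TLS options belong to the listener above them
        else:
            global_opts[key] = " ".join(args)     # assumption: per_listener_settings is not used
    return global_opts, listeners

def audit(conf_text):
    """Return a list of findings; an empty list means none of these checks fired."""
    opts, listeners = parse(conf_text)
    findings = []
    for lst in listeners:
        has_tls = "certfile" in lst and "keyfile" in lst
        if not has_tls and lst["bind"] not in LOOPBACK:
            findings.append(f"listener {lst['port']}: plaintext MQTT reachable from the network")
    # The allow_anonymous default differs between broker versions, so require an explicit 'false'.
    if opts.get("allow_anonymous", "").lower() != "false":
        findings.append("allow_anonymous is not explicitly false")
    client_certs = any(lst.get("require_certificate") == "true" for lst in listeners)
    if "password_file" not in opts and not client_certs:
        findings.append("no password_file and no listener requires client certificates")
    if "acl_file" not in opts:
        findings.append("no acl_file: topic access is not restricted by this config")
    return findings
```

Brokers that delegate authentication or ACLs to a plugin will trip the last two checks, so treat those findings as prompts for review.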
When it comes to the CoAP protocol, attackers can exploit the UDP-like nature of CoAP to launch amplification attacks with increasing payload sizes to overwhelm and crash the network and the devices on it.
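From the defender's side, amplification shows up as a CoAP server sending far more bytes to a peer than that peer sent it. The following added example (not from the original article) flags such server/peer pairs in flow records; the records use documentation addresses and are constructed, the thresholds are illustrative assumptions, and 5683 is the default CoAP UDP port.

```python
from collections import defaultdict

COAP_PORT = 5683  # default CoAP UDP port

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
FLOWS = [
    ("198.51.100.7", 40001, "192.0.2.10", 5683, 21),    # ordinary client request
    ("192.0.2.10", 5683, "198.51.100.7", 40001, 60),    # small sensor reading in reply
    ("198.51.100.7", 40001, "192.0.2.10", 5683, 21),
    ("192.0.2.10", 5683, "198.51.100.7", 40001, 60),
    ("203.0.113.5", 53124, "192.0.2.10", 5683, 21),     # small requests, source may be spoofed
    ("192.0.2.10", 5683, "203.0.113.5", 53124, 1024),   # much larger responses
    ("203.0.113.5", 53124, "192.0.2.10", 5683, 21),
    ("192.0.2.10", 5683, "203.0.113.5", 53124, 1024),
    ("203.0.113.5", 53124, "192.0.2.10", 5683, 21),
    ("192.0.2.10", 5683, "203.0.113.5", 53124, 1024),
    ("192.0.2.20", 5683, "203.0.113.5", 53124, 900),    # response with no request seen
]

def byte_totals(flows, port=COAP_PORT):
    """Sum request and response bytes per (server, peer) pair."""
    totals = defaultdict(lambda: [0, 0])      # (server, peer) -> [bytes_in, bytes_out]
    for src, sport, dst, dport, size in flows:
        if dport == port:                     # peer -> server request
            totals[(dst, src)][0] += size
        elif sport == port:                   # server -> peer response
            totals[(src, dst)][1] += size
    return totals

def suspicious_pairs(flows, min_factor=10.0, min_out_bytes=500):
    """Return (server, peer, factor) where responses dwarf requests.

    A pair with responses but no observed request gets factor inf: that is
    what reflected traffic looks like from the victim's side of the network.
    """
    alerts = []
    for (server, peer), (b_in, b_out) in sorted(byte_totals(flows).items()):
        factor = b_out / b_in if b_in else float("inf")
        if b_out >= min_out_bytes and factor >= min_factor:
            alerts.append((server, peer, factor))
    return alerts
```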
Is cellular 5G connectivity the answer?
CoAP and MQTT are IoT data protocols that are lightweight, flexible, and commonly used. However, they do not claim to be designed for securing IoT and IIoT devices and networks. Rather, they focus on enabling communications between “machines” over often unreliable networks. As the types of devices and applications vary and transform, it is no wonder that managing the authentication, authorization, and monitoring of the availability of these versatile device swarms is becoming increasingly difficult.
The 5G cellular connectivity standard was designed, in part, to enable and support mass IoT and IIoT deployments and applications. With the ability to implement comprehensive intrusion detection systems and network-based protection services, as well as granular network segmentation, there’s no doubt that 5G and IIoT are a match made in Industry 4.0 heaven.
That said, any wireless transmission is inherently vulnerable, and 5G is no different. It introduces its own set of risks and vulnerabilities alongside benefits like broader coverage, lower latency, and IoT-specific features for low-power communications. However, those attacks and vulnerabilities are much easier to defend against and mitigate today than attacks on unsecured devices and networks employing vulnerable IoT protocols like CoAP and MQTT.