When machines can't talk: Security and privacy issues of machine-to-machine data protocols

(1)

Federico Maggi

Senior Threat Researcher

Davide Quarta

Post-doc Researcher (now at EURECOM)

Security & Privacy Issues of M2M Data Protocols

When Machines

Can't Talk

(2)

Collaborators

Stefano Zanero, POLIMI

Pouyan Sepehrdad, QUALCOMM PSI

(3)

https://www.facebook.com/notes/facebook-engineering/building-facebook-messenger/10150259350998920

(4)

https://play.google.com/store/apps/details?id=com.duzon.bizbox.next.phone

(5)

(6)

USERS

Large consumer electronics and mobile device manufacturer Marine industry

Automotive parts manufacturer

Civil engineering, manufacturing and constructions Medical & rehabilitation equipment

Logistics

Internet service providers

Industry-grade TFT display manufacturer Fashion and clothing industry

(7)

How does MQTT

work?

(8)

(9)

(10)

(11)

(12)

(13)

How about

CoAP?

(14)

(15)

(16)

(17)

MQTT is popular

(and CoAP is gaining

a lot of traction, too)

(18)

(19)

Applications

TELEMETRY

(20)

(21)

DyziO/Shutterstock.com

(22)

Timofeev Vladimir/Shutterstock.com

(23)

(24)

(25)

Applications

DEVICE

MANAGEMENT

(26)

(27)

(28)

Applications

COMMAND

QUEUEING

(29)

(30)

feyang/Shutterstock.com

(31)

Dangerous Applications

Over The Air Firmware

Upgrades

(32)

(33)

Industrial IoT

Products and Brands

(34)

Source: https://www.mainflux.com/

(35)

(36)

(37)

(38)

IoT & IIoT solutions depend on

MQTT (and CoAP)

(39)

Problem 1

(40)

(41)

(42)

2016–2017

⏩

2018

(43)

MQTT public brokers 2016–2017 (~87,000 brokers)

Overall (cumulative)

Daily

(44)

Overall (cumulative)

Daily

(45)

(46)

Is it just a

deployment &

exposure

problem?

(47)

Let’s dig deeper

(Federico → Davide)

(48)

Problem 2

/how/to/parse/topic/filters

(49)

(50)

(51)

RegEx.match

(52)

/how/not/to/parse/topic/filters

(53)

RegEx.match

(54)

^(a+)+$

(55)

^(a+)+$

aaaaX

aaaaaaaaaaaaaaaaX

(56)

BONUS: Broker crash via malformed regex

(57)

(58)

(59)

Problem 3

(60)

(61)

sizeof

(62)

(63)

(64)

(65)

(66)

(67)

(68)

From spec to code

(69)

(70)

(71)

(72)

Problem 4

(73)

(74)

(75)

(76)

(77)

(78)

(79)

CVE-2017-7653

(80)

https://www.oasis-open.org/committees/document.php?document_id=62635

(81)

CVE-2017-7653

(82)

(83)

(84)

(85)

Lesson learned:

Security angle on standards

(Davide → Federico)

(86)

(87)

(88)

(89)

(90)

(91)

How about

CoAP?

(92)

(93)

CoAP Security

● RFC very clear on potential security issues (YAY! Built in and not bolt on!)

● based on UDP: recall what this means!

○ open servers can be used

■ to bypass firewall ACLs

■ as reflectors

● CoAP allows to write (even large) payload to the server

○ perfect candidate for amplification attacks!

(94)

(95)

(96)

CoAP 2.47x

Bandwidth Amplification Factor (BAF)

Reference table from: https://christian-rossow.de/publications/amplification-ndss2014.pdf

BAF

(97)

(98)

(99)

BAF = 31.75x

(100)

(101)

(102)

SPOOFING IN 2018

(103)

Big Picture

&

Takeaways

(104)

(105)

(106)

(107)

(108)

READINGS

(109)