Defending the Supply Chain: Why the DDS Protocol is Critical in Industrial and Software Systems
By measuring the exposure of DDS services, in one month we found 643 distinct public-facing DDS services in 34 countries affecting 100 organizations via 89 internet service providers (ISPs). Of the DDS implementations by seven distinct vendors (one of which we were initially unaware of), 202 leaked private IP addresses (referring to internal network architecture details), and seven supposedly secret URLs. Some of these IP addresses expose unpatched or outdated DDS implementations, which are affected by some of the vulnerabilities that we’ve discovered and disclosed in November.
This research is from the collaboration of Trend Micro Research and TXOne Networks (Federico Maggi, Mars Cheng, Patrick Kuo, Chizuru Toyama, Rainer Vosseler, and Ta-Lun Yen), ADLINK Labs (with Erik Boasson, one of the inventors and core developers of DDS), Alias Robotics (with Víctor Mayoral Vilches, Robotics Architect), and Trend Micro Zero Day Initiative (ZDI). We analyzed the specifications of DDS and the six implementations maintained by certified vendors with millions of deployments globally. During our research, we interviewed key DDS users and system integrators to collect their feedback on our findings and the importance of DDS for innovation in their respective sectors.
As a critical piece of technology that receives little attention and considering our findings, we encourage other researchers, DDS users, and implementors to promote security awareness about DDS and its ecosystem. Successful exploitation of these vulnerabilities in any of the critical sectors where DDS is used can have consequences, such as (including nomenclature referring to the ATT&CK ICS framework):
- loss of control (T0827)
- loss of safety (T0880)
- denial of service (DoS, T0814) via brute forcing (T0806)
- facilitate initial access (TA0108) via exploitation of remote services (T0866, T0886) or supply chain compromise (T0862)
- allow attackers to perform discovery (TA0102, T0856) by abusing the discovery protocol
- abuse the protocol itself to create an efficient command and control channel (T0869)
According to our analysis, we recommend mitigations such as:
- vulnerability scanning (M1016)
- network intrusion prevention (M1031)
- network segmentation (M1030)
- filter network traffic (M1037)
- execution prevention (M1038)
- auditing (M1047)
Our findings apply worldwide and affect billions of devices across every vertical, including all critical applications such as autonomous driving, intelligent public transportation, telecommunications, cloud, healthcare, consumer and industrial robotics, and defense systems.
Based on our findings and a demonstration of their impact to the DDS’s key sectors, we advocate for the continuous security testing of DDS and other related critical technology. We also provide actionable recommendations to use for a secure DDS integration. To help raise awareness on the importance of DDS security, we provide two examples showing how an attacker can amplify network traffic, leading to real-time and determinism issues or cause an autonomous vehicle to lose control and collide against objects when implemented without the proper security measures.
Given that DDS is little known yet quite ubiquitous, we encourage subject-matter experts to reuse our proofs of concept to raise awareness and help decision-makers allocate proper resources in securing current and future DDS deployments.