Critically Underrated: Studying the Data Distribution Service (DDS) Protocol

By Federico Maggi, Rainer Vosseler (Trend Micro Research), Mars Cheng, Patrick Kuo, Chizuru Toyama, Ta-Lun Yen (TXOne Networks), Erik Boasson (ADLINK), and Victor Mayoral Vilches (Alias Robotics)
Despite being unknown even to industry practitioners, the Data Distribution Service (DDS) protocol has been in use for more than a decade. This middleware technology is responsible for running billions of public and private devices and mechanisms currently in use. DDS is integral to embedded systems that require real-time machine-to-machine communication, providing a reliable communication layer between sensors, controllers, and actuators.
This technology sits at the beginning of the supply chain as a layer that connects, controls, and monitors applications, sensors, and actuators, with the aim of maintaining interoperability and fault tolerance. It is used in various critical sectors such as healthcare, transportation, industrial internet of things (IIoT), robotics, aeronautics, and the military, among others. These factors make the middleware an attractive target for attackers.
We analyzed this software and found multiple security vulnerabilities. This blog lists 13 security gaps, each assigned a new CVE ID, that we identified in the six most common DDS implementations, mostly concerning deployment. We also show a preview of the security gaps we found in the standard’s specification and a summary of our testing procedure. For details on the known vulnerabilities, attack scenarios, and research methodology, read our full paper “A Security Analysis of the Data Distribution Service (DDS) Protocol.” All the vulnerabilities found have been disclosed and patched or mitigated by their respective vendors.
New vulnerabilities
We studied six widely used DDS implementations, chosen based on their number of users and customers in critical sectors globally. We also looked at each implementation’s real-time publish-subscribe (RTPS) packet, as DDS depends on its own lower-layer standard protocol.
Notably, we also studied the Robot Operating System 2 (ROS 2) because it uses DDS as its default standard operating system (OS) middleware for all robotics and automation use cases. Given the service’s position as a security and operations building block, all vulnerabilities that affect DDS also affect the rest of the software stack, such as RTPS and all ROS 2 instances.