Data Distribution Service (DDS) is a middleware protocol and API standard for data communication, supported by the standards development organization Object Management Group (OMG). It is promoted as being ideal for business-critical IoT devices.
DDS has been employed in public transportation, air traffic control, aerospace, autonomous driving, industrial robots, medical devices, and missile and other military systems. NASA, Siemens, and Volkswagen have all used DDS. It is also used in the well-known Robot Operating System (ROS).
DDS implementations are available in both open source and closed source forms. Implementations have come from Eclipse (CycloneDDS), eProsima (Fast DDS), TwinOaks Computing (CoreDX DDS), OCI (OpenDDS), Gurum Networks (GurumDDS), and RTI (Connext DDS).
Researchers from Trend Micro, Alias Robotics, TXOne Networks, and ADLINK Technology examined the DDS standard and the above-mentioned implementations and uncovered over a dozen flaws. Last week, the researchers presented some of their results at the Black Hat Europe 2021 cybersecurity conference. A research paper documenting their work is set to be released early next year.
Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) alert in connection with the study. CISA said it issued the warning to give users advance notice of the disclosed vulnerabilities and to identify baseline mitigations for decreasing the risk of these and other cyberattacks.
Patches for CycloneDDS, Connext DDS, OpenDDS, Fast DDS, and CoreDX DDS have been released. There appear to be no fixes from Gurum, which the researchers claim failed to respond to repeated notification attempts.
The vulnerabilities discovered are write-what-where conditions, network amplification, poor handling of invalid structures, buffer overflows, and buffer allocation issues. Threat actors can use the weaknesses to execute arbitrary code, gather information, or cause a denial-of-service (DoS) condition.
However, in their Black Hat presentation, the researchers stated that attackers are unlikely to find internet-exposed devices because DDS is often deployed locally, deep in the control network. On the other hand, an attacker who can access the targeted entity's systems might exploit DDS to detect more endpoints, move laterally, and run malware command and control (C&C).