Some security experts have expressed concerns about the Constrained Application Protocol, which is often used with IoT devices and networks, and how it can be abused for distributed denial-of-service attacks. What is the Constrained Application Protocol and how can threat actors take advantage of it?
The Constrained Application Protocol (CoAP) is a specialized web transfer protocol intended for use by constrained nodes — such as IoT devices with limited computing resources — operating over constrained networks — such as the lossy, low-bandwidth wireless networks often used to connect IoT devices. CoAP enables these devices to communicate interactively using the same types of web services that are widely available to more powerful computers connected to higher-performance networks.
The protocol enables interaction between nodes using a request/response format designed to be forgiving of the low-bandwidth networks that connect systems with minimal processing capabilities. Because it is a relatively simple protocol designed to connect devices rather than to handle high volumes of network traffic, devices that use CoAP can be vulnerable to attacks that depend on overwhelming networks with traffic, such as amplification attacks.
One of the goals of CoAP is to enable machine-to-machine applications to operate in constrained environments. Examples include energy-efficiency, manufacturing and building automation systems, where low-powered IoT sensors and control devices depend on shared data to operate more energy-efficiently. These applications can use CoAP to transfer data between devices on the same constrained network, between devices and general nodes on the internet, and between devices on different constrained networks.
While CoAP uses the User Datagram Protocol (UDP) by default, it can also be implemented over other transports, including the Transmission Control Protocol (TCP) or even SMS text messaging on wireless networks. While UDP flooding can pose a risk, attacks that flood circuits relying on TCP or SMS can be even more effective.
CoAP differs from other IoT protocols in that it uses UDP by default, and UDP lacks the reliability and delivery guarantees provided by TCP. Rather than maintaining persistent connections, CoAP relies on a series of lightweight messages to provide what reliability it needs.
Consider, for example, a temperature sensor programmed to send an update to an IoT device controlling a machine every few seconds. If the controller misses an update at a critical time — for example, just after a machine overheats — the next update will be quite different from the one that preceded it. In general, however, device temperature usually changes infrequently, so short delays can be acceptable in many cases.
An attack on a CoAP network could target constrained nodes equipped with 8-bit microcontrollers and small amounts of system memory. Because constrained networks have high packet error rates and low throughput, CoAP leaves congestion control and request/reply handling largely to simple transport-layer mechanisms, which threat actors can exploit to flood the target with a high volume of packets. Threat actors can also use CoAP endpoints for amplification: a small request elicits a much larger reply, so the device itself ends up flooding the network.
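To make the lightweight message types mentioned above and the small-request/large-reply pattern concrete, here is an added example (written for this page, not code from the original answer) that decodes the CoAP fixed header defined in RFC 7252, pairs each response with its request by token, and reports the byte ratio between them, which is the figure a defender uses to decide which endpoints need rate limiting or should not be reachable from the internet. The addresses, resource names and packet contents are constructed sample data, and the 10x threshold is an assumed starting point rather than a published value.

```python
import struct

# CoAP message types and option numbers from RFC 7252 (not from the article).
TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}
TYPE_IDS = {v: k for k, v in TYPES.items()}
URI_PATH = 11  # Uri-Path option number


def encode_code(code: str) -> int:
    """'2.05' -> class in the top 3 bits, detail in the low 5 bits."""
    cls, detail = code.split(".")
    return (int(cls) << 5) | int(detail)


def build_coap(mtype: str, code: str, msg_id: int, token: bytes = b"",
               options=(), payload: bytes = b"") -> bytes:
    """Serialize a CoAP message. Options are (number, value) pairs in ascending
    order; only deltas and lengths below 13 are handled, enough for Uri-Path."""
    if len(token) > 8:
        raise ValueError("token may be at most 8 bytes")
    head = struct.pack("!BBH", (1 << 6) | (TYPE_IDS[mtype] << 4) | len(token),
                       encode_code(code), msg_id)
    body = bytearray(head + token)
    prev = 0
    for number, value in options:
        delta, length = number - prev, len(value)
        if delta >= 13 or length >= 13:
            raise ValueError("extended option encoding not implemented here")
        body.append((delta << 4) | length)
        body += value
        prev = number
    if payload:
        body.append(0xFF)  # payload marker
        body += payload
    return bytes(body)


def parse_coap_header(datagram: bytes) -> dict:
    """Decode the fixed 4-byte header and token of a CoAP datagram."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte CoAP header")
    b0, code, msg_id = struct.unpack("!BBH", datagram[:4])
    if b0 >> 6 != 1:
        raise ValueError("unsupported CoAP version")
    tkl = b0 & 0x0F
    if tkl > 8:
        raise ValueError("token lengths 9..15 are reserved")
    return {
        "type": TYPES[(b0 >> 4) & 0x3],
        "code": f"{code >> 5}.{code & 0x1F:02d}",
        "msg_id": msg_id,
        "token": datagram[4:4 + tkl],
        "length": len(datagram),
    }


def pair_exchanges(packets):
    """Match each response to its request by (client, server, token), which is
    how RFC 7252 section 5.3.2 correlates them, and record the size ratio."""
    pending = {}
    exchanges = []
    for src, dst, data in packets:
        hdr = parse_coap_header(data)
        cls = int(hdr["code"].split(".")[0])
        if hdr["code"] in ("0.01", "0.02", "0.03", "0.04"):  # GET/POST/PUT/DELETE
            pending[(src, dst, hdr["token"])] = hdr["length"]
        elif cls in (2, 4, 5):  # success, client-error and server-error responses
            key = (dst, src, hdr["token"])
            if key in pending:
                req_len = pending.pop(key)
                exchanges.append({"client": dst, "server": src,
                                  "request_bytes": req_len,
                                  "response_bytes": hdr["length"],
                                  "ratio": hdr["length"] / req_len})
    return exchanges


def flag_amplifying_endpoints(packets, threshold=10.0):
    """Servers whose replies are at least `threshold` times larger than the
    requests that elicited them; candidates for rate limiting or filtering."""
    return sorted({e["server"] for e in pair_exchanges(packets)
                   if e["ratio"] >= threshold})


# Constructed sample traffic (not captured data): one ordinary temperature read
# and one query of /.well-known/core that returns a long link-format listing.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20",
     build_coap("CON", "0.01", 0x1001, b"\x01", [(URI_PATH, b"temp")])),
    ("10.0.0.20", "10.0.0.5",
     build_coap("ACK", "2.05", 0x1001, b"\x01", payload=b"22.5")),
    ("10.0.0.9", "10.0.0.20",
     build_coap("CON", "0.01", 0x1002, b"\x02",
                [(URI_PATH, b".well-known"), (URI_PATH, b"core")])),
    ("10.0.0.20", "10.0.0.9",
     build_coap("ACK", "2.05", 0x1002, b"\x02",
                payload=b"".join(b'</sensors/%d>;rt="temperature";ct=0,' % i
                                 for i in range(12)))),
]

if __name__ == "__main__":
    for e in pair_exchanges(SAMPLE_PACKETS):
        print(f'{e["server"]}: {e["request_bytes"]} B in, '
              f'{e["response_bytes"]} B out, x{e["ratio"]:.1f}')
    print("amplifying endpoints:", flag_amplifying_endpoints(SAMPLE_PACKETS))
```

Run stand-alone, the script shows the temperature read answered one-for-one while the resource-directory query returns roughly twenty times the bytes it received; the same pairing logic can be fed from a packet capture of UDP port 5683 to find which devices on a network would serve as reflectors and therefore belong behind a firewall or a per-source rate limit.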