How to Protect Your IoT Ecosystem from CoAP Security Vulnerabilities
  August 15, 2017

Many Communication Protocols Are Emerging to Satisfy the Unique Parameters of the Internet of Things Ecosystem.

Recently, many IoT-based communication protocols have emerged to try to satisfy the unique parameters of an IoT ecosystem. IoT-enabled devices and sensors must operate on low energy and exchange large amounts of information reliably and securely. The Constrained Application Protocol (CoAP) is meant for constrained environments and has request and response messaging types based on the REST model. Additionally, CoAP fulfills M2M requirements, supports unicast and multicast requests, has low header overhead and parsing complexity, offers push notification through a publish/subscribe mechanism, has simple proxy and caching capabilities, and provides a simple security binding based on Datagram Transport Layer Security (DTLS). The Internet of Things (IoT) denotes an ecosystem of objects and devices that connect to the Internet, allowing them to exchange data without human intervention. The sending and receiving of insightful data may unlock competitive advantages for businesses across many industries. We are seeing many people adopt CoAP, and they are excited about it, but it is important to understand that many vulnerabilities exist and that, if exploited, they may compromise your entire ecosystem.

Although CoAP is promising, there are many physical (local) and non-physical (remote) security threats to be cognizant of:


Cloning: A hacker could physically clone the characteristics of a device meant to be within the ecosystem: the physical product, the firmware and the software. The hacker can then enter the ecosystem during the on-boarding step by impersonating a legitimate device, and steal information or compromise the ecosystem.

Firmware Replacement Attack: When new updates are made in an ecosystem, they typically happen over-the-air. Hackers can step in at this point and install malicious software if the over-the-air installation process is insecure. If successful, the hacker would easily be able to affect other devices in the ecosystem.

Extraction of Security Parameters: Many devices in IoT ecosystems may remain exposed and unprotected physically. A hacker can extract security information like keys from the device.

Denial of Service Attack: A denial of service (DoS) attack can shut down an entire ecosystem by jamming the communication channel. This also prevents proper communication between devices.


Eavesdropping Attack: Eavesdropping can take place during the on-boarding step of a new device where a hacker can intercept secret keys that are used to establish communications within the constrained network.

Man-in-the-Middle Attack: Man-in-the-middle attacks also exploit poor key exchange practices and allow a malicious device to sit in the middle of an ecosystem. This allows a hacker to intercept all information passed through the ecosystem.

Routing Attack: Routing attacks occur when a hacker sets up a malicious device to advertise a high-quality route and can thereby intercept all data packets. This allows the hacker to either drop all packets (sinkhole attack) or drop specific packets (selective forwarding).

SQL Injection: A SQL injection inserts a SQL query through input (from client to application). This gives the hacker access to the database, where they can modify it or execute administrative operations.
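
The SQL injection item above, shown as an added example that is not part of the original post: a hypothetical CoAP backend looks up a device by an id taken from the request, first with string concatenation and then with input validation plus a bound parameter. The table, function names and sample values are constructed for illustration; the response codes 2.05, 4.00 and 4.04 are the standard CoAP codes for Content, Bad Request and Not Found.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for a device registry.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id TEXT PRIMARY KEY, location TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)",
                     [("sensor-01", "roof"), ("sensor-02", "lab"), ("valve-07", "plant")])
    return conn

def lookup_vulnerable(conn, device_id):
    # Weak form: client input is concatenated into the SQL text, so a quote
    # in device_id changes the structure of the query itself.
    sql = "SELECT id, location FROM devices WHERE id = '" + device_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, device_id):
    # Hardened form: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    return conn.execute("SELECT id, location FROM devices WHERE id = ?",
                        (device_id,)).fetchall()

# Assumed id format for this example: letters, digits and hyphens, max 32 chars.
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")

def handle_request(conn, device_id):
    # Validate the expected shape first, then query with a bound parameter.
    # Returns (CoAP response code, rows).
    if not DEVICE_ID_RE.fullmatch(device_id):
        return ("4.00", [])          # Bad Request: malformed id
    rows = lookup_parameterized(conn, device_id)
    return ("2.05", rows) if rows else ("4.04", [])

# Constructed input of the kind a security test would send.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    for name in ("sensor-01", "sensor-99", CRAFTED):
        print(repr(name), "vulnerable:", lookup_vulnerable(conn, name),
              "hardened:", handle_request(conn, name))
```

With the crafted value, the concatenated query returns every row in the table, while the hardened path rejects the request before it reaches the database.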

Moving Forward…

The Internet of Things is still in its preliminary stages regarding security. Although there is currently no standard communication protocol, the emerging Constrained Application Protocol is very promising. It is very important to conduct security tests, and one tool that can help with this is SoapUI. For greater insights into CoAP vulnerabilities and how to protect against them, check here. We hope that this post illuminates some of the security vulnerabilities that you should be aware of when designing an Internet of Things ecosystem that leverages CoAP.