In this three-part series, we focus on Data Distribution Service (DDS), which drives systems such as railways, autonomous cars, spacecraft, diagnostic imaging machines, luggage handling, and military tanks, amongst others. We’ll also explore the current status of DDS and highlight recommendations enterprises can take to minimise the threats associated with this middleware.
But first, let’s discuss what DDS is and how it is applied in various industries.
Overview
DDS is a standardised middleware software based on the publish-subscribe paradigm, helping the development of middleware layers for machine-to-machine communication. This software is integral especially to embedded systems or applications with real-time requirements. Maintained by the Object Management Group (OMG),7 DDS is used in all classes of critical applications to implement a reliable communication layer between sensors, controllers, and actuators.
DDS is at the beginning of the software supply chain, making it easy to lose track of and is an attractive target for attackers. Notably, the following companies and agencies use DDS (note that this is not an exhaustive list of currently using this technology):
- National Aeronautics and Space Administration (NASA) at the Kennedy Space Center
- Siemens in wind power plants
- Volkswagen and Bosch for autonomous valet parking systems
- Nav Canada and European CoFlight for air-traffic control
From a software development standpoint, DDS is also a communication middleware used for the interoperability of processes across machines in all main programming languages. Moreover, DDS is a data-centric publish-subscribe communication protocol that allows developers to build a flexible shared data “space” for virtually any application requiring two or more nodes to exchange typed data.
From a programmer’s perspective, DDS is a powerful application programming interface (API). On top of the plain byte-streams and C-strings, DDS supports serialisation and deserialization of any built-in or custom data type through a dedicated interface definition language (IDL).
DDS Applications
DDS is the foundation of other industry standards, like OpenFMB for smart-grid applications and Adaptive AUTOSAR. The Robot Operating System 2 (ROS 2), the de facto OS for robotics and automation, uses DDS as the default middleware.
DDS, along with Real-Time Publish-Subscribe (RTPS), is used to implement industry-grade middleware layers for mission critical applications. For example, when the artificial intelligence (AI) of an autonomous car needs to issue a “turn left” command, DDS is used to transport the command from the electronic control unit (ECU) down to the steering servo motors.
Here is a list of examples where DDS is used in critical industries, including external resources offering estimates on how many devices in each sector exist or are expected to exist in the near future:
Sector |
Example Use Cases |
Notable Users |
Telecommunications and networks |
• Software-defined networking (SDNs) technologies •Appliance Life Cycle •Management (LCM) tools, including 5G |
• Fujitsu |
Defense |
• Command and control (C&C) systems • Navigation and radar systems • Launch systems |
• National Aeronautics and Space Administration (NASA) • NATO Generic Vehicle Architecture (NGVA)15 • Spanish Army |
Virtualisation & Cloud |
• Inter- and intra-communications of security operations centres (SOC) |
• NVIDIA |
Energy |
• Power generation and distribution • Research |
• GE Healthcare • Medical Device Plug-and- Play interoperability program (MD PnP) |
Mining |
• Precision mining • Mining system automation • Geological modelling |
• Komatsu • Plotlogic • Atlas Copco |
Industrial internet of things (IIoT) and robotics |
• Universal middleware |
• Robot Operating System (ROS 2) • AWS RoboMaker • iRobot |
Public and private transportation |
• Autonomous vehicles • Air traffic control (ATC) • Railway management and • Control |
• Volkswagen and Bosch16 • Coflight Consortium (Thales, Selex-SI) • Nav Canada |
Examining DDS Attack Feasibility
Our expert team of researchers analysed the DDS standard and discovered multiple security vulnerabilities. Thirteen were given new CVE IDs in November 2021 from the six most common DDS implementations, plus one vulnerability in the standard specifications.
For a month, we scanned and found numerous distinct public-facing DDS services from over a hundred organisations in various industries like telecommunications, cloud, software and research from different countries. Some were identified and affected by the newly identified CVEs, while others were identifiable via nearly 90 90 internet service providers (ISPs) through hundreds of leaked private IP addresses and other internal network architecture details.
We also interviewed key DDS users and system integrators to get feedback on our findings and the importance of DDS for innovation in their research sectors. We then explored the specifications of DDS and the six most actively developed implementations maintained by certified vendors and with millions of deployments worldwide.
Because DDS is at the helm of the software supply chain, it makes for an attractive target for attackers. Between 2020 and 2021, 66% of attacks focused on the suppliers’ codes. While we were in the process of doing this research, we encountered an exposed source-code repository host in a proprietary implementation of DDS. Left open, this would have let an attacker infect the source code (MITRE ATT&CK T0873, T0839).
For this research, our findings between April and December 2021 were disclosed using Trend Micro’s Zero Day Initiative (ZDI) program with the support of the Cybersecurity and Infrastructure Security Agency (CISA) given the importance of the application for which DDS is used.
In part two of the series, we’ll explore the vulnerabilities associated with DDS—both known and newly discovered.
What to know more about DDS and its security? Download our compressive technical report, “A Security Analysis of the Data Distribution Service (DDS) Protocol”, here.