Exploiting the Remote Server Access Support of CoAP Protocol

Annie Gilda Roselin, Priyadarsi Nanda, Surya Nepal, Xiangjian He, Jarod Wright

Research output: Journal Publication › Article › peer-review

12 Citations (Scopus)


The constrained application protocol (CoAP) is a specially designed Web transfer protocol for use with constrained nodes and low-power networks. The widely available CoAP implementations have failed to validate remote CoAP clients. Each CoAP client generates a random source port number when communicating with the CoAP server. However, we observe that in such implementations it is difficult to distinguish a regular packet from a malicious packet, opening a door for a potential off-path attack. The off-path attack is considered a weak attack on a constrained network and has received less attention from the research community. However, the consequences resulting from such an attack cannot be ignored in practice. In this article, we exploit the combination of the IP spoofing vulnerability and the remote server access support of CoAP to launch an off-path attack. The attacker injects a fake request message to change the credentials of a 6LoWPAN smart door keypad lock system. This creates a request spoofing vulnerability in CoAP, and the attacker exploits this vulnerability to gain full access to the system. Through our implementation, we demonstrated the feasibility of the attack scenario on a 6LoWPAN-CoAP network using a smart door keypad lock. We proposed a machine learning (ML)-based approach to mitigate such attacks. To the best of our knowledge, this is the first article to analyze the remote CoAP server access support and the request spoofing vulnerability of CoAP to launch an off-path attack and to demonstrate how an ML-based approach can be deployed to prevent such attacks.

Original language: English
Article number: 8843970
Pages (from-to): 9338-9349
Number of pages: 12
Journal: IEEE Internet of Things Journal
Issue number: 6
Publication status: Published - Dec 2019
Externally published: Yes


  • 6LoWPAN
  • Internet of Things (IoT) security
  • constrained application protocol (CoAP)
  • machine learning (ML) model
  • off-path attack

ASJC Scopus subject areas

  • Signal Processing
  • Information Systems
  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications

