
Never Trust Your Inputs or how to fool an ADC


BlackHat Asia presentation about some specifics of ADC usage and security problems that could be caused by it.

Published in: Devices & Hardware


  2. ; cat /dev/user
     - Alexander Bolshev (@dark_k3y), Ph.D., Security Researcher @ IOActive, Assistant Professor @ SPbETU “LETI”
     - Marina Krotofil (@marmusha), Security Researcher @HoneywellSec
  3. AGENDA
     - Problem statement
     - Analog-to-Digital Converters (ADC)
     - “Racing” with ADC clock
     - Invalid amplitude range of signal
     - Attack vectors in ICS
     - Mitigations
  4. INDUSTRIAL CONTROL SYSTEMS (architecture diagram: Corporate LAN with workstations, file server, webserver, webservices, Active Directory and SQL server; firewalls and a modem; SCADA network with operator console, engineering workstation and maintenance; process LAN with PLC, RTU, sensor and valve; physical application)
  5. PROCESS CONTROL IN A NUTSHELL
     - Sensors measure the process state
     - The control system computes control commands for the actuators
     - Actuators adjust themselves to influence the behavior of the physical process
  6. IMPACT OF IMPROPER SIGNAL PROCESSING (source: how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/)
     - Two identically built nuclear plants. One had a flow-induced vibration issue, and the other did not.
     - The vibration indication showed itself as high-frequency noise; a field engineer filtered the signal to get rid of the annoying noise, which caused loss of view into the vibration issue and equipment damage at the nuclear plant.
  7. REASON TO SECURE CONTROL SYSTEMS: catastrophic consequences (same ICS architecture diagram as slide 4)
  10. CONSIDER A FIELD ARCHITECTURE (analog control loop: Control PLC -> Actuator, with a Monitoring PLC/Logger/DAQ/Safety PLC and an HMI on the same line)
     - MV (Manipulated Variable): 0 V = actuator is OFF, 1.5 V = actuator is ON
     - What if the MV value on the actuator differs from the MV value on the logger?
  11. BUT IT’S AN ANALOG CONTROL LINE! Are you sure?
     - It’s impossible to have two different MVs on the same line at the same time!
  12. NOTE TO EE AND DSP GUYS: Are you sure? (2)
     - Yes, we know that most of our talk is about aliasing, and that this could easily be fixed by antialiasing filters...
     - And it “should be” obvious that such filters are everywhere...
     - But:
  13. DEMO SETUP: “HMI Panel”, “Control PLC” (Arduino), “Actuator” (motor), “Monitoring PLC” (S7 1200)
  14. DEMO 1 (demo video): Two devices, two different MVs
  17. WHAT IS AN ADC?
     - Converts a continuous analog signal (voltage or amperage) into a digital number that represents the signal's amplitude (plot: x(t) against t)
  18. ADC IN A NUTSHELL (block diagram): input signal uI(t), characterized by frequency, phase and amplitude -> Sampling & Holding (S/H) circuit -> uI’(t) -> Quantizing & Encoding, driven by the ADC clock fs and the reference VREF and limited by the resolution -> output bits Dn-1 (MSB) … D1 D0; the whole takes the conversion time
  19. TYPES OF ADC: There are many ADC types (>10). The most common are:
     - Successive-approximation ADC (SAR)
     - Sigma-delta ADC
     - Pipeline
  20. EXPLOITABLE ADC DESIGN CONSTRAINTS
     - The sampling frequency should follow the Nyquist rule (fs > 2f); otherwise the signal will appear at a false (alias) frequency
  21. EXPLOITABLE ADC DESIGN CONSTRAINTS
     - The amplitude of the input signal should not exceed the ADC’s dynamic range; it is determined by the reference voltage (plot: V from 0 to 10 against time, 5 V and 10 V marked)
  23. BLOCK DIAGRAM (SAR ADC: VIN -> S/H -> comparator; the DAC fed by the SAR provides the comparison level; the SAR is driven by the clock and raises EOC when done; outputs DN-1 DN-2 … D1 D0)
     - DAC = Digital-to-Analog Converter
     - EOC = End of Conversion
     - SAR = Successive Approximation Register
     - S/H = Sample and Hold circuit
     - VIN = Input Voltage
     - VREF = Reference Voltage
  24. SAR: WEIGHING PROBLEM
     - The SAR algorithm is based on one of the solutions to the weighing problem by Niccolò Fontana Tartaglia, Italian mathematician and engineer, in 1556
     - The objective is to determine the least number of weights which would serve to weigh an integral number of pounds from 1 lb to 40 lb using a balance scale
  25. ADC: WEIGHING PROCESS (diagram: VDAC is stepped against VIN over time on a scale marked ¼ VREF, ½ VREF, ¾ VREF; the example conversion yields BIT 3 = 0 (MSB), BIT 2 = 1, BIT 1 = 0, BIT 0 = 1 (LSB))
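As an added illustration of the weighing process on slides 24 and 25 (example code written for this page, not code from the talk), the following C model runs a 4-bit successive approximation: the held input is compared against the DAC trial level bit by bit, MSB first, and a bit is kept when the input is at least the trial level. VREF and VIN are constructed values; the 5/16 VREF input reproduces the slide's bit pattern 0, 1, 0, 1. It also shows what slide 54's first point means at the code level: an input at or above VREF saturates to all ones.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example, not from the talk: a software model of the successive-
 * approximation (weighing) step shown on slide 25.  The sampled input is
 * held constant for the whole conversion, as the S/H circuit does, and the
 * DAC trial level is compared against it MSB first. */

#define SAR_BITS 4   /* 4-bit converter, matching the four bit decisions on the slide */

/* Trace of one conversion: the DAC trial level (as a fraction of VREF)
 * and the comparator verdict for every bit, MSB first. */
typedef struct {
    double   trial[SAR_BITS];   /* VDAC / VREF offered at step i */
    int      bit[SAR_BITS];     /* comparator result: 1 if VIN >= VDAC, else 0 */
    unsigned code;              /* final N-bit output word */
} sar_trace_t;

/* Run the SAR weighing process for an input VIN against VREF. */
sar_trace_t sar_convert(double vin, double vref)
{
    sar_trace_t tr = {0};
    unsigned code = 0;
    for (int i = SAR_BITS - 1; i >= 0; i--) {
        unsigned trial_code = code | (1u << i);               /* tentatively set bit i */
        double vdac = (double)trial_code / (1u << SAR_BITS) * vref;
        int keep = (vin >= vdac);                            /* the comparator */
        if (keep) code = trial_code;                         /* the weight stays on the scale */
        tr.trial[SAR_BITS - 1 - i] = vdac / vref;
        tr.bit[SAR_BITS - 1 - i] = keep;
    }
    tr.code = code;
    return tr;
}

/* Convenience wrapper: the output code word only. */
unsigned sar_code(double vin, double vref) { return sar_convert(vin, vref).code; }

int main(void)
{
    double vref = 3.3;                    /* constructed reference voltage */
    double vin = 5.0 / 16.0 * vref;       /* 5/16 VREF: the pattern on the slide */
    sar_trace_t tr = sar_convert(vin, vref);
    for (int i = 0; i < SAR_BITS; i++)
        printf("step %d: VDAC = %.4f VREF -> BIT %d = %d\n",
               i, tr.trial[i], SAR_BITS - 1 - i, tr.bit[i]);
    printf("code = %u (bits %d%d%d%d)\n", tr.code, tr.bit[0], tr.bit[1], tr.bit[2], tr.bit[3]);
    printf("code for VIN >= VREF = %u (all ones)\n", sar_code(vref + 0.2, vref));
    return 0;
}
```

The trial levels come out as ½, ¼, ⅜ and 5/16 of VREF, which is exactly the balance-scale search: each rejected weight is removed and the next smaller one is tried.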
  26. LET’S SET UP AN EXPERIMENT. Experimental setup:
     - Arduino Leonardo (ATmega32U4 with built-in ADC, 125 kHz internal ADC clock)
     - Si5351 generator
     Algorithm:
     1. Generate a square signal with a specific frequency and phase,
     2. Read 120 ADC values in a row and average them,
     3. Output to the serial port (PC),
     4. Increase phase and frequency,
     5. GOTO 1.
  27. RESULT: What is this?! (plot)
  29. LET’S REPEAT OUR EXPERIMENT: Frequency = around 8.9 kHz
  30. LET’S REPEAT OUR EXPERIMENT. Let’s introduce a “counter” to our code for averaging 120 ADC conversions (fast analog read; averaging, frequency change and output to the serial port go in the if-block; the pin toggled around the read outputs a zero-going pulse so we can see when the ADC does the actual work):

       // Variables assumed declared earlier in the sketch (not on the slide):
       // uint16_t val; uint32_t sum = 0; uint16_t step = 0; uint8_t phase = 0; uint64_t freq (start frequency);
       for(;;){
         asm("cbi 0x0e, 6");                 // pin low: conversion starts
         val = __fastAnalogRead(A0);         // inline function (fast analog read)
         asm("sbi 0x0e, 6");                 // pin high: conversion done
         sum += val;
         step++;
         if(step > 120){
           if(phase >= 170){
             phase = 0;
             freq += 100;
           }else phase += 10;
           si5351.set_freq(freq, 0ULL, SI5351_CLK0);
           si5351.set_phase(SI5351_CLK0, phase);
           Serial.print(sum * 1.0/step);     // average of the 120 conversions
           sum = 0;                          // reset the accumulator for the next batch
           step = 0;
         }
       }
  32. FROM THE ATMEGA32U4 DATASHEET (Chapter 24 on ADC, page 302): 125 kHz / 14 ≈ 8928 Hz (112 μs). We’ve just breached the sampling-rate limit of the ADC!
  33. NOT ONLY BUILT-IN ADCS. Test results for the MCP3201 ADC:
     - fCLK = 125 kHz: 14.3 kHz
     - fCLK = 8 MHz: 292.5 kHz
  34. “RACING” WITH ADC CLOCK -- Delta-Sigma ADC --
  35. DELTA-SIGMA ADC
     - Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals, as found in an ADC.
     - Typically, delta-sigma ADCs are clocked from a high-frequency signal, but the resulting sample rate is much slower than for other types of ADC
     - Example: AD7706 ADC, clock frequency 2 MHz, output sample rate 25–500 samples per second.
     - This allows producing results with higher resolution and much better reliability.
  36. MODUS OPERANDI (diagram)
  37. DEMO 3: Still exploitable? LIVE DEMO -- delta-sigma --
  39. ATTACK EFFORTS: SIGMA-DELTA VS. SAR
     - SAR ADCs are much easier to exploit (due to their simple nature); however, increasing the SAR clock frequency could produce more problems for the attacker
     - Delta-sigma ADCs allow only a few ways to craft a reliable attack; however, the result could be far more than you need.
  40. SOFTWARE-RELATED PROBLEMS -- ADC access timing --
  41. DEMO 3 (demo video): One signal, two ADCs
  42. FROM THE DEMO: TWO DEVICES & TWO DIFFERENT OUTPUTS. Wait, but why? Timing diagrams can explain ;-)
  43. EVERYTHING IS MUCH EASIER IN THE ICS WORLD
     - In many real-world ICS applications the ADC doesn’t sample the input signal at the highest possible frequency; the typical sampling rate is 1–100 times per second (diagram labelled: malicious part of signal)
  44. HURDLES OF THE ATTACKER
     - How to figure out the required phase and frequency to craft the needed malicious signal?
     - Send some peak signals and monitor the output of the ADC (directly/indirectly)
     - E.g. by hacking into a switch you can monitor/control both the data flow to the control PLC AND the digital data output from the Monitoring PLC/logger/DAQ/Safety PLC/etc.
  45. FIGURING OUT SIGNAL PARAMETERS (diagram: Control PLC, Actuator, HMI, compromised industrial switch, Monitoring PLC/Logger/DAQ/Safety PLC)
  46. SOFTWARE-RELATED PROBLEMS -- ADC conversion time --
  47. ADC IN CRITICAL APPLICATIONS: Be careful when using an ADC in critical applications
     - Industrial PLCs also have analog inputs and built-in ADCs
     - Let’s test one of the most popular PLCs: S7 1200
  48. EXPERIMENT SETUP: Let’s check the real conversion time of the S7 1200 ADC. An Arduino drives a waveform generator over I2C (frequency, amplitude) -> analog signal -> S7 1200 analog input; a PC reads the value from the PLC over the S7 protocol every N ms
  49. (plots with the frequency fixed) N = 8.3 ms, N = 9 ms, N = 7 ms, N = 4.5 ms, N = 2.5 ms
  51. WHAT’S WRONG? Nothing, really. You just need to read the datasheet more thoroughly (the text in small letters)
  53. BREAKING SOFTWARE-DEFINED RANGES
     - Consider a 5–10 V signal which is consumed by an ADC with a 0–15 V range
     - What will happen if you send a signal lower than 5 V or higher than 10 V? (plot: V against time, 5 V and 10 V marked)
     From real-life code:

       uint8_t val = readADC(0); // reading an 8-bit ADC value with range 0 V - 15 V
       val = val - 85;           // Normalization -> 85 == 5 Volts (255/3)

     Any signal of less than 5 V (val < 85) will cause an integer overflow in val
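The unchecked subtraction above, placed beside a checked variant, as an added example (not code from the talk): readADC() is not modelled, the raw codes are constructed inputs, and the 0..255 to 0..15 V mapping is the one the slide states. The checked variant validates the raw code against the expected 5..10 V window before doing any arithmetic and reports the deviation to the caller instead of letting an unsigned byte wrap around.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the talk.  Both functions take the raw 8-bit
 * code of an ADC whose 0..255 range spans 0..15 V, so 85 == 5 V and
 * 170 == 10 V (the slide's software-defined 5..10 V window).  readADC()
 * itself is not modelled; the raw codes below are constructed inputs. */

#define RAW_5V  85u    /* 255 / 3 */
#define RAW_10V 170u   /* 2 * 255 / 3 */

/* The pattern from slide 53: unchecked subtraction on an unsigned byte.
 * A raw code below 85 (input under 5 V) wraps around to a large value
 * that looks like a perfectly valid in-range reading to the caller. */
uint8_t normalize_unchecked(uint8_t raw)
{
    uint8_t val = raw;
    val = val - RAW_5V;          /* 84 -> 255, 0 -> 171 */
    return val;
}

/* Status codes for the checked variant. */
enum adc_status { ADC_UNDER_RANGE = -1, ADC_OK = 0, ADC_OVER_RANGE = 1 };

/* Hardened variant: validate the raw code against the expected window
 * BEFORE arithmetic and report out-of-window inputs to the caller.  On
 * error *out is clamped to the nearest window edge, so a caller that
 * ignores the status still gets a bounded value rather than a wrap. */
enum adc_status normalize_checked(uint8_t raw, uint8_t *out)
{
    if (raw < RAW_5V) {
        *out = 0;
        return ADC_UNDER_RANGE;
    }
    if (raw > RAW_10V) {
        *out = RAW_10V - RAW_5V;
        return ADC_OVER_RANGE;
    }
    *out = (uint8_t)(raw - RAW_5V);   /* 0..85 for 5..10 V */
    return ADC_OK;
}

/* Helpers so the two behaviours can be compared for one raw code. */
int checked_value(uint8_t raw)
{
    uint8_t v;
    (void)normalize_checked(raw, &v);
    return v;
}

int checked_status(uint8_t raw)
{
    uint8_t v;
    return (int)normalize_checked(raw, &v);
}

int main(void)
{
    uint8_t probes[] = { 0, 84, 85, 128, 170, 171, 255 };   /* constructed raw codes */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint8_t raw = probes[i], v;
        enum adc_status st = normalize_checked(raw, &v);
        printf("raw %3u (%5.2f V): unchecked=%3u checked=%3u status=%2d\n",
               raw, raw * 15.0 / 255.0, normalize_unchecked(raw), v, (int)st);
    }
    return 0;
}
```

The row for raw code 84 (about 4.94 V) is the one the slide warns about: the unchecked path returns 255, the largest possible normalized value, while the checked path returns 0 together with ADC_UNDER_RANGE, so the control logic can treat the reading as a fault rather than as a command.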
  54. BREAKING HARDWARE-DEFINED RANGES: What if the attacker sends a signal outside of the ADC hardware-defined range (> Vref)?
     - The ADC will output the max value (all bits set to 1)
     - The ADC might be damaged
     - Values on other inputs could be distorted
  55. DEMO SETUP: USB UART, negative voltage source, ATmega328P, optical isolator
  56. DEMO 4 (demo video): Negative input signal (breaking hardware range)
  58. ANOTHER EXAMPLE: Breaking HW RANGES for the NXP LPC 11U24F internal ADC (3.3 V Ref). Table header on the slide: ADC/Ref Volts | A-3 | A-2 | A-1 | A-0 | A+1 | A+2 | A+3; each surviving row gives the applied voltage followed by four channel readings (V):
       0.48     0.0    0.48   1.58   3.3
       3.39     0.0    3.3    1.59   3.3
       4.1      0.087  3.3    1.729  3.3
       4.65     0.17   3.3    1.974  3.3
       5.1      0.44   3.3    2.212  3.3
       5.9      0.0    2.035  1.561  3.3
       6.1-9.8  ~      ~      ~      ~
      -0.48     0.0    0.0    1.58   3.3
      -1.1      0.0    0.0    1.64   3.20
      -1.5      0.025  0.0    1.71   3.07
      -1.7      0.0    0.0    2.5    2.9
      -2        ~      ~      ~      ~
  60. DIRECT ACCESS ATTACK TOOL KIT (RARE CASE): line coupling circuit (usually OpAmp/transformer); total setup cost $50 (1 kHz) to $400 (50 MHz)
  61. ATTACKING FROM AN ICS DEVICE
     - Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.)
     - Most MCUs inside transmitters/actuators are capable of generating arbitrary signals up to 500–1000 Hz
     - Some devices allow generating signals of 44 kHz and above
  62. ATTACK FROM TRANSMITTER: HART transmitter reference design ;-) DAC with sample rate up to 100 kHz (smooth sine wave at ~5 kHz) (source: transmitter.html?cmp_id=7&news_id=222918850)
  63. MITIGATIONS
  65. LPF FILTERS (ANTIALIASING) IN REFERENCE DESIGN
     - A low-pass filter attenuates signals with a frequency higher than its cutoff frequency
     - Buffer the ADC input with an LPF
     - Good design dictates ADC fs > LPF fc
  66. LPF FILTERS IN REFERENCE DESIGN: “We included an LPF in our design”: ADC with fs ~ 470 Hz, LPF with fc near 15 kHz
  67. SOLUTION (diagram)
  68. FLIP SIDE OF USING LPF: “Securing” may lead to more vulnerabilities
     - When adding an LPF to an individual device, make sure that all related devices have the same cut-off frequencies
     - E.g. if the PLC input is buffered with an LPF with fc = 1 kHz and the actuator is equipped with an LPF with fc = 5 kHz, the attack is not only possible, but the probability of success increases!
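To make the numbers behind slides 65, 66 and 68 concrete, an added example (not code from the talk): a first-order RC low-pass model, a design check of the cutoff against the sampling rate, and a check that two devices' cutoffs agree. The frequencies are constructed test values, including the 470 Hz / 15 kHz pair from slide 66 and the 1 kHz / 5 kHz pair from slide 68. The design check uses fc ≤ fs/2 (Nyquist), which is stricter than the fs > fc wording on slide 65.

```c
#include <stdio.h>

/* Added example, not from the talk: the arithmetic behind slides 65, 66
 * and 68.  A first-order RC low-pass filter has magnitude response
 *     |H(f)| = 1 / sqrt(1 + (f / fc)^2),
 * so how much of a signal at frequency f reaches the ADC depends on where
 * fc sits relative to the ADC sampling rate fs.  All frequencies below are
 * constructed test values in Hz. */

/* Newton-iteration square root so the block needs no libm. */
static double sqrt_newton(double x)
{
    if (x <= 0.0) return 0.0;
    double r = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 60; i++) r = 0.5 * (r + x / r);
    return r;
}

double absd(double x) { return x < 0.0 ? -x : x; }

/* Gain (0..1) of a first-order low-pass with cutoff fc at frequency f. */
double lpf_gain(double f, double fc)
{
    double ratio = f / fc;
    return 1.0 / sqrt_newton(1.0 + ratio * ratio);
}

/* Design rule: an anti-aliasing filter has to start attenuating below the
 * frequencies the ADC cannot represent, i.e. its cutoff must lie at or
 * below the Nyquist frequency fs / 2.  Slide 65's "fs > fc" is the weaker
 * necessary condition; this check applies the Nyquist form. */
int antialias_design_ok(double fs, double fc)
{
    return fc > 0.0 && fc <= fs / 2.0;
}

/* Slide 68: devices sharing one analog line should see the same band, so
 * their cutoffs must agree within a relative tolerance. */
int cutoffs_matched(double fc_a, double fc_b, double rel_tol)
{
    double diff = fc_a > fc_b ? fc_a - fc_b : fc_b - fc_a;
    double ref  = fc_a > fc_b ? fc_a : fc_b;
    return diff <= rel_tol * ref;
}

int main(void)
{
    double fs     = 470.0;        /* slide 66: ADC sampling rate */
    double fc_bad = 15000.0;      /* slide 66: filter cutoff actually used */
    double fc_ok  = fs / 2.0;     /* a cutoff that respects the Nyquist rule */

    printf("fs=%.0f Hz, fc=%.0f Hz: design ok? %d, gain at fs = %.4f\n",
           fs, fc_bad, antialias_design_ok(fs, fc_bad), lpf_gain(fs, fc_bad));
    printf("fs=%.0f Hz, fc=%.0f Hz: design ok? %d, gain at fs = %.4f\n",
           fs, fc_ok, antialias_design_ok(fs, fc_ok), lpf_gain(fs, fc_ok));
    printf("PLC fc=1 kHz vs actuator fc=5 kHz matched (5%% tol)? %d\n",
           cutoffs_matched(1000.0, 5000.0, 0.05));
    return 0;
}
```

With the slide 66 values a 470 Hz component passes at a gain of about 0.9995, i.e. the filter is not in the picture at all; with fc at fs/2 the same component is down to about 0.447, which also shows that a single RC stage is a weak anti-aliasing filter and that the order of the filter matters as much as its cutoff.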
  69. NOTE: A DIGITAL LPF WON’T WORK! Do not use a digital LPF after the ADC!
     - The ADC will already be compromised by the maliciously crafted signal, and no digital filter will fix matters
  70. USE AN ADC WITH HIGHER BANDWIDTH/LOWER CONVERSION TIME (OR ANOTHER TYPE OF ADC)
     - Using an ADC with a higher sampling frequency (mostly for SARs) can mitigate the “racing with ADC” attack, as the attacker will have to generate a signal of much higher frequency
     - Or just use delta-sigma ADCs
     - Generating a ~1 MHz signal or injecting it into an analog line is much harder than generating or injecting a ~1 kHz signal; high-frequency signals are subject to greater attenuation and more affected by noise
  71. SCALE THE SIGNAL AMPLITUDE BEFORE THE ADC
     - To avoid abuse of ADC voltage ranges, normalize the signal amplitude before feeding the signal to the ADC: simplest option, a voltage divider + OpAmp; otherwise signal conditioning circuits or even dynamic range compression. Select what is suitable for your OT process
  73. SAMPLING FREQUENCY RANDOMIZATION
     - A certain randomness in the sampling frequency will make the attacker’s job much harder; many of the discussed attacks will be much more challenging to execute
     - A small variation of the sampling frequency won’t degrade the signal understanding process. On the contrary, it will produce a signal sample of better quality: f′ = f + rand(Δ) (plot: V against time)
  74. APPLY SECURE CODING TECHNIQUES
     - Scrutinize your ADC/PLC datasheets to figure out effective ranges, conversion time, frequency and other critical parameters
     - Even if it is sufficient to control the process with one value per second, sample the signal at a higher frequency and average the converted values
     - When receiving a value from the ADC, treat it as an absolute value (all bits received from the ADC are significant)
  75. DON’T SLEEP! (WHILE ON DUTY :) ) Avoid writing/using the following code (if you don’t completely understand your process):

       Val = readADC();
       Output(Val);
       Sleep(Timeout);
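A software model of the effect the talk demonstrates (slides 20 and 32) and of the two software-side mitigations on slides 73 to 75, written as an added example for this page and not taken from the talk. It assumes an ideal ADC that returns the exact line voltage at each sampling instant, the 0 V / 1.5 V MV levels of slide 10, the 8928 Hz rate from slide 32, and a constructed deterministic jitter source. A 50 % duty square wave whose frequency equals a fixed sampling rate is read as a constant at whatever level the sampling instant happens to hit; the same wave read ten times faster and averaged, or read with a randomized interval, averages out to its true mean of 0.75 V.

```c
#include <stdio.h>

/* Added example, not from the talk.  Pure-software model of the aliasing
 * effect behind slides 20/32 and of the two software mitigations on slides
 * 73-75 (sampling-rate randomization; oversample and average instead of
 * read-sleep).  The line carries a 50% duty square wave between MV_OFF and
 * MV_ON (slide 10 levels), so its true average is 0.75 V.  The ADC is
 * modelled as ideal.  Frequencies and sample counts are constructed. */

#define MV_OFF 0.0
#define MV_ON  1.5
#define FS_ADC 8928.0          /* slide 32: ATmega32U4 ADC at 125 kHz / 14 */

double absd(double x) { return x < 0.0 ? -x : x; }

/* Voltage of the square wave at a position inside its period (0..1). */
static double square_at(double pos) { return pos < 0.5 ? MV_ON : MV_OFF; }

/* Keep a period position inside [0, 1). */
static double wrap01(double pos)
{
    pos -= (double)(long)pos;
    if (pos < 0.0) pos += 1.0;
    return pos;
}

/* Small deterministic LCG (constructed), uniform in [0, 1). */
static double lcg_uniform(unsigned *state)
{
    *state = *state * 1103515245u + 12345u;
    return (double)((*state >> 8) & 0xFFFFFFu) / 16777216.0;
}

/* Sample the line n times.  The interval between samples is 1/fs, stretched
 * or shrunk by up to +-jitter (fraction of the interval) when jitter > 0,
 * which is the f' = f + rand(delta) idea of slide 73.  Returns the mean of
 * the n conversions, i.e. the value the firmware would act on. */
double sampled_mean(double f_signal, double fs, double start_pos,
                    int n, double jitter, unsigned seed)
{
    double pos = start_pos;            /* where in the period sample 0 lands */
    double sum = 0.0;
    for (int k = 0; k < n; k++) {
        sum += square_at(pos);
        double interval = 1.0 / fs;
        if (jitter > 0.0)
            interval *= 1.0 + jitter * (2.0 * lcg_uniform(&seed) - 1.0);
        pos = wrap01(pos + f_signal * interval);
    }
    return sum / n;
}

/* Case 1: signal frequency equals the fixed sampling rate.  Every sample
 * lands on the same point of the period, so the average equals whatever
 * level that point has (here the ON level), not the true 0.75 V. */
double aliased_mean(void)     { return sampled_mean(FS_ADC, FS_ADC, 0.25, 1000, 0.0, 1u); }

/* Case 2 (slide 74): same signal, ADC read 10x faster and averaged. */
double oversampled_mean(void) { return sampled_mean(FS_ADC, 10.0 * FS_ADC, 0.25, 1000, 0.0, 1u); }

/* Case 3 (slide 73): same signal and nominal rate, +-40% interval jitter. */
double randomized_mean(void)  { return sampled_mean(FS_ADC, FS_ADC, 0.25, 10000, 0.4, 12345u); }

int main(void)
{
    printf("true line average      : %.3f V\n", 0.5 * (MV_ON + MV_OFF));
    printf("fixed fs = f_signal    : %.3f V\n", aliased_mean());
    printf("10x oversample+average : %.3f V\n", oversampled_mean());
    printf("randomized interval    : %.3f V\n", randomized_mean());
    return 0;
}
```

Case 1 is the read-sleep loop of slide 75 in miniature: one conversion per fixed period tells the firmware nothing about what the line did in between. Changing the start position to 0.75 makes the same loop report 0 V (actuator OFF), which is the "two devices, two MVs" observation of the demos; cases 2 and 3 report the true average regardless of where the first sample lands.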
  76. BLACK HAT SOUND BYTES
     - Aliasing attacks and attacks using voltage ranges are still possible against modern ADC components inside ICS devices (thanks, Cap!)
     - Most of these problems could easily be solved with antialiasing filters (LPF); however, these filters should have the same cut-off frequencies.
     - Even a good LPF and a good ADC will not save you if your software works with the ADC incorrectly.
  78. @dark_k3y @marmusha