Tools for Practical Attacks on Analog-to-Digital Conversion

My presentation from S4 on attacks against ADCs and related topics.


1. Tools for Practical Attacks on Analog-to-Digital Conversion. Alexander 'dark_k3y' Bolshev, with help from Marina Krotofil, Gabriel Gonzalez and Andrey Dolgikh.
2. ; CAT /DEV/USER. Alexander 'dark_k3y' Bolshev: Ph.D., security consultant @ IOActive Madrid HW Lab, distributed systems researcher. "The more complex and strange the system, the better."
3. Important disclaimer: everything in this presentation is covered in the first lectures of the 'Control theory' and 'Digital Signal Processing' university courses, so it is not about anything new.
4. Quick intro to ICS + ADC problems
5. Dialog with (some) ICS engineer during a pentest
Me: You have …vulns……vulns……vulns… and as a result I could compromise your PLC!
Engineer: You will achieve nothing with it, because my monitoring system will stop you when the analog signal generated by this PLC goes out of the 10% range. After that, the backup PLC will be launched in a very short time.
Me: Okay... (went away crying)
(some time passed)
Me: But I will be back!
6. From Michael Ossmann:
7. Correct interpretation of data is important, because embedded and industrial control systems use analog inputs to build the picture of the controlled system's state.
[figure: ICS field level. Sensors measure the process state; the control system computes control commands for the actuators; the actuators adjust themselves to influence the process behavior; the physical process closes the loop, with ADCs on the sensor side and DACs on the actuator side.]
8. Consider the following architecture
[figure: analog control loop from a Control PLC to an Actuator; the same line is read by a Monitoring PLC / Logger / DAQ / Safety PLC that feeds an HMI; an Attacker is on the loop.]
9. Consider the following architecture. MV = Manipulated Variable. What if the MV value seen by the actuator differs from the MV value seen by the logger?
[figure: the same loop with the two line levels 0 V (actuator is OFF) and 1.5 V (actuator is ON).]
10. Proof-of-concept demo from the past: "HMI Panel", "Control PLC" (Arduino), "Actuator" (motor), "Monitoring PLC" (S7 1200). See the v1_motor_arduino_vs_plcadc.m4v video.
11. How is it possible at all? The MV is represented by an analog signal! Because we are not talking about altering the analog signal itself, but about altering its digital representation, i.e. the conversion.
12. Analog-to-Digital converter [2]
13. What is an ADC?
• A device that converts a continuous physical quantity (usually voltage) to a digital number that represents the quantity's amplitude. [3]
• An ADC is defined by its bandwidth (the range of frequencies it can measure) and its signal-to-noise ratio (how accurately it can measure a signal relative to the noise it introduces).
• The bandwidth of an ADC is characterized primarily by its sampling rate, and to a lesser extent by how it handles errors such as aliasing.
[figure: ADC block with Input Signal and Reference in, Digital Representation out]
14. Types of ADCs. There are many types of ADCs; the three most common are:
• Successive-approximation ADC (SAR)
• Sigma-delta ADC
• Pipeline (usually built from flash stages)
15. Aliasing
• The sampling frequency must satisfy the Nyquist rule (fs > 2f)
• Otherwise the signal appears at a false (alias) frequency
16. Anti-aliasing filters: "input validation" in the ADC world
• An anti-aliasing filter (AAF) is a filter placed in front of the sampling device (e.g. an ADC) to attenuate the signal's power in the high-frequency range, so that the sampling theorem (fs > 2f) is approximately or completely satisfied
• As a member of the low-pass filter (LPF) family, an AAF is characterized by its cut-off frequency (fc) and its stop-band frequency (fsb) [4]
17. Attacks against ADCs
• Frequency and phase:
  • Arbitrary waveform signal, i.e. a signal with a waveform that the ADC may somehow misinterpret (see ep. 1)
  • High-frequency function signal, i.e. a sine wave with kHz or MHz frequency that the ADC may somehow misinterpret
  • Oversampling attack against SAR (see ep. 1)
  • Special-frequency attack against ΔΣ (see ep. 2)
• Amplitude (out-of-voltage-range signal) (see ep. 1)
18. Attacks: AWG against the "ADC()" call
19. But how…? "HMI Panel", "Control PLC" (Arduino), "Actuator" (motor), "Monitoring PLC" (S7 1200)
20. …Easy! [scope capture of the line, labels: 3.3 V, 100 ms, 2.5 ms] The Control PLC (Arduino) loop:

    /* pinOutput() is the sketch's own output helper (not a standard Arduino
       call; presumably an analogWrite()-style PWM write, 0-255) driving the
       TIP120 transistor that switches the analog line. */
    int i;
    while (1) {
        pinOutput(tip120PIN, 200);      /* hold the line high */
        delay(395);
        for (i = 0; i < 20; i++) {      /* burst of 20 short low pulses */
            pinOutput(tip120PIN, 0);
            delay(2);
            pinOutput(tip120PIN, 200);
            delay(2);
        }
        pinOutput(tip120PIN, 200);      /* back to steady high */
        delay(495);
    }
21. Siemens S7 1200 analog I/O ADC [scope capture]
22. Siemens S7 1200 analog I/O ADC [scope captures of the input behavior at pulse periods N = 8.3 ms, 9 ms, 7 ms, 4.5 ms and 2.5 ms]
23. Siemens S7 1200 analog I/O ADC (continued) [same set of captures, N = 8.3 ms, 9 ms, 7 ms, 4.5 ms, 2.5 ms]
24. AWG signal against a "lazy-call" ADC:

    Val = readADC();
    Sleep(Timeout);   /* or doSmth(Timeout) */
    Output(Val);

25. But this is just an Arduino, not a real controller! Ok, let's try without the Arduino…
26. Ok, let's try something more real… SIMATIC S7-1200, ANALOG OUTPUT SB 1232, 1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA (11 BIT RES). Problem: no public information on the real SPS (samples per second) of this module…
27. Ok, what's inside? [board photo: logic buffer, EEPROM, OpAmp, XTR300]
28. XTR300?
29. Let's test for the max stable SPS…
30. Proof-of-concept demo with real stuff: "HMI Panel", "Control PLC" (S7 1200), "Actuator" (motor), "Monitoring PLC" (S7 1200). See the v2_motor_plc_vs_plcadc.m4v video.
31. Signal generation SCL code: https://support.industry.siemens.com/cs/document/67295964/how-in-step-7-v5-x-do-you-program-signal-generation-(rectangle-sawtooth-triangle-sinus)-using-the-cyclic-interrupts-?dti=0&lc=en-WW
32. Pure frequency/phase attacks
33. ΔΣ Modulation
• Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals, as found in an ADC. [7]
• In Δ-modulation the change in the signal (its delta) is encoded rather than the absolute value; the result is a stream of pulses. In ΔΣ-modulation the accuracy of the modulation is improved by passing the digital output through a 1-bit DAC and adding (sigma) the resulting analog signal to the input signal, thereby reducing the error introduced by the Δ-modulation. [7]
34. Delta-sigma ADC
• ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts, analog and digital:
  • the analog part generates a very high-frequency bitstream;
  • the digital part produces the real-number output by filtering that bitstream with a digital filter and decimating it down to the output samples-per-second rate.
[figure: analog input → ΔΣ modulator → 1-bit stream (0 1 1 0 0 …) → digital low-pass filter → N-bit stream → decimation filter → output data (3.3 3.4 3.4 3.4 2.7 2.2 …); the modulator is the analog part, the filters are the digital part]
35. Modulation process [6]
36. Delta-sigma ADCs [6]
37. Demo: the mystery of the ΔΣ AD7706 ADC… See the v3_mystery_sdadc1.mp4 video.
38. Possible explanation from the datasheet?
• We would then expect some noise there, but probably not a clean sine signal
• It explains things only partly; we need a good hypothesis for all of it. In our case fCLKIN = 2.00 MHz, so fs = 31250
39. LP & decimation (sinc3) filter: D = N = 64 for the AD7706
40. [setup photo: signal generator → AD7706 & Vref → ATmega328 → USB UART] Demo: the second mystery of the ΔΣ AD7706 ADC… See the v4_mystery_various_signals.mov video.
41. Hypotheses and frustrations
• Digital filter corner frequency/noise? No, the sine is too clean for that
• sinc3 filter implemented in the MCU, with an integer overflow?
• "Artificial gain" (no PGA), just a multiplication on the digital output? That's wrong according to the chip decap image
42. • Dynamic compression? • Overflow in the logic circuit? • Pole-zero cancellation in the filter? Still a mystery.
43. 31.25 kHz looks like too much for a successful attack with cheap gear → a DAC with a sample rate of up to 100 kHz
44. Implementation: Renesas R5F100bG RL78/G13; 27352 bytes firmware size => 4 – 36+ kB for the payload
45. Ok, I got it, but what else could I use for the attack? A signal/function generator plus a line coupling circuit (usually an OpAmp or a transformer). The two most common industrial analog line loops:
• Voltage (0-10V, 0-24(28)V, 0-48V)
• Current (0-20mA)
Aka the ADC research kit for Joseph FitzPatrick
46. Voltage. Signal/function generator: Si5351 + any MCU via I2C. Coupling circuit: buffer (RtR OpAmp) + high-voltage OpAmp, Gain = 1 + (R2/R1); e.g. TI OPA551/OPA552, Fairchild LM358N. Whether a buffer is needed depends on the signal source.
47. Current (0-20mA): Cypress PSoC (http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262), CY8CKIT-049-42XX (~<10 EUR), MAX15006, and any suitable cheap transistor for such a current.
48. Other ΔΣ ADCs: ADS1015
49. Cypress PSoC5 built-in ADC* (What's this? What's that? [5]) *default configuration
50. Ok, let's look at a real device with ΔΣ-ADC-like behavior: Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O. (Slides 50 to 56 are part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3.)
51. Very weird results for a real industrial PLC: 1 → 24 Hz
52. 25 Hz
53. And… 24.9 Hz!!!
54. And… 24.9 Hz!!! (continued)
55. *No offense, Andrey, it's just really funny!*
56. Flex I/O vs. PowerFlex
57. Do we have at least one "normal" ΔΣ ADC?! Yes, e.g. the MAX11205: sinc4 filter with no visible mistakes + post-filtering(?). Looks very reliable. [figure: MAX11205 response; "Post-filtering?"]
58. Attacks summary: what you can and what you cannot
59. Summary

    ADC                  First "attackable" f   Required AAF fc     Required AAF fsb   Complexity
    SAR ADC (generic)    S/H frequency          (S/H frequency)/2   -                  easy/medium
      MCP3201            14.3 kHz               7.1 kHz             -                  easy
    S7 1200 PLC          121 Hz                 60 Hz               120 Hz             easy
    AB 1794-IE4XOE2*     24.9 Hz                10 Hz               20 Hz              very easy
    AD7705/AD7706        31250/38400 Hz         -                   30 kHz             easy
    ADS1015              ~86 kHz                10-20 kHz           50 kHz             medium/hard
    MAX11205             n/a                    any reasonable      any reasonable     ~impossible
    PSoC5 LP**           ~1 kHz                 1 kHz               2 kHz              easy

    * research data by Andrey Dolgikh
    ** incorrectly configured (default configuration) PSoC module
60. What could you do?
61. Mitigations
• As hardware developers/vendors:
  • Implement correct AA filters according to the REAL characteristics of your ADC (read the latest/hidden datasheets, test your ADC manually)
  • Remember: digital filters won't help
• As software developers (incl. firmware and PLC program development):
  • Introduce sampling-frequency randomization in the software that works with the ADC
  • Avoid "sleepy" code
• As engineers:
  • Use the same AA filters all over your analog network, in accordance with your OT process
62. The vendor sceptic's reply: "We already have correct AA filters everywhere!" Are you sure?
63. Reference design of an industrial sensor: "We included an AA LPF in our design" [schematic: ADC with fs ~ 2 kSPS, LPF with fc near 79 kHz]
64. Reference design of an industrial transmitter: "We included an AA LPF in our design" [schematic: ADC with fs ~ 470 SPS, LPF with fc near 79 kHz]
65. But we have … AA filters... Everywhere...
66. Vendor: also remember, a digital filter won't help
• The signal is already "compromised" by the "ADC features", so any digital filtering after the ADC won't help you.
• If you want full control, install a ΔΣ modulator and implement the digital part of the ΔΣ ADC yourself in an FPGA.
[figure: analog signal → ΔΣ modulator → 1-bit stream → your own digital part → digital representation]
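The claim on this slide, and the 31250 Hz "first attackable frequency" the summary table lists for the AD7705/AD7706 (slides 38 and 39), can be reproduced with a small simulation. What follows is an added example of my own, not code from the talk or from Analog Devices: a first-order ΔΣ modulator (a simplification; the AD7706's own modulator is of higher order and its internals are not documented on the slides) followed by the sinc3 decimation by D = 64 from slide 39, with the modulator clocked at the 31250 Hz from slide 38. A tone 2 Hz above the modulator rate produces the same decimated output as a legitimate 2 Hz process signal, because the aliasing happens at the modulator's sampling instants, before any digital filtering; a 3 kHz tone that the modulator does sample correctly is removed by the digital filter as expected. The 0.5 amplitude, the 2 Hz offset and the 3 kHz probe are my choices.

```python
import math

F_MOD = 31250     # modulator sampling rate from slide 38 (fCLKIN = 2.00 MHz)
D = 64            # sinc3 decimation ratio from slide 39


def delta_sigma_modulate(samples):
    """First-order ΔΣ modulator: integrator -> 1-bit quantizer -> 1-bit DAC feedback.
    Inputs must lie in [-1, 1]; returns a list of +1/-1 bits (the 1-bit stream)."""
    integrator = 0.0
    feedback = 0.0
    bits = []
    for x in samples:
        integrator += x - feedback
        bit = 1 if integrator >= 0.0 else -1
        feedback = float(bit)
        bits.append(bit)
    return bits


def sinc3_decimate(bits, decimation):
    """Digital part: three cascaded boxcar (moving-average) filters of length D,
    then keep every D-th sample. This is the sinc3 response of slide 39."""
    s = [float(b) for b in bits]
    for _ in range(3):
        acc, out = 0.0, []
        for i, v in enumerate(s):
            acc += v
            if i >= decimation:
                acc -= s[i - decimation]
            out.append(acc / decimation)
        s = out
    return s[3 * decimation::decimation]   # drop the filter's settling transient


def tone(freq, amp, fs, seconds):
    """The analog line, already sampled at the modulator clock fs."""
    return [amp * math.sin(2 * math.pi * freq * n / fs) for n in range(int(fs * seconds))]


def adc(freq, amp=0.5, seconds=1.0):
    """Whole ΔΣ ADC: sample the tone at F_MOD, modulate, filter, decimate."""
    return sinc3_decimate(delta_sigma_modulate(tone(freq, amp, F_MOD, seconds)), D)


def amplitude(samples):
    return (max(samples) - min(samples)) / 2.0


def rms_diff(a, b):
    n = min(len(a), len(b))
    return math.sqrt(sum((a[i] - b[i]) ** 2 for i in range(n)) / n)


if __name__ == "__main__":
    legit = adc(2.0)            # a real, slow process variable
    attack = adc(F_MOD + 2.0)   # attacker's tone just above the modulator clock
    blocked = adc(3000.0)       # a fast tone the modulator really sees
    print("2 Hz process signal, amplitude  :", round(amplitude(legit), 3))
    print("31252 Hz attack tone, amplitude :", round(amplitude(attack), 3))
    print("RMS difference between the two  :", round(rms_diff(legit, attack), 4))
    print("3 kHz tone after sinc3, amplitude:", round(amplitude(blocked), 3))
```

The digital filter removes the 3 kHz tone because the modulator actually sampled a 3 kHz signal; it cannot touch the 31252 Hz tone because, by the time the 1-bit stream exists, that tone is already a 2 Hz signal. Only an analog filter in front of the modulator, or your own modulator as the slide suggests, changes that.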
67. Developer: introduce sampling-frequency randomization
• A certain randomness in the sampling frequency will make the attacker's job much harder
• Many of the discussed attacks become much more challenging to execute
• A small variation of fs won't degrade the signal-understanding process; on the contrary, it produces a better-quality sample of the signal
fs = f + rand(Δ)
[figure: randomly spaced sample instants on a V vs. time plot; from http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html]
68. Developer: avoid sleepy code. Avoid writing/using the following code (if you don't completely understand your process):

    Val = readADC();
    Output(Val);
    Sleep(Timeout);
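Slides 18 to 24 and the two developer mitigations on slides 67 and 68 come down to one thing: a fixed-period readADC()/Sleep() loop lets the attacker put the "right" line level under every sample instant, while the actuator, which integrates the line, responds to the mean. The example below is mine, not the author's Arduino sketch or PLC code. It models that with a 120 SPS monitor (the 8.3 ms period from slide 22), a 0.5 ms attack pulse and a ±2 ms sampling jitter for the randomization mitigation (both my choices), and includes the alias-folding arithmetic of slide 15 with the 121 Hz and 24.9 Hz figures from the summary table.

```python
import math
import random

HIGH, LOW = 3.3, 0.0    # line levels from the Arduino demo (slide 20)


def alias_frequency(f_in, fs):
    """Frequency at which a tone at f_in shows up once sampled at fs (slide 15):
    everything folds into [0, fs/2]."""
    f = math.fmod(f_in, fs)
    return min(f, fs - f)


def crafted_line(t, fs_victim, pulse_width):
    """Attacker's waveform on the analog line: LOW nearly all of the time, with a short
    HIGH pulse centred on every sampling instant of a victim that samples at the fixed
    rate fs_victim (which the S7 1200 slides obtained with a scope)."""
    period = 1.0 / fs_victim
    phase = t % period                       # non-negative, also for jittered t < 0
    on_pulse = phase < pulse_width / 2 or phase > period - pulse_width / 2
    return HIGH if on_pulse else LOW


def actuator_reading(fs_victim, pulse_width):
    """A motor or valve integrates the line, so it responds to the mean voltage."""
    duty = pulse_width * fs_victim
    return duty * HIGH + (1.0 - duty) * LOW


def monitor_readings(fs, n, pulse_width, jitter=0.0, seed=7):
    """The 'lazy' loop  Val = readADC(); Sleep(1/fs)  of slides 24 and 68, taking n
    samples of the crafted line. jitter > 0 models slide 67: every sample instant is
    moved by a random amount in [-jitter, +jitter] seconds (seeded for repeatability)."""
    rng = random.Random(seed)
    reads = []
    for k in range(n):
        t = k / fs + (rng.uniform(-jitter, jitter) if jitter else 0.0)
        reads.append(crafted_line(t, fs, pulse_width))
    return reads


def fraction_high(reads):
    """Share of samples on which the monitor saw the actuator as ON."""
    return sum(1 for r in reads if r == HIGH) / len(reads)


if __name__ == "__main__":
    fs, pw = 120.0, 0.0005
    print("actuator mean voltage   :", round(actuator_reading(fs, pw), 3), "V (OFF)")
    print("monitor, fixed period   :", fraction_high(monitor_readings(fs, 200, pw)), "of reads are 3.3 V (ON)")
    print("monitor, +/-2 ms jitter :", fraction_high(monitor_readings(fs, 200, pw, jitter=0.002)), "of reads are 3.3 V")
    print("121 Hz at 120 SPS folds to", alias_frequency(121, 120), "Hz")
    print("24.9 Hz at 25 SPS folds to", round(alias_frequency(24.9, 25), 3), "Hz")
```

With a fixed period every monitor read lands on a pulse and reports 3.3 V while the actuator averages about 0.2 V; with the sample instants jittered, only the reads that happen to fall inside a pulse still see 3.3 V, and the attacker can no longer choose which ones. The two alias figures are the ones the summary table gives for the S7 1200 (121 Hz against a ~120 SPS input) and the AB 1794-IE4XOE2 (24.9 Hz against ~25 SPS): both fold to a slow signal the logger happily accepts.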
69. Engineer: use the SAME AA filters across the whole analog line
• When adding an LPF to an individual device, make sure that all related devices have the same cut-off frequency
• E.g. if the PLC input is buffered with an LPF with fc = 1 kHz and the actuator is equipped with an LPF with fc = 5 kHz, the attack is not only possible, but its probability of success increases!
[figure: analog line from the Control PLC with an fc = 1 kHz filter in front of the Monitoring PLC and an fc = 5 kHz filter in front of the actuator]
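To make the reference-design slides (63 to 65) and the mismatch on slide 69 checkable, here is an added example of my own, not from the talk: it computes the attenuation of an n-th order RC low-pass at the first alias frequency fs/2, the cut-off a filter would actually need to reach a stop-band target there, and how much of an attack tone reaches the monitor versus the actuator when the two have different cut-offs. The cascaded-single-pole filter model and the 40 dB stop-band target are my assumptions; the fs and fc values are the ones on the slides, the 3 kHz attack tone is my choice.

```python
import math


def rc_lowpass_gain(f, fc, order=1):
    """Magnitude gain of `order` cascaded single-pole RC sections, each with cut-off fc
    (assumed filter model; a real AAF may roll off faster or slower)."""
    return (1.0 / math.sqrt(1.0 + (f / fc) ** 2)) ** order


def to_db(gain):
    return 20.0 * math.log10(gain)


def aaf_check(fs, fc, order=1, required_db=-40.0):
    """Attenuation at the first alias frequency fs/2 and whether it meets the (assumed)
    stop-band target. Anything above fs/2 that gets through lands back in-band as an alias."""
    att = to_db(rc_lowpass_gain(fs / 2.0, fc, order))
    return att, att <= required_db


def required_fc(fs, order=1, required_db=-40.0):
    """Cut-off at which `order` RC sections reach required_db at fs/2."""
    per_stage = 10.0 ** (required_db / 20.0 / order)
    return (fs / 2.0) / math.sqrt(per_stage ** -2 - 1.0)


def mismatch(f_attack, fc_monitor, fc_actuator):
    """Gain of an attack tone at the monitoring input and at the actuator (slide 69)."""
    return rc_lowpass_gain(f_attack, fc_monitor), rc_lowpass_gain(f_attack, fc_actuator)


if __name__ == "__main__":
    for name, fs, fc in (("sensor reference design", 2000, 79e3),
                         ("transmitter reference design", 470, 79e3)):
        att, ok = aaf_check(fs, fc)
        print(f"{name}: {att:+.4f} dB at fs/2 -> {'OK' if ok else 'useless as an AAF'}")
        print(f"  fc needed for -40 dB: first-order {required_fc(fs):.1f} Hz, "
              f"fourth-order {required_fc(fs, 4):.1f} Hz")
    g_mon, g_act = mismatch(3000, 1000, 5000)
    print(f"3 kHz tone: monitor sees {g_mon:.2f}x of it, actuator sees {g_act:.2f}x")
```

A 79 kHz cut-off in front of a 2 kSPS or 470 SPS converter attenuates the alias band by a fraction of a decibel, i.e. the "AA LPF" on those schematics is a noise filter, not an anti-aliasing filter. In the slide 69 case the 3 kHz tone reaches the actuator at about 86% of its amplitude but the monitor at about 32%: the mismatch itself hands the attacker a band in which the actuator responds and the logger barely notices.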
70. Thanksgiving service
• Marina Krotofil, for being a co-researcher in ep. 1 and for many bright ideas
• Andrey '@c4f3t13r3' Dolgikh from Binghamton University, for information on Allen Bradley PLC behavior vs. different frequencies
• The guys from the IOA HW lab (especially Gabriel, Ruben and Alfredo), for help and support
• Fedor Savelyev, for ideas and help with DSP (digital signal processing) analysis
• Dmitry Nedospasov, for much useful advice
71. Conclusions
72. Any questions? http://ioactive.com/ @ioactive @dark_k3y
73. References
1. https://en.wikipedia.org/wiki/Control_theory ; picture by Orzetto, own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=5000019
2. Picture from http://maxembedded.com/2011/06/the-adc-of-the-avr/
3. Wikipedia: https://en.wikipedia.org/wiki/Analog-to-digital_converter
4. Picture from http://studentweb.niu.edu/7/~Z063757/lowpass2.bmp
5. Picture from http://www.hdwallpaperpc.com/show-wallpaper/surprised_kitten_animal_cats_kitty_little_cat_136064.html
