Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Attacking Industrial Remote Controllers (HITB AMS 2019)

482 views

Published on

Radio-frequency (RF) remote controllers are widely used in multiple industrial applications like manufacturing, construction and transportation. Cranes, drillers and diggers, among others, are commonly equipped with RF controllers, which have become the weakest link in safety-critical IIoT applications.

Our security assessment revealed a lack of important security features at different levels, with vendors using obscure proprietary protocols instead of standards. As a consequence, this technology appeared to be vulnerable to attacks like replay, command injection, e-stop abuse, malicious repairing and reprogramming. Together with ZDI, we ran into a 6-months responsible disclosure process and then released 10 security advisories.

In this presentation, we share the findings of our research and make use of demos to discuss the problems in detail. We conclude providing recommendations for all parties involved in the life-cycle of these devices, from vendors to users and system integrators.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Attacking Industrial Remote Controllers (HITB AMS 2019)

  1. 1. Hey operator, where’s your crane? Attacking Industrial Remote Controllers Marco Balduzzi, Federico Maggi, Jonathan Andersson Joint work with Philippe Lin, Akira Urano, Stephen Hilt and Rainer Vosseler
  2. 2. Industrial Remote Controllers
  3. 3. 8 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
  4. 4. Preliminary on-site testing
  5. 5. TW SAGA TW Juuko IT Autec IT ELCA TW Telecrane JP Circuit Design DEHetronic International World-wide testing
  6. 6. SDR
  7. 7. Record & Reply REPLYRECORD
  8. 8. What happened?
  9. 9. TX RX MESSAGE 1 “UP”“UP”
  10. 10. TX RX MESSAGE 1 MESSAGE 2 “UP” “UP”
  11. 11. TX RX MESSAGE 1 MESSAGE 2 . . . . . . MESSAGE 100 “UP” “UP” MESSAGE 3
  12. 12. ALL messages are the same!
  13. 13. 1: Record & Replay Difficulty CostVendors ALL $$$$ ATTACKS DEMO
  14. 14. Arbitrary Command Execution
  15. 15. 101010101010101010101010 1001001100001011 101000111011110 00001101 10100010 11110101…
  16. 16. SID CODE … CHECKSUM OF “UP” UP REVERSE ENGINEERING
  17. 17. SID CODE … CHECKSUM OF “E-STOP” COMMAND REPLACEMENT For example: UP -> E-STOP UP E-STOP E-Stop Button
  18. 18. SID CODE … CHECKSUM OF “E-STOP” UP E-STOP DOS OF PRODUCTION!
  19. 19. DEMO
  20. 20. Example of Analysis
  21. 21. Reverse Engineering 00 01 10 11 RF Analysis
  22. 22. Reverse Engineering is Challenging • Capture signal… then what?
  23. 23. Reverse Engineering is Challenging Logic Analyzer
  24. 24. Semantic of the controller
  25. 25. Decoding the data of logic analyzer • Created tool to convert waveforms to SPI operations (R/W register X) • Tedious to read SPI ops and determine many radio states – Boot, Idle – Press ‘UP’, Release ‘UP’ – Press ‘DOWN’…
  26. 26. Decoding the data of logic analyzer
  27. 27. SPI Ops to Radio Registers • Copy/Paste radio register set from datasheet into python • Now we can easily see what is being accessed, set, programmed. • But when you have 100’s of register operations…
  28. 28. SPI Ops to Radio Registers
  29. 29. Persist Radio Register State • Emulate internal radio registers – Default register states are in datasheet • Allow dumping of current radio state • Allow pausing at key triggers (TX/RX) • Now we know exact signal parameters at TX/RX
  30. 30. Persist Radio Register State
  31. 31. Exercising complex protocols
  32. 32. Exercising complex protocols
  33. 33. Developing complex attacks • Can instrument emulator at any point in the stack to determine state • Replay LA data to generate RF and interact with physical devices • Never touched a physical device…
  34. 34. Developing complex attacks
  35. 35. Juuko RX Radio
  36. 36. Payload Reverse Engineering
  37. 37. Payload Reverse Engineering Preamble Sync Words Trailer??? ??? ???? Custom application protocol (with security through obscurity baked in, usually)
  38. 38. 47 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Sequential ID Preamble Sync Words TrailerSEQ.ID
  39. 39. 48 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Fixed Sequential ID
  40. 40. 49 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Interesting 4 bytes
  41. 41. 50 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Play Around With the Pairing Code
  42. 42. 51 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Pairing code: 20 10 77 C8
  43. 43. 52 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Zeroed code: 00 00 00 00
  44. 44. 53 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Pairing code: 20 10 77 C8 Preamble Sync Words TrailerSEQ.ID Pairing Code
  45. 45. 54 Copyright © 2019 Trend Micro Incorporated. All rights reserved. Payload Reverse Engineering Preamble Sync Words TrailerSEQ.ID Pairing CodePairing Code S U M S U M
  46. 46. 1: Record & Replay 2: Command Injection ALL $$$$ ALL $$$$ DIFFICULTY COSTVENDORSATTACKS
  47. 47. 1: Record & Replay 2: Command Injection 3: E-Stop Abuse 4: Malicious Re-pairing ALL $$$$ ALL $$$$ ALL PART $$$$ $$$$ OFF E-STOP E-STOP E-STOP DIFFICULTY COSTVENDORSATTACKS
  48. 48. Malicious Re-Programming
  49. 49. FCC schematics of the SAGA radio controller. https://fccid.io/NCTSAGA1-L8/Schematics/schematics-4-273419 ?!
  50. 50. MSP430F1101A BSL • 1KB Bootloader • Password is 16 * 2 bytes 🡺 IVT • BSL ver 1.3
  51. 51. $ MSPFet.EXE +r "psw.txt“ –BLS=COM5 Check firmware integrity in the flash
  52. 52. Malicious Firmware • Clear-text password transmission • Unprotected firmware • Forgeable integrity check • Backdoors
  53. 53. 64 Copyright © 2019 Trend Micro Incorporated. All rights reserved. 1: Record & Replay 2: Command Injection 3: E-Stop Abuse 4: Malicious Re-pairing $$$$ $$$$ $$$$ $$$$ OFF E-STOP E-STOP E-STOP 5: Malicious Re-programming $$$$ DIFFICOLTY COSTVENDORSATTACKS ALL ALL ALL PART PART
  54. 54. Remote, Stealthy and Persistent Attacks
  55. 55. Lower Barrier $299$480 $99 $40
  56. 56. TARGET REMOTE ATTACKER LOCAL BRIDGE $40
  57. 57. DEMO
  58. 58. Responsible Disclosure Discussion Vendor CVE-ID Status Circuit Design ZDI-CAN-6185 (replay attack) Closed (No fix) SAGA CVE-2018-17903 (replay attack / command forgery) CVE-2018-20783 (malicious pairing) CVE-2018-17923 (malicious firmware upgrade) Patch Released Patch Released Patch Released Telecrane CVE-2018-17935 (replay attack) Patch Released Juuko ZDI-18-1336 (replay attack) ZDI-18-1362 (command forgery) 0day (No response) 0day (No response) ELCA CVE-2018-18851 (replay attack) Closed (EOL) Autec ZDI-CAN-6183 (replay attack) Closed (No fix) Hetronic CVE-2018-19023 (replay attack) Patch Released
  59. 59. Conclusions • Patterns of Vulnerabilities – No rolling-code – Weak or no encryption at all – Lack of software / firmware protection • Need for security programs / awareness in the field of IIoT
  60. 60. Vendors Users • Use open technologies and standards (e.g., Bluetooth) • Adopt rolling codes and encryption • Protect the firmware • User maintenance! • Promote vendors adopting open technologies • Maintenance – Updates – Period change of secrets
  61. 61. Paper • White-paper on Trend Micro Research https://tinyurl.com/indradio • Academic paper published at DIMVA ’19 http://www.madlab.it/papers/rfquack-dimva19.pdf
  62. 62. Thanks! Questions? Marco Balduzzi, Federico Maggi, Jonathan Andersson Joint work with Philippe Lin, Akira Urano, Stephen Hilt and Rainer Vosseler

×