
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies

Radio-enabled technologies are being increasingly adopted to enable large-scale connectivity of internet-of-things devices. Many industrial and critical installations, including manufacturing, logistics, transportation and several other businesses that affect both society and human living, rely on radio communication to meet the needs of increased efficiency, performance and cost reduction. However, recent research has shown that vendors do not always take appropriate precautions in designing or implementing these technologies, leaving miscreants the possibility of abusing vulnerable or badly designed systems. By relying on concrete examples of research that we conducted on several radio-enabled technologies and devices, we discuss how research can help anticipate potential risks and threats, and foster improved security and protection.



  1. Security risk assessment of radio-enabled technologies. Dr. Marco Balduzzi, Senior Researcher at Trend Micro. https://twitter.com/embyte / http://www.madlab.it
  2. Radio-enabled technologies • Are everywhere, in everyday life
  3. Radio-enabled technologies • Mission-critical systems
  4. Wireless Technologies?
  5. Wireless Technologies? • Complex and heterogeneous ecosystem • Custom and proprietary implementations • Security through obscurity – Low interest in standardization
  6. Reinventing the wheel in 2020, really?
  7. Security Concerns • Weak or buggy implementations of encryption schemes • No threat modelling • Lack of logging • Difficult updates
  8. Perfect ecosystem for cybercriminals
  9. Back in the days: high barrier for wireless and radio-protocol analysis
  10. Nowadays: equipment price tags shown on the slide ($99, $299, $480, $1000)
  11. Example of setup
  12. Research Goals • Anticipate threats and propose countermeasures • Collaborate with vendors and standard bodies • Raise awareness: papers and public speaking engagements
  13. Vessel Tracking and Control
  14. Automatic Identification System (AIS)
  15. Security Issues • AIS standard was conceived in a “hardware epoch” • No authentication • No integrity check • Cost reduction • We can fake a signal via software radio
  16. AIS Transmitter, open-sourced at https://github.com/trendmicro/ais
  17. Impersonate a fake vessel, as shown on a victim’s transponder console
  18. Impersonate a fake vessel, as shown on a service provider over the Internet
  19. Trigger an SOS • Fake a man-in-the-water distress beacon • Trigger an SOS visually and acoustically • Lure a victim vessel into navigating to a hostile and attacker-controlled sea space – Mandatory by legislation
  20. Trigger an SOS
  21. Trigger a CPA alert • Fake a CPA (Closest Point of Approach) alert • Trigger a collision warning • Possibly alter course
  22. DoS for Slot Starvation • Disable AIS on a large scale • Impersonate port authorities to: – Fake a nearby base station – Reserve all TDMA slots. Step 1: Fake a base station
  23. Industrial Radio Remote Controllers
  24. TX → RX: MESSAGE 1 (“UP”)
  25. TX → RX: MESSAGE 1, MESSAGE 2 (“UP”)
  26. TX → RX: MESSAGE 1, MESSAGE 2, MESSAGE 3 ... MESSAGE 100 (“UP”)
  27. Record & Replay (RECORD / REPLAY)
  28. Arbitrary Packet Spoofing
  29. When compared with AIS – Radio Controllers: proprietary, unknown modulation, unknown PHY specs, encoding?, message integrity? – AIS: standard, known modulation, known PHY specs, guessable encoding, no message integrity
  30. Reverse Engineering the PHY layer – RF analysis (00 01 10 11): looks like FSK modulation, but...
  31. Reverse Engineering the PHY layer – Logic analyzer
  32. Contextualizing the data from the analyzer • Created a tool to emulate SPI operations (R/W register X)
  33. Abstracting low-level operations • We can see what is being accessed, set, programmed
  34. Juuko RX Radio
  35. Reverse Engineering the APP layer
  36. Reverse engineering the payload: SID | CODE | … | CHECKSUM OF “UP” | UP
  37. Command replacement, for example UP -> E-STOP: SID | CODE | … | CHECKSUM OF “E-STOP” | E-STOP (E-Stop button)
  38. SID | CODE | … | CHECKSUM OF “E-STOP” | E-STOP: DoS of production!
  39. Payload Reverse Engineering: Preamble | Sync Words | ??? | ??? | ???? | Trailer – Custom application protocol (with security through obscurity baked in, usually)
  40. Play Around With the Pairing Code
  41. Payload Reverse Engineering – Pairing code: 20 10 77 C8
  42. Payload Reverse Engineering – Zeroed code: 00 00 00 00
  43. Payload Reverse Engineering – Pairing code: 20 10 77 C8 (little-endian encoded). Layout: Preamble | Sync Words | SEQ.ID | Pairing Code | SUM | Command | SUM | Trailer
  44. Demo
  45. Special Effects & Lighting Control
  46. While at HITB...
  47. (DMX512)
  48. Universal Radio Hacker (URH) • Used to acquire the samples for analysis
  49. Conclusions
  50. • Same patterns of vulnerabilities observed over the years – No/weak authentication, integrity or encryption • Shift from hardware to software radios • Easier access to SDR equipment → Enable security threats and attacks
  51. • Very heterogeneous ecosystem • Non-trivial responsible disclosure • Different language and difficult communication • Need for security programs, awareness. We hope that our research effort will be useful :-)
  52. Thanks! Questions? Dr. Marco Balduzzi, Senior Researcher at Trend Micro. https://twitter.com/embyte / http://www.madlab.it
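Slides 36 to 43 describe the remote-controller frame (Preamble, Sync Words, SEQ.ID, Pairing Code, SUM, Command, SUM, Trailer) and the core weakness: the SUM fields only catch transmission errors, so a receiver cannot tell a recorded or rebuilt frame from a genuine one. The Python below is an added example, not code from the talk or from Trend Micro, and the field widths, preamble/sync/trailer constants, command codes, checksum algorithm and MAC layout are all assumptions made for illustration. It parses frames modeled on that layout and contrasts the legacy receiver check with a hardened one that verifies a keyed MAC and rejects reused sequence numbers, which is the countermeasure the conclusions call for (authentication and integrity).

```python
import hmac
import hashlib

# Field names follow slide 43. Widths, the PREAMBLE/SYNC/TRAILER constants, the
# command codes and the checksum algorithm are assumptions for this example,
# not the vendor's specification.
PREAMBLE = b"\xaa\xaa"
SYNC = b"\x2d\xd4"
TRAILER = b"\x00"
PAIRING_CODE = bytes.fromhex("201077c8")  # pairing code bytes shown on slide 41
CMD_UP = 0x01      # assumed command codes
CMD_ESTOP = 0xFF
TAG_LEN = 8        # assumed length of the truncated HMAC tag in the hardened frame


def byte_sum(data: bytes) -> int:
    """Assumed 'SUM' field: sum of the covered bytes modulo 256."""
    return sum(data) & 0xFF


def build_legacy_frame(seq_id: int, pairing_code: bytes, command: int) -> bytes:
    """Legacy layout: SUM over SEQ.ID + pairing code, then SUM over the command."""
    head = bytes([seq_id]) + pairing_code
    cmd = bytes([command])
    return PREAMBLE + SYNC + head + bytes([byte_sum(head)]) + cmd + bytes([byte_sum(cmd)]) + TRAILER


def parse_legacy_frame(frame: bytes) -> dict:
    """Split a legacy frame into its fields; raises ValueError on bad framing."""
    if not frame.startswith(PREAMBLE + SYNC) or not frame.endswith(TRAILER):
        raise ValueError("bad framing")
    body = frame[len(PREAMBLE) + len(SYNC):-len(TRAILER)]
    if len(body) != 1 + len(PAIRING_CODE) + 1 + 1 + 1:
        raise ValueError("bad length")
    return {"seq_id": body[0], "pairing_code": body[1:5], "sum1": body[5],
            "command": body[6], "sum2": body[7]}


def verify_legacy(frame: bytes, expected_pairing: bytes):
    """Legacy receiver: accept if the pairing code matches and both SUMs add up.

    Returns the command byte, or None. Any well-formed frame that carries the
    right pairing code passes, because SUM detects bit errors, not forgery."""
    try:
        f = parse_legacy_frame(frame)
    except ValueError:
        return None
    head = bytes([f["seq_id"]]) + f["pairing_code"]
    if f["pairing_code"] != expected_pairing:
        return None
    if f["sum1"] != byte_sum(head) or f["sum2"] != byte_sum(bytes([f["command"]])):
        return None
    return f["command"]


def _tag(key: bytes, seq_id: int, pairing_code: bytes, command: int) -> bytes:
    """Keyed MAC over SEQ.ID, pairing code and command (truncated HMAC-SHA256)."""
    msg = bytes([seq_id]) + pairing_code + bytes([command])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_authenticated_frame(key: bytes, seq_id: int, pairing_code: bytes, command: int) -> bytes:
    """Hardened layout (assumed): the trailing SUM is replaced by a keyed MAC,
    so the command cannot be swapped without the key shared at pairing time."""
    head = bytes([seq_id]) + pairing_code + bytes([command])
    return PREAMBLE + SYNC + head + _tag(key, seq_id, pairing_code, command) + TRAILER


class AuthenticatedReceiver:
    """Receiver state: shared key, expected pairing code and last accepted SEQ.ID.
    A one-byte counter is kept only to match the slide's layout; a real design
    needs a wider counter or a nonce so it does not wrap after 256 frames."""

    def __init__(self, key: bytes, pairing_code: bytes):
        self.key = key
        self.pairing_code = pairing_code
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return the command byte if the frame is authentic and fresh, else None."""
        if not frame.startswith(PREAMBLE + SYNC) or not frame.endswith(TRAILER):
            return None
        body = frame[len(PREAMBLE) + len(SYNC):-len(TRAILER)]
        if len(body) != 1 + len(PAIRING_CODE) + 1 + TAG_LEN:
            return None
        seq_id, pairing, command, tag = body[0], body[1:5], body[5], body[6:]
        if pairing != self.pairing_code:
            return None
        if not hmac.compare_digest(tag, _tag(self.key, seq_id, pairing, command)):
            return None
        if seq_id <= self.last_seq:  # replay of an already-accepted frame
            return None
        self.last_seq = seq_id
        return command
```

The legacy check accepts any frame that carries the right pairing code, whatever its origin; the hardened receiver binds the command to a per-pairing key and to a monotonic counter, so neither a recorded frame nor one with a modified command byte is accepted.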
