The document discusses vulnerabilities found in industrial remote controllers. It identifies 5 main types of attacks that can exploit vulnerabilities in how the controllers operate and communicate wirelessly. These include record and replay attacks, command injection, abuse of emergency stop functions, malicious device pairing, and malicious reprogramming. The attacks can potentially allow unauthorized control of equipment, disruption of production, or installation of malware. The document calls for vendors and users to improve security of remote controllers through use of encryption, access control, and regular updates.

1. Industrial Remote Controllers
Safety, Security, Vulnerabilities
Dr. Marco Balduzzi Join work with J. Andersson, S. Hilt, P.
Lin, F. Maggi, U. Akira, and R. Vosseler

2. 2 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
CYBERCRIME TECHNOLOGY SOCIAL

3. 3 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
CYBERCRIME

4. 4 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
SOCIAL

5. 5 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TECHNOLOGY

6. 6 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Industrial Remote Controllers

7. 7 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

8. 8 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

9. 9 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

10. 10 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

11. 11 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

12. 12 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

13. 13 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
How they operate?

14. 14 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TRANSMITTER RECEIVER

15. 15 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
RECEIVER
ENGINE

16. 16 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
FACTORY

17. 17 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Preliminary on-site testing

18. 18 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

19. 19 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Software Defined Radio

20. 20 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TW SAGA
TW Juuko
IT Autec
IT ELCA
TW Telecrane
JP Circuit Design
DE Hetronic International
World-wide testing

21. 21 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Record & Reply
REPLYRECORD

22. 22 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
What happened?

23. 23 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

24. 24 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TX RX
MESSAGE 1 “UP”“UP”

25. 25 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TX RX
MESSAGE 1
MESSAGE 2
“UP” “UP”

26. 26 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TX RX
MESSAGE 1
MESSAGE 2
. . . . . .
MESSAGE 100
“UP” “UP”
MESSAGE 3

27. 27 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
ALL messages are
the same!

28. 28 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
1: Record & Replay
Difficulty CostVendors
ALL $$$$
ATTACKS

29. 29 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Arbitrary Execution

30. 30 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
101010101010101010101010 1001001100001011 101000111011110 00001101 10100010 11110101…

31. 31 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
SID CODE …
CHECKSUM OF
“UP”
UP
REVERSE
ENGINEERING

32. 32 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
SID CODE …
CHECKSUM OF
“E-STOP”
COMMAND
REPLACEMENT
UP
E-STOP

33. 33 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
SID CODE …
CHECKSUM OF
“E-STOP”
UP
E-STOP
DoS.. STOP OF PRODUCTION!

34. 34 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Example of Analysis

35. 35 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

36. 36 Copyright © 2019 Trend Micro Incorporated. All rights reserved.

37. 37 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Reverse Engineering
Logic Analyzer

38. 38 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Reverse Engineering
00
01
10
11
RF Analysis

39. 39 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Seq. ID
[SID] [PAIRING_ID(4 bytes)] [SUM1] [0x00] [CMD] [0x000000] [SUM2]
Cryptanalysis
CMD

40. 40 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
1: Record & Replay
2: Command Injection
3: E-Stop Abuse
4: Malicious
Re-pairing
ALL $$$$
ALL $$$$
ALL
PART
$$$$
$$$$
OFF
E-STOP
E-STOP
E-STOP
DIFFICULTY COSTVENDORSATTACKS

41. 41 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Long-Range Attacks

42. 42 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
TARGET
REMOTE
ATTACKER
LOCAL BRIDGE
$40

43. 43 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
IIoT Malware
• Clear-text password
transmission
• Unprotected firmware
• “Hijackable” checksum
• Backdoors

44. 44 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
1: Record & Replay
2: Command Injection
3: E-Stop Abuse
4: Malicious Re-pairing
$$$$
$$$$
$$$$
$$$$
OFF
E-STOP
E-STOP
E-STOP
5: Malicious
Re-programming $$$$
DIFFICOLTY COSTVENDORSATTACKS
ALL
ALL
ALL
PART
PART

45. 45 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Conclusions

46. 46 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Responsible Disclosure
• 10 new vulnerabilities
• TM’s Zero Day Initiative and ICS-Cert
• Long term coordination with vendors
(120+ days)
• Improved SDLC
• Awareness

47. 47 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Vendors Users
• Use open technologies
and standards (e.g.,
Bluetooth)
• Adopt rolling codes
and encryption
• Protect the firmware
• User maintenance!
• Promote vendors
adopting open
technologies
• Maintenance
– Updates
– Period change of
secrets

48. 48 Copyright © 2019 Trend Micro Incorporated. All rights reserved.
Thanks! Questions?
Contact: marco_balduzzi(at)trendmicro.com