This document discusses practical attacks on analog-to-digital converters (ADCs). It begins with an anecdote about compromising a programmable logic controller (PLC) and bypassing monitoring systems. It then covers different types of ADCs and their vulnerabilities. Examples are provided of proof-of-concept attacks injecting arbitrary waveform signals and altering the digital representation of analog signals. Various hardware is demonstrated for evaluating ADCs, including signal generators, function generators, and data acquisition systems. Mitigation techniques are proposed, such as implementing appropriate anti-aliasing filters and randomizing sampling frequencies.

1. Tools for Practical Attacks on
Analog-to-Digital Conversion
Alexander ‘dark_k3y’ Bolshev
With a help from:
Marina Krotofil
Gabriel Gonzalez
Andrey Dolgikh

2. ; CAT /DEV/USER
Alexander ‘dark_k3y’ Bolshev
Ph.D., security consultant @ IOActive Madrid
HW Lab
Distributed systems researcher
“the more complex & strange is the system ->
the better”

3. Important Disclaimer
The whole presentation is mostly discussed on the first lections of
‘Control theory’ and ‘Digital Signal Processing’ university courses, so in
fact it won’t be about something new.

4. Quick intro to ICS + ADC
problems

5. Dialog with (some) ICS engineer during
pentest
Me: You have …vulns……vulns……vulns… and as a result I could
compromise your PLC!
Engineer: You will achieve nothing with it, because my monitoring
system will stop you when the analog signal that is generated by this
PLC will be out of 10% range. After it, backup PLC will be launched in a
very short time
Me: Okay... (went away crying)
(some time passed)
Me: But I will be back!

6. From Michael Ossmann:

7. Correct interpretation of data is important, because embedded and
industrial control systems uses analog inputs to create the picture of
controlled system’s state.
ICS field level
Actuators
Control
system
Sensors
Measure
process state
Computes control
commands for
actuators
Adjust themselves
to influence
process behavior
Physical Process
ADCDAC

8. Consider the following architecture
Analog control
loop
Control PLC
Actuator
Monitoring PLC/
Logger/DAQ/Safety PLC
HMI
Attacker

9. Consider the following architecture
Analog control
loop
Control PLC
Actuator
Monitoring PLC/
Logger/DAQ/Safety PLC
HMI
0V (actuator is OFF)
MV – Manipulated Variable
What if MV value on actuator will be
different from MV value on logger?
1.5V (actuator is ON)
Attacker

10. Proof-of-Concept demo from the past
“HMI Panel”
“Control PLC”
(arduino)
“Actuator”
(motor)
“Monitoring
PLC”
(S7 1200)
See v1_motor_arduino_vs_plcadc.m4v video

11. How is it possible at all? MV
is represented by analog
signal!
Because we’re talking not about altering the analog signal,
but about altering its digital representation (conversion).

12. Analog-to-Digital converter
[2]

13. • A device that converts a continuous physical quantity (usually voltage)
to a digital number that represents the quantity's amplitude.[3]
• An ADC is defined by its bandwidth (the range of frequencies it can
measure) and its signal to noise ratio (how accurately it can measure a
signal relative to the noise it introduces).
• Bandwidth of an ADC is characterized primarily by its sampling rate,
and to a lesser extent by how it handles errors such as aliasing.
What is ADC?
ADC
Input
Signal
Reference
Digital
Representation

14. Types of ADCs
There are many types of ADCs, the most common are three:
• Successive-approximation ADC (SAR)
• Sigma-delta ADC
• Pipeline (usually based on flash)

15. Aliasing
• Sampling frequency should follow Nyquist rule ( fs > 2f )
• Otherwise the signal will appear of false (alias) frequency

16. Anti-aliasing filters: “input validation” in ADC
world
• Anti-aliasing filter (AAF) is a filter that is used before sampling device (e.g.
ADC) to attenuate the power of signal in high frequency ranges for
approximate or complete satisfying the sampling theorem (fs > 2f)
• As a representative of low-pass filters (LPF) family, AAF could be characterized
by cut-off frequency (fc) and stop-band frequency (fsb)
[4]

17. Attacks against ADCs
• Frequency and phase:
• Arbitrary Waveform signal, i.e. signal with waveform that
could be somehow misinterpreted by ADC. (see ep.1)
• High-Frequency function signal, i.e. generating sine wave
with kHz or MHz frequency that could somehow be
misinterpreted by ADC.
• OverSampling attack against SAR (see ep.1)
• Special-frequency attack against ΔΣ (see ep. 2)
• Amplitude (out-of-voltage-range signal) (see ep.1)

18. Attacks: AWG against
“ADC()” call

19. But how…?
“HMI Panel”
“Control PLC”
(arduino)
“Actuator”
(motor)
“Monitoring
PLC”
(S7 1200)

20. …Easy!
3.3V
100 ms
…
while (1) {
pinOutput(tip120PIN, 200);
delay(395);
for(i = 0; i < 20; i++){
pinOutput(tip120PIN, 0);
delay(2);
pinOutput(tip120PIN, 200);
delay(2);
}
pinOutput(tip120PIN, 200);
delay(495);
}
2,5ms

21. Siemens S7 1200 analog I/O ADC

22. Siemens S7 1200 analog I/O ADC
N=8.3ms
N=9ms
N=7ms
N=4.5ms
N=2.5ms

23. Siemens S7 1200 analog I/O ADC
N=8.3ms
N=9ms
N=7ms
N=4.5ms
N=2.5ms

24. AWG signal against “lazy-call” ADC
Val = readADC();
Sleep(Timeout); /* or doSmth(Timeout) */
Output(Val);

25. But this is just Arduino, not real controller!
Ok, let’s try without Arduino…

26. Ok, let’s try something more real…
SIMATIC S7-1200, ANALOG OUTPUT SB 1232,
1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA
(11 BIT RES)
Problem: no public information on real SPS for these module… 

27. Ok, what’s inside?
Logic buffer
EEPROM
OpAmp
XTR300

28. XTR300?

29. Let’s test for max stable SPS…

30. Proof-of-Concept demo with real stuff
“HMI Panel”
“Control PLC”
(S7 1200)
“Actuator”
(motor)
“Monitoring
PLC”
(S7 1200)
See v2_motor_plc_vs_plcadc.m4v video

31. Signal generation SCL code
https://support.industry.siemens.com/cs/document/67295964/how-in-step-7-v5-x-do-you-program-signal-generation-(rectangle-sawtooth-triangle-sinus)-using-the-cyclic-interrupts-?dti=0&lc=en-WW

32. Pure frequency/phase
attacks

33. ΔΣ Modulation
• Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding
analog signals into digital signals as found in an ADC. [7]
• In Δ-modulation the change in the signal (its delta) is encoded, rather than the
absolute value. The result is a stream of pulses. In ΔΣ-modulation, the
accuracy of the modulation is improved by passing the digital output through a
1-bit DAC and adding (sigma) the resulting analog signal to the input signal,
thereby reducing the error introduced by the Δ-modulation. [7]

34. Delta-sigma ADC
• ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts: analog
and digital:
• analog part generates a very high-frequency bitstream;
• digital part creates the real number output by filtering it with digital
filter and decimating it to the output samples per second value.
ΔΣ
Modulator
Digital
Low-Pass
filter
Decimation
Filter
Analog input 1-bit stream N-bit stream Output data
0 1 1 0 0 3.3 3.4 3.4 3.4 2.7 2.2 …
Digital partAnalog part

35. Modulation process
[6]

36. Delta-Sigma ADCs
[6]
[6]

37. Demo: The mystery of the
ΔΣ AD7706 ADC…
See v3_mystery_sdadc1.mp4 video

39. Possible explanation from the datasheet?
• Expecting to have some noise
there than, but possibly not the
clear sin signal
• It explains just partly, and we
need some good hypothesis for
all these things.
In our case fCLKIN = 2.00MHz,
so fs = 31250

40. LP & Decimation (sinc3) filter
D = N = 64 for AD7706

41. USB UART
Atmega328
AD7706 & Vref
Signal
generator
Demo: The second mystery
of the ΔΣ AD7706 ADC…
See v4_mystery_various_signals.mov video

42. Hypothesis and frustrations
• Digital filter corner frequency/noise?
• No, sinus too clear for it
• sinc3 filter implemented in MCU and has integer overflow?
• ”Artificial gain” (No PGA), but just multiplication on digital output?
• That’s wrong according to chip decap image.

43. • Dynamic compression?
• Overflow in logic circuit?
• Pole-zero cancelation in filter?
Still mystery

44. 31.25kHz looks too much for a successful
attack
DAC with s/r up to 100kHz

45. Implementation
Renesas R5F100bG RL78/G13
27352 bytes firmware size => 4 – 36+kB for
payload

46. Ok, I got it, but what else I could use for
attack?
Line coupling circuit
(usually OpAmp/Transformer)
Signal/Function Generator
Two most common industrial analog line loops:
• Voltage (0-10V, 0-24(28)V, 0-48V
• Current (0-20mA)
Aka ADC research kit for Joseph FitzPatrick 

47. Voltage
Signal/Function Generator:
-> Si5351 + any MCU via I2C
Coupling circuit:
Buffer RtR OpAmp + H-V OpAmp
Gain = 1 + (R2/R1)
TI OPA551/OPA552
Fairchild LM358N
Buffering requirement depends on signal source

48. Current (0-20mA) -> Cypress PSoC
http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262
CY8CKIT-049-42XX
~<10EUR
MAX15006
Any suitable
and cheap
transistor for
such current

49. Other ΔΣ ADCs: ADS1015

50. Cypress PSoC5 built-in ADC*
What’s this?
What’s that?
[5]
*default configuration

51. Ok, let’s look at real device with behavior like ΔΣ ADC:
Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O
+
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3

52. Very weird results for real industrial PLC: 1 -> 24Hz
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3

53. 25Hz
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3

54. And… 24.9Hz!!!
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3

55. And… 24.9Hz!!!
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3

57. *Без обид Андрей, просто действительно забавно!
*

58. Flex I/O vs. PowerFlex
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3

59. Do we have at least one “normal” ΔΣ ADC?!
Yes, e.g. MAX11205
• Sinc4 filter with no visible
mistakes + postfiltering(?)
• Looks very reliable
Postfiltering?

60. Attacks summary: what you
can and what you cannot

61. Summary
ADC First ”attackable” f Required AAF fc Required AAF fsb Complexity
SAR ADC S/H frequency (S/H frequency)/2 - easy/medium
-- MCP3201 14.3kHz 7.1kHz - easy
S7 1200 PLC 121Hz 60Hz 120Hz easy
AB 1794-IE4XOE2* 24.9Hz 10Hz 20Hz very easy
AD7705/AD7706 31250/38400 Hz - 30kHz easy
ADS1015 ~86kHz 10-20kHz 50kHz medium/hard
MAX11205 n/a any reasonable any reasonable ~impossible
PSoC5 LP** ~1kHz 1kHz 2kHz easy
* research data by Andrey Dolgikh
** incorrectly configured (default configuration) PSoC module

62. What could you do?

63. Mitigations
• As hardware developers/vendors:
• Implement correct AA-filters in accordance to REAL characteristics of your
ADC (read latest/hidden datasheets, test you ADC manually)
• Remember: digital filters won’t help
• As software developers (incl. firmware and PLC program
development):
• Introduce sampling frequency randomization in software that works with ADC
• Avoid “sleepy” code
• As engineer:
• Implement same AA-filters all over your analog network in accordance with
your OT process

64. Vendors Sceptic’s replica:
• We already have correct AA-filters everywhere!
Are you sure?

65. Reference design of industrial sensor
“We included AA LPF in our design"
ADC with fs ~ 2kSPS
LPF with fc near 79 kHz

66. Reference design of industrial transmitter
“We included AA LPF in our design"
ADC with fs ~ 470sps
LPF with fc near 79 kHz

67. But we have … AA filters... Everywhere...

68. 2Vendor: also remember: digital filter won’t
help
• The signal is already ”compromised” by ”ADC features”, so any digital
filtering after ADC won’t help you.
• If you want full control, install ΔΣ modulator and implement digital
part of ΔΣ-ADC manually in FPGA
Analog
signal
Digital
representation
1-bit
stream

69. Developer: introduce sampling frequency
randomization
• Certain randomness in sampling frequency will make attacker’s job
much harder
• Many of the discussed attacks will be much more challenging to execute
• Small variation of 𝒇 𝑠 won’t degrade signal understanding process. On
the contrary, it will produce a signal sample of better quality.
𝒇 𝑠 = 𝑓 + rand(△)
Time
V
0
http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html

70. Developer: Avoid sleepy code
Avoid writing/using the following code (if you don’t
completely understand your process):
Val = readADC();
Output(Val);
Sleep(Timeout);

71. • When adding LPF into an individual device, make sure that all
related devices have the same cut-off frequencies
• E.g. if PLC input is buffered with LPF 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and actuator equipped with
LPF with 𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible, but the probability of
success increases!
Engineer: Use SAME AA-filters across all
analog line
Control PLC
𝒇 𝒄 = 𝟏𝒌𝑯𝒛
𝒇 𝒄 = 𝟓𝒌𝑯𝒛
Monitoring PLC

72. Thanksgiving service
• Marina Krotofil for being a co-researcher in ep. 1 and many bright
ideas
• Andrey ‘@c4f3t13r3’ Dolgikh from Binghamton University, for
information on Allen Bradley PLC behavior vs. different frequencies.
• Guys from IOA hw lab (especially Gabriel, Ruben and Alfredo) for
help and support
• Fedor Savelyev for ideas and help with DSP (digital signal processing)
analysis
• Dmitry Nedospasov for many useful advices

73. Conclusions

74. Any questions?
http://ioactive.com/
@ioactive
@dark_k3y

75. 1. https://en.wikipedia.org/wiki/Control_theory , Picture by Orzetto - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=5000019
2. Picture from: http://maxembedded.com/2011/06/the-adc-of-the-avr/
3. Wikipedia: https://en.wikipedia.org/wiki/Analog-to-digital_converter
4. Picture from http://studentweb.niu.edu/7/~Z063757/lowpass2.bmp
5. Picture from: http://www.hdwallpaperpc.com/show-wallpaper/surprised_kitten_animal_cats_kitty_little_cat_136064.html
References