Abstract
Heavy industrial machinery is a primary asset for the operation of key sectors such as construction, manufacturing, and logistics. Targeted attacks against these assets could result in incidents, fatal injuries, and substantial financial loss. Given the importance of such scenarios, we analyzed and evaluated the security implications of the technology used to operate and control this machinery, namely industrial radio remote controllers. We conducted the first-ever security analysis of this technology, which relies on proprietary radio-frequency protocols to implement remote-control functionalities. Through a two-phase evaluation approach, we discovered important flaws in the design and implementation of industrial remote controllers. In this paper we introduce and describe 5 practical attacks affecting major vendors and multiple real-world installations. We conclude by discussing how a challenging responsible disclosure process resulted in first-ever security patches and improved security awareness.
Notes
1. An Arduino-based open-hardware/software research framework to analyze sub-GHz radio protocols: https://github.com/trendmicro/rfquack.
2. Multi-transmitter and multi-receiver scenarios are possible.
4. Liebherr and Schneider Electric use Bluetooth Low Energy (BLE).
5. Searchable FCC ID database at https://fccid.io.
6. Autec (established in 1986), Hetronic (1982), Saga (1997), Circuit Design (1974), Elca (1991), Telecrane (1985), Juuko (1994), HBC-radiomatic (1947), Cattron (1946), Tele Radio (1955), Scanreco (1980), Shanghai Techwell Autocontrol Technology (2005), Remote Control Technology (1982), Akerstroms (1918), Jay Electronique (1962), Itowa (1986), 3-Elite (1995).
15. Write-only operations are normally permitted even without a password, but only for the code area (i.e., not the boot loader). These are of limited use, because one could only write data into the flash blindly.
17. An FSK variant in which a Gaussian filter is applied to the signal to smooth level transitions.
18. CVE-2018-19023, ZDI-CAN-6183 [1], ZDI-18-1336, ZDI-CAN-6185 [1], ZDI-18-1362, ZDI-CAN-6187 [1], CVE-2018-17903, CVE-2018-17921, CVE-2018-17923, CVE-2018-17935.
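Added illustration of the GFSK definition in note 17 (example code written for this page, not code from the paper, from rfquack or from any vendor's firmware): it builds the plain FSK drive signal and its Gaussian-shaped GFSK counterpart for a constructed bit pattern and compares the largest per-sample frequency jump, which is exactly what the Gaussian filter smooths. The oversampling factor, the BT product and the filter span are assumed values chosen for the example.

```python
import math

SAMPLES_PER_SYMBOL = 8   # oversampling factor (constructed value)
BT = 0.5                 # Gaussian filter bandwidth-symbol-time product (constructed value)


def nrz(bits, sps=SAMPLES_PER_SYMBOL):
    """Plain FSK drive signal: each bit becomes sps samples at +1 (mark) or -1 (space)."""
    return [1.0 if b else -1.0 for b in bits for _ in range(sps)]


def gaussian_taps(bt=BT, sps=SAMPLES_PER_SYMBOL, span=4):
    """Unit-area Gaussian pulse truncated to `span` symbols: the GFSK shaping filter."""
    # Gaussian standard deviation in samples, from the usual BT relation
    sigma = math.sqrt(math.log(2)) / (2 * math.pi * bt) * sps
    half = span * sps // 2
    taps = [math.exp(-(n * n) / (2 * sigma * sigma)) for n in range(-half, half + 1)]
    total = sum(taps)
    return [t / total for t in taps]


def gfsk_frequency(bits, bt=BT, sps=SAMPLES_PER_SYMBOL):
    """Normalised instantaneous frequency after Gaussian shaping (the GFSK drive signal)."""
    x = nrz(bits, sps)
    h = gaussian_taps(bt, sps)
    half = len(h) // 2
    # Extend with edge values so the first and last bits settle at their own level
    padded = [x[0]] * half + x + [x[-1]] * half
    return [sum(h[k] * padded[n + k] for k in range(len(h))) for n in range(len(x))]


def max_step(freq):
    """Largest sample-to-sample frequency jump; plain FSK jumps the full 2.0 at each bit flip."""
    return max(abs(b - a) for a, b in zip(freq, freq[1:]))


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0]  # constructed sample bit pattern
    print("FSK  max step:", max_step(nrz(bits)))
    print("GFSK max step:", round(max_step(gfsk_frequency(bits)), 3))
```

Because every tap is positive and the taps sum to one, the shaped signal never overshoots the ±1 levels; the filter only spreads each transition over several samples, which is what narrows the transmitted spectrum.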
References
Andersson, J., et al.: A security analysis of radio remote controllers for industrial applications. Technical report, Trend Micro, Inc., January 2019. https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf
Arkansas: Heavy load accident (2013). https://cdn.allthingsnuclear.org/wp-content/uploads/2015/02/FS-181-PDF-File-with-links.pdf
Balduzzi, M., Pasta, A., Wilhoit, K.: A security evaluation of AIS automated identification system. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, New Orleans, LA, USA, 8–12 December 2014, pp. 436–445 (2014). https://doi.org/10.1145/2664243.2664257
Bhatti, J., Humphreys, T.E.: Hostile control of ships via false GPS signals: demonstration and detection. Navig. J. Inst. Navig. 64(1), 51–66 (2017)
Blossom, E.: GNU radio: tools for exploring the radio frequency spectrum. Linux J. 2004(122), 4 (2004)
Costin, A., Francillon, A.: Ghost in the air (traffic): on insecurity of ADS-B protocol and practical attacks on ADS-B devices. In: Black Hat USA, pp. 1–12 (2012)
CYREN: Cyber pirates targeting logistics and transportation companies (2018). https://www.cyren.com/blog/articles/cyber-pirates-targeting-logistics-and-transportation-companies
Fleury, T., Khurana, H., Welch, V.: Towards a taxonomy of attacks against energy control systems. In: Papa, M., Shenoi, S. (eds.) ICCIP 2008. TIFIP, vol. 290, pp. 71–85. Springer, Boston, MA (2008). https://doi.org/10.1007/978-0-387-88523-0_6
Fouladi, B., Ghanoun, S.: Security evaluation of the Z-wave wireless protocol. In: Black Hat USA, vol. 24, pp. 1–2 (2013)
Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). Eidgenössische Technische Hochschule Zürich, Department of Computer Science (2011)
Goodspeed, T.: Practical attacks against the MSP430 BSL. In: Twenty-Fifth Chaos Communications Congress (2008)
Greenberg, A.: Crash override malware took down Ukraine’s power grid last December 2017. https://www.wired.com/story/crash-override-malware/
Texas Instruments: CC1120 user’s guide (2013). http://www.ti.com/lit/ug/swru295e/swru295e.pdf
Kamkar, S.: Drive it like you hacked it: New attacks and tools to wirelessly steal cars (2015). https://samy.pl/defcon2015/
Kerns, A.J., Shepard, D.P., Bhatti, J.A., Humphreys, T.E.: Unmanned aircraft capture and control via GPS spoofing. J. Field Robot. 31(4), 617–636 (2014)
Papp, D., Ma, Z., Buttyan, L.: Embedded systems security: threats, vulnerabilities, and attack taxonomy. In: 2015 13th Annual Conference on Privacy, Security and Trust (PST), pp. 145–152. IEEE (2015)
Pohl, J., Noack, A.: Universal radio hacker: a suite for analyzing and attacking stateful wireless protocols. In: 12th USENIX Workshop on Offensive Technologies (WOOT 2018). USENIX Association, Baltimore, MD (2018). https://www.usenix.org/conference/woot18/presentation/pohl
Quarta, D., Pogliani, M., Polino, M., Maggi, F., Zanchettin, A.M., Zanero, S.: An experimental security analysis of an industrial robot controller. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 268–286, May 2017. https://doi.org/10.1109/SP.2017.20
Texas Instruments: CC1110Fx/CC1111Fx. http://www.ti.com/lit/ds/symlink/cc1110-cc1111.pdf
Trend Micro: Triton wielding its trident - new malware tampering with industrial safety systems, December 2017. https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/triton-wielding-its-trident-new-malware-tampering-with-industrial-safety-systems
Vidgren, N., Haataja, K., Patino-Andres, J.L., Ramirez-Sanchis, J.J., Toivanen, P.: Security threats in ZigBee-enabled systems: vulnerability evaluation, practical experiments, countermeasures, and lessons learned. In: 2013 46th Hawaii International Conference on System Sciences (HICSS), pp. 5132–5138. IEEE (2013)
Wilhoit, K.: KillDisk and BlackEnergy are not just energy sector threats, February 2016. https://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/
Wright, J.: KillerBee: Practical ZigBee exploitation framework or wireless hacking and the kinetic world (2018)
Yaneza, J.: 64-bit version of Havex spotted, December 2014. https://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/
ZDI: Disclosure policy. https://www.zerodayinitiative.com/advisories/disclosure_policy/
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Maggi, F. et al. (2019). A Security Evaluation of Industrial Radio Remote Controllers. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_7
DOI: https://doi.org/10.1007/978-3-030-22038-9_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9