By Gregory Hale
Using a simple replay attack and a digital watch that uses radio frequency (RF), it is possible to take control of a crane at a manufacturing or construction facility, researchers said.
That is because RF technology is used in operations to control various industrial machines, but the lack of security in the communication protocols could lead to production sabotage, system control, and unauthorized access, said Stephen Hilt, senior threat researcher at Trend Micro, and Jonathan Andersson, manager of advanced security research at Trend Micro Research, in a session at the S4x19 conference in Miami Beach, FL, last week.
Hilt and Andersson said there are five types of potential attacks:
1. Replay attack, where the attacker records RF packets and replays them to obtain basic control of the machine
2. Command injection, where the attacker, knowing the RF protocol, can arbitrarily and selectively modify RF packets to completely control the machine
3. E-Stop abuse, where the attacker can replay e-stop (emergency stop) commands indefinitely to engage a persistent denial-of-service (DoS) condition
4. Malicious re-pairing, where the attacker can clone a remote controller or its functionality to hijack a legitimate one
5. Malicious reprogramming and remote attack vectors, where the attacker “Trojanizes” the firmware running on the remote controllers to obtain persistent, full remote control
“We were able to control cranes in a very easy kind of attack,” the researchers said in an interview.
Compromising the security of industrial remotes and machines would require transmission protocol know-how and the right tools, Trend Micro researchers said in a paper on the subject.
Launching a replay attack or e-stop abuse, for instance, would need only an appropriate device that costs a few hundred U.S. dollars, they said. Meanwhile, attacks such as command injection, malicious re-pairing, and malicious reprogramming could require target equipment, which can cost from a hundred to a few thousand U.S. dollars. Attacker motivations may vary, but ultimately, significant business impact such as financial losses, system unavailability, and operator injuries could come into play as safety-critical machinery is involved.
In a test of the attack, researchers placed an antenna on the roof of a car and, from inside the car, were able to detect signals from a transmitter in the field 300 meters away. A casual attacker with no advanced skills whatsoever, equipped with a software-defined radio (SDR), can record a command and replay it under risky conditions. An attacker equipped with signal amplifiers and professional antennas could extend the range to several kilometers.
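The following toy model, added here as an example and not taken from the article or the Trend Micro paper, shows why items 1 and 3 above work against a protocol with no freshness or authentication, and how a receiver that demands a strictly increasing counter plus an HMAC over each frame drops recorded frames instead of acting on them. The key, frame layout and command codes are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed frame layout: cmd (1 byte) | counter (4 bytes, big-endian) | tag (8 bytes)
KEY = b"constructed-example-key"  # placeholder shared secret, not a real key


class NaiveReceiver:
    """Models a remote/receiver pair with no freshness or authentication:
    every frame that was ever valid stays valid, so a recorded frame replays."""
    def __init__(self):
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        self.executed.append(frame[0])
        return True


class CounterReceiver:
    """Hardened model: a frame is executed only if its tag verifies and its
    counter is higher than the last accepted one, so replays are rejected."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 13:
            return False
        cmd, counter = frame[0], struct.unpack(">I", frame[1:5])[0]
        expected = hmac.new(self.key, frame[:5], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, frame[5:]):
            return False  # forged or corrupted frame
        if counter <= self.last_counter:
            return False  # replayed (or stale) frame: same or older counter
        self.last_counter = counter
        self.executed.append(cmd)
        return True


def build_frame(key: bytes, cmd: int, counter: int) -> bytes:
    body = bytes([cmd]) + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


def demo():
    HOIST_UP, E_STOP = 0x01, 0xFF  # constructed command codes
    frames = [build_frame(KEY, HOIST_UP, 1), build_frame(KEY, E_STOP, 2)]
    naive, hardened = NaiveReceiver(), CounterReceiver(KEY)
    for f in frames:               # legitimate operator traffic, accepted by both
        naive.receive(f)
        hardened.receive(f)
    # The same recorded frames arrive again: count how many each receiver executes.
    return sum(naive.receive(f) for f in frames), sum(hardened.receive(f) for f in frames)
```

The naive receiver re-executes both recorded frames, including the e-stop, while the hardened one executes none; a tampered frame fails the tag check before the counter is even consulted.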
Industrial radio remote controllers have higher replacement costs and longer service life spans. This means that vulnerabilities can persist for years, if not for decades. During the research, they found industrial remote controllers that had been deployed in production for more than 15 years.
Industrial devices are also relatively more difficult to patch promptly because some of them are deployed in isolation, left undisturbed until one gets worn out and needs replacement. Some companies that use industrial radio remotes may even expect patching to interfere with business continuity and add to operational costs.
“All the companies that intended to patch have patched their products,” Andersson said. The catch, however, is that while patches are available, when and how will end users patch the devices?
The Trend Micro researchers recommended applying timely patches to prevent attackers from taking advantage of vulnerabilities to get into systems.
Trend Micro released a research paper entitled “A Security Analysis of Radio Remote Controllers for Industrial Applications” for a more in-depth look at the threats to industrial radio remote controllers.