Sensors used to monitor industrial processes in the energy industry are vulnerable to attack from 40 miles away using radio transmitters, new research found.
There is a host of software vulnerabilities in the sensors, used to monitor metrics such as temperature and pipeline pressure, that could be fatal if abused by an attacker, said researchers Lucas Apa and Carlos Mario Penagos of IOActive, a computer security firm.
Apa and Penagos are on the agenda to give a presentation Thursday at the Black Hat security conference in Las Vegas. They can’t reveal many details due to the severity of the problems.
“If you compromise a company on the Internet, you can cause a monetary loss,” Penagos said. “But in this case, [the impact] is immeasurable because you can cause loss of life.”
The U.S. and other nations have put increased focus in recent years on the safety of industrial control systems used in critical infrastructure such as nuclear power plants, energy and water utilities. The systems, often now connected to the Internet, may have not had thorough security audits, posing a risk of life-threatening attacks from afar.
Apa and Penagos studied sensors manufactured by three major wireless automation system manufacturers. The sensors typically communicate with a company’s home infrastructure using radio transmitters on the 900MHz or 2.4GHz bands, reporting critical details on operations from remote locations.
Apa and Penagos found quite a few of the sensors contained a host of weaknesses, ranging from weak cryptographic keys used to authenticate communication, software vulnerabilities and configuration errors.
For example, they found some families of sensors shipped with identical cryptographic keys. It means several companies may be using devices that all share the same keys, putting them at a greater risk of attack if a key ends up compromised.
They tested various attacks against the sensors using a specific kind of radio antennae the sensors use to communicate with their home networks. They found it was possible to modify readings and disable sensors from up to 40 miles (64 kilometers) away. Since the attack isn’t conducted over the Internet, there’s no way to trace it, Apa said.
In one scenario, the researchers found by exploiting a memory corruption bug, all sensors could end up disabled and they could shut down a facility.
Fixing the sensors, which will require firmware updates and configuration changes, won’t be easy or quick. “You need to be physically connected to the device to update them,” Apa said.
Apa and Penagos won’t identify the vendors or the sensors since the problems are so serious. They’ve handed their findings to the U.S. Computer Emergency Readiness Team, which is notifying the affected companies.
“We care about the people working in the oil fields,” Penagos said.