Never Trust Your Inputs: Causing 'Catastrophic Physical Consequences' from the Sensor (or How to Fool ADC)

Presented at Black Hat Asia 2016, Unknown date/time (Unknown duration)

Our world is analog. Computers are digital. When a microcontroller in an Industrial Control System (ICS) or embedded system acquires data from the physical world it uses analog-to-digital converters (ADC) to transform amperage or voltage into a useful unit of measurement. Decisions on how to control physical applications are taken based on the interpretation of the measured data. Certain pieces of process data must be accurate at all times in order to maintain efficiency and safety of the process. Understanding data sources and their pathways is essential to understanding how the attacker might perturb the process potentially causing "catastrophic physical consequences." Development and usage of systems with ADCs is well understood and mastered to perfection. But let's look at it from the security perspective. In the production environment, the state of the physical process is estimated based on the measured physical phenomena like temperature or velocity which are converted to a voltage (V) value by a sensor or a transmitter. The signal may be consumed by two devices: process control equipment (PLC or RTU) and by Digital Acquisition system (DAQ) that sends data for historical logging and "big data" analysis. What if you want to perturb the process, but keep it secret to the monitoring systems like DAQ? What if you could generate a specific analog signal that will be interpreted by these two components in a completely different way? E.g. PLC will read 7 V and DAQ will read 1 V (corresponding to 400 and 20 units of temperature). You can do a lot of fun things if you understand how ADC works. In this talk, we will discuss a rarely-addressed topic of analog signals processing security. Tampering with the frequency and phase can cause ADC outputting spurious digital signal; modifying the ranges can cause integer overflow and trigger logic vulnerability in the PLC/embedded software. We will analyze several attack vectors on ADC, misconfiguration of signal scaling and every other design detail that allow the attacker to fool ADC (and all systems depending on its output signal). We will illustrate how outlined vulnerabilities can be exploited in the software (demo) and conclude with the consequences of such attacks in the context of exploiting physical processes.


Presenters:

  • Marina Krotofil - Honeywell Cyber Security Lab
    Marina Krotofil is a Cyber Security Researcher at the Honeywell Cyber Security Lab. Previously, she worked as a Senior Security Consultant at the European Network for Cyber Security. She completed doctoral degree research in ICS security at Hamburg University of Technology, Germany (final thesis under review). Her research over the last few years has been focused on the design and implementation of practical cyber-physical attacks and on the design of process-aware defensive solutions and risk assessment approaches. Marina authored more than a dozen of papers on cyber-physical security. She gives workshops on cyber-physical exploitation and is a frequent speaker at the leading security events around the world. She holds a MBA in Technology Management, MSc in Telecommunication and MSc in Information and Communication Systems.
  • Alexander Bolshev - IOActive
    Alexander Bolshev is a Security Consultant for IOActive. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocols security. He is the author of several whitepapers in topics of heuristic intrusion detection methods, Server Side Request Forgery attacks, OLAP systems and ICS security. He has presented at conferences including Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, and S4.

Links:

Similar Presentations: