Industrial Remote Controller: Safety, Security, Vulnerabilities

Presented at Black Hat Asia 2019, March 29, 2019, 10:15 a.m. (60 minutes).

Radio-frequency (RF) remote controllers are widely used in manufacturing, construction, transportation, and many other industrial applications. Cranes, drillers, and miners, among others, are commonly equipped with RF remotes, which have become the weakest link in these safety-critical applications, characterized by high replacement costs, long lifespans, and cumbersome patching processes.

Our research reveals that RF remote controllers are distributed globally, and millions of vulnerable units are installed on heavy industrial machinery and in industrial environments. Our extensive in-lab and on-site analysis of 7 popular vendors reveals a lack of security features at different levels, with obscure, proprietary protocols used instead of standard ones. As a result, they are vulnerable to command spoofing: an attacker can selectively alter their behavior by crafting arbitrary commands, with consequences ranging from sabotage and injury to theft and extortion.

This is not a replay attack. We will disclose the reverse engineering of the radio protocols and show how to forge valid commands for a target. To make the attack more elegant, we developed RFQuack, a pocket-sized research hardware tool, and show how to persistently and remotely take control or simulate the malfunction of the attached machinery, and provide concrete examples of attacks like command injection, emergency-stop abuse, and malicious re-pairing. We will also demonstrate how to attack controller programmers, which lack any security measures, opening the remote controllers to remote attack vectors. We will show how to extract, analyze, and alter their firmware to implement persistent and sophisticated attacks. Given the pervasive connectivity promoted by the Industry 4.0 trend, additional attack opportunities may arise.
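As an added example (not code from the talk, RFQuack, or any vendor's product), the constructed Python model below contrasts a receiver that accepts any well-formed frame addressed to it with one that checks a per-pairing HMAC tag and a strictly increasing counter, so that both unauthenticated and replayed frames are rejected. The frame layout, key, device id and command codes are assumptions made for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed per-pairing secret, assumed to be exchanged at pairing time.
KEY = b"constructed-pairing-key"
CMD_STOP = 0x01   # assumed command codes for the demo
CMD_MOVE = 0x02
BODY_FMT = ">IIB"  # device_id (4) | counter (4) | cmd (1)
TAG_LEN = 8        # truncated HMAC-SHA256 tag appended to the body


def build_frame(device_id: int, counter: int, cmd: int, key: bytes = KEY) -> bytes:
    """Build an authenticated frame: body followed by an HMAC tag over the body."""
    body = struct.pack(BODY_FMT, device_id, counter, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class NaiveReceiver:
    """Accepts any well-formed frame carrying its id: spoofable and replayable."""
    def __init__(self, device_id: int):
        self.device_id = device_id

    def accept(self, frame: bytes) -> bool:
        dev, _, _ = struct.unpack(BODY_FMT, frame[:struct.calcsize(BODY_FMT)])
        return dev == self.device_id


class AuthenticatedReceiver:
    """Requires a valid tag under the pairing key and a counter newer than the last seen."""
    def __init__(self, device_id: int, key: bytes = KEY):
        self.device_id, self.key, self.last_counter = device_id, key, -1

    def accept(self, frame: bytes) -> bool:
        body_len = struct.calcsize(BODY_FMT)
        if len(frame) != body_len + TAG_LEN:
            return False
        body, tag = frame[:body_len], frame[body_len:]
        dev, ctr, _ = struct.unpack(BODY_FMT, body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if dev != self.device_id or not hmac.compare_digest(tag, expected):
            return False          # wrong device or tag not produced with the key
        if ctr <= self.last_counter:
            return False          # stale counter: a replayed frame
        self.last_counter = ctr
        return True


def demo(device_id: int = 0x1234) -> dict:
    """Feed a legitimate frame and a constructed unauthenticated frame to both receivers."""
    legit = build_frame(device_id, 1, CMD_MOVE)
    unauth = struct.pack(BODY_FMT, device_id, 2, CMD_STOP) + bytes(TAG_LEN)
    naive, auth = NaiveReceiver(device_id), AuthenticatedReceiver(device_id)
    return {"naive_accepts_unauth": naive.accept(unauth),
            "auth_accepts_legit": auth.accept(legit),
            "auth_rejects_replay": not auth.accept(legit),
            "auth_rejects_unauth": not auth.accept(unauth)}
```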

We have reported our 0-day vulnerabilities to the vendors who acknowledged our findings and are working on suitable mitigations.


Presenters:

  • Philippe Lin - Senior Threat Researcher, Trend Micro Inc.
    Philippe Lin works in data analysis, machine learning, and software-defined radio. He was a BIOS engineer in the Open Computing Project. Active in open source communities, he is also a hobbyist of Raspberry Pi and Arduino projects and one of the authors of Moedict-Amis, an open source dictionary of an Austronesian language.
  • Akira Urano - Senior Threat Researcher, Trend Micro Incorporated (Japan)
    Akira Urano is a Senior Threat Researcher with four years of working experience in the field of computer security, in addition to his 17-year military background. He mainly focuses on cybercrime, future threat research, and the underground community.
