Compromising Industrial Facilities From 40 Miles Away

Presented at Black Hat USA 2013, Aug. 1, 2013, 3:30 p.m. (60 minutes).

The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities in industries such as energy production, oil, gas, water, utilities, refining, and petrochemical distribution and processing. Effective wireless sensor networks have enabled these companies to reduce implementation, maintenance, and equipment costs and enhance personal safety by enabling new topologies for remote monitoring and administration in hazardous locations.

However, the way sensor networks handle and control cryptographic keys is very different from the way keys are handled in traditional business networks. Sensor networks consist of large numbers of nodes with limited hardware capabilities (constrained CPU, memory, power, and bandwidth), so distributing a key to every node and revoking a compromised one is not a trivial task.

In this presentation, we review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. We also demonstrate some attacks that exploit key distribution vulnerabilities, which we recently discovered in every wireless device developed over the past few years by three leading industrial wireless automation solution providers. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies.

An untrusted user or group within a 40-mile range could read from and inject data into these devices using radio frequency (RF) transceivers. A remotely and wirelessly exploitable memory corruption bug could disable all the sensor nodes and shut down an entire facility. When sensors and transmitters are attacked, the remote measurements on which critical decisions are made can be modified, which can lead to unexpected, harmful, and dangerous consequences.
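To make the key-distribution argument above concrete, here is an added example that is not part of the talk or of any vendor's firmware. It models two hypothetical schemes: one network-wide shared key, and one key per node held by the gateway. HMAC-SHA256 stands in for whatever frame MAC a real radio uses, the node identifiers and the fifty-node network are constructed, and the attacker's capability is simply "extract the key stored on one physically accessible node". The example shows the two consequences the abstract points at: whether a key stolen from one node lets the attacker forge measurements for a different node, and how many nodes must be re-keyed to revoke the compromised one.

```python
import hashlib
import hmac
import os


def reading_tag(key: bytes, node_id: str, reading: float) -> bytes:
    """Authentication tag a node attaches to a measurement.
    HMAC-SHA256 is an illustrative stand-in for a real radio frame MAC."""
    msg = f"{node_id}:{reading:.2f}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class SharedKeyNetwork:
    """Hypothetical scheme A: every node and the gateway hold one network key."""

    def __init__(self, node_ids):
        self.network_key = os.urandom(16)
        self.members = set(node_ids)

    def node_key(self, node_id: str) -> bytes:
        # What an attacker recovers by dumping the flash of any single node.
        return self.network_key

    def verify(self, node_id: str, reading: float, tag: bytes) -> bool:
        if node_id not in self.members:
            return False
        expected = reading_tag(self.network_key, node_id, reading)
        return hmac.compare_digest(expected, tag)

    def revoke(self, node_id: str) -> int:
        """Drop a node. Returns how many other nodes must receive a new key:
        the old key is known to the revoked node, so every survivor is re-keyed."""
        self.members.discard(node_id)
        self.network_key = os.urandom(16)
        return len(self.members)


class PerNodeKeyNetwork:
    """Hypothetical scheme B: the gateway holds a distinct key for each node."""

    def __init__(self, node_ids):
        self.keys = {n: os.urandom(16) for n in node_ids}

    def node_key(self, node_id: str) -> bytes:
        # Dumping one node only yields that node's key.
        return self.keys[node_id]

    def verify(self, node_id: str, reading: float, tag: bytes) -> bool:
        key = self.keys.get(node_id)
        if key is None:
            return False
        return hmac.compare_digest(reading_tag(key, node_id, reading), tag)

    def revoke(self, node_id: str) -> int:
        """Drop a node. No other node shares its key, so nothing is re-keyed."""
        del self.keys[node_id]
        return 0


def genuine_accepted(net, node_id: str, reading: float) -> bool:
    """Sanity check: a node's own reading, tagged with its own key, verifies."""
    return net.verify(node_id, reading, reading_tag(net.node_key(node_id), node_id, reading))


def forgery_accepted(net, compromised: str, victim: str, fake_reading: float) -> bool:
    """Attacker extracts the key from `compromised` and transmits a reading
    that claims to come from `victim`. True means the gateway accepts it."""
    stolen = net.node_key(compromised)
    tag = reading_tag(stolen, victim, fake_reading)
    return net.verify(victim, fake_reading, tag)


def compare(n_nodes: int = 50) -> dict:
    """Run the same compromise-and-revoke scenario against both schemes."""
    ids = [f"sensor-{i:02d}" for i in range(n_nodes)]   # constructed node IDs
    results = {}
    for name, net in (("shared", SharedKeyNetwork(ids)),
                      ("per-node", PerNodeKeyNetwork(ids))):
        # A transmitter in an accessible location (sensor-07) is compromised and
        # the attacker tries to spoof a reading from sensor-00.
        forged = forgery_accepted(net, "sensor-07", "sensor-00", 0.0)
        rekeyed = net.revoke("sensor-07")
        results[name] = {"forgery_accepted": forged, "nodes_to_rekey": rekeyed}
    return results


if __name__ == "__main__":
    for scheme, r in compare().items():
        print(f"{scheme:9s} forgery accepted: {r['forgery_accepted']!s:5s} "
              f"nodes to re-key on revocation: {r['nodes_to_rekey']}")
```

With the shared key, one extracted key authenticates traffic for every node and revoking one node means touching all forty-nine others over the air, which is exactly why constrained deployments tend not to do it. Per-node keys confine the forgery to the compromised node and make revocation a gateway-side change, at the cost of the gateway having to provision and store one key per node. Neither scheme here models the join or provisioning step, which is where the vulnerabilities the talk describes would live.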

Presenters:

  • Lucas Apa - IOActive, Inc.
    Lucas Apa is a security researcher and consultant at IOActive, Inc. His main interests are vulnerability exploitation techniques, embedded reverse engineering, kernel vulnerability research, and cryptography. Focused on offensive security, he has publicly disclosed critical vulnerabilities in Windows, Siemens access controls, and Apache projects. His work has been presented at world-renowned conferences including Black Hat Europe, Ekoparty, and SecTor. He provides comprehensive security services to a majority of the Global 500, including power and utility, gaming, hardware, financial, media, retail, aerospace, healthcare, high-tech, social networking, and software development organizations. Lucas is currently finishing a degree in Computer Engineering.
  • Carlos Mario Penagos - IOActive
    Carlos is a senior security researcher and consultant for IOActive and has worked around the world doing consulting and security training. His main areas of expertise are exploitation, reverse engineering, bug hunting, and cryptography. He holds a Bachelor's degree in Computer Science and was awarded science merit honours for his graduation thesis. In his free time he has disclosed several vulnerability advisories to US-CERT, ICS-CERT, and CN-CERT for some of the world's most widely used SCADA/HMI products. He also likes coding theory, number theory, and ECC.