A Security Evaluation of Industrial Radio Remote Controllers
Federico Maggi, Marco Balduzzi, Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler
TL;DR SECURITY ANALYSIS FINDINGS
Field evaluation: 11 deployments (2 manufacturing plants, 8 construction sites, 1 transportation hub), 7 vendors.
VULNERABILITY 1: No rolling codes
- Replay (ALL vendors)
VULNERABILITY 2: No or weak message encryption
- Forgery (ALL vendors)
- Abuse (ALL vendors)
- E-STOP DoS
- Hijack (PART of the vendors)
VULNERABILITY 3: No firmware integrity
- Trojanize (PART of the vendors)
BOTTOM LINE "ZERO" SECURITY AWARENESS
VULNERABILITY DISCLOSURE
CVE-2018-19023, CVE-2018-17903, CVE-2018-17921, CVE-2018-17923, CVE-2018-17935
ZDI-18-1362, ZDI-18-1336, ZDI-CAN-6183, ZDI-CAN-6185, ZDI-CAN-6187
MIXED REACTIONS
● We'll patch right away (and indeed released a patch)
● What is a vulnerability?
● I'll let you talk to our legals, …
  ○ ...probably we should sue you…
  ○ ...no wait, maybe we'll patch!
● Silence on the wire
ROOT CAUSE: OUTDATED THREAT MODEL ON RADIO ATTACKS
"The attacker must be close"
Assumed range: 300m. Actual range: kilometers.
"It takes money and skills!"
Then: 100% hardware, expensive, large.
Now: 99% software, very low barrier ($480, $299, $99, $40 devices).
TARGET | LOCAL BRIDGE ($40) | FAR-AWAY ATTACKER
ANALYSIS METHODOLOGY: BLACKBOX
- Frequency range: 315/433/868/915 MHz
- Modulation
- Alphabet & symbol length
Many captures under all conditions.
EXAMPLE
Preamble | Sync Words | ??? | ??? | ???? | ...
Preamble | Sync Words | SEQ.ID | ...
- Fixed sequential ID
- Repeating 4 bytes
- 4-byte pairing code!
Original captures: pairing code 20 10 77 C8
"Zeroed" captures: zeroed code 00 00 00 00
XOR (original captures, "zeroed" captures) = Preamble | Sync Words | SEQ.ID | Pairing Code | Trailer
Preamble | Sync Words | SEQ.ID | Pairing Code | Command | Trailer
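Added example (not code from the slides or from RFQuack) modelling two points above: the blackbox XOR step that locates the 4-byte pairing code between an original and a "zeroed" capture, and vulnerability 1 (no rolling codes, so a recorded frame is obeyed again) next to a receiver that enforces a rolling SEQ.ID and an authenticated trailer. Field sizes, the preamble/sync bytes and the key are assumptions; only the field order and the pairing code 20 10 77 C8 come from the slides.

```python
import hmac, hashlib, struct

# Assumed frame layout (field order from the slides; the sizes are assumptions):
#   preamble(2) | sync(2) | SEQ.ID(2, big-endian) | pairing code(4) | command(1) | trailer(2)
PREAMBLE, SYNC = b"\xaa\xaa", b"\xd3\x91"          # constructed values
PAIRING_CODE = bytes.fromhex("201077C8")           # the pairing code shown on the slide
KEY = b"demo-key-provisioned-at-pairing"           # constructed, not a real vendor key

def changed_offsets(capture_a, capture_b):
    """Blackbox step from the slides: XOR two captures (e.g. original vs 'zeroed'
    pairing) and list the byte offsets that differ, i.e. where the variable field lives."""
    return [i for i, (x, y) in enumerate(zip(capture_a, capture_b)) if x ^ y]

def legacy_frame(seq_id, command):
    """Frame as the analysed controllers send it: fixed fields, no authentication."""
    return PREAMBLE + SYNC + struct.pack(">H", seq_id) + PAIRING_CODE + bytes([command]) + b"\x00\x00"

def legacy_accept(frame):
    """Vulnerability 1 as observed: anything carrying the right pairing code is obeyed,
    so the same recorded frame is accepted every time it is resent."""
    return frame[6:10] == PAIRING_CODE

def secure_frame(seq_id, command, key=KEY):
    """Hardened form: SEQ.ID is a rolling counter and the trailer authenticates the body."""
    body = struct.pack(">H", seq_id) + PAIRING_CODE + bytes([command])
    tag = hmac.new(key, body, hashlib.sha256).digest()[:2]   # 16-bit tag, demo size only
    return PREAMBLE + SYNC + body + tag

class SecureReceiver:
    """Accepts a frame once, within a forward window; no counter wraparound handling."""
    def __init__(self, key=KEY, window=16):
        self.key, self.window, self.last_seq = key, window, -1

    def accept(self, frame):
        """Return (ok, reason): rejects wrong pairing, bad tag, and replayed or stale SEQ.ID."""
        if len(frame) != 13 or frame[:4] != PREAMBLE + SYNC:
            return False, "framing"
        body, tag = frame[4:11], frame[11:]
        if body[2:6] != PAIRING_CODE:
            return False, "pairing"
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()[:2]):
            return False, "tag"
        seq_id = struct.unpack(">H", body[:2])[0]
        if not self.last_seq < seq_id <= self.last_seq + self.window:
            return False, "replay"          # already seen, older, or too far ahead
        self.last_seq = seq_id
        return True, "ok"
```

Feeding the same `secure_frame()` to `SecureReceiver.accept()` twice returns `(True, "ok")` and then `(False, "replay")`, whereas `legacy_accept()` returns True both times.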
TOOL
ANALYSIS METHODOLOGY: WHITEBOX
BITSTREAM 0011..11011010..11101001..1110 -> ...result... (observed over SPI)
- R/W REGISTERS -> ...result...
- SEND COMMAND ...01001...11...10000 -> ...result...
- R/W FIFO ...1100111010..111010..01..1110 -> ...result...
SEMANTIC: bitstream -> ...result...
WHERE ARE WE?
● Findings
● Disclosure process
● Complete knowledge of the protocol
● BONUS: Open-source RF research framework
https://github.com/trendmicro/RFQuack

                   SDRs             RF Dongles        RFQuack
Supported Radios   Any (software)   One radio         Any (even multi radio)
Client Support     Lots of options  RFCat client      Developer-friendly API
Open Software      Not all          Not completely    Yes, Arduino compatible
Open Hardware      Depends          Not all           Yes, modular
Connectivity       USB, Gigabit     USB or BT         USB, WiFi, Cellular, BT
Price              $20–2000         >= $110           >= $40
WHY? TO INCREASE THE AWARENESS LEVEL
WHERE ARE WE?
● Findings
● Disclosure process
● Complete knowledge of the protocol
● Open-source RF research framework
● FUTURE: Fully-automated protocol reversing
● NOW! Questions from the audience!