SLIDE 1

A Security Evaluation of Industrial Radio Remote Controllers

Federico Maggi, Marco Balduzzi, Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler

SLIDE 2
SLIDE 3
SLIDE 4
SLIDE 5

TL;DR SECURITY ANALYSIS FINDINGS

SLIDE 6

TL;DR SECURITY ANALYSIS FINDINGS

SLIDE 7

1: No rolling codes VULNERABILITY

Replay

SLIDE 8

1: No rolling codes VULNERABILITY

Replay

  • 11 deployments
    ○ 2 manufacturing plants
    ○ 8 construction sites
    ○ 1 transportation hub
  • 7 vendors
SLIDE 9

2: No or weak message encryption VULNERABILITY

Forgery

SLIDE 10

2: No or weak message encryption VULNERABILITY

Forgery Abuse

DoS

E-STOP E-STOP E-STOP

SLIDE 11

2: No or weak message encryption VULNERABILITY

Forgery Abuse Hijack

DoS

E-STOP E-STOP E-STOP

SLIDE 12

3: No Firmware Integrity VULNERABILITY

Trojanize

SLIDE 13

1: No rolling codes 2: No or weak message encryption 3: No Firmware Integrity VENDORS VULNERABILITY

ALL ALL ALL PART PART Replay Forgery Abuse Trojanize Hijack

DoS

E-STOP E-STOP E-STOP

SLIDE 14

BOTTOM LINE "ZERO" SECURITY AWARENESS

SLIDE 15

VULNERABILITY DISCLOSURE

SLIDE 16

VULNERABILITY DISCLOSURE

CVE-2018-19023 CVE-2018-17903 CVE-2018-17921 CVE-2018-17923 CVE-2018-17935 ZDI-18-1362 ZDI-18-1336 ZDI-CAN-6183 ZDI-CAN-6185 ZDI-CAN-6187

SLIDE 17

MIXED REACTIONS

  • We'll patch right away (and indeed released a patch)
SLIDE 18

MIXED REACTIONS

  • We'll patch right away (and indeed released a patch)
  • What is a vulnerability?
SLIDE 19

MIXED REACTIONS

  • We'll patch right away (and indeed released a patch)
  • What is a vulnerability?
  • I'll let you talk with our legals, …
    ○ ...probably we should sue you…
    ○ ...no wait, maybe we'll patch!

SLIDE 20

MIXED REACTIONS

  • We'll patch right away (and indeed released a patch)
  • What is a vulnerability?
  • I'll let you talk with our legals, …
    ○ ...probably we should sue you…
    ○ ...no wait, maybe we'll patch!

  • Silence on the wire
SLIDE 21

ROOT CAUSE OUTDATED THREAT MODEL ON RADIO ATTACKS

SLIDE 22

"The attacker must be close"

SLIDE 23

300m

Internal Use Only

SLIDE 24

300m kilometers


SLIDE 25

"It takes money and skills!"

SLIDE 26

100% HARDWARE, EXPENSIVE, LARGE

SLIDE 27

$299 $480

99% SOFTWARE, VERY LOW BARRIER

$99 $40

SLIDE 28

TARGET FAR AWAY ATTACKER LOCAL BRIDGE $40

SLIDE 29

ANALYSIS METHODOLOGY BLACKBOX

SLIDE 30
SLIDE 31

FREQUENCY RANGE 315/433/868/915MHz

SLIDE 32

MODULATION

SLIDE 33

ALPHABET

SLIDE 34

ALPHABET

SLIDE 35

ALPHABET & SYMBOL LENGTH

SLIDE 36
SLIDE 37
SLIDE 38
SLIDE 39
SLIDE 40

Preamble Sync Words ... ??? ??? ???? Many captures under all conditions

EXAMPLE

SLIDE 41

Preamble Sync Words ... SEQ.ID

EXAMPLE

SLIDE 42

Fixed Sequential ID

EXAMPLE

SLIDE 43

Repeating 4 bytes

EXAMPLE

SLIDE 44

4-bytes pairing code!

EXAMPLE

SLIDE 45

Pairing code: 20 10 77 C8 Original captures

SLIDE 46

Zeroed code: 00 00 00 00 00 00 00 00 Pairing code: 20 10 77 C8 Original captures "zeroed" captures

SLIDE 47

Preamble Sync Words Trailer SEQ.ID Pairing Code Original captures "zeroed" captures XOR =

SLIDE 48

Preamble Sync Words Trailer SEQ.ID Command Pairing Code

SUM SUM
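Slides 40 to 48 sketch how the frame fields were recovered: compare byte offsets across many captures (fixed, sequential ID, repeating 4 bytes), then XOR original captures against captures taken with a "zeroed" pairing code. The Python below is an added example, not the authors' tooling; the frame layout, the sync bytes and the 8-bit sum trailer are assumptions used only to construct sample captures, while the pairing code 20 10 77 C8 is the one shown on slide 45. It also shows the caveat a practitioner hits in practice: a checksum computed over the pairing code differs too, so the XOR reveals two runs, not one.

```python
# Added example (not the authors' tooling): differential analysis of captured
# frames as sketched on slides 40-48. Frame layout, sync bytes and the 8-bit
# sum trailer are ASSUMPTIONS used only to construct the sample captures.
from typing import List, Tuple

PREAMBLE = b"\xaa\xaa"               # assumed preamble
SYNC = b"\x2d\xd4"                   # assumed sync words
PAIRING = bytes.fromhex("201077c8")  # pairing code shown on slide 45
ZEROED = bytes(4)                    # the "zeroed" pairing code

def build_frame(seq: int, cmd: int, pairing: bytes) -> bytes:
    """Constructed frame: preamble | sync | pairing | seq | cmd | SUM."""
    body = PREAMBLE + SYNC + pairing + bytes([seq & 0xFF, cmd & 0xFF])
    return body + bytes([sum(body) & 0xFF])  # assumed 8-bit byte-sum trailer

def classify_bytes(captures: List[bytes]) -> List[str]:
    """Label each byte offset across many captures: 'fixed' (never changes),
    'seq' (increments by 1 between consecutive captures) or 'var'."""
    labels = []
    for i in range(len(captures[0])):
        column = [c[i] for c in captures]
        if len(set(column)) == 1:
            labels.append("fixed")
        elif all((b - a) & 0xFF == 1 for a, b in zip(column, column[1:])):
            labels.append("seq")
        else:
            labels.append("var")
    return labels

def diff_runs(originals: List[bytes], zeroed: List[bytes]) -> List[Tuple[int, int]]:
    """XOR each original capture with its zeroed counterpart and return the
    differing byte offsets as contiguous (offset, length) runs. A checksum
    computed over the pairing code shows up as a separate trailing run."""
    changed = sorted({i for o, z in zip(originals, zeroed)
                      for i, (a, b) in enumerate(zip(o, z)) if a ^ b})
    runs: List[Tuple[int, int]] = []
    for i in changed:
        if runs and i == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)  # extend current run
        else:
            runs.append((i, 1))
    return runs

def demo() -> Tuple[List[str], List[Tuple[int, int]]]:
    """Four constructed captures (seq 7..10), with and without the pairing code."""
    cmds = [0x01, 0x01, 0x02, 0x01]
    originals = [build_frame(7 + n, c, PAIRING) for n, c in enumerate(cmds)]
    zeroed = [build_frame(7 + n, c, ZEROED) for n, c in enumerate(cmds)]
    return classify_bytes(originals), diff_runs(originals, zeroed)
```

With the constructed captures, `demo()` labels offsets 0 to 7 as fixed, offset 8 as the sequential ID, and reports the differing runs (4, 4) for the pairing code and (10, 1) for the sum byte that depends on it.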

SLIDE 49

TOOL

SLIDE 50

ANALYSIS METHODOLOGY WHITEBOX

SLIDE 51
SLIDE 52
SLIDE 53
SLIDE 54

SPI

0011..11011010..11101001..1110 ...result...

BITSTREAM

SLIDE 55

0011..11011010..11101001..1110 ...result...

SLIDE 56

0011..11011010..11101001..1110 ...result...

R/W REGISTERS

SLIDE 57

...01001...11...10000 ...result...

SEND COMMAND

SLIDE 58

...1100111010..111010..01..1110 ...result...

R/W FIFO

SLIDE 59

...1100111010..111010..01..1110 ...result...

BITSTREAM SEMANTIC

SLIDE 60
SLIDE 61

WHERE ARE WE?

  • Findings
  • Disclosure process
  • Complete knowledge of the protocol
SLIDE 62

WHERE ARE WE?

  • Findings
  • Disclosure process
  • Complete knowledge of the protocol
  • Open-source RF research framework

BONUS

SLIDE 63

https://github.com/trendmicro/RFQuack

                    SDRs               RF Dongles         RFQuack
Supported Radios    Any (software)     One radio          Any (even multi radio)
Client Support      Lots of options    RFCat client       Developer-friendly API
Open Software       Not all            Not completely     Yes, Arduino compatible
Open Hardware       Depends            Not all            Yes, modular
Connectivity        USB, Gigabit       USB or BT          USB, WiFi, Cellular, BT
Price               $20–2000           >= $110            >= $40

SLIDE 64

WHY? TO INCREASE THE AWARENESS LEVEL

SLIDE 65
SLIDE 66
SLIDE 67

WHERE ARE WE?

  • Findings
  • Disclosure process
  • Complete knowledge of the protocol
  • Open-source RF research framework
  • Automated protocol reversing

FUTURE

SLIDE 68

WHERE ARE WE?

  • Findings
  • Disclosure process
  • Complete knowledge of the protocol
  • Open-source RF research framework
  • Fully-automated protocol reversing
  • Questions from the audience!

NOW!