Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs, and other heavy machinery? Doesn't matter: they're alarmingly vulnerable to being hacked, according to Trend Micro.
Available attack vectors for mischief-makers include the ability to inject commands, malicious re-pairing and even the ability to create one's own custom havoc-wreaking commands to remotely controlled equipment.
"Our findings show that current industrial remote controllers are less secure than garage door openers," said Trend Micro in its report – "A security analysis of radio remote controllers" – published today.
As a relatively obscure field, from the IT world's point of view at any rate, remotely controlled industrial equipment appears to be surprisingly insecure by design, according to Trend: "One of the vendors that we contacted specifically mentioned multiple inquiries from its clients, which wanted to remove the need for physically pressing the buttons on the hand-held remote, replacing this with a computer, connected to the very same remote that will issue commands as part of a more complex automation process, with no humans in the loop."
Even the pairing mechanisms between radio frequency (RF) controllers and their associated plant are only present "to prevent protocol-level interferences and allow multiple devices to operate simultaneously in a safe way," Trend said.
Yes, by design some of these pieces of industrial gear allow one operator to issue simultaneous commands to multiple pieces of equipment.
In addition to basic replay attacks, where commands broadcast by a legitimate operator are recorded by an attacker and rebroadcast in order to take over a targeted plant, attack vectors also included command injection, "e-stop abuse" (where miscreants can induce a denial-of-service condition by continually broadcasting emergency stop commands) and even malicious reprogramming. During detailed testing of one controller/receiver pair, Trend Micro researchers found that forged e-stop commands drowned out legitimate operator commands to the target device.
One vendor's equipment used identical checksum values in all of its RF packets, making it much easier for mischievous folk to sniff and successfully reverse-engineer those particular protocols. Another target device did not even implement a rolling code mechanism, meaning the receiving device did not authenticate received commands in any way prior to executing them, much as a naughty child with an infrared signal recorder/transmitter could turn off the neighbour's telly through the living room window.
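To show what the missing rolling code and command authentication actually buy a receiver, here is an added example (not Trend Micro's code or any vendor's protocol) that models the article's naive receiver beside one that checks an HMAC tag and a forward-moving counter; the key, packet layout and acceptance window are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed placeholder key, assumed to be shared at pairing time.
KEY = b"example-pairing-key-not-real"
TAG_LEN = 8

def build_packet(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: 32-bit counter || command || truncated HMAC-SHA256 tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def naive_receive(packet: bytes) -> bool:
    """Models the receiver in the article: no authentication, no rolling code,
    so a recorded packet is executed again when it is replayed."""
    return len(packet) >= 4  # any well-formed frame is acted on

class RollingCodeReceiver:
    """Executes a command only if its tag verifies and its counter moves forward."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last_counter = key, window, 0

    def receive(self, packet: bytes) -> bool:
        if len(packet) < 4 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged, wrong key, or corrupted on the air
        counter = struct.unpack(">I", body[:4])[0]
        # A replay carries an old counter; the window tolerates a few missed
        # packets without accepting a counter jumped arbitrarily far ahead.
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False
        self.last_counter = counter
        return True

def demo() -> dict:
    """Same recorded packet delivered twice to each receiver, plus a forgery."""
    pkt = build_packet(KEY, 1, b"HOIST_UP")
    hardened = RollingCodeReceiver(KEY)
    return {
        "naive_first": naive_receive(pkt),
        "naive_replay": naive_receive(pkt),         # executed again
        "hardened_first": hardened.receive(pkt),
        "hardened_replay": hardened.receive(pkt),   # rejected: stale counter
        "forged": hardened.receive(build_packet(b"wrong-key", 2, b"HOIST_UP")),
    }
```

A real receiver would also need the counter persisted across power cycles and a resynchronisation step for a controller that has drifted past the window.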
Trend Micro also found that of the user-reprogrammable devices it tested, "none of them had implemented any protection mechanism to prevent unattended reprogramming (e.g. operator authentication)".
While the latter may sound scary, factories and construction sites do enjoy a measure of physical security; while this is (notoriously) far from perfect, it does at least dissuade a casual hacker from climbing up a crane on a site to pair his laptop or home-made controller with it, or to try and reflash it with malicious firmware. Yet this is no substitute for proper device security.
Just to keep site managers' blood pressure high, Trend Micro highlighted that not only could script kiddies carry out some of these types of attack against industrial plants, a remote attacker could achieve persistent access by using a battery-powered cellular modem dropped off at a quiet part of a site with a drone.
Trend Micro pointed out: "Generally, there is a friction in patching because of the high downtime costs and business continuity constraints. Also, there's no such thing as 'forensics' in this field. Incidents are scrutinized in the 'physical world', and parts are just replaced to restore normal operations as quickly as possible. In other words, digital attacks are not considered a possibility in this field."
The infosec firm advised system integrators to be on high alert for potential vulns in customer-specified kit. In the long term, it said, companies ought to abandon "proprietary RF protocols" in favour of open standards, highlighting Bluetooth Low Energy as having a tad more baked-in security than some of the protocols it reverse-engineered, some of which it said had "none at all".
Just three months ago, US-CERT advised some customers of Telecrane gear to patch their control systems – after the disclosure of a security bug that could allow a nearby attacker to wirelessly hijack equipment. The vuln in the Telecrane F25 series of controllers, if left unpatched, would have allowed miscreants to remotely operate cranes via radio signals.
Ken Tindell, CTO of Canis Automotive Labs, mused to El Reg: "It's really a philosophical issue rather than a technical one. On one hand, you don't want to load something down with security implementations when it's a strictly private offline network. On the other, you don't want to put such a lethal thing into the hands of customers that don't appreciate the issues and will naturally do the equivalent of sticking a wet finger into a mains socket." ®