a security evaluation of industrial radio remote
play

A Security Evaluation of Industrial Radio Remote Controllers - PowerPoint PPT Presentation

Mar 15, 2023 •214 likes •908 views

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler TL;DR SECURITY ANALYSIS FINDINGS TL;DR SECURITY ANALYSIS FIN

  1. A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler

  5. TL;DR SECURITY ANALYSIS FINDINGS

  6. TL;DR SECURITY ANALYSIS FIN

  7. VULNERABILITY 1: No rolling codes Replay

  8. VULNERABILITY 1: No rolling codes Replay - 11 deployments - 2 manufacturing plants - 8 construction sites - 1 transportation hub - 7 vendors

  9. VULNERABILITY 2: No or weak message encryption Forgery

  10. VULNERABILITY 2: No or weak message encryption Forgery Abuse E-STOP DoS E-STOP E-STOP

  11. VULNERABILITY 2: No or weak message encryption Forgery Abuse E-STOP DoS E-STOP E-STOP Hijack

  12. VULNERABILITY 3: No Firmware Integrity Trojanize

  13. VENDORS VULNERABILITY 1: No rolling codes Replay ALL 2: No or weak message encryption Forgery ALL Abuse ALL E-STOP DoS E-STOP E-STOP Hijack PART 3: No Firmware Integrity Trojanize PART

  14. BOTTOM LINE "ZERO" SECURITY AWARENESS

  15. VULNERABILITY DISCLOSURE

  16. VULNERABILITY DISCLOSURE CVE-2018-19023 CVE-2018-17903 CVE-2018-17921 CVE-2018-17923 CVE-2018- 17935 ZDI-18-1362 ZDI-18-1336 ZDI-CAN-6183 ZDI-CAN-6185 ZDI-CAN-6187

  17. MIXED REACTIONS We'll patch right away (and indeed released a patch) ●

  18. MIXED REACTIONS We'll patch right away (and indeed released a patch) ● What is a vulnerability? ●

  19. MIXED REACTIONS We'll patch right away (and indeed released a patch) ● What is a vulnerability? ● I'll let you talk to you with our legals , … ● ...probably we should sue you… ○ ...no wait, maybe we'll patch ! ○

  20. MIXED REACTIONS We'll patch right away (and indeed released a patch) ● What is a vulnerability? ● I'll let you talk to you with our legals , … ● ...probably we should sue you… ○ ...no wait, maybe we'll patch ! ○ Silence on the wire ●

  21. ROOT CAUSE OUTDATED THREAT MODEL ON RADIO ATTACKS

  22. "The attacker must be close"

  23. 300m Internal Use Only

  24. kilometers 300m Internal Use Only

  25. "It takes money and skills!"

  26. 100% HARDWARE, EXPENSIVE, LARGE

  27. $480 $299 $40 $99 99% SOFTWARE, VERY LOW BARRIER

  28. TARGET FAR AWAY ATTACKER LOCAL BRIDGE $40

  29. ANALYSIS METHODOLOGY BLACKBOX

  31. FREQUENCY RANGE 315/433/868/915MHz

  32. MODULATION

  33. ALPHABET

  34. ALPHABET

  35. ALPHABET & SYMBOL LENGTH

  40. Many captures under all conditions EXAMPLE Preamble Sync Words ??? ??? ???? ...

  41. EXAMPLE Preamble Sync Words SEQ.ID ...

  42. EXAMPLE Fixed Sequential ID

  43. EXAMPLE Repeating 4 bytes

  44. EXAMPLE 4-bytes pairing code!

  45. Original captures Pairing code: 20 10 77 C8

  46. Original captures "zeroed" captures 00 00 00 00 Zeroed code: 00 00 00 00 Pairing code: 20 10 77 C8

  47. XOR Original captures "zeroed" captures = Preamble Sync Words SEQ.ID Pairing Code Trailer

  48. S S Preamble Sync Words SEQ.ID Pairing Code Command Trailer U U M M

  49. TOOL

  50. ANALYSIS METHODOLOGY WHITEBOX

  54. 0011..11011010..11101001..1110 BITSTREAM ...result... SPI

  55. 0011..11011010..11101001..1110 ...result...

  56. R/W REGISTERS 0011..11011010..11101001..1110 ...result...

  57. SEND COMMAND ...01001...11...10000 ...result...

  58. R/W FIFO ...1100111010..111010..01..1110 ...result...

  59. SEMANTIC ...1100111010..111010..01..1110 BITSTREAM ...result...

  61. WHERE ARE WE? Findings ● Disclosure process ● Complete knowledge of the protocol ●

  62. WHERE ARE WE? Findings ● Disclosure process ● Complete knowledge of the protocol ● BONUS Open-source RF research framework ●

  63. https:/ /github.com/trendmicro/RFQuack SDRs RF Dongles Supported Radios Any (software) One radio Any (even multi radio) Client Support Lots of options RFCat client Developer-friendly API Open Software Not all Not completely Yes, Arduino compatible Open Hardware Depends Not all Yes, modular Connectivity USB, Gigabit USB or BT USB, WiFi, Cellular, BT Price $20–2000 >= $110 >= $40

  64. WHY? TO INCREASE THE AWARENESS LEVEL

  67. WHERE ARE WE? Findings ● Disclosure process ● Complete knowledge of the protocol ● Open-source RF research framework ● FUTURE Automated protocol reversing ●

  68. WHERE ARE WE? Findings ● Disclosure process ● Complete knowledge of the protocol ● Open-source RF research framework ● Fully-automated protocol reversing ● NOW! Questions from the audience! ●

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control Overview RICHMOND AMATEUR RADIO CLUB SEPTEMBER 2015 Why operate Remote? Some of us are

Control Overview RICHMOND AMATEUR RADIO CLUB SEPTEMBER 2015 Why operate Remote? Some of us are

Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB SEPTEMBER 2015 Why operate Remote? Some of us are getting OLDER! Remote Ops can be used from Apartments, Assisted Living Facilities, Condos, and Family Member's home who might

445 views • 16 slides
IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
the damned dam research this event, at the time I thought it was just an urban legend.

the damned dam research this event, at the time I thought it was just an urban legend.

In the year 2000 a group of progressive radio broadcasters aired a radio drama entitled Catastrophe on Radio Lukavac (Lukavac is a small industrial town in Bosnia and Herzegovina). The radio drama tells of the nearby dam breaking. The

160 views • 3 slides
Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB MAY 2017 What are we trying to

Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB MAY 2017 What are we trying to

Remotehams Remote Control Overview RICHMOND AMATEUR RADIO CLUB MAY 2017 What are we trying to do? Internet Icom IC-7100 Specs Icom AH-4 Specs Diamond X50 Specs RARC Remote Equipment RemoteHams Android Client Remote Controlled Rig Useful 3

506 views • 15 slides
Dept. of Commerce Office of Technology Evaluation, Bureau of Industry and Security Brad Botwin,

Dept. of Commerce Office of Technology Evaluation, Bureau of Industry and Security Brad Botwin,

Dept. of Commerce Office of Technology Evaluation, Bureau of Industry and Security Brad Botwin, Director of Industrial Studies U.S. DEFENSE INDUSTRIAL BASE Challenges Ahead U.S. Department of Commerce Bureau of Industry and Security Brad

419 views • 17 slides
Software Defined Radio using the Linux Industrial IO framework - A Hardware Abstraction Layer -

Software Defined Radio using the Linux Industrial IO framework - A Hardware Abstraction Layer -

Software Defined Radio using the Linux Industrial IO framework - A Hardware Abstraction Layer - Lars-Peter Clausen, Analog Devices What is IIO? Industrial Input/Output framework Not really just for Industrial IO All non-HID IO

1.33k views • 41 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows FTP General Countermeasures

1.48k views • 104 slides
Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows X-Windows FTP General

765 views • 52 slides
DESIGN AND IMPLEMENTATION OF REMOTE RFI MONITORING SYSTEM For Ghana Radio Astronomy

DESIGN AND IMPLEMENTATION OF REMOTE RFI MONITORING SYSTEM For Ghana Radio Astronomy

DESIGN AND IMPLEMENTATION OF REMOTE RFI MONITORING SYSTEM For Ghana Radio Astronomy Obervatory-Nkutunse BY Joseph A. K. Nsor September 21, 2020 (GSSTI) GRAO September 21, 2020 1 / 33 OUTLINE OF PRESENTATION 1 Abstract 2 Introduction 3

496 views • 33 slides
WP3 - Remote Sensing Scallop Evaluation Scottish Inshore Fisheries Conference - 27 th April 2017

WP3 - Remote Sensing Scallop Evaluation Scottish Inshore Fisheries Conference - 27 th April 2017

WP3 - Remote Sensing Scallop Evaluation Scottish Inshore Fisheries Conference - 27 th April 2017 European Maritime & Fisheries Fund Remote Sensing Scallop Evaluation The project will assess the potential of novel, automated technologies

394 views • 10 slides
Stationary Brake Test Units TMM Telematic Modul Handheld Radio remote control Presentation

Stationary Brake Test Units TMM Telematic Modul Handheld Radio remote control Presentation

Stationary Brake Test Units TMM Telematic Modul Handheld Radio remote control Presentation page 1 About us. 2001 - Foundation as IT-Trading company 2002 - Formation to Danisch Kommunikationstechnik GmbH Markets - Public transport

146 views • 11 slides
Winners and Losers in Industrial Policy Mohamed Ali Marouani & Michelle 2.0 : An Evaluation

Winners and Losers in Industrial Policy Mohamed Ali Marouani & Michelle 2.0 : An Evaluation

Industrial Upgrading in Tunisia Winners and Losers in Industrial Policy Mohamed Ali Marouani & Michelle 2.0 : An Evaluation of the impacts of the Marshalian Tunisian Industrial Upgrading Program Introduction Data Description &

411 views • 23 slides
Remote Visualization of Large Multi-dimensional Radio Astronomy Data Sets Pavol Federl

Remote Visualization of Large Multi-dimensional Radio Astronomy Data Sets Pavol Federl

Remote Visualization of Large Multi-dimensional Radio Astronomy Data Sets Pavol Federl Institute for Space Imaging Science University of Calgary Thursday 26 January 2012 CyberSKA www.cyberska.org develop (cyber)

562 views • 22 slides
RADIO RADIO Ca Cate tegor gory y Br Breakdo eakdown wn Radio Radio Cr Crea eativity

RADIO RADIO Ca Cate tegor gory y Br Breakdo eakdown wn Radio Radio Cr Crea eativity

This i his is s your br our brain ain on on RADIO RADIO Ca Cate tegor gory y Br Breakdo eakdown wn Radio Radio Cr Crea eativity tivity Radio makes the difference Canadian Radio Study partnering with the largest companies

677 views • 51 slides
Security Analysis of Zigbee Networks with Zigator and GNU Radio Dimitrios-Georgios Akestoridis,

Security Analysis of Zigbee Networks with Zigator and GNU Radio Dimitrios-Georgios Akestoridis,

Security Analysis of Zigbee Networks with Zigator and GNU Radio Dimitrios-Georgios Akestoridis, Madhumitha Harishankar, Michael Weber, and Patrick Tague Carnegie Mellon University GNU Radio Conference 2020 Introduction The Zigbee protocol

446 views • 27 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
WHAT IS PROPEL SAN DIEGO ? Grant initiative from the Office of Economic Adjustment (OEA)

WHAT IS PROPEL SAN DIEGO ? Grant initiative from the Office of Economic Adjustment (OEA)

WHAT IS PROPEL SAN DIEGO ? Grant initiative from the Office of Economic Adjustment (OEA) Purpose is to Strengthen Our Regional Defense Industrial Base WHY SAN DIEGO? WHY SAN DIEGO? WHY SAN DIEGO? PARTNERS TIMELINE Phase I July 1,

536 views • 30 slides
Flow-Secure Access Controls Integration of Simple flow controls into the access control

Flow-Secure Access Controls Integration of Simple flow controls into the access control

Flow-Secure Access Controls Integration of Simple flow controls into the access control mechanisms of say operating systems. General: p can read from x1,. . . , xm and write into Y1, . . . . Yn only if This automatically

1.06k views • 36 slides
TDDD17 Informatjon Security (VT 2020) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security (VT 2020) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se

TDDD17 Informatjon Security (VT 2020) Topic: Database Security Olaf Hartjg olaf.hartjg@liu.se Acknowledgement: Several of the slides in this slide set are adaptations from slides made available for the database textbook by Elmasri and

555 views • 27 slides
Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Trustworthy Cyber Infrastructure for the Power Grid Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol University of Illinois Dartmouth College Cornell University Washington State

335 views • 7 slides
ECE 7970 Machine Learning in Cyber Security Chapter 0: Important information Dr. Mohamed

ECE 7970 Machine Learning in Cyber Security Chapter 0: Important information Dr. Mohamed

ECE 7970 Machine Learning in Cyber Security Chapter 0: Important information Dr. Mohamed Mahmoud Dr. Mostafa Fouda 1 - Course I nform ation I nstructors : Dr. Mohamed M. E. A. Mahmoud Office: Brown Hall - 332 E-mail:

2.98k views • 11 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
A Security Kernel for Protected Module Architectures Alexandru Madalin Ghenea Master of

A Security Kernel for Protected Module Architectures Alexandru Madalin Ghenea Master of

1 A Security Kernel for Protected Module Architectures Alexandru Madalin Ghenea Master of Engineering: Computer Science Promotor: Prof. Frank Piessens Advisors: Jan Tobias Mhlberg Jo Van Bulck 2 Introduction Growing trend towards

513 views • 27 slides

More recommend