On the heels of the recent activity with Stuxnet, the industrial process control computer worm that targeted Iranian nuclear centrifuges, a Blackhat talk by Thanassis Giannetsos explains how to hack yet another commonly used family of controllers. We have mused that this trend, targeting critical infrastructure nodes, is but a shade of things yet to come. Mr. Giannetsos set up a proof-of-concept with a series of wireless controllers, showing the communication relationship between them all, and that (if correctly accessed) control can be gained and commands sent to disable or change their function in non-trivial ways.
The Stuxnet efforts were specifically targeted at Siemens PLC equipment. While Siemens equipment is common, there are various other control/sensor families that have a large install bases, and are ripe for the hacking. The Tmote Sky controllers used in the demonstration were just one such family. The devices are susceptible to a combination of eavesdropping, interception, alteration, replay, or injection of malicious packets. I have blogged about other families of network device hacks at Blackhat, but this one focuses on widespread low cost simple wireless monitoring sensors, used in applications like Smart Grid and remote monitoring for temperature and other data gathering/logging. Mr. Giannetsos spent a considerable amount of the presentation dissecting the hack, focusing on memory related vulnerabilities and code injection. Also, for those aspiring hackers who want to give it a shot, there is a tool which can be used to simplify the exercise, called Spy-Sense.
One of the difficulties involved in the hack is physically locating the sensor, since they tend to be deployed autonomously in remote locations. Also, it requires reverse-engineering the topology of the network, which can vary substantially.
One boon for a hacking attempt on these devices is the simplicity of the chips utilized. Unlike powerful x86 architecture computers, these sensors tend to use stripped down, resource limited 8 or 16 bit microcontrollers. After all, they are made for simple functions, and must be cost and power conscious. Because of the simplicity of the microcontrollers, adding hefty crypto functionality is non-trivial, especially due to the low-cost niche they fill in the market, where price sensitivity is paramount.
The goal of this blog is not to enable hackers to do “very bad things”, it is targeted at education, in this case the device manufacturers, to encourage them to bulk up the security for their devices. If device manufacturers get a copy of the software, they may be able to start a sort of penetration testing on their own devices, a sort of internal sanity check prior to release. It may also be that they are able to push a firmware update that will help the situation. If you missed the talk, you missed some critical reverse engineering steps that are required for the hack, but manufacturers and installation sites should note that hacks may soon be hitting the streets, so it might be time for a security check up on your wireless sensors.
Author Cameron Camp, ESET