
A Security Evaluation of Industrial Radio Remote Controllers

Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Abstract

Heavy industrial machinery is a primary asset for the operation of key sectors such as construction, manufacturing, and logistics. Targeted attacks against these assets could result in incidents, fatal injuries, and substantial financial loss. Given the importance of such scenarios, we analyzed and evaluated the security implications of the technology used to operate and control this machinery, namely industrial radio remote controllers. We conducted the first-ever security analysis of this technology, which relies on proprietary radio-frequency protocols to implement remote-control functionalities. Through a two-phase evaluation approach we discovered important flaws in the design and implementation of industrial remote controllers. In this paper we introduce and describe 5 practical attacks affecting major vendors and multiple real-world installations. We conclude by discussing how a challenging responsible disclosure process resulted in first-ever security patches and improved security awareness.


Notes

  1. An Arduino-based open-hardware/software research framework to analyze sub-GHz radio protocols: https://github.com/trendmicro/rfquack.

  2. Multi-transmitter and multi-receiver scenarios are possible.

  3. For example: http://www.hetronic.com/Control-Solutions/Receivers/Serial-Communication.

  4. Liebherr and Schneider Electric use Bluetooth Low Energy (BLE).

  5. Searchable FCC ID database at https://fccid.io.

  6. Autec (established in 1986), Hetronic (1982), Saga (1997), Circuit Design (1974), Elca (1991), Telecrane (1985), Juuko (1994), HBC-radiomatic (1947), Cattron (1946), Tele Radio (1955), Scanreco (1980), Shanghai Techwell Autocontrol Technology (2005), Remote Control Technology (1982), Akerstroms (1918), Jay Electronique (1962), Itowa (1986), 3-Elite (1995).

  7. https://www.airspayce.com/mikem/arduino/RadioHead/.

  8. https://www.telecrane.it/en/tablet-with-original-software/.

  9. https://www.nuand.com/product/bladerf-x115/.

  10. https://www.ettus.com/product/details/UN210-KIT.

  11. http://www.baudline.com/.

  12. https://www.saleae.com/.

  13. http://www.sagaradio.com.tw/SAGA1-L6B.html.

  14. http://dangerousprototypes.com/docs/Bus_Pirate.

  15. Write-only operations are normally permitted even without a password, but only within the code area (i.e., not the boot loader). These are of little use, since one can only write data into the flash blindly.

  16. http://www.juukoremotecontrol.com/en/products/transmitter/jk-800-en.

  17. An FSK variant in which a Gaussian filter is applied to the signal to smooth level transitions.

  18. CVE-2018-19023, ZDI-CAN-6183 [1], ZDI-18-1336, ZDI-CAN-6185 [1], ZDI-18-1362, ZDI-CAN-6187 [1], CVE-2018-17903, CVE-2018-17921, CVE-2018-17923, CVE-2018-17935.

References

  1. Andersson, J., et al.: A security analysis of radio remote controllers for industrial applications. Technical report, Trend Micro, Inc., January 2019. https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf

  2. Arkansas: Heavy load accident (2013). https://cdn.allthingsnuclear.org/wp-content/uploads/2015/02/FS-181-PDF-File-with-links.pdf

  3. Balduzzi, M., Pasta, A., Wilhoit, K.: A security evaluation of AIS automated identification system. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, New Orleans, LA, USA, 8–12 December 2014, pp. 436–445 (2014). https://doi.org/10.1145/2664243.2664257

  4. Bhatti, J., Humphreys, T.E.: Hostile control of ships via false GPS signals: demonstration and detection. Navig. J. Inst. Navig. 64(1), 51–66 (2017)

  5. Blossom, E.: GNU radio: tools for exploring the radio frequency spectrum. Linux J. 2004(122), 4 (2004)

  6. Costin, A., Francillon, A.: Ghost in the air (traffic): on insecurity of ADS-B protocol and practical attacks on ADS-B devices. In: Black Hat USA, pp. 1–12 (2012)

  7. CYREN: Cyber pirates targeting logistics and transportation companies (2018). https://www.cyren.com/blog/articles/cyber-pirates-targeting-logistics-and-transportation-companies

  8. Fleury, T., Khurana, H., Welch, V.: Towards a taxonomy of attacks against energy control systems. In: Papa, M., Shenoi, S. (eds.) ICCIP 2008. TIFIP, vol. 290, pp. 71–85. Springer, Boston, MA (2008). https://doi.org/10.1007/978-0-387-88523-0_6

  9. Fouladi, B., Ghanoun, S.: Security evaluation of the Z-wave wireless protocol. In: Black Hat USA, vol. 24, pp. 1–2 (2013)

  10. Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). Eidgenössische Technische Hochschule Zürich, Department of Computer Science (2011)

  11. Goodspeed, T.: Practical attacks against the MSP430 BSL. In: Twenty-Fifth Chaos Communications Congress (2008)

  12. Greenberg, A.: Crash override malware took down Ukraine's power grid last December (2017). https://www.wired.com/story/crash-override-malware/

  13. Texas Instruments: CC1120 user's guide (2013). http://www.ti.com/lit/ug/swru295e/swru295e.pdf

  14. Kamkar, S.: Drive it like you hacked it: new attacks and tools to wirelessly steal cars (2015). https://samy.pl/defcon2015/

  15. Kerns, A.J., Shepard, D.P., Bhatti, J.A., Humphreys, T.E.: Unmanned aircraft capture and control via GPS spoofing. J. Field Robot. 31(4), 617–636 (2014)

  16. Papp, D., Ma, Z., Buttyan, L.: Embedded systems security: threats, vulnerabilities, and attack taxonomy. In: 2015 13th Annual Conference on Privacy, Security and Trust (PST), pp. 145–152. IEEE (2015)

  17. Pohl, J., Noack, A.: Universal radio hacker: a suite for analyzing and attacking stateful wireless protocols. In: 12th USENIX Workshop on Offensive Technologies (WOOT 2018). USENIX Association, Baltimore, MD (2018). https://www.usenix.org/conference/woot18/presentation/pohl

  18. Quarta, D., Pogliani, M., Polino, M., Maggi, F., Zanchettin, A.M., Zanero, S.: An experimental security analysis of an industrial robot controller. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 268–286, May 2017. https://doi.org/10.1109/SP.2017.20

  19. Texas Instruments: CC1110Fx/CC1111Fx. http://www.ti.com/lit/ds/symlink/cc1110-cc1111.pdf

  20. Trend Micro: Triton wielding its trident - new malware tampering with industrial safety systems, December 2017. https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/triton-wielding-its-trident-new-malware-tampering-with-industrial-safety-systems

  21. Vidgren, N., Haataja, K., Patino-Andres, J.L., Ramirez-Sanchis, J.J., Toivanen, P.: Security threats in ZigBee-enabled systems: vulnerability evaluation, practical experiments, countermeasures, and lessons learned. In: 2013 46th Hawaii International Conference on System Sciences (HICSS), pp. 5132–5138. IEEE (2013)

  22. Wilhoit, K.: KillDisk and BlackEnergy are not just energy sector threats, February 2016. https://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/

  23. Wright, J.: KillerBee: practical ZigBee exploitation framework or wireless hacking and the kinetic world (2018)

  24. Yaneza, J.: 64-bit version of Havex spotted, December 2014. https://blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/

  25. ZDI: Disclosure policy. https://www.zerodayinitiative.com/advisories/disclosure_policy/


Corresponding author

Correspondence to Federico Maggi .


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Maggi, F. et al. (2019). A Security Evaluation of Industrial Radio Remote Controllers. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_7

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer Science (R0)
