Attacks Against Industrial Radio Remote Controllers
Radio frequency (RF) protocols used to control industrial machines support simple operations such as turning on a motor, lifting a load, or maneuvering a heavy-duty vehicle. These commands are sent over the air, and one of the obvious problems that have cropped up is the possibility of an attacker, armed with the right RF equipment, crafting commands to take control of the industrial devices.
In our research, we found that it is possible to perform attacks within or out of RF range. For remote attackers out of the transmission range, there are two possibilities: be a truly remote attacker and carry out a computer-borne attack (that is, take control of a computer used to program or control the RF devices through software), or have temporary physical access to the facility to drop a battery-powered, pocket-sized embedded device for remote access. As a proof of concept (PoC), we developed such a device to show the feasibility of this approach.
Analyzing vulnerabilities in industrial RF protocols
In the course of our research, we experimented with various devices and realized the need for a more versatile research tool. Given the modularity of Arduino-compatible hardware and the flexibility of modern RF-hacking software stacks, we figured that it was possible to build a modular hardware tool that would apply to a variety of RF transceivers. The result: “RFQuack,” an inconspicuous, pocket-sized device that we can use as a research tool in implementing attacks.
Figure 1. Our first RFQuack RF-hacking hardware device prototype
RFQuack can be controlled remotely via Message Queuing Telemetry Transport (MQTT) messages, which can be sent from a client-side interactive console that we built around it. It also works over Wi-Fi, 3G, and 4G connections. When powered up, the device stays idle to save power. When set to receiving mode, it goes into deep-sleep mode and wakes up only when a valid radio packet is received. When a valid packet is received, its default behavior is to immediately resend it enough times to make the target receiver “obey” the command. Before retransmission, RFQuack modifies the packet on the fly, according to a configurable set of rules. Alternatively, RFQuack can be used to collect radio packets or just send manually crafted packets.
Attacks against controllers can lead to malicious actors being able to control construction cranes, industrial cranes, and mobile hoists on real production implementations. In the video below, we show how RFQuack can be used to keep industrial radio remote controllers in a persistent denial-of-service (DoS) state through emergency stop (e-stop) abuse and even gain control over the machines through command injection. https://youtu.be/WXHVA9gGh4o
Cybersecurity checklist for users, system integrators, and manufacturers of industrial radio remote controllers
These industrial devices tend to have a very long life in production. They often remain deployed long after the manufacturers’ official support for the products has ended. In that case, the manufacturers would never develop patches and would instead offer new product lines.
Given the very real possibility of attacks against industrial radio remote controllers, we advise system integrators to alert their clients and at least adopt devices that have virtual fencing features, which disable the devices when the remote controllers are out of range. This means that for an attack to be launched, an adversary needs to either be on-site or know when the legitimate transmitter is enabled. As for the long-term solution, we recommend that manufacturers abandon proprietary RF protocols and focus on open and standard ones. Doing this will heighten security and eliminate the burden on manufacturers to design or integrate custom RF protocols. Note that none of the products that we inspected used a rolling-code mechanism. However, even though RF protocols with rolling codes are more secure than those with fixed codes, they’re still not immune from attacks.
Any employee or operator in a company’s supply chain can start by following our recommended security measures to reduce the risk of cyberattacks that take advantage of vulnerabilities in radio transceivers and remote controllers.
Operators can minimize the risk of attacks in their controllers and machines by:
- Inspecting technical manuals before purchasing a device (most manuals are even available online) and ensuring that some form of configurable pairing is available.
- Periodically changing the fixed (ID) code, if possible.
- Keeping the programming computer off the network or hardening its security as if it were a critical endpoint.
- Preferring remote control systems that offer dual-technology devices, such as those with virtual fencing.
- Choosing devices that use open, well-known, and standard protocols such as Bluetooth Low Energy.
For businesses, it is important to ensure secure protocols and processes by:
- Implementing rolling-code mechanisms (or better) and providing firmware upgrades to devices.
- Building on open, well-known, and standard protocols like Bluetooth Low Energy (which some vendors are already doing).
- Considering future evolutions when designing next-generation systems.
- Using tamper-proof mechanisms to hinder reverse engineering (most of the products that we’ve analyzed are easily accessible).
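To make the fixed-code versus rolling-code distinction above concrete, here is an added receiver-side sketch (not code from the paper or from any vendor). The frame layout, the 8-byte truncated HMAC tag, the `WINDOW` size, and the key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

HEADER = ">IIB"   # assumed layout: device ID, counter, command (9 bytes)
TAG_LEN = 8       # assumed truncated HMAC-SHA256 tag length
WINDOW = 16       # assumed: how far ahead of the last counter is tolerated

def make_frame(key, device_id, counter, command):
    """Transmitter side: header followed by a tag computed over the header."""
    header = struct.pack(HEADER, device_id, counter, command)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]

class FixedCodeReceiver:
    """Fixed-code behaviour: any frame carrying the paired ID is obeyed."""
    def __init__(self, device_id):
        self.device_id = device_id

    def accept(self, frame):
        return len(frame) >= 9 and struct.unpack(HEADER, frame[:9])[0] == self.device_id

class RollingCodeReceiver:
    """Obeys a frame only if it is authentic and its counter is fresh."""
    def __init__(self, key, device_id):
        self.key, self.device_id, self.last_counter = key, device_id, 0

    def accept(self, frame):
        if len(frame) != 9 + TAG_LEN:
            return False
        header, tag = frame[:9], frame[9:]
        device_id, counter, _command = struct.unpack(HEADER, header)
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if device_id != self.device_id or not hmac.compare_digest(tag, expected):
            return False                      # wrong pairing or modified frame
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False                      # replayed or implausibly far ahead
        self.last_counter = counter           # advance only after all checks pass
        return True

def demo():
    key, dev = b"constructed-demo-key-0123456789ab", 0x1234   # constructed values
    fixed, rolling = FixedCodeReceiver(dev), RollingCodeReceiver(key, dev)
    frame = make_frame(key, dev, 1, 0x01)
    modified = bytearray(make_frame(key, dev, 2, 0x01))
    modified[8] ^= 0x03                       # command byte changed in transit
    return {
        "fixed_first": fixed.accept(frame), "fixed_repeat": fixed.accept(frame),
        "rolling_first": rolling.accept(frame), "rolling_repeat": rolling.accept(frame),
        "rolling_modified": rolling.accept(bytes(modified)),
        "rolling_next": rolling.accept(make_frame(key, dev, 2, 0x01)),
        "rolling_too_far": rolling.accept(make_frame(key, dev, 2 + WINDOW + 1, 0x01)),
    }
```

The fixed-code receiver accepts the same frame every time it arrives, while the rolling-code receiver rejects the repeated frame, the frame modified in transit, and a counter outside the window. The window is the trade-off between tolerating missed button presses and limiting how stale an accepted frame can be.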
To learn more about possible security risks and mitigations, how we implemented attacks using RFQuack, and our vulnerability analyses, read our paper, “A Security Analysis of Radio Remote Controllers for Industrial Applications.”