View A Security Analysis of Radio Remote Controllers for Industrial Applications
By: Trend Micro Research
Radio frequency (RF) remote controllers might look like any other remote controller: while some come in belt packs, most are pocket-sized and hand-held, with buttons and joysticks. In principle, consumer and industrial radio remote controllers are very similar. Each device uses a transmitter (TX) that sends out radio waves corresponding to a command (or a button press), which a receiver (RX) interprets and acts on, for example by opening a garage door or lifting a load with an overhead crane.
The rugged and unassuming ones, however, serve heavy-duty purposes: control and automation of machines in industrial sectors such as construction, manufacturing, logistics, and mining. Unlike consumer-grade devices, industrial radio remote controllers are pervasively embedded in safety-critical applications.
Risky Radio Remotes: Attack Classes and Attacker Models
In our research and vulnerability discoveries, we found that weaknesses in the controllers can be easily taken advantage of to move full-sized machines such as the cranes used on construction sites and in factories. In the attack classes we outline below, we were able to perform the attacks quickly and even to switch the controlled machine back on after an operator had issued an emergency stop (e-stop).
The core of the problem is that, instead of relying on standard wireless technologies, these industrial remote controllers use proprietary RF protocols that are decades old and focused primarily on safety at the expense of security. It was not until the arrival of Industry 4.0, and the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.
What Kinds of Attacks Are Possible?
We found that controllers that use RF are susceptible to command spoofing: an attacker within range can capture radio traffic, selectively modify the packets, and craft arbitrary commands.
An attacker only needs to be within range of a construction site, pose as a bystander, hide a battery-powered, coin-sized device (built around an inexpensive radio transceiver), and then use it remotely to craft arbitrary packets that control an industrial machine or persistently simulate a malfunction. By comparison, commercial garage door openers, which also use RF protocols, are actually more secure than these industrial remotes: their rolling-code mechanisms mean that a captured transmission is not simply accepted again.
Attack 1: Replay Attack
Access: Local or temporary local
The attacker records RF packets and replays them to obtain basic control of the machine.
Attack 2: Command Injection
Access: Temporary local
Knowing the RF protocol, the attacker can arbitrarily and selectively modify RF packets to completely control the machine.
Attack 3: E-Stop Abuse
The attacker replays e-stop (emergency stop) commands indefinitely to create a persistent denial-of-service (DoS) condition.
Attack 4: Malicious Re-Pairing
The attacker can clone a remote controller or its functionality to hijack a legitimate one.
Attack 5: Malicious Reprogramming and Remote Attack Vectors
Access: Remote or temporary local
The attacker “trojanizes” the firmware running on the remote controllers to obtain persistent, full remote control.
Note: “Temporary local” means that an attacker needs to only briefly drop by the target facility or use a drone to facilitate an attack.
Through the attack classes above, we were able to control tower cranes, industrial cranes, and mobile hoists in real production settings. It should be noted that safety features in radio remote controllers, such as authorization, pairing mechanisms, passcode protection, and virtual fencing, do exist. However, these are meant to prevent operator injuries or unexpected conditions and are not designed with cybersecurity in mind. Simply put, they do not prevent active attacks, because that was never their purpose.
Compromising the security of industrial remotes and machines would require transmission protocol know-how and the right tools. Launching a replay attack or e-stop abuse, for instance, would need only an appropriate device that costs a few hundred U.S. dollars. Meanwhile, attacks such as command injection, malicious re-pairing, and malicious reprogramming could require target equipment, which can cost from a hundred to a few thousand U.S. dollars. Attacker motivations may vary, but ultimately, significant business impact such as financial losses, system unavailability, and operator injuries could come into play as safety-critical machinery is involved.
Industrial radio remote controllers have higher replacement costs and longer service lives than run-of-the-mill consumer remotes. This means that vulnerabilities can persist for years, if not decades. During our research, we found industrial remote controllers that had been deployed in production for more than 15 years. Industrial devices are also relatively difficult to patch promptly, because some of them are deployed in isolation and left undisturbed until one wears out and needs replacement. Some companies that use industrial radio remotes may even expect patching to interfere with business continuity and add to operational costs.
We still strongly recommend applying timely patches to prevent attackers from taking advantage of vulnerabilities to get into systems. System integrators should also look into devices with virtual fencing features, which disable the machine when the remote controller is out of range. To be sure, this will not eliminate the possibility of exploiting the vulnerabilities we have pointed out, but it is a step in the right direction. Ultimately, the long-term solution is to abandon proprietary RF protocols in favor of open, standard ones. Without standard protocols in use, interoperability, reliability, and security are all at risk.
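To make the replay, command-injection and e-stop-abuse classes listed above concrete, and to show why the rolling-code garage door openers mentioned earlier fare better, the following simulation is added here; it is illustrative code written for this page, not code from the research paper or from any vendor. The frame layouts, command codes, pairing key and counter window are all constructed for the example and do not describe any real product's protocol. It pits a fixed-code receiver (a checksum but no secret, so any captured frame is accepted again and any field can be rewritten) against a receiver that requires a forward-moving counter bound into an HMAC tag.

```python
"""Toy RF remote simulation: fixed-code frames versus rolling-code,
authenticated frames.  Added illustration; every layout, code and key
below is constructed, not taken from a real industrial remote."""
import hashlib
import hmac
import struct

CMD_LIFT = 0x01   # constructed command codes
CMD_STOP = 0xFF   # constructed code for the emergency stop


def checksum8(data: bytes) -> int:
    """Additive 8-bit checksum: catches bit errors but carries no secret,
    so anyone who can read a frame can recompute it after tampering."""
    return sum(data) & 0xFF


def fixed_frame(device_id: int, cmd: int) -> bytes:
    """Fixed-code frame [device_id:2][cmd:1][checksum:1].  The same button
    always produces the same bytes, which is what makes replay work."""
    body = struct.pack(">HB", device_id, cmd)
    return body + bytes([checksum8(body)])


class FixedCodeReceiver:
    """Accepts any well-formed frame that carries its device ID."""

    def __init__(self, device_id: int):
        self.device_id = device_id

    def accept(self, frame: bytes):
        """Return the command byte if the frame is acted on, else None."""
        if len(frame) != 4 or checksum8(frame[:3]) != frame[3]:
            return None
        dev, cmd = struct.unpack(">HB", frame[:3])
        return cmd if dev == self.device_id else None


class RollingCodeTransmitter:
    """Frame [device_id:2][counter:4][cmd:1][tag:4]; tag is a truncated
    HMAC-SHA256 over the first seven bytes under a key shared at pairing."""

    def __init__(self, device_id: int, key: bytes):
        self.device_id, self.key, self.counter = device_id, key, 0

    def frame(self, cmd: int) -> bytes:
        self.counter += 1   # never reused, so no two presses are identical
        body = struct.pack(">HIB", self.device_id, self.counter, cmd)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:4]


class RollingCodeReceiver:
    """Acts on a frame only if the tag verifies and the counter moves
    forward within a bounded window (tolerates presses made out of range)."""

    def __init__(self, device_id: int, key: bytes, window: int = 16):
        self.device_id, self.key, self.window = device_id, key, window
        self.last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) != 11:
            return None
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(expected, tag):
            return None   # forged or tampered frame
        dev, ctr, cmd = struct.unpack(">HIB", body)
        if dev != self.device_id:
            return None
        if not (self.last_counter < ctr <= self.last_counter + self.window):
            return None   # stale counter: a replayed frame
        self.last_counter = ctr
        return cmd


def inject_fixed(captured: bytes, new_cmd: int) -> bytes:
    """Command injection on the fixed-code frame: swap the command byte
    and recompute the checksum; nothing in the frame can detect this."""
    body = captured[:2] + bytes([new_cmd])
    return body + bytes([checksum8(body)])


def inject_rolling(captured: bytes, new_cmd: int) -> bytes:
    """Same tampering on the authenticated frame: without the key the
    attacker can only keep the old tag, which no longer matches."""
    return captured[:6] + bytes([new_cmd]) + captured[7:]


def demo() -> dict:
    """Run each scenario against both receivers.  A True value means the
    receiver acted on the frame the attacker sent."""
    out = {}
    rx = FixedCodeReceiver(0x1234)
    captured = fixed_frame(0x1234, CMD_LIFT)          # sniffed operator press
    out["fixed_replay"] = rx.accept(captured) == CMD_LIFT
    out["fixed_inject"] = rx.accept(inject_fixed(captured, CMD_STOP)) == CMD_STOP
    estop = fixed_frame(0x1234, CMD_STOP)             # sniffed e-stop, replayed forever
    out["fixed_estop_dos"] = all(rx.accept(estop) == CMD_STOP for _ in range(5))

    key = b"constructed-pairing-key-not-real"        # shared at pairing time
    tx, rx2 = RollingCodeTransmitter(0x1234, key), RollingCodeReceiver(0x1234, key)
    captured = tx.frame(CMD_LIFT)
    out["rolling_legit"] = rx2.accept(captured) == CMD_LIFT
    out["rolling_replay"] = rx2.accept(captured) is None
    out["rolling_inject"] = rx2.accept(inject_rolling(captured, CMD_STOP)) is None
    out["rolling_next_legit"] = rx2.accept(tx.frame(CMD_STOP)) == CMD_STOP
    return out


if __name__ == "__main__":
    for name, acted in demo().items():
        print(f"{name:20s} attacker frame acted on: {acted}")
```

The fixed-code receiver acts on the replayed frame, on the rewritten one, and on the replayed e-stop every time, which is the persistent DoS described under Attack 3. The rolling-code receiver acts only on the operator's own frames: the stale counter defeats replay, and because the counter and command are covered by the tag, an attacker without the pairing key cannot forward-date or rewrite a frame. The window keeps the legitimate remote usable after presses made out of range. This toy covers replay and injection only; it says nothing about jamming, the re-pairing abuse of Attack 4, or the firmware attacks of Attack 5, which an authenticated air interface alone does not address.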
In our research paper, “A Security Analysis of Radio Remote Controllers for Industrial Applications,” we review the possible threats to industrial radio remote controllers, make in-depth analyses of vulnerabilities we found, and share recommendations on how to prevent risks. We have followed responsible-disclosure procedures to alert manufacturers, some of which have already taken action (see ICSA-18-296-03, for instance). Vulnerability disclosures aside, with this report we aim to alert concerned parties that breaking the security of these controllers is possible and their functionality and security should be improved for safe and uninterrupted operations.