Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

Radio frequency (RF) technology is being used in operations to control various industrial machines. However, the lack of implemented security in RF communication protocols could lead to production sabotage, system control, and unauthorized access.

A Security Analysis of Radio Remote Controllers for Industrial Applications View A Security Analysis of Radio Remote Controllers for Industrial Applications

By: Trend Micro Research

Radio frequency (RF) remote controllers might look like your typical remote controllers: While some come in belt packs, most are pocket-sized and hand-held with buttons and joysticks. In principle, consumer and industrial radio remote controllers are very similar. Each device uses a transmitter (TX) that sends out radio waves corresponding to a command (or a button press), which a receiver (RX) interprets and reacts to, for example, lift a garage door open or lift a load via an overhead crane.

The rugged and unassuming ones, however, come with heavy-duty purposes: control and automation of machines in various industrial sectors such as construction, manufacturing, logistics, and mining. And unlike the consumer-grade devices, industrial radio remote controllers are pervasively embedded in safety-critical applications.

Risky Radio
Remotes:Attack Classes and Attacker Models

In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we’ve outlined, we were able to perform the attacks quickly and even switch on the controlled machine despite an operator’s having issued an emergency stop (e-stop).

The core of the problem lies in how, instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn’t until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.

A Security Analysis of Radio Remote Controllers for Industrial Applications

Various industrial machines are operated using remote controllers that rely on radio frequency (RF) technology. But the lack of security implemented in the use of these devices in safety-critical applications can lead to sabotage and injury.
Analyzing Vulnerabilities in Industrial Radio Frequency Protocols

The lack of security in the use of radio frequency (RF) protocols in industrial remote controllers can lead to vulnerabilities that can allow attackers to carry out malicious activities such as command injection and emergency-stop abuse.

What Kinds of Attacks Are Possible?

We found that controllers that use RF are susceptible to command spoofing, where an attacker within range can capture radio traffic, selectively modify the packets, and automatically craft arbitrary commands.

An attacker can just be within the range of a construction site, pretend to be a bystander, hide a battery-powered, coin-sized device (with an inexpensive radio transceiver at that), and use it remotely to craft arbitrary packets to control an industrial machine or persistently simulate a malfunction. Considering commercial garage door remote controllers that use RF protocols, we found that the garage door controllers are actually more secure than industrial remotes as they implement better security through rolling-code mechanisms.

Attack 1 AttackerTXRXOperatorCommandsAttackerTX rangeRecord commandsCapturedataTransmit recorded commands123

Attack 1: Replay Attack

Difficulty: Easy

Access: Local or temporary local

The attacker records RF packets and replays them to obtain basic control of the machine.

Attack 2 AttackerTXRXOperatorOffline reverseengineeringAttackerTX rangeRecord commandsCapturedataTransmit othercommandsDerive othercommands1243

Attack 2: Command Injection

Difficulty: Intermediate

Access: Temporary local

Knowing the RF protocol, the attacker can arbitrarily and selectively modify RF packets to completely control the machine.

Attack 3 TX rangeengineeringCommandsE-stopcommandAttack loopTXOperatorRX“Start”“Move”“Stop”1234

Attack 3: E-Stop Abuse

Difficulty: Easy

Access: Temporary local

The attacker can replay e-stop (emergency stop) commands indefinitely to engage a persistent denial-of-service (DoS) condition.

Attack 3 TX rangeOffline reverseengineeringCommandsE-stopcommandAttack loopTXOperatorRX“Start”“Move”“Stop”1234
Attack 4 TX rangeTX 2AttackerPairingsequenceTX 1OperatorBefore attackAttacker(paired)TX 1(unpaired)OperatorAfter attackRXMoveCaptureReplay1234

Attack 4: Malicious Re-Pairing

Difficulty: Intermediate

Access: Local or temporary local

The attacker can clone a remote controller or its functionality to hijack a legitimate one.

Attack 5 RXUSBFWSystem integration or service and maintenance

Attack 5: Malicious Reprogramming and Remote Attack Vectors

Difficulty: Hard

Access: Remote or temporary local

The attacker “trojanizes” the firmware running on the remote controllers to obtain persistent, full remote control.

Note: “Temporary local” means that an attacker needs to only briefly drop by the target facility or use a drone to facilitate an attack.

Through the aforementioned attack classes, we were able to control tower cranes, industrial cranes, and mobile hoists in real production settings. It should be noted that safety features in radio remote controllers such as authorization, pairing mechanism, passcode protection, and virtual fencing do exist. However, these are meant to prevent operator injuries or unexpected conditions and are not designed with cybersecurity in mind. Simply put, these features do not prevent active attacks, as they are not designed for that purpose in the first place.

Who Would Exploit These Devices?

Compromising the security of industrial remotes and machines would require transmission protocol know-how and the right tools. Launching a replay attack or e-stop abuse, for instance, would need only an appropriate device that costs a few hundred U.S. dollars. Meanwhile, attacks such as command injection, malicious re-pairing, and malicious reprogramming could require target equipment, which can cost from a hundred to a few thousand U.S. dollars. Attacker motivations may vary, but ultimately, significant business impact such as financial losses, system unavailability, and operator injuries could come into play as safety-critical machinery is involved.


Antenna mounted by the passenger window used in our testing for local attacks
  • Local Attacks: Adversary Within Range

    From inside a car (as shown in the image), we were able to detect signals from a transmitter on the field that was 300 meters away. A casual attacker with no advanced skills whatsoever (could be a contractor, disgruntled employee, or script kiddie) equipped with a software-defined radio (SDR) can record a command and replay it under risky conditions. An attacker equipped with signal amplifiers and professional antennas could extend the range to several kilometers.

    An attacker with the knowledge of the RF protocol, on the other hand, can carry out attacks in a variety of ways. This adversary will know how to perform reverse engineering on a radio protocol. A visit to the targeted site or recording of the commands will no longer be needed to run attacks like command injection.
  • Remote Attacks: Adversary Out of Range

    An attacker can casually drop or plant a battery-powered, pocket-sized embedded device in a targeted facility to have sustained remote access while its battery lasts. A truly remote attacker, meanwhile, can launch attacks in the supply chain via a compromised computer used to software-program or -control remotes. Such an attacker could alter the functionality of remotes and implement more persistent and sophisticated attacks.
  • Target Reconnaissance: Adversary on the Lookout

    An attacker can survey a company by pairing open-source intelligence (OSINT) with RF reconnaissance. For instance, we were able to sniff a target area to identify systems in use and rely on OSINT sources to refine the search. Such information can then be used to carry out target-specific attacks whenever needed. Such attacks could be done without the knowledge, let alone the consent, of the company that malicious activity is in progress in their systems.

Securing Industrial Radio Remote Controllers Against Attacks

Industrial radio remote controllers have higher replacement costs and longer service life spans than run-of-the-mill consumer remotes. This means that vulnerabilities can persist for years, if not for decades. During our research, we found industrial remote controllers that had been deployed in production for more than 15 years. Industrial devices are also relatively more difficult to promptly patch because some of them are deployed in isolation, left undisturbed until one gets worn out and needs replacement. Some companies that use industrial radio remotes may even expect patching to interfere with business continuity and add up to operational costs.

We still strongly recommend applying timely patches to prevent attackers from taking advantage of vulnerabilities to get into systems. System integrators should also look into devices with virtual fencing features, which disable the devices when the remote controllers are out of range. To be sure, this will not eliminate the possibility of vulnerability exploitation that we pointed out, but it is a step in the right direction. Ultimately, the long-term solution of abandoning proprietary RF protocols in favor of open, standard ones should be adopted. Without standard protocols in use, interoperability, reliability, and security can be at risk.

In our research paper, A Security Analysis of Radio Remote Controllers for Industrial Applications,” we review the possible threats to industrial radio remote controllers, make in-depth analyses of vulnerabilities we found, and share recommendations on how to prevent risks. We have followed responsible-disclosure procedures to alert manufacturers, some of which have already taken action (see ICSA-18-296-03, for instance). Vulnerability disclosures aside, with this report we aim to alert concerned parties that breaking the security of these controllers is possible and their functionality and security should be improved for safe and uninterrupted operations.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.