Radio frequency (RF) remote controllers might look like your typical remote controllers: While some come in belt packs, most are pocket-sized and hand-held with buttons and joysticks. In principle, consumer and industrial radio remote controllers are very similar. Each device uses a transmitter (TX) that sends out radio waves corresponding to a command (or a button press), which a receiver (RX) interprets and acts on, for example, opening a garage door or lifting a load with an overhead crane.
The rugged and unassuming ones, however, come with heavy-duty purposes: control and automation of machines in various industrial sectors such as construction, manufacturing, logistics, and mining. And unlike the consumer-grade devices, industrial radio remote controllers are pervasively embedded in safety-critical applications.
Remotes: Attack Classes and Attacker Models
In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. Across the attack classes we outline, we were able to carry out the attacks quickly and even switch on the controlled machine after an operator had issued an emergency stop (e-stop).
The core of the problem lies in how, instead of depending on standard wireless technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn’t until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.
What Kinds of Attacks Are Possible?
We found that controllers that use RF are susceptible to command spoofing, where an attacker within range can capture radio traffic, selectively modify the packets, and craft arbitrary commands automatically.
An attacker needs only to be within range of a construction site, pretend to be a bystander, and hide a battery-powered, coin-sized device (built around an inexpensive radio transceiver), then use it remotely to craft arbitrary packets that control an industrial machine or persistently simulate a malfunction. For comparison, we looked at commercial garage door remote controllers that also use RF protocols and found that they are actually more secure than industrial remotes, because they implement rolling-code mechanisms that defeat simple capture-and-replay.
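To make the difference concrete, the following is an added example (not code from the original article or from any vendor's product) that contrasts a fixed-code receiver, which accepts any frame carrying the right pairing ID, with a rolling-code receiver that also authenticates each frame with a keyed MAC. The frame layouts, command codes, pairing ID and key are all constructed for the illustration; no real industrial protocol is modelled. Against the fixed-code receiver, a sniffed frame can be replayed and its command byte rewritten at will; against the rolling-code receiver, the same two tricks are rejected while legitimately lost frames within a small counter window are tolerated.

```python
import hashlib
import hmac
import struct

# Command codes for the constructed example (assumption: not any vendor's protocol).
CMD_ESTOP = 0x00
CMD_HOIST_UP = 0x01
CMD_HOIST_DOWN = 0x02
CMD_START = 0x7F

TAG_LEN = 8  # truncated HMAC-SHA256 tag, in bytes


def build_fixed_frame(pairing_id: int, command: int) -> bytes:
    """Fixed-code frame: [pairing ID (2 bytes)][command (1 byte)], nothing else."""
    return struct.pack(">HB", pairing_id, command)


class FixedCodeReceiver:
    """Accepts any frame carrying its pairing ID; a replayed or forged frame is indistinguishable from a real one."""

    def __init__(self, pairing_id: int):
        self.pairing_id = pairing_id

    def accept(self, frame: bytes):
        if len(frame) != 3:
            return None
        pairing_id, command = struct.unpack(">HB", frame)
        return command if pairing_id == self.pairing_id else None


class RollingCodeTransmitter:
    """Frame: [pairing ID (2)][counter (4)][command (1)][HMAC-SHA256 tag (8)] over the first 7 bytes."""

    def __init__(self, pairing_id: int, key: bytes):
        self.pairing_id = pairing_id
        self.key = key
        self.counter = 0

    def send(self, command: int) -> bytes:
        self.counter += 1  # never reused: this is what makes a captured frame stale
        body = struct.pack(">HIB", self.pairing_id, self.counter, command)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class RollingCodeReceiver:
    def __init__(self, pairing_id: int, key: bytes, window: int = 16):
        self.pairing_id = pairing_id
        self.key = key
        self.window = window  # how many lost frames we tolerate before resync is needed
        self.last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) != 7 + TAG_LEN:
            return None
        body, tag = frame[:7], frame[7:]
        # Authenticate first: without the pairing key an attacker can neither craft nor modify a frame.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        pairing_id, counter, command = struct.unpack(">HIB", body)
        if pairing_id != self.pairing_id:
            return None
        # Freshness: the counter must move forward, but only within the window, so a replay is rejected.
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return None
        self.last_counter = counter
        return command


def demo() -> dict:
    """Run replay and forgery against both receivers and report what each one accepted."""
    results = {}
    fixed_rx = FixedCodeReceiver(pairing_id=0x1234)
    captured = build_fixed_frame(0x1234, CMD_HOIST_UP)        # sniffed off the air
    results["fixed_replay"] = fixed_rx.accept(captured)        # replay is accepted
    forged = build_fixed_frame(0x1234, CMD_START)              # rewrite the command byte
    results["fixed_forged_start"] = fixed_rx.accept(forged)    # forgery is accepted

    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed pairing key
    tx = RollingCodeTransmitter(0x1234, key)
    rx = RollingCodeReceiver(0x1234, key)
    frame = tx.send(CMD_HOIST_UP)
    results["rolling_fresh"] = rx.accept(frame)                # genuine frame accepted
    results["rolling_replay"] = rx.accept(frame)               # same frame again: stale counter
    tampered = bytearray(tx.send(CMD_HOIST_UP))
    tampered[6] = CMD_START                                    # command byte sits at offset 6
    results["rolling_tampered"] = rx.accept(bytes(tampered))   # tag no longer verifies
    attacker_tx = RollingCodeTransmitter(0x1234, b"not the pairing key")
    results["rolling_wrong_key"] = rx.accept(attacker_tx.send(CMD_START))
    for _ in range(5):
        tx.send(CMD_HOIST_DOWN)                                # frames lost in the air
    results["rolling_after_loss"] = rx.accept(tx.send(CMD_HOIST_DOWN))  # still inside the window
    return results
```

Two caveats a practitioner should keep in mind: a counter plus MAC stops replay and forgery but does nothing against jamming, so it cannot by itself prevent denial-of-service style e-stop abuse; and the pairing key must be unique per transmitter/receiver pair and provisioned during pairing, otherwise a leaked key breaks every device in the fleet.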
Note: In the attacker models, “temporary local” means that an attacker needs only to briefly drop by the target facility, or use a drone, to carry out an attack.
Through the aforementioned attack classes, we were able to control tower cranes, industrial cranes, and mobile hoists in real production settings. It should be noted that safety features in radio remote controllers such as authorization, pairing mechanism, passcode protection, and virtual fencing do exist. However, these are meant to prevent operator injuries or unexpected conditions and are not designed with cybersecurity in mind. Simply put, these features do not prevent active attacks, as they are not designed for that purpose in the first place.
Compromising the security of industrial remotes and machines would require transmission protocol know-how and the right tools. Launching a replay attack or e-stop abuse, for instance, would need only an appropriate device that costs a few hundred U.S. dollars. Meanwhile, attacks such as command injection, malicious re-pairing, and malicious reprogramming could require target equipment, which can cost from a hundred to a few thousand U.S. dollars. Attacker motivations may vary, but ultimately, significant business impact such as financial losses, system unavailability, and operator injuries could come into play as safety-critical machinery is involved.
Industrial radio remote controllers have higher replacement costs and longer service life spans than run-of-the-mill consumer remotes. This means that vulnerabilities can persist for years, if not decades. During our research, we found industrial remote controllers that had been deployed in production for more than 15 years. Industrial devices are also relatively more difficult to patch promptly because some of them are deployed in isolation and left undisturbed until one wears out and needs replacement. Some companies that use industrial radio remotes may even expect patching to interfere with business continuity and add to operational costs.
We still strongly recommend applying timely patches to prevent attackers from taking advantage of vulnerabilities to get into systems. System integrators should also look into devices with virtual fencing features, which disable the devices when the remote controllers are out of range. To be sure, this will not eliminate the possibility of vulnerability exploitation that we pointed out, but it is a step in the right direction. Ultimately, the long-term solution of abandoning proprietary RF protocols in favor of open, standard ones should be adopted. Without standard protocols in use, interoperability, reliability, and security can be at risk.
In our research paper, “A Security Analysis of Radio Remote Controllers for Industrial Applications,” we review the possible threats to industrial radio remote controllers, make in-depth analyses of vulnerabilities we found, and share recommendations on how to prevent risks. We have followed responsible-disclosure procedures to alert manufacturers, some of which have already taken action (see ICSA-18-296-03, for instance). Vulnerability disclosures aside, with this report we aim to alert concerned parties that breaking the security of these controllers is possible and their functionality and security should be improved for safe and uninterrupted operations.