Presented by: Lucas Apa and Carlos Mario Penagos, IOActive
Abstract: The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made might be modified, this could lead to unexpected, harmful, and dangerous consequences.
This presentation demonstrates attacks that exploit key distribution vulnerabilities we recently discovered in every wireless device made by three leading industrial wireless automation solution providers. We will review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions.
2. About
Us
Vulnerability
Research
Exploita<on
Cryptography
Reverse
Engineering
ICS/SCADA
2
Lucas
Apa
Carlos
Penagos
Argen<na
Colombia
Security
Consultants
and
Researchers
3. Agenda
§ Mo<va<on
§ Industries
and
Applica<ons
§ Wireless
Standards
§ Journey
of
Radio
Encryp<on
Keys
§ Vendor1
Wireless
Devices
§ Vendor2
Wireless
Devices
§ Vendor3
Wireless
Devices
3
4. Mo<va<on
4
§ Cri<cal
Infrastructures
becoming
targets
§ Insider
aLacks
(Lately)
§ Devices
connected
to
Internet
§ 0days
to
reach
the
PLC,
RTU,
HMI…
§ Stealth
and
precise
aLacks
§ Incident
response
at
hazardous
sites
§ ALack
families
of
devices
(+
reliable)
5. Industrial
Wireless
Automa<on
5
§ Copper
wires
are
used
to
monitor
and
control
§ Corrosion,
Duc<lity,
Thermal
Conduc<vity
§ Cost
of
wires,
trenching,
moun<ng
and
installa<on
§ Industrial
Wireless
Solu<ons
§ Eliminate
cost
of
hardwiring,
logis<cs,
installa<on
§ Heavy
machinery
involved
§ Remote
control
and
administra<on
(Geography)
§ Minimize
Safety
Risk
&
Dangerous
Boxes
§ Adds
durability
7. Industries
and
Applica<ons
(2)
7
Energy
-‐
U<li<es
Waste
&
Waste
Water
§ Transformer
temperature
§ Natural
gas
flow
§ Power
outage
repor<ng
§ Capacitor
bank
control
§ kV,
Amp,
MW,
MVAR
reading
§ Remote
pumping
sta<ons
§ Water
treatment
plants
§ Water
distribu<on
systems
§ Wastewater/sewer
collec<on
systems
§ Water
irriga<on
systems/agriculture
8. Industrial
Wireless
Challenges
8
§ Defeat
electromagne<c
interference
(EMI)
§ Handle
signal
aLenua<on
and
reflec<ons
§ Reliability
is
far
more
important
than
Speed
§ Higher
transmiLer
power
levels
§ Site
surveys
to
assess
the
consistency
and
reliability
of
the
plant
§ Mainly
using
2.4Ghz
or
900Mhz
(ISM
Band)
§ No
“business”
protocols
9. Cryptographic
Key
Distribu<on
(WSN)
9
§ Distribute
secrets
on
a
large
number
of
nodes
§ Base
sta<ons
with
clusters
surrounding
§ Limita<ons:
§ Deployment
in
public
or
hos<le
loca<ons
§ Post-‐deployment
knowledge
§ Limited
bandwidth
and
transmission
power
§ Methods
for
crypto
key
distribu<on:
§ Out-‐of-‐band
§ In-‐band
§ Factory
pre-‐loaded
10. IEEE
802.15.4
Standard
§ Wireless
Radios
(Low
Power/Speed)
§ Set
the
encryp<on
algorithm
and
AES
Key
§ Upper
Layer
Responsibility
§ Each
node
can
have
an
ACL
§ MAC
for
upper
layers:
§ ZigBee
§ WirelessHart
§ ISA
SP100
§ IETF
IPv6
-‐
LoWPAN
10
11. ZigBee
2007
(Standard
Security
Mode)
§ Goal:
Understand
Key
Schemes
§ Suite
of
high
level
communica<on
protocols
§ Based
on
IEEE
802.15.4
(Low
level
layers)
§ ISM
radio
bands
§ Trust
Center
introduced
in
2007
11
Two
Key
Distribu<on
Mechanisms:
1. Pre-‐Installa<on
2. Over
the
air
§ Network
Key
(AES
128-‐bit)
§ Pre-‐installed
(Factory
Installed)
§ Individually
Commissioned
(Commissioning
tool)
§ Managed
by
the
Trust
Center
A
Trust
Center
B
12. ZigBee
Pro
2007
(High
Security
Mode)
§ Many
enhancements
§ More
memory
requirements
§ New
keys
introduced
12
A
B
MasterKey_TA
LinkKey
TA
NetworkKey
MasterKey_AB
LinkKey
AB
MasterKey_TB
LinkKey
TB
NetworkKey
MasterKey_AB
LinkKey
AB
MasterKey_TA
LinkKey
TA
NetworkKey
MasterKey_TB
LinkKey
TB
Trust
Center
① Master
Key
§ Unsecured
Transport
L
§ Out-‐of-‐band
Technique
J
§ Secure
other
keys
② Link
Key
§ Unicast
§ Unique
between
nodes
③ Network
Key
• Regenerated
at
Intervals
• Needed
to
join
the
NWK
13. E
n
d
U
s
e
r
D
e
v
i
c
e
DeviceVendorID
Key
in
Firmware
Per-‐Client
Encryp<on
Key
Change
Encryp<on
Key
Per-‐Client
Encryp<on
Key
Device
Company
Encryp<on
Key
Device
Company
Encryp<on
Key
Change
Encryp<on
Key
No
Encryp<on
Key
Set
Encryp<on
Key
No
Encryp<on
key
No
Encryp<on
Key
The
Journey
of
Radio
Encryp<on
Keys
13
R
a
d
i
o
14. Reusing
Radio
Keys
§ Device
Company
Key
aLack
1. Buy
same
Device
(Buy
same
Key)
2. Remove
Radio
Module
3. Connect
to
USB
Interface
4. Interact:
API
&
AT
Command
Mode
5. Send
frames
using
the
unknown
key
Warning:
Not
possible
if
exists
a
Per-‐Client
Encryp<on
Key
14
§ End-‐User
Node
Key
Storage
§ Shared
Secret
§ Same
Firmware
or
Same
Radio
Key
15. Exploi<ng
Vendor1
Devices
§ Company
Profile
(+1990)
§ Frequency
Hopping
Wireless
Devices
§ Great
for
long
or
short
range
wireless
SCADA
applica<ons
§ Secure
proprietary
FHSS
with
128
bit
AES
encryp<on
§ Hazardous
loca<on
approvals,
Perfect
for
outdoor
Ethernet
SCADA
or
indoor
PLC
messaging
§ 30+
miles
point
to
point
with
high
gain
antennas
15
16. Vendor1
Key
Distribu<on
“<Vendor1
Tool>
is
easy
to
use
and
intuiBve.
Default
values
built
into
the
so0ware
work
well
for
ini4al
installa4on
and
tesBng
making
it
easy
for
first-‐Bme
users.
<Vendor1
Tool>
manages
all
important
se8ngs
to
ensure
that
the
network
performs
correctly.”
(User
Guide)
16
§ RF
Encryp<on:
A
128-‐bit
encryp<on
level
key
is
suggested
for
the
user.
§ Blank:
No
encrypted
packets
§ 5-‐7
Chars:
Field
is
translated
into
a
40-‐bit
encryp<on
level.
§ 15-‐24
Chars:
Field
is
translated
into
a
128-‐bit
encryp<on
level.
17. Reversing
Passphrase
Genera<on
Compiled
C++
Binary:
§ srand
seeds
PRNG
§ <me
returns
epoch
§ srand(<me(NULL))
§ Low
Entropy
Seed
§ Same
algorithm
§ rand()
§ Bad
ANSI
C
func<on
17
20. Comissioning
Tool
Audit
§ Easily
breakable
by
an
outsider
§ Further
Research
with
the
Devices
§ Comissioning
Tools
needs
deep
tes<ng
20
Bruteforce
Passphrase
2570
Passphrases
Mixed
lower
case
alphabet
plus
numbers
and
common
symbols
Impossible
to
calculate
all
passphrases
Need
to
derive
AES
128-‐bit
key
on
real<me
Weak
PRNG
ALack
~156
Million
Passphrases
Every
second
passed,
one
more
key
Only
a
few
seconds
to
calculate
all
passphrases
Calculate
once
and
create
a
database
with
all
possible
AES
128-‐bit
key
deriva<ons
vs
21. Vendor2
Wireless
Devices
§ Market
leadership:
Oil
&
Gas
§ Wireless
and
wired
solu<ons
for
the
digital
oil
field
automa<on
§ Trusted
by
top
companies
in
different
industries
§ Family
System
(Point
to
Mul<point):
§ Wireless
Gateways
§ Wireless
TransmiLers
§ I/O
Expansion
Modules
§ Hardwire
Sensors
21
25. Secure
Communica<ons
25
§ How
the
devices
access
the
wireless
informa<on?
§ “Enhanced
Site
Security
Key”
§ Security
Key
==
Encryp<on
Key
???
§ Legacy
Devices
Without
Encryp<on???
The
Enhanced
Site
Security
feature
designed
to
provide
an
addiBonal
level
of
protec4on
for
RF
packets
sent
and
received
between
<Vendor2>
devices
and
minimizes
the
possibility
of
interference
from
other
devices
in
this
area.
This
feature
is
not
available
on
some
older
versions
of
legacy
devices.
26. Key
Genera<on
and
Distribu<on
26
§ Comissioning
Tool
§ Create
a
“Project
File”
and
update
all
Nodes
§ From
documenta<on:
This
Key
MUST
be
somewhere
on
the
Project
File
“If
the
project
file
name
is
changed,
a
new
Site
Security
Key
will
be
assigned”
Possible
Scheme:
Per-‐Site
Encryp4on
29. 29
§ Support
Center
§ Firmware
Images
&
Documenta<on
§ Radio
Modules,
Architectures
&
Processors
Component
IdenSficaSon
RISC
30. Understanding
Firmware
Image
(RISC)
CrossWorks for MSP430
§ Industry
Standard
Format
§ @Address
and
content
§ Incomplete
Image
(Update)
§ Only
compiler
strings
33. No
Per-‐Client
Key
Dear
<<Reseller
Sales
Eng>>,
We
are
going
to
borrow
a
used
“Analog
Transmider”
from
one
of
our
partners,
We
are
going
to
test
it
for
a
few
weeks
and
let
you
know
if
we
decide
to
buy
a
new
one.
Are
there
any
specific
concern
we
might
take
into
account
when
deploying
this
device
to
connect
it
with
our
<Device>?
Or
just
upgrade
all
project
configuraBon
files?
Thank
you
33
Lucas,
You
just
need
to
upgrade
the
configuraBon
files.
Thanks.
34. Finding
Embedded
Keys
34
§ Two
kind
of
Firmwares
(ARM
and
MSP430)
§ One
possible
hardcoded
key
in
both
firmwares
§ “Binary
Equaling”
35. Acquiring
the
Devices
35
§ Wireless
Gateway
§ Gateways
are
responsible
for
receiving/
collec<ng
data
from
wireless
end
nodes
§ The
collected
data
can
be
communicated
with
third-‐party
Modbus
device
such
as
a
RTU,
PLC,
EFM,
HMI,
or
DCS
§ RTD
Temperature
TransmiLer
§ Integrates
Pla<num
100
ohm
RTD
Sensor
§ Ideal
for
use
in
various
mission-‐cri<cal
industrial
applica<ons.
§ Ideal
for
Monitoring
Air,
Gas,
Water,
or
Liquid
Temperatures
36. § Steal
and
extract
§ Site
Security
Key
§ Project
File
Resilience
and
Node
Capture
36
Stolen
Node
Gateway
Tx
Tx
Tx
S
e
r
i
a
l
C
a
p
t
u
r
e
FF
41
06
00
0A
00
00
00
33
2E
1D
CC
FF
41
0A
00
0A
00
00
00
04
00
AB
D0
9A
51
B0
...
37. A
crypto
aLack
disappointment
§ Protocol
Reverse
Engineering
§ Device
has
a
debug
interface
§ Developed
a
custom
tool
to
receive
and
send
802.15.4
data
§ 2.4ghz
Transceiver
(Modified
Firmware
and
Reflashed
by
JTAG)
§ PyUsb,
IPython
§ Scapy
Dissectors,
etc.
§ Against
the
perfect
scheme:
Per-‐Site
EncrypSon
Key
37
§ Key
not
really
used
for
data
encrypSon
§ Key
only
used
to
”authenScate”
devices
(capture
SiteSecurityKey)
§ No
integrity
and
confidenSality
§ No
protecSon
for
RF
Packets
L
(vendor
lied)
§ Predict
IEEE
802.15.4
next
seqnums
to
inject
A
crypto
aLack
38. Temperature
Injec<on
Live
Demo
§ Designed
an
HMI
Project
§ Developed
an
OPC
based
driver
for
the
HMI
§ Developed
an
exploita<on
framework
(Map/Inject)
§ Chemical
Safety
Board
(US)
background
video
§ Cost
of
the
aLack:
$40
USD
§ Live
Demo
38
40. Remote
Memory
Corrup<on
§ Iden<fy
all
the
protocol
fields
§ Memory
corrup<on
bug
using
unhandled
values
on
a
parsing
func<on
§ Remotely
exploitable
over
the
air
§ Plant
Killer
=>
§ We
recorded
a
demo
(no
leak
today)
40
42. Vendor3
Devices
42
§ Company
Profile
§ Self-‐proclaimed
leader
in
process
and
industrial
automa<on,
“Undisputed
leader
in
sensors”
§ Clients:
Nearly
all
manufacturing
companies
from
Fortune
500
§ 22.000
different
products
across
40
industries
§ Wireless
System
(Family)
§ Wireless
Gateway
§ Master
device
used
to
control
network
<ming
and
comm
traffic
§ Nodes
§ Collect
data
-‐>
TX
Gateway
44. Research
44
§ Wireless
Family
Technical
Note:
“Mul<-‐layer
security
protocol
protects
your
data”
§ Network
Security
§ Data
Security
§ Data
Integrity
and
Control
Reliability
“The
wireless
I/O
systems
provide
a
level
of
security,
data
integrity,
and
reliability
far
exceeding
most
wireless
systems
on
the
market
today”
45. Quotes
(Network
Security)
“This
family
is
designed
to
completely
eliminate
all
Internet
Protocol
(IP)
based
security
threats.
Wi-‐Fi
access
points
have
the
poten<al
to
route
any
and
all
data
packets,
which
is
why
these
systems
use
encryp<on”
45
Route
packets
=>
Use
encrypSon
§ One
model
=>
Ethernet
Data
Radio
§ Uses
AES-‐256
key
J
§ Other?
No
encryp<on
46. Quotes
(Data
Security)
“The
protocol
only
carries
sensor
data
values.
Only
I/O
data
is
transmiLed
in
the
wireless
layer.”
“A
hacker,
if
they
managed
to
receive
wireless
data,
would
only
see
the
actual
sensor
data,
not
what
the
sensor
was
reading
or
what
role
the
sensor
played
within
the
wireless
I/O
network."
46
§ Insecure
I/O
data
§ Sensor
Readings
§ Binding
codes
47. Quotes
(Comm
Protocols)
“Widely
used
open
protocols
such
as
Wi-‐Fi
have
serious
security
issues.
Even
a
high
degree
of
encryp<on
may
not
protect
your
data.
It
is
common
for
new
encryp<on
schemes
to
be
hacked
within
months
of
implementa<on.
Proprietary
systems
are
more
difficult
to
hack
than
an
open
standard.”
47
§ Encryp<on
is
useless
§ Open
standards
are
easier
to
hack
48. Quotes
(Comm
Protocols)
“Vendor
achieves
data
security
by
using
a
proprietary
protocol,
pseudo-‐random
frequency
hopping,
and
generic
data
transfer.
The
protocol
only
carries
I/O
data,
making
it
impossible
for
a
malicious
executable
file
to
be
transmiLed.”
48
§ FHSS
to
avoid
sniffing
§ The
family
is
malware
safe
49. Quotes
(Integrity)
“When
the
data
is
transmiLed,
a
CRC
algorithm
ensures
that
the
data
arrives
intact.
If
the
CRC
algorithm
fails,
the
corrupt
data
packet
is
discarded
and
the
data
is
automa<cally
retransmiLed
using
a
new
frequency
during
the
next
communica<on
cycle.”
49
§ Cyclic
Redundancy
Check
§ No
integrity
§ No
security
§ Only
for
network
errors
50. Quotes
(Comm
Protocols)
“This
protocol
does
not
operate
like
an
open
protocol
such
as
Wi-‐Fi
and
is
not
subject
to
the
risks
of
an
open
protocol.”
50
51. Disclosure
and
Coordina<on
§ 8
vulnerabili<es
reported
(today’s
vendors)
§ 1
patched
=>
PRNG
Vulnerability
(ICSA-‐13-‐248-‐01)
§ Are
vendors
responsible?
§ Did
they
no<fy
their
customers?
§ Is
documenta<on
truly
aligned?
§ Is
firmware
upgrade
easy?
52. Conclusions
(Securing
the
scheme)
52
§ Out
of
bands
methods
§ Pre-‐share
a
strong
secret
for
the
ini<al
link
(eg:
serial
comm)
§ Also
802.15.4
AES
Encryp<on
at
lower
layers
(MAC)
§ Secure
the
Node
Physical
Access
(Mainly
KDC)
§ Use
hardware
An<-‐tamper
mechanisms
§ Audit
Source
Code
//
Audit
Site
regularly
§ ICS-‐CERT
Hardening
Guides
§ Don’t
trust
vendor’s
documenta<on,
go
further.
53. Conclusions
53
§ Problem
space
has
always
been
an
open
topic
§ The
journey
of
keys
allows
prac<cal
aLacks
§ WSN’s
standards
maturity
is
growing
§ Vendors
can
fail
when
implemen<ng
them
§ No
evidence
of
previous
security
reviews
§ Tes<ng
the
field
loca<on
is
possible
with
the
proper
Hardware
and
open
source
So_ware
CC1111
RZUSB
TelosB
HackRF
54. Aknowledgements
54
§ ICS/CERT
–
US/CERT
§ References:
Piotr
Szcezechowiak,
Haowen
Chan,
A.
Perrig,
Seyit
A.
Camtepe,
Bulent
Yener,
Rob
Havelt,
Travis
Goodspeed,
Joshua
Wright…
§ All
IOAc<ve,
Inc.
55. THANK
YOU
!
Lucas
Apa
(lucas.apa@ioac<ve.com)
Carlos
Penagos
(carlos.hollman@ioac<ve.com)
@lucasapa
@binaryman<s