Fotolia RAW -

Millions of industrial remote controllers open to attack

Millions of industrial remote controllers are open to cyber attack because of vulnerabilities in the radio frequency technology used, a study has revealed

Radio frequency (RF) remote controllers used to operate heavy industrial machinery, including cranes and drills, are extremely susceptible to cyber attack, security researchers have discovered.

“RF remote controllers are based on packet radio protocols, which involve modulating a byte-stream as radio waves,” the report said. “Their increased connectivity with other devices (e.g. CAN [controller area network] bus) makes them an interesting target for attackers.”

While cyber defences are constantly improving in the consumer sphere, Trend Micro’s report reveals that the same practices are not being applied for industrial applications. Remote controllers are vulnerable to attack due to the fact captured packets remain valid indefinitely and the lack of code update mechanisms, encryption and software protection.

Seven of the biggest global remote control manufacturers used in the manufacturing, construction and transportation industries are susceptible to attack, with hackers able to remotely hijack radio requests and take complete control of the machine, according to research by security firm Trend Micro.

The report on the security analysis of radio remote controllers for industrial applications highlights notes the use of obscure, proprietary protocols instead of standard ones makes controllers vulnerable to command spoofing, so an attacker can selectively alter their behaviour by crafting arbitrary commands, with consequences ranging from theft and extortion to sabotage and injury.

“The legacy and widespread RF technology used to control industrial machines is affected by serious security issues that impact several market verticals, applications, products and brands,” the report said.

The researchers warned that currently and widely used legacy RF technology for industrial applications can be abused for sabotage of equipment, theft of goods by manipulating equipment and extortion by demanding payment to hold off or cease equipment interference.

Read more about industrial cyber security

The report also identifies five main classes of attack:

  1. Replay attacks in which the attacker can record RF packets and replay them to obtain basic control of the machine;
  2. Command injection attacks in which the attacker can modify RF packets to control the machine;
  3. Emergency stop abuse attacks in which the attacker can replay e-stop commands indefinitely to cause a denial of service condition;
  4. Malicious re-pairing attacks in which the attacker can clone a remote controller or its functionality;
  5. Malicious reprogramming attack in which the attacker reprograms the firmware on the remote to obtain full control.

The report is aimed at raising awareness of the security issues discovered and urges RF controller makers to implement proper security mechanisms and provide secure firmware upgrades to existing devices to eliminate security vulnerabilities.

The Trend Micro researchers also recommend implementing tamperproof mechanisms to hinder reverse engineering.

The report also urges equipment makers to build on open, well-known, standard protocols such as Bluetooth Low Energy, which offers security by design as part of the protocol and to consider future evolutions or iterations when designing next-generation systems.

In particular, the report said network-connected remote control systems, while in principle opening more attack venues, also offer an opportunity to implement over-the-air (OTA) firmware upgrade capabilities and distributed key exchange schemes, which would make the security of future devices manageable.

Being aware of the basics

System integrators and user organisations should be aware of the basics of the technology, the report said, and inspect the technical manuals before purchasing a device to ensure that it supports configurable pairing codes, and change these codes periodically.

The report also recommends that system integrators and user organisations keep computers properly secured and up-to-date, and if the remote controllers are programmable, the programming computer should be kept off the network or hardened as if it were a critical endpoint.

When current deployments need replacements, the report said remote control systems that offer dual-technology devices such as infrared communication plus RF should be preferred, as should products that use open, well-known, standard wireless technologies rather than “custom” wireless technologies.

Trend Micro has shared its findings with the suppliers of remote controllers used in the study. The security firm said all suppliers have taken the security advice on board, with one issuing its first ever software security update.

The report notes that a number of the suppliers examined in the study have made “significant strides” towards taking accountability and acknowledging their shared responsibility in ensuring security, but the report concludes that manufacturers in general need to start thinking about moving to stronger open-source protocols rather than relying on security through obscurity.

“It could be challenging to balance the almost real-time requirements and secure RF transmission, but the hardware technology is there, ready to be used,” the report said.

Read more on Hackers and cybercrime prevention

Data Center
Data Management