Sensors widely used in the energy industry to monitor industrial processes are vulnerable to attack from 40 miles away using radio transmitters, according to alarming new research.
Researchers Lucas Apa and Carlos Mario Penagos of IOActive, a computer security firm, say they’ve found a host of software vulnerabilities in the sensors, which are used to monitor metrics such as temperature and pipeline pressure, that could be fatal if abused by an attacker.
Apa and Penagos are scheduled to give a presentation next Thursday at the Black Hat security conference in Las Vegas but gave IDG News Service a preview of their research. They can’t reveal many details due to the severity of the problems.
“If you compromise a company on the Internet, you can cause a monetary loss,” Penagos said. “But in this case, [the impact] is immeasurable because you can cause loss of life.”
An emphasis on industrial protection
The U.S. and other nations have put increased focus in recent years on the safety of industrial control systems used in critical infrastructure such as nuclear power plants, energy and water utilities. The systems, often now connected to the Internet, may have not had thorough security audits, posing a risk of life-threatening attacks from afar.
Apa and Penagos studied sensors manufactured by three major wireless automation system manufacturers. The sensors typically communicate with a company’s home infrastructure using radio transmitters on the 900MHz or 2.4GHz bands, reporting critical details on operations from remote locations.
Apa and Penagos found that many of the sensors contained a host of weaknesses, ranging from weak cryptographic keys used to authenticate communication, software vulnerabilities and configuration errors.
For example, they found some families of sensors shipped with identical cryptographic keys. It means that several companies may be using devices that all share the same keys, putting them at a greater risk of attack if a key is compromised.
They tested various attacks against the sensors using a specific kind of radio antennae the sensors use to communicate with their home networks. They found it was possible to modify readings and disable sensors from up to 40 miles (64 kilometers) away. Since the attack isn't conducted over the Internet, there's no way to trace it, Apa said.
In one scenario, the researchers concluded that by exploiting a memory corruption bug, all sensors could be disabled and a facility could be shut down.
Fixing the sensors, which will require firmware updates and configuration changes, won't be easy or quick. "You need to be physically connected to the device to update them," Apa said.
Apa and Penagos won’t identify the vendors of the sensors since the problems are so serious. They’ve handed their findings to the U.S. Computer Emergency Readiness Team, which is notifying the affected companies.
“We care about the people working in the oil fields,” Penagos said.