Wireless communication
Significant weaknesses in radio remote controls
Radio remote controls, such as those used in cranes, have some significant security vulnerabilities in industrial environments - this is the conclusion of a recent study by Trend Micro. What needs to be done?
Schematic representation of the connection between transmitter/remote control, receiver and controlled system. The control commands are coded in the transmitter by a microcontroller (MCU) and converted into radio waves by a radio transceiver (RF).
© Trend Micro
In many IT departments in industry, a 'security-by-obscurity' mindset still prevails: the security of a system is supposed to follow simply from keeping its inner workings secret, for example by using proprietary protocols instead of known, standardized procedures. Additional security measures are often not implemented. Furthermore, systems are often not patched because patching is very difficult, because they are too important to operations, or because they can only be taken offline at high cost. The long replacement cycles of such systems further increase the risk.
The radio remote controls examined by Trend Micro in summer 2018, from seven globally widespread manufacturers, work on the basis of packet radio protocols and transmit digital data that is converted into radio waves through modulation. Various modulation schemes such as frequency shift keying (FSK), phase shift keying (PSK), minimum shift keying (MSK) or variations of these are used. The devices transmit in ISM bands (mainly on 315, 433, 868 and 915 MHz). To ensure reliable transmission, the data is encoded before it is sent; this encoding serves reliability, not confidentiality.
The devices are certainly equipped with protective functions. However, these are designed primarily for operational safety rather than for security. The most common measures are the pairing of transmitter and receiver, passcode protection of the remote control, mandatory authorization of the operator using RFID or similar methods, and the restriction of the operating radius by setting up a virtual fence, for example using infrared. These procedures are not sufficient for effective security, as they are relatively easy to circumvent.
The detailed analysis revealed a number of security-relevant vulnerabilities in the systems examined:
- The remote controls examined do not use rolling code. This means that radio transmissions are not checked for freshness, and every transmitted data packet remains valid indefinitely. This makes replay attacks easy to carry out. The lack of this basic security function is surprising, since it is a standard feature of current consumer devices such as vehicle keys or garage door openers.
- The data exchanged between transmitter and receiver is not encrypted, or only weakly encrypted, and is therefore easy to predict.
- The software used to load new firmware onto transmitters and receivers does not prevent unauthorized reprogramming of the devices.
In principle, these vulnerabilities are easy to patch. However, in the case of the first two vulnerabilities, the sheer number of devices to be patched and their often poor accessibility is an obstacle that should not be underestimated. The implementation of effective encryption may also require changes to the hardware.
The attack scenarios
As part of the investigation, five types of possible attacks on these devices were identified, which differ in terms of their degree of difficulty and potential impact. The last three types of attack mentioned below are based specifically on the mode of operation of the type of remote controls investigated.
Replay attacks
In replay attacks, radio signals previously recorded by software or hardware receivers are replayed. These signals cannot be distinguished from legitimate communication. The effects of replay attacks depend heavily on the attacker's knowledge of their target: the longer an attacker can intercept commands and build a library from them, the better they can control the machine later. This does not require a constant physical presence in or near a factory hall or construction site. As part of the current research, Trend Micro developed and built a battery-operated device the size of a credit card that can receive, interpret and replay the corresponding signals. Such a device can be easily hidden in a plant or deployed using a drone and, in conjunction with a mobile radio interface, also enables remote attacks.
Command injection
Attacks using command injection require in-depth knowledge of the protocol to be attacked. For this purpose, received packets are analyzed and the protocol is reconstructed using reverse engineering. This is used to derive individual control commands that can be used to control a system.
Misuse of the emergency stop function
Schematic representation of an attack using emergency stop abuse: By sending the emergency stop command in a continuous loop, an attacker can paralyze the system for a longer period of time.
© Trend Micro
Based on either of these two attack methods, a system can be paralyzed by misusing the emergency stop function, similar to a denial-of-service attack in classic IT security. All of the devices examined have such an emergency stop as a safety function, with most of them complying with the ISO 13850:2015 standard. If an attacker succeeds in either intercepting or creating a corresponding radio signal, the machine is switched off via two safety relays.
Malicious re-pairing
Schematic representation of a malicious re-pairing attack: By intercepting the pairing sequence, an attacker can obtain a fully functional remote control.
© Trend Micro
Most remote controls allow the transmitter to be 'cloned', which means that a system can be operated by several controls. To do this, a pairing sequence is initiated and a corresponding code is sent to the receiver. If an attacker succeeds in intercepting and copying this code, they can use malicious re-pairing to connect their own, fully functional remote control to the system and thus control it.
Malicious reprogramming
While these attack methods all require at least a temporary presence of the attacker or their hardware in the vicinity of the target, remote attack vectors are also conceivable. For example, if an attacker succeeds in compromising a computer belonging to the target company or to the system integrator or reseller of the system, the system can be maliciously reprogrammed. Many control systems are supplied with a dongle that enables reprogramming (e.g. reassigning buttons, adding new remote controls, etc.). If this process and the IT endpoints used for it are not protected, any valid firmware can be loaded onto the device. This makes it possible, among other things, to disrupt the control system or to install so-called backdoors.
The prototype of the self-developed 'RFQuack' tool. The entire device is smaller than a credit card and therefore extremely inconspicuous.
© Trend Micro
The attack scenarios described can be carried out using either dedicated hardware, such as the well-known 'Yard Stick One' hacking dongle, or software-defined radios. As both types of device reached their limits during the investigation, Trend Micro developed a new, modular hardware tool with which the research work could be continued. The tool, called 'RFQuack', consists of a CC112x transceiver and an ESP8266-based development board. To enable remote attacks, a WLAN transceiver was also installed that can be connected to a 4G hotspot. The hardware has a total value of less than 35 euros. For around 20 euros more, a cellular modem could also be installed, making the 4G hotspot superfluous. The firmware was developed in-house. In view of the low-cost hardware, it is likely that a skilled attacker would also succeed in developing such an attack tool.
The possible consequences
The fact that attacks on industrial radio remote controls are relatively easy to carry out does not mean that they will happen. Rather, a motive is also required on the part of potential attackers. Experience has shown that there are three possible motives, some of which are sector-specific:
In the industrial and construction sectors, sabotage is particularly likely. Attackers could either disrupt production processes or even cause accidents, damage equipment or endanger workers. In this scenario in particular, material damage is compounded by the potential loss of image.
In the logistics sector in particular, such an attack can also lead to the theft of goods. A large number of remote-controlled cranes and similar equipment are used here in particular. If an attacker manages to take control of them, goods could be unobtrusively loaded onto their own vehicles and stolen.
In the case of attackers with economic motivation, both attack scenarios can be combined with possible blackmail. For example, a monetary payment can be demanded in order to reactivate paralyzed systems, stop sabotage attempts or return 'hijacked' goods.
What needs to be done?
Due to the long lifespan of the products examined, the vulnerabilities discovered will be around for years, possibly decades. But it is possible to patch them. Trend Micro has already contacted the affected manufacturers before the investigation was published and supported them in improving security. Some have already taken the necessary countermeasures and provided software updates. Others will improve security in future generations of devices. In general, however, availability requirements and high downtime costs make patching more difficult.
Manufacturers, integrators and users of radio remote controls are well advised to introduce a number of security measures in order to provide the best possible protection against the attack scenarios described.
Manufacturers should
- Develop and implement suitable security mechanisms and provide secure firmware upgrades for existing devices. The upgrades should include rolling code protection, as is already common in other device classes, to prevent replay attacks. It is also recommended that the inner workings of the devices be better protected against tampering in order to make reverse engineering more difficult.
- Consider installing transceivers that support encryption on the hardware side.
- Build new products on open, known and standardized protocols such as Bluetooth Low Energy, where security-by-design is already implemented.
- Take technological advances into account when developing future product generations. For example, a network connection for remote controls would enable over-the-air firmware upgrades and the distributed generation of encryption keys. This would make security easier to manage.
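The missing rolling code described in the vulnerability list, and the rolling-code protection recommended to manufacturers above, can be illustrated on the receiver side. The following is an added example and not code from Trend Micro or from any of the examined devices: it assumes a hypothetical frame format (one command byte, a 32-bit counter, a truncated HMAC tag) and a key shared at pairing, and shows why a recorded packet is rejected when replayed while a fresh packet from the same transmitter is accepted.

```python
import hashlib
import hmac
import struct

# Constructed command codes for the illustration (not a vendor's protocol).
HOIST_UP = 0x10
HOIST_DOWN = 0x11
E_STOP = 0xFF

TAG_LEN = 8  # tag truncated to keep the radio frame short (assumption)


class RollingCodeTransmitter:
    """Remote control side: every frame carries a fresh, increasing counter."""

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.counter = 0

    def send(self, cmd: int) -> bytes:
        self.counter += 1
        header = struct.pack(">BI", cmd, self.counter)  # cmd, counter
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag


class RollingCodeReceiver:
    """Receiver side: accept a frame only if its tag verifies under the
    pairing key and its counter is newer than the last accepted one."""

    WINDOW = 16  # tolerates presses made while out of range (assumption)

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.last_counter = 0

    def verify(self, frame: bytes):
        """Return the command if the frame is authentic and fresh, else None."""
        if len(frame) != 5 + TAG_LEN:
            return None
        header, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, corrupted, or sent under another key
        cmd, counter = struct.unpack(">BI", header)
        if counter <= self.last_counter:
            return None  # already seen: a recorded frame being replayed
        if counter > self.last_counter + self.WINDOW:
            return None  # too far ahead: would need an explicit resync step
        self.last_counter = counter
        return cmd
```

Without the counter check, `verify` would accept the same recorded frame every time, which is exactly the behaviour the study found in the examined devices.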
System integrators and users should
- Be aware of the technical basics. This includes, for example, thoroughly reading technical manuals before making a purchase decision. Only devices that support configurable pairing codes should be purchased, and these codes should be changed regularly during operation.
- Secure computers and update them regularly. If the remote controls are programmable, the computer used for programming should either be disconnected from the network or hardened as if it were a critical endpoint. Most remote attack opportunities require the programming computer as an attack vector.
- Consider next-generation products when making purchasing decisions. In addition, products that are based on two different technologies (for example, infrared and wireless) and use open, standardized protocols such as Bluetooth Low Energy should be preferred.
A white paper with further technical details is available for download on the Trend Micro website.
Author:
Udo Schneider is a Security Evangelist at Trend Micro.