Schneier on Security
A blog covering security and security technology.
« Breaking the Xilinx Virtex-II FPGA Bitstream Encryption |
| Developments in Facial Recognition »
August 2, 2011
Attacking PLCs Controlling Prison Doors
Embedded system vulnerabilities in prisons:
Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.
Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. including eight maximum-security prisons says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.
This seems like a minor risk today; Stuxnet was a military-grade effort, and beyond the reach of your typical criminal organization. But that can only change, as people study and learn from the reverse-engineered Stuxnet code and as hacking PLCs becomes more common.
As we move from mechanical, or even electro-mechanical, systems to digital systems, and as we network those digital systems, this sort of vulnerability is going to only become more common.
Posted on August 2, 2011 at 6:23 AM
• 21 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
PLCs are already everywhere. I use to install them in water and waste water facilities 15 years ago. They were ubiquitous then, even more so now. Every large building built in the 30 years has them to run their hvac systems, many homes have them now. That said, every system I installed was independent and not connected to the internet - this was purely for security reasons. Given the route the stuxnet was introduced to nuclear facility, I would have to bet that is still true today.
I shudder to think what will happen when everyone's car is on the Internet, when you can remotely control a car from a smartphone app, and when these cars start sharing information with each other on the highway while hurtling at 80 mi/hr (128 km/hr) -- all features now being hyped by auto manufacturers as the next great advance in the driving experience.
Agree that linked and digital systems have large-scale vulnerabilities. I'm not sure that PLCs are notably vulnerable. It would help if the PLCs didn't use factory standard passwords...
> I would have to bet that is still true today.
I bet that it isn't.
Option 1, compeltely air gapped system where you have to send out a technician to do updates, check status, get measurements
Option 2, a well designed completely separate secure system using it's own sealed comms infrastructure designed by an expert in security
Option 3, Cheapest implementation whish also offers lots of convenient looking 'remote access' cost saving features. Written by somebody that had found a free http client in the RTOS and has no idea about security - I mean, who would want to hack a sewage plant?
See http://catless.ncl.ac.uk/Risks/26.51.html#subj7 which points to http://threatpost.com/en_us/blogs/...
'Remote access to cars, water plants, etc. (Dennis Fisher)'
Essentially, cars with built-in GSM systems often have no real security on those GSM systems, and can be hacked via properly crafted SMS messages.
To quote: "This is not technologically advanced. The fact is, you can own these kinds of systems in under a couple of hours," he said. "It's easy. There's no confidentiality or integrity built into the systems. We shouldn't have the equivalent of SQL injection in hardware, and that's what this is. That's the danger. It shouldn't be possible for any fly-by-night 12-year-old to do this."
"It shouldn't be possible for any fly-by-night 12-year-old to do this."
They shouldn't be up that late, for one thing!
As the community becomes more aware of what PLC systems are and, more importantly, how to use them, they will become more frequent targets for hacks, that much is clear. The GSM hacks on cars are scary enough, but infrastructure hacks are a little more terrifying.
I wonder, though, how hard/expensive it would be to properly secure these machines? Stuxnet had a fairly complicated screening program to make the PLC side of things think everything was going OK; granted, the code's available, but the implementation will be different from site to site based on the arrangement and that should help.
One thing these types of hacks show, though, is that people are still exploitable and that using USB keys is like having unprotected sex in a HIV-flush country...
I have a bad feeling about this.
PLCs were not designed with the goal of security, and the line engineers are often not interested in security.
The SCADASEC mailing list has some good discussion from earlier this year regarding the nature of SCADA/PLC systems.
Risk management is the name of the PLC game, and only when the cost of insecure PLC systems is higher than the cost of secure PLC systems will security be put in place.
I believe the US government is working to add risk in the form of legal requirements and penalties in the area of CIP.
mdb is not correct in that devices are not connected; some modern systems are designed to be viewed and managed over a LAN (independant of the modbus/iec control networks). Betcha that that LAN has a gateway to the 'net...
We had a discussion in an earlier thread about this, particularly about the rather alarmist connecting of this to prisons. I saw an article accentuating the alarmist nature by headlining, "Hackers could release killers from prison."
Of course, hackers could also release jaywalkers and savings bank executives from prison, too, but that wouldn't make for such a scary headline. :-)
In a lot of modern prisons today, those hackers would have to penetrate and control the PLCs for not just the cells, but ALL the gates between the housing units and the outside world.
They would also have to lock down some of the gates to keep the prison staff from rounding up the prisoners again - which lockdown would of course also continue to keep the prisoners penned in unless the hackers knew the exact layout of the prison and could open a "corridor" for prisoners to escape that would not also allow the guards to confront them.
Said hackers would also have to somehow lock down the armory or prevent the guards from accessing it, else the guards would be armed and the prisoners not.
All in all, it's not a vulnerability I would lose any sleep over, if I was a prisoner or a guard.
The general lack of security on PLCs in infrastructure terms is more interesting.
Every system is connected to a network, and because the systems I worked on were funded by taxpayers they were usually ridiculously over built networks (e.g. a redundant fibre optic network for the Waterbury CT sewer treatment plant in 2000), but the network was NOT connected to the internet in anyway.
One thing to keep in mind is that even a network which is NOT intended to be connected to the Internet probably CAN be connected if someone can gain physical access to it for a couple minutes.
All it needs is a tiny Linux box with a wireless card plugged into it somewhere where no one will notice to breach the "air gap". Of course that requires (temporary) physical access to the network, but in many cases that might well be feasible and sufficient.
Physical security is frequently as much or more a joke than computer security. Especially as it's usually considered separately from computer security when designing a physical system that ends up being controlled by a computer.
"Who would ever steal a sewer system?" So the physical security isn't that good. Which means the computer security is vulnerable to having its "air gap" breached as well.
Isn't there a TV commercial that is currently running in the US where a guy is talking to his girlfriend on the phone, and she is using her smartphone to remotely lock and unlock the doors on the car he is standing near?
I think it is a VW, so it seems that Volkswagen has it's own version of OnStar.
We live in interesting times indeed. Are Siemens & co. on their way to becoming the new Microsoft ?
actually, the Stuxnet work attacked WinCC, a MS Windows programming environment from Seimens; it did not attack the PLCs. OTOH, there *have* been S7 vulnerabilities announced since then, in which stored passwords blocking access to PLC code could be obtained by an attacker. to their credit, Siemens responded quickly, if only with a workaround (fix to follow later, IIRC).
I work somewhere that uses a heck of a lot of PLCs, for their intended purpose of programmably controlling things with logic. And I have to say, I am pretty surprised by Strauchs' claim that door controllers in prisons use PLCs. Especially high-end PLCs like the Siemens ones targeted by Stuxnet. For 3 simple reasons:
a) the kind of stuff you want to do in controlling a door isn't a great fit for what PLCs do, and how they are usually programmed. For example, one of those PLCs may typically be controlling dozens of relays (up to around 160), or generating several real-time, 12-bit resolution analogue signals. In comparison, a door controller's only outputs are one relay for the solenoid, and maybe a TTL line for an LED and sounder.
b) PLCs tend to be a couple of orders of magnitude more expensive than the sort of simple microcontroller that can be used to drive a door; and
c) door controllers that I have examined to date, have all used generic microcontrollers.
The only way this makes sense is if one PLC is controlling every door in a wing, with long high-current lines radiating out to solenoid relays at every door. If that is the case, then it's a bizarre but interesting architecture with all its own problems.
Prisons have another layer of defense in depth: if you have the resources to unlock someone's doors, you have the resources (at least according to endless news reports) to bring whatever creature comforts and communication tools they may want right to their cell. Once again, you don't have to make an attack impossible, just more expensive than the alternatives.
An organization that was trying to foment widespread unrest, rather than just freeing some small set of individuals, might be more interested in this kind of attack. Imagine if some random subset of prison doors in a state opened every night sometime between 2 and 4.
Roger: "The only way this makes sense is if one PLC is controlling every door in a wing, with long high-current lines radiating out to solenoid relays at every door. If that is the case, then it's a bizarre but interesting architecture with all its own problems."
Most prison systems pop all inmate doors at a given time several times a day, such as morning meals, or recreation periods. A lot of prisons these days have a central control booth or desk in each housing unit where the guard controls all the doors and other objects such as lights, intercoms, access to water in the sink (so they can cut it off as a coercion measure if you act up), etc.
So I suspect these PLCs are controlling a lot more than a door.
On the complexity of door controllers: As noted above, the doors are networked together to allow remote control and probably monitoring. It seems likely that advanced door controllers would also be capable of having a key/card/passcode peripheral attached -- even if this feature were not used in (most?) prison doors.
The military-grade part of Stuxnet wasn't really the technology - that could fairly easily be replicated by criminal actors. Rather, it was the intelligence-gathering that was done on the target network.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.