IOActive ICS

We put Apa and Hollman’s Black Hat paper, Compromising Industrial Facilities From 40 Miles Away, in the Worth Reading last Friday. Later on Friday Walt Boyes savaged the researchers in a blog entry saying “There’s a word for cyber researchers like this: irresponsible.”

So is it worth reading or irresponsible? Probably both.

The paper looks at RF offerings from Prosoft’s RadioLinx, OleumTech, and Banner that are used in the ICS world. Specifically it analyzes the encryption and key management scheme used in these solutions.

The researchers deliver a very important message: crypto is hard, and a proprietary encryption and key management scheme is likely to be breakable. They prove their case with technical details. Read the paper and see:

  • weak pseudo random number generators for crypto key generation
  • finding crypto keys in project files
  • low entropy in key generation
  • finding keys in firmware
  • authentication bypass
  • cleartext establishment of secure sessions

The three vendors tend to promote and defend their proprietary security systems through emphatic assertion, and the researchers quote a number of these claims in the paper. Clearly the researchers have proven that the vendors’ confidence in their security is unwarranted. With RFCat, HackRF and other software defined radio peripherals, the barrier to entry to hack RF comms is plummeting.

This is an important paper, worth reading, that drives home the point that proprietary crypto should not be trusted unless it has undergone extensive third party testing and analysis.

However, Walt has a point as well. The paper, and particularly the presentation, conflate wireless technologies and add a fair amount of unnecessary hype. The security issues with Zigbee were older work and unrelated to the proprietary crypto issue. Hopefully, when they mentioned ISA100.11a and WirelessHART, they noted that these use a different security protocol from Zigbee, one that was developed in the open and has undergone significant scrutiny.

It’s true that the three vendors are self-proclaimed industry leaders, but unless I missed the sarcasm, the researchers shouldn’t be parroting vendor hype while pointing out vendor falsehoods about bulletproof security. The researchers can’t be judged on press coverage, as they have no control over what the press picks up.

On balance the work is a big net plus and hopefully will spur the industry to think twice about developing or buying proprietary security solutions.
