Vulnerable Radiation Monitoring Devices Won’t Be Patched

Three radiation monitoring device vendors will not patch a handful of vulnerabilities that could be abused by hackers, including a backdoor that affords high privileges on one device.

LAS VEGAS—Three radiation monitoring device vendors have told researchers they will not be fixing a handful of vulnerabilities that could be abused by hackers, including a backdoor that affords high privileges on one device.

The flaws were privately disclosed by IOActive researcher Ruben Santamarta to Ludlum, Mirion and Digi, manufacturers of radiation portal monitors, gate monitors, RF modules, management systems and other industrial gear used at border crossings, airports and nuclear power plants, among other locations.

All three acknowledged the vulnerabilities, but each had different rationales for their decision not to patch. Ludlum, for example, said its monitoring devices are deployed in secure locations, which it said is enough to deter successful exploits. Mirion said a patch would break interoperability with the WRM2 protocol it uses for communication; it also has contacted its customers about the vulnerabilities. Digi, meanwhile, said it did not consider the issues related to its devices a security issue.

“In terms of a potential attack, it’s very feasible,” Santamarta said.

Santamarta is scheduled today at Black Hat to present technical details about potential attack vectors against these devices, including radio-frequency based attacks, firmware- and hardware-based attacks. The attacks are relatively simple to perform once an attacker has some knowledge of the environment and the devices in use; some of the devices are relatively inexpensive and obtainable, while others are more difficult to acquire and study.

Santamarta said that a Mirion iPAM-TX transmitter for radiation monitoring devices, for example, can be purchased on eBay for around $200. Issues in the protocol allow an attacker to send data to a monitoring device and interfere with its operation.

“It’s likely an attacker could perform this type of attack. And it’s something that Mirion did not understand,” Santamarta said. “Even in the letter they sent to customers, they didn’t recognize the potential of this attack. They acknowledged there are some vulnerabilities, but they tried to downplay the risk, which is something I don’t agree with because it’s really simple.”

Ludlum portal and gate monitors are bit more difficult to analyze given their cost and availability to individuals. These are large monitors that detect gamma radiation in or on people or vehicles, for example, that pass through the portal or gate monitors. Santamarta, however, said he was able to download binaries from the Ludlum site that allowed him to examine the code.
It was in the Ludlum Portal Monitor where he found a backdoor password hardcoded in the binary that would allow an attacker to bypass existing authentication and take over a device. An attacker could disable it in such a way that it would not fire alarms when necessary, Santamarta said.

He also found issues in the Ludlum Gate Monitors, which has monitoring software that runs on Windows and collects and archives data from driving lanes where they are installed. The devices set off monitor for radiation, can set off alarms, capture images of vehicles and generate reports for admins. Communication between each gate monitor and the software runs over two protocols, Port 20034/UDP and Port 23/TCP, each of which contain vulnerabilities that allow an attacker to do anything from changing device settings, falsify readings or disable alarms via man-in-the-middle attacks.

The Mirion and Digi devices are often deployed in nuclear power plants, and monitor for radiation leaks and provide other critical data that empower operators to call for evacuations, for example, in a dire emergency.

Santamarta said he examined the Mirion Lazarus DRM2, a small radiation monitoring device that communicates over a WRM2-based radio, and the Mirion WRM-2 base transceiver and the iPAM-TX teledosimetry module. The WRM2 standard is built on top of OEM modules developed by Digi.

Santamarta examined two software applications running on the hardware, one .NET-based, the other Java. He was able to discover the keys used to encrypt the firmware files. In the Digi XBee XSC Pro firmware, he found that the firmware files are encrypted using a hardcoded key. The could ultimately allow an attacker to upload new firmware. An attacker with physical access could also carry out hardware hacks, he said.

The consequences could be that an attacker sends falsified readings simulating radiation leaks, or carrying out denial of service attacks against WRM2 devices.

“I can say for an attacker, it’s easy to perform these attacks, but it’s not easy to acquire the knowledge to perform these attacks,” Santamarta said. “To perform a sophisticated attack against a plant, you need resources and to know certain things. To perform a dumb attack where you send malicious information and see what happens, these are simple to do [if you have studied a device.]”

Santamarta hopes his talk influences the vendors to reconsider whether they patch.

“I was expecting to find some issues, but I was also expecting to find stronger security,” Santamarta said. “My impression is that they were not thinking about security when they designed these devices.”

Suggested articles