Draped across the automobile’s front license plate is a printout, attached like it came off a roll of Scotch Tape. On the printout is a SQL statement; probably the last thing anyone would expect to see as a hood ornament. No one knows where the photograph came from or whether someone was trying to be funny, or legitimately trying to compromise the backend system controlling the traffic camera in the same photo. But one thing is for sure, this clever stunt has helped shed light on the insecurity of control systems.
The photo was Tweeted March 17 by IOActive CTO Gunter Ollmann, and re-Tweeted more than 2,000 times as the best SQL injection attempt ever. Ollmann said in a blogpost that the driver was hoping to drop a database table in the control system controlling the cameras as they actively monitor traffic on the roads, reading license plates of violators.
“At some point, the video captures of the passing vehicle’s license plate must be converted to text and stored—almost certainly in some kind of backend database,” Ollmann wrote. “The hope of the hacker that devised this attack was that the process would be vulnerable to SQL injection—and crafted a simple SQL statement that could potentially cause the backend database to [delete] the table containing all of the license plate information.”
It’s doubtful the SQL injection would work in this case unless the hacker had inside knowledge of the control system managing the camera. Regardless, the issue is becoming more prevalent as physical surveillance and monitoring control systems integrate with digital backend processes, Ollmann said. For example, RFID tags are becoming a de facto tracking technology. They are increasingly common in toll booths, allowing drivers express passage through a toll, or in inventory systems logging the contents of shipping containers – and could be vulnerable to the same type of attack. If they accept an unlimited data set, for example, an attacker could present the reader with malicious code that could manipulate or delete a backend database.
“With Web app assessments, there are thousands of tools capable of testing for SQL injection that are easy to set up and run and you can just monitor the results,” Ollmann told Threatpost. “With physical embedded devices, it’s much more difficult to automate and assess systems. Developers tend to be more physical engineers than software engineers and are far less aware of things like SQL injection, so they are typically more vulnerable to successful attacks.”
Attacks, in turn, Ollmann said, are also more difficult to launch without working understanding of the target system, and are often a manual, labor intensive process. Rather than target what are often old legacy systems, some kind of middleware acting as a go-between for the device and the backend is the most logical place to look.
Meanwhile, industrial control systems and SCADA networks that manage ICS devices are increasingly more Internet-connected. Those that are Web-enabled can be found by a number of tools, including the Shodan search engine and are vulnerable to a host of attacks. The answer has always been to layer on more security on top of these legacy systems and middleware connecting them to devices. The additional layers bring additional complexity and often, unanticipated vulnerabilities.
“It’s very complicated and horrendously expensive,” Ollmann said. “Unlike the process of hunting for SQL injection vulnerabilities within Internet accessible Web applications, you can’t just point an automated vulnerability scanner at the application and have at it. Assessing the security of complex physical monitoring systems is generally not a trivial task and requires some innovative approaches. Experience goes a long way.”
