Weak Key Generation Plagues Wireless Industrial Automation Software

A hacker miles away can conduct a brute-force attack against industrial automation software used worldwide in the gas, oil, water and electric industries.

Industrial automation software used worldwide to create and configure wireless radios that connect devices in environments such as oil and gas is vulnerable to attack by a hacker armed with an antenna from as far as 30 miles away.

Though the vulnerability in the ProSoft Technology RadioLinx ControlScape pseudo random number generator has been patched through a firmware update released last month, it’s unlikely many of these devices will be patched in short order. IOActive researchers Lucas Apa and Carlos Penagos said these devices are deployed in often difficult-to-reach locations and must be disconnected and attached to a PC to receive the update.

“It is not possible to do these updates over the air,” Apa said. “It is not the same as business wireless.”

The affected software application does many things, including acting as a visualization tool that provides a graphical representation of the industrial radio network. It also manages all important configurations and settings for the network and monitors its performance; it is primarily used with Rockwell Automation and Schneider Electric industrial products used in the oil and gas industries, as well as water, wastewater and electric utilities.

The vulnerability discovered by Apa and Penagos is an issue with the passphrase generated upon creation of a new radio network connection, specifically in a setting for secure communication between the network and industrial devices. The software uses the local time as the seed for the new passphrase, making it relatively simple for a hacker to guess the password via a brute force attack or another type of cryptographic attack.

“By being able to guess the passphrase, an attacker could communicate with the network the device is connected to with devastating consequences,” Penagos said.

If an attacker is successful using a brute-force attacker to guess the passphrase and gain network access, they could conduct further attacks such as sending modified packets to industrial processes through the network, causing catastrophic failures, the Penagos and Apa said.

All of this, the researchers said, can be done remotely with an antenna and without Internet access. Similar research was presented at by the two IOActive researchers at Black Hat this summer in Las Vegas.

The new firmware is v6.00.040, which Panagos and Apa said they have not tested yet. ProSoft recommends updating as soon as possible and also suggests changing the default seed passphrase which will increase the entropy of the passphrase generation process, the company said.

“Our goal is to ensure that workers in the field have a secure environment in which to work,” Apa said. “This is what we want.”

Suggested articles