The Internet of Things brings new innovations to industrial applications by making automation and remote control more practical and intelligent. As industrial engineers implement radio frequency controllers, new security risks are emerging that use them as a new attack vector.
Trend Micro Research reported the results of a recent research project in an article that sheds light on the types of cyber attacks that industrial radio remote controllers make possible. “We found that it is possible to perform attacks within or out of RF range,” they concluded after creating an inconspicuous device that they could plant in an industrial setting. With it, they were able to access nearby industrial remote controllers and exploit vulnerabilities of the communication protocol used by current RF receivers. They dubbed it “RFQuack.”
How Trend Micro Found Vulnerabilities in RF Protocols
In order to exploit weaknesses in existing RF protocols, Trend Micro developed a series of devices that they could place in an industrial facility and use to communicate with remote controllers within range. After a number of experiments, they settled on a pocket-sized Arduino-based device that’s battery-powered and small enough to place in inconspicuously. They loaded it with exploit software and deployed it to demonstrate how RF protocols could be hacked by anyone with access to a facility.
How Does RFQuack Work?
Trend Micro designed RFQuack as a proof-of-concept device that’s controlled using Message Queuing Telemetry Transport (MQTT), Wi-Fi, 3G, or 4G communications. This means that an attacker could control it over a cellular internet connection or a local Wi-Fi connection.
Once deployed, RFQuack can be set up to wait until it receives a radio packet from a remote controller broadcasting in the area. It can be programmed to simply passively record the radio packet traffic it detects, or it can respond to radio controllers. Trend Micro developed a couple of different attacks that sent pre-determined commands to controllers or modified packets on the fly depending on what it received.
The Types of Attacks RFQuack Could Execute
The researchers found that most RF receivers are not designed with security in mind. They developed a simple program that was able to passively receive a radio frequency packet and determine how to communicate with the receiver. Once RFQuack had retrieved the secret code used to pair an RF controller with a receiver, it was able to impersonate a controller and send commands to the equipment controlled by an RF receiver.
They were able to create custom commands to some industrial radio remote controllers or send E-STOP commands that disabled equipment by shutting it down. If the controller uses a known protocol, RFQuack is then capable of sending a start command to the receiver and begin controlling the equipment with documented RF commands.
How Systems Administrators Can Keep Industrial Radio Controllers Secure
Industrial remote controllers clearly are a security risk for facilities that can be accessed even temporarily by unauthorized personnel. If an attacker can plant a device like RFQuack within range of RF receivers, they could conduct similar operations to disable or damage equipment.
The first line of defense is choosing RF controllers that are secure. System designers installing industrial radio remote controllers should source them from vendors that use security features that disable receivers when a transmitter is out of range. Called virtual fencing, this feature makes it more difficult for an attacker to communicate with a remote controller.
Here are a few other recommendations Trend Micro suggests:
- Check before purchasing RF controllers that the pairing codes can be custom configured
- Change the pairing codes periodically
- Select tamper-proof controllers that are difficult to reverse engineer
- Use controllers that implement open RF communication protocols
- Implement rolling-code systems that make hacking difficult
Given the critical nature of remote-controlled industrial equipment like construction cranes and hoists, it’s important to harden the remote controller technology used if the premises cannot be completely secured. Thanks to security firms like Trend Micro, industrial firms can stay a step ahead of the evolving cybersecurity threats that they face.
Our systems don’t have these sort of issues because they are industrial rated and they operate with digital encoding and supervised transmission as well as frequency band selection.