Undetectable ghost in the controller
Black Hat EU Security researchers have come up with another way to hack Programmable Logic Controllers (PLCs) at industrial plants.
Ali Abbasi, a PhD student at the University of Twente, and Majid Hashemi, a research engineer at Quarkslab, have developed an attack that involves tweaking the PIN configuration of a system chip in order to manipulate the physical process a PLC controls. “The attack is feasible due to lack of hardware interrupt on the PLC’s SoC and intensified by PIN Control subsystem inability for hardware level Pin Configuration detection,” the researchers explained.
During a presentation at the Black Hat EU conference last week, the duo showed how it was possible to use the approach to interfere with the on/off control of an LED to keep it permanently on while its associated controller thought it was blinking. Embedded controllers are used to control physical processes in power plants, factories and more so compromised devices present a significant security risk.
The researchers also demonstrated how to circumvent current host-based detection mechanisms by avoiding typical function hooking or modifying kernel data structure. Their talk was entitled, Ghost in the PLC: Designing an Undetectable Programmable Logic Controller Rootkit.
The duo hope their work will help lay the foundations for the design of more robust detection techniques specifically tailored for PLCs.
Hashemi stated that the talk on rootkits and associated hack techniques against industrial control systems was “not about developing another Stuxnet” (the presumed US-Israeli cyber-weapon that physically hobbled high-speed centrifuges at an Iranian nuclear plant).
For one, there are much easier ways to hack industrial control plants, according to Hashemi. “You see default passwords everywhere, even in critical systems,” he said.
Gabriel Gonzalez, principal security consultant at IOActive and an expert in SCADA security who attended the talk, said hackers would need to have secured control of a system in order to plant a rootkit and manipulate its operation in the way outlined by Abbasi and Hashemi. ®
Sponsored: Customer Identity and Access Management