Thursday 24 August 2017

Critical Vulnerabilities Discovered in Radiation Monitoring Devices (RDMs) at Power Plants and Airports

Experts discovered flaws in widely deployed Radiation Monitoring Devices (RDMs) that could be triggered to raise false alarms and worse.

By Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
Previously published on 28th July 2017

This week at Black Hat in Las Vegas, researchers at information security firm IO Active, disclosed their findings on radiation monitoring devices from Ludum, Mirion, and Digi that were found to contain multiple unpatched vulnerabilities.

These vulnerabilities would allow an attacker to disrupt, delay, or obfuscate the detection of radioactive material, including leaks, which could lead to either risk of personal safety levels being impacted, or potentially aid smuggling of radioactive materials at airport/ports.
The findings from the report focus on the following:
  • Ludlum
    • 53 Gamma Personnel Portal Monitor
    • Gate Monitor Model 4525
  • Mirion
    • WRM2 Transmitters
  • Digi
    • XBee-PRO XSC 900
    • Xbee S3B (OEM)
Some of the vulnerabilities highlighted include hard-coded passwords with the highest level of privileges, this particular vulnerability was identified by reverse engineering the publicly available binaries of the Ludlum 53 Gamma Personal Portal- which detects gamma radiation in or on personnel passing through the portal from either direction:

Because of this “backdoor”, the authentication of the system can be effectively bypassed by a malicious actor to take control of the device, and according to the research paper would allow an attacker to disable it preventing RPM from triggering the appropriate alarms.

Additionally, the Ludlum Gate Monitor 4525 which is used to detect radioactive material in lorries cargo at ports, had a series of major configuration and security weaknesses, that would enable an attacker to conduct a MiTM (man-in-the-middle), attack.

According to the report, the Gate Monitor used protocols such as Port 20034/UDP and Port 23/TCP which does not deploy any encryption, effectively allowing an attacker to intercept/drop packets and falsify information or disable alarms.

With both of these vulnerabilities, an attacker would need to have compromised the WLAN, or devices connected to it, therefore using those machines to pivot to the Gate Monitor.
What about nuclear power plants?

The report also covered this with findings in both Digi firmware and Mirion’s devices. The researcher at IO Active Ruben Santamarta tested the software and firmware for the Mirion radiation monitoring devices that detect medium to long range radioactive levels at NPP (Nuclear Power Plants).

The WRM2 Devices software is written in .Net and Java, and uses the OEM XBee S3B wireless transceivers. The WRM2 software was reverse engineered by IO Active to reveal the encryption algorithm used to encrypt the firmware files (in the XCS-Pro and S3B-XSC), essentially allowing an attacker to modify or create a modified firmware.

This would allow an attacker to bypass the XBee’s AT Command handles and bypass OEM Network ID Read only protection, and transmit or receive from any XBee network.

In this scenario, attackers could intercept data or transmit false data to NPP systems either creating a falsified reading of a Radiation leak or create a Denial of Service attack, by interfering with the frames being sent to the WRM2 compatible devices.

The Vendors were all contacted under a responsible disclosure policy via ICS-CERT or directly:
Ludlum acknowledged the report but refused to address the issues, due to the devices being located at secure facilities. Mirion also acknowledges the report but cited that patching would effectively break the systems but is working collaboratively with Digi to address the issues.

In summary, this report further highlights the risks that third party components can introduce to high-risk targets such as nuclear power plants. With recent reports in the US of such assets being targeted and breached, this is an area that needs focus, not only from the organizations that are being targeted but also the technology providers who support Critical National Infrastructure.