Security researchers demonstrated at the annual Black Hat Europe conference a new, hard-to-detect rootkit that can be used to sabotage critical industrial equipment.
The Undetectable Rootkits Can Poison Critical Industrial Infrastructure
Two researchers presented at the Black Hat Europe conference in London a new method of infecting critical industrial equipment with a rootkit that conventional security tools do not detect. The demonstration shows how an attacker can leverage this vector to sabotage important infrastructure anywhere in the world.
The rootkit targets PLCs (Programmable Logic Controllers), the embedded controllers that run the control program and drive the physical equipment. Through their I/O the PLCs read and operate valves, sensors, breakers, alarms and similar field devices.
PLCs form the basis of every Industrial Control System (ICS) and of SCADA, an acronym for Supervisory Control and Data Acquisition. They allow operators to control and adjust the process running on industrial equipment at both local and remote sites.
In essence they are embedded systems that run a limited operating system. Their hardware is built around a SoC (System-on-Chip) that samples the electrical signals arriving at the input pins and drives the output pins of the Input/Output module. The same SoC also handles pin control, that is, the multiplexing and configuration (input or output) of those pins.
The two researchers, Ali Abbasi (University of Twente, The Netherlands) and Majid Hashemi (engineer at Quarkslab), targeted that pin control subsystem. Their attack abuses a mechanism that neither the PLC runtime nor regular security software inspects.
The Rootkit at Work
The rootkit does its work by manipulating the pin configuration that the PLC keeps in memory: in effect a table listing which pins act as input lines and which work as outputs. By altering that table the remote attacker can feed the PLC counterfeit readings from its sensors, which then trigger a wrong command in the internal control logic or a wrong action by the human operator responding to the reading.
In addition the attacker can reconfigure the output pins so that the runtime's writes never reach the field wiring, which prevents operators from controlling the infected PLC. One sabotage scenario given as an example: a changed configuration prevents the automatic shutdown of a valve when the temperature reaches its critical value in a critical infrastructure environment. Another is the manipulation of tank pressure sensor readings in pressure-sensitive boilers.
The attack relies on exploiting a security vulnerability to obtain root privileges on the operating system that powers the PLC. With root the attacker can load a Loadable Kernel Module (LKM), which adds code to the running kernel without a reboot or any interruption of the process. The module is loaded again every time the PLC reboots, which gives it the persistence of a typical rootkit. Because it changes only the pin configuration and leaves the PLC program and the runtime binary untouched, integrity checks on those components will not notice it; the check that can catch it is comparing the live pin configuration against the I/O map the engineer commissioned.
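The following is an added example, not code from the talk or from the researchers, that models the effect described above. It simulates a SoC GPIO block with one direction bit and one data bit per pin, a one-rung PLC program that closes a valve when a temperature switch trips, and the pin control attack that swaps the direction of both pins. The register layout, pin numbers and PLC program are assumptions for the example. The last function shows the check a defender would run: compare the live direction register with the commissioned pin map.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a SoC GPIO block as seen by a Linux PLC runtime.
 * Pin numbers and register layout are assumptions for this example. */
#define PIN_TEMP_HIGH  4    /* input: high-temperature switch, 1 = over limit */
#define PIN_VALVE      17   /* output: shutdown valve, 1 = closed */
#define BIT(n)         (1u << (n))

struct gpio_regs {
    volatile uint32_t dir;  /* 1 = pin driven as output, 0 = pin sampled as input */
    volatile uint32_t dat;  /* data latch; writes reach the wire only for output pins */
};

struct plc {
    struct gpio_regs regs;  /* "hardware" registers reachable from the kernel */
    uint32_t wires;         /* physical levels on the field wiring */
    uint32_t expected_dir;  /* pin map the engineer configured at commissioning */
    int valve_cmd;          /* runtime's own variable, what the HMI displays */
    int temp_seen;          /* last input value the runtime sampled */
};

/* Like real GPIO hardware: input pins sample the wire, output pins read back
 * their own latch. */
static int gpio_read(struct plc *p, unsigned pin)
{
    if (p->regs.dir & BIT(pin))
        return (p->regs.dat >> pin) & 1;
    return (p->wires >> pin) & 1;
}

/* A write updates the latch but only drives the wire if the pin is an output. */
static void gpio_write(struct plc *p, unsigned pin, int v)
{
    if (v) p->regs.dat |= BIT(pin); else p->regs.dat &= ~BIT(pin);
    if (p->regs.dir & BIT(pin)) {
        if (v) p->wires |= BIT(pin); else p->wires &= ~BIT(pin);
    }
}

void plc_init(struct plc *p)
{
    p->regs.dir = BIT(PIN_VALVE);       /* only the valve pin is an output */
    p->regs.dat = 0;
    p->wires = 0;
    p->expected_dir = p->regs.dir;      /* recorded for the integrity check */
    p->valve_cmd = 0;
    p->temp_seen = 0;
}

/* One scan cycle of the PLC program: close the valve when the switch trips.
 * The program itself is never modified by the attack. */
void plc_scan(struct plc *p)
{
    p->temp_seen = gpio_read(p, PIN_TEMP_HIGH);
    p->valve_cmd = p->temp_seen;
    gpio_write(p, PIN_VALVE, p->valve_cmd);
}

/* The pin control attack: swap the direction of both pins. Code, variables
 * and I/O table of the runtime stay intact, so their checksums still match. */
void rootkit_flip_pins(struct plc *p)
{
    p->regs.dir |= BIT(PIN_TEMP_HIGH);  /* now an output: reads return the latch (0) */
    p->regs.dir &= ~BIT(PIN_VALVE);     /* now an input: writes never reach the wire */
}

/* What the plant does to the wire, independent of the runtime. */
void plant_set_temp_high(struct plc *p, int high)
{
    if (high) p->wires |= BIT(PIN_TEMP_HIGH); else p->wires &= ~BIT(PIN_TEMP_HIGH);
}

int valve_on_wire(const struct plc *p) { return (p->wires >> PIN_VALVE) & 1; }

/* Integrity check: bitmask of pins whose direction differs from the pin map. */
uint32_t detect_pin_tamper(const struct plc *p) { return p->regs.dir ^ p->expected_dir; }

struct outcome { int temp_seen; int valve_cmd; int valve_wire; uint32_t tamper; };

/* Scenario: normal scan, optional infection, then the boiler goes over limit. */
struct outcome run_scenario(int tampered)
{
    struct plc p;
    struct outcome o;
    plc_init(&p);
    plc_scan(&p);
    if (tampered)
        rootkit_flip_pins(&p);
    plant_set_temp_high(&p, 1);
    plc_scan(&p);
    o.temp_seen = p.temp_seen;
    o.valve_cmd = p.valve_cmd;
    o.valve_wire = valve_on_wire(&p);
    o.tamper = detect_pin_tamper(&p);
    return o;
}

int main(void)
{
    struct outcome c = run_scenario(0), r = run_scenario(1);
    printf("clean:   temp=%d cmd=%d wire=%d tamper=0x%x\n", c.temp_seen, c.valve_cmd, c.valve_wire, c.tamper);
    printf("rootkit: temp=%d cmd=%d wire=%d tamper=0x%x\n", r.temp_seen, r.valve_cmd, r.valve_wire, r.tamper);
    return 0;
}
```

In the infected run the runtime samples 0 from the temperature switch even though the wire is high, leaves the valve open, and the HMI shows a consistent "temperature normal, valve open" picture; only the comparison of the direction register against the commissioned map reveals the two flipped pins.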
A few months ago we reported on PLC-Blaster, a dangerous worm that targeted industrial PLCs.