Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researchers build undetectable rootkit for programmable logic controllers

Lucian Constantin | Nov. 2, 2016
The rootkit implements a new attack against a PLC's input/output interface

Researchers have devised a new malware attack against industrial programmable logic controllers (PLCs) that takes advantage of architectural shortcomings in microprocessors and bypasses current detection mechanisms.

The attack changes the configuration of the input/output pins that make up the interface used by PLCs to communicate with other devices such as sensors, valves, and motors. PLCs are specialized embedded computers used to control and monitor physical processes in factories, power stations, gas refineries, public utilities, and other industrial installations.

The attack, which will be presented at the Black Hat Europe security conference in London on Thursday, was developed by Ali Abbasi, a doctoral candidate in the distributed and embedded system security group at the University of Twente in the Netherlands, and Majid Hashemi, a research and development engineer at Quarkslab, a Paris-based cybersecurity company.

One version of the I/O attack is called pin configuration and involves the use of malicious code that switches an I/O pin's configuration from output to input, or the other way around, without the PLC's OS or programs knowing.

For example, let's take the case of a PLC that's connected to a valve and is able to open or close it by sending a signal to an I/O pin configured as output. The same PLC also receives pressure readings from a sensor through another pin that's configured as input. A program running on the PLC -- known as the PLC logic -- monitors readings from the sensor and automatically opens the valve to release pressure when needed.

Malicious code injected by an attacker into the PLC can reconfigure the output pin as input, preventing the PLC logic from writing to it and opening the valve. It can also reconfigure the input pin as output and write bogus data to it. The result will be that the PLC will report to monitoring software that it has opened the valve and that pressure is going down -- due to the false readings now supplied by the attacker -- when in fact it hasn't.

The fundamental issue is that there are no hardware interrupts for pin configuration in the systems on a chip (SoCs) used in embedded devices like PLCs, so the OS will get no error from the processor when trying to write to a pin reconfigured as input, according to Abbasi. This means the PLC logic, which runs inside a runtime environment, will not crash and will continue to act as if the operation succeeded because, in the OS virtual memory, everything will look good.

"That's the core problem here," Abbasi said. "It seems that no SoC vendors have taken pin configuration feedback into consideration, and that might not be important for other embedded systems, but for PLCs, whose main operation is with the I/O, this becomes super important and can cause problems."


1  2  Next Page 

Sign up for Computerworld eNewsletters.