Abbasi and Hashemi implemented their attack technique in a rootkit that functions as a loadable kernel module (LKM). This allows them to bypass existing host-based intrusion detection and control-flow integrity tools for embedded systems like Doppelganger and Autoscopy Jr.
"The novelty of our attack lies in the fact that to manipulate the physical process we do not modify the PLC logic instructions or firmware," the researchers said in their paper. "This can be achieved without leveraging traditional function hooking techniques and by placing the entire malicious code in dynamic memory."
The drawback of implementing the rootkit as an LKM -- essentially a driver -- is that deploying it requires root privileges. Because of this, the researchers also developed a version of the attack that uses existing features of the PLC runtime to reconfigure the pins, and this variant can be implemented by exploiting any memory corruption vulnerability that allows loading malicious code directly into dynamic memory.
Another attack technique targets a feature called pin multiplexing that allows the use of the same pins for different interfacing modes in addition to GPIO (general purpose input/output). The functionality of a pin can be re-assigned during runtime and again, there is no feedback to tell the OS something has happened.
"Let's say you're using a pin to connect to a motor and manage it via a pulse width modulation (PWM) controller inside the CPU," Abbasi said. "In the attack, what we do is multiplex that pin and change its functionality to something else, but the CPU doesn't tell the memory management unit (MMU), which translates virtual addresses into physical addresses, that the physical address that corresponds to that pin is no longer available. The MMU will continue to try to write to it, the CPU will ignore the request, but won't give back any error, and that's crazy because the PLC will still think that the motor is accessible."
According to Abbasi, we're not likely to see these kinds of I/O attacks in the wild soon, because there are currently easier ways to compromise PLCs. However, as vendors build the next generation of PLCs with better built-in security, it's important to keep in mind that firmware and logic manipulations are not the only attack options available to hackers.
Also, it's not only PLCs that are vulnerable to I/O attacks but all embedded devices for which I/O operations are critical, such as the electronic control units (ECUs) used in cars or the intelligent electronic devices (IEDs) used in the electric power industry.
In their paper, the researchers propose two research directions for new techniques that could be used to detect I/O attacks. They plan to use these as the basis for their future work.
Sign up for Computerworld eNewsletters.