Leaking Beeps: Are You In Control Of Your Own Automation?
Industrial Control Systems (ICS) are a hot topic in the security industry today, thanks to the prevalence of software that is often riddled with security flaws and of legacy protocols that were designed without any security at all. Many of these systems were built in a different time, when the world was quite different: ICS networks were isolated, Internet access was rare and expensive, and hacking knowledge was not as widespread as it is today. It would have been very difficult for a programmer to foresee the security issues that have since emerged. What this translates to in practice is that solutions are often developed to get the most out of a system while keeping costs down, and so software and protocols that were never meant to be part of an ICS end up as part of one.
When my fellow researcher Philippe Lin and I earlier set out to find the security issues in the use of pagers in the healthcare industry, we quickly observed that the research should not be limited to healthcare: other industries were using the same communication paths.
In some cases, the communications we observed from ICS environments were at a volume that would be unrealistic for one person to review. This led us to believe that some of these systems were being fed by automation systems, using pages as a remote wireless channel for reporting readings from remote sensors. This is one of the biggest threats to these systems: outdated pager technology provides no authentication that a receiver can use to validate the sender, so spoofed messages carrying wrong data could be sent to these systems and accepted as genuine.
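To make the authentication gap concrete, here is an added example in Python (not code from the original post or from the research it describes): a toy automation consumer that ingests pager-delivered telemetry, followed by a hypothetical receiver-side integrity check. The telemetry format, the site and tag names, the shared key and the sample pages are all constructed for illustration, and the HMAC-tagged variant is a hardening idea added here, not something the post reports deployed anywhere. It assumes pages arrive at the consumer as plain alphanumeric text, which is how alphanumeric POCSAG and FLEX pages are delivered.

```python
"""Added example (not from the original Leaking Beeps post): a toy
pager-fed telemetry consumer that shows why an unauthenticated page
cannot be trusted, and what a receiver-side integrity check adds.

Assumptions (all constructed for illustration):
- Pages reach the automation system as plain alphanumeric text.
- The telemetry format "SITE=<id>;TAG=<name>;VAL=<number>" is invented.
- The HMAC-tagged variant is a hypothetical hardening.
"""
import hashlib
import hmac
import re

TELEMETRY_RE = re.compile(
    r"^SITE=(?P<site>\w+);TAG=(?P<tag>\w+);VAL=(?P<val>-?\d+(?:\.\d+)?)$"
)


def parse_page(text):
    """Parse a plain telemetry page. Returns a dict, or None if malformed."""
    m = TELEMETRY_RE.match(text)
    if not m:
        return None
    return {"site": m.group("site"), "tag": m.group("tag"),
            "val": float(m.group("val"))}


def apply_reading(state, text):
    """Unauthenticated consumer: any well-formed page updates state.
    Nothing here can tell a legitimate sensor page from a spoofed one,
    because the pager protocol carries no sender authentication."""
    rec = parse_page(text)
    if rec is None:
        return False
    state[(rec["site"], rec["tag"])] = rec["val"]
    return True


def tag_page(text, key):
    """Hypothetical hardening: append a truncated HMAC-SHA256 tag.
    Truncation keeps the page short (pager payloads are small) while
    still letting the receiver reject pages not produced with the key."""
    mac = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{text}|{mac}"


def apply_tagged_reading(state, page, key):
    """Authenticated consumer: verify the tag before accepting a reading.
    An untagged page, or one with a tag not computed under the shared
    key, is dropped. Caveat: this does not stop replay of an old genuine
    page; a counter or timestamp inside the signed text is needed for that."""
    text, sep, mac = page.rpartition("|")
    if not sep:
        return False
    expected = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False
    return apply_reading(state, text)


def demo():
    """Run both consumers over a genuine page and a spoofed one.
    Returns (plain consumer's final value, hardened consumer's final
    value, whether the hardened consumer accepted the forged page)."""
    key = b"shared-site-key"                          # constructed
    genuine = "SITE=SUB12;TAG=LINE3_KV;VAL=138.2"     # constructed
    spoofed = "SITE=SUB12;TAG=LINE3_KV;VAL=0"         # constructed, attacker-chosen
    plain = {}
    apply_reading(plain, genuine)
    apply_reading(plain, spoofed)                     # accepted: indistinguishable
    hardened = {}
    apply_tagged_reading(hardened, tag_page(genuine, key), key)
    forged_ok = apply_tagged_reading(hardened, spoofed + "|0000000000000000", key)
    return plain[("SUB12", "LINE3_KV")], hardened[("SUB12", "LINE3_KV")], forged_ok


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the plain consumer ending with the attacker's value while the hardened consumer keeps the genuine reading and rejects the forged page. The tag only proves the page was built with the shared key; it does nothing for confidentiality, and the pager channel stays readable by anyone with a receiver, which is the passive-intelligence problem the rest of the post is about.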
A wide variety of ICS environments were observed using pager systems, including theme parks, electrical substations, and facilities for power generation, chemical processing, and building automation. While most of the transmitted information was purely informational, the system could still be abused, and harm could result from the information found within the messages. In the case of substation messages, the information could lead to a violation of standards if it reached power traders, as it would give them unfair insight into purchasing decisions; this could in turn lead to price increases in areas experiencing issues with downed transmission lines.
As with our previous research on the use of pager communications in the healthcare industry, this was all achieved with a Software Defined Radio (SDR) that cost less than $20. In some cases the data was received from a considerable distance, depending on the pager system coverage in the area. This problem is not limited to the United States; it is found in other countries as well.
We discuss the various kinds of information from unencrypted pages that could be used as passive intelligence in our second Leaking Beeps research paper: Unencrypted Pager Messages in Industrial Environments.