NEVER TRUST YOUR INPUTS: CAUSING 'CATASTROPHIC PHYSICAL CONSEQUENCES' FROM THE SENSOR (OR HOW TO FOOL ADC), presented at Black Hat Asia 2016

by Alexander Bolshev and Marina Krotofil

Summary: Our world is analog. Computers are digital. When a microcontroller in an Industrial Control System (ICS) or embedded system acquires data from the physical world, it uses analog-to-digital converters (ADCs) to transform amperage or voltage into a useful unit of measurement. Decisions on how to control physical applications are taken based on the interpretation of the measured data. Certain pieces of process data must be accurate at all times in order to maintain the efficiency and safety of the process. Understanding data sources and their pathways is essential to understanding how an attacker might perturb the process, potentially causing "catastrophic physical consequences."
Development and usage of systems with ADCs is well understood and mastered to perfection. But let's look at it from the security perspective. In the production environment, the state of the physical process is estimated from measured physical phenomena like temperature or velocity, which are converted to a voltage (V) value by a sensor or a transmitter. The signal may be consumed by two devices: process control equipment (PLC or RTU) and a Digital Acquisition system (DAQ) that sends data for historical logging and "big data" analysis. What if you want to perturb the process but keep it hidden from monitoring systems like the DAQ? What if you could generate a specific analog signal that these two components interpret in completely different ways? For example, the PLC would read 7 V while the DAQ reads 1 V (corresponding to 400 and 20 units of temperature). You can do a lot of fun things if you understand how an ADC works.
In this talk, we will discuss a rarely addressed topic: the security of analog signal processing. Tampering with the frequency and phase can cause an ADC to output a spurious digital signal; modifying the ranges can cause integer overflow and trigger a logic vulnerability in the PLC/embedded software. We will analyze several attack vectors on ADCs, misconfiguration of signal scaling, and other design details that allow the attacker to fool the ADC (and all systems depending on its output signal). We will illustrate how the outlined vulnerabilities can be exploited in software (demo) and conclude with the consequences of such attacks in the context of exploiting physical processes.
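As an added illustration, not part of the talk material, the following Python simulation reproduces the two-reader divergence described above (a controller and a logger sampling the same wire at different rates) and adds the cross-path plausibility check a defender would want between a PLC value and its DAQ counterpart. The 12-bit resolution, the ±10 V input range and the two sampling rates are assumptions chosen for the example.

```python
import math


def sample(signal, fs, n, t0=0.0):
    """Take n samples of signal(t) at fs Hz, starting at time t0 (seconds)."""
    return [signal(t0 + k / fs) for k in range(n)]


def adc_average(samples, bits=12, v_min=-10.0, v_max=10.0):
    """Quantize each sample like a bipolar ADC with the given input range and
    return the mean voltage of the resulting codes: what a polling reader sees."""
    full_scale = 2 ** bits - 1
    lsb = (v_max - v_min) / full_scale
    codes = [min(full_scale, max(0, int(round((v - v_min) / lsb)))) for v in samples]
    return v_min + sum(codes) / len(codes) * lsb


def aliasing_demo(f_plc=100.0, f_daq=977.0, seconds=1.0):
    """Constructed input: a 1 V level plus a 6 V sinusoid whose frequency equals
    the PLC sampling rate (assumed 100 Hz). The PLC lands on the crest at every
    sample and averages 7 V; the DAQ, sampling at an unrelated rate (assumed
    977 Hz), averages the sinusoid out and reports about 1 V."""
    signal = lambda t: 1.0 + 6.0 * math.cos(2 * math.pi * f_plc * t)
    plc = adc_average(sample(signal, f_plc, int(f_plc * seconds)))
    daq = adc_average(sample(signal, f_daq, int(f_daq * seconds)))
    return plc, daq


def readings_consistent(v_a, v_b, tol=0.25):
    """Plausibility check: two acquisition paths for the same sensor should agree
    within a tolerance; a persistent gap is a signal worth alarming on."""
    return abs(v_a - v_b) <= tol


if __name__ == "__main__":
    plc_v, daq_v = aliasing_demo()
    print(f"PLC reads {plc_v:.2f} V, DAQ reads {daq_v:.2f} V")
    print("consistent" if readings_consistent(plc_v, daq_v) else "DISCREPANCY")
```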