Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

July 4, 2015

Hacking Wireless Ghosts Vulnerable For Years

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:38 am

Hacking Wireless Ghosts Vulnerable For Years by Lucas Apa.

From the post:

Is the risk associated with a Remote Code Execution vulnerability in an industrial plant the same when it affects human life? When calculating risk, certain variables and metrics are combined into equations that are rendered as static numbers, so that risk remediation efforts can be prioritized. But such calculations sometimes ignore the environmental metrics and rely exclusively on exploitability and impact. The practice of scoring vulnerabilities without auditing the potential for collateral damage could underestimate a cyber attack that affects human safety in an industrial plant and leads to catastrophic damage or loss. These deceiving scores are always attractive for attackers since lower-priority security issues are less likely to be resolved on time with a quality remediation.

In the last few years, the world has witnessed advanced cyber attacks against industrial components using complex and expensive malware engineering. Today the lack of entry points for hacking an isolated process inside an industrial plant means that attacks require a combination of zero-day vulnerabilities and more money.

Two years ago, Carlos Mario Penagos (@binarymantis) and I (Lucas Apa) realized that the most valuable entry point for an attacker is in the air. Radio frequencies leak out of a plant’s perimeter through the high-power antennas that interconnect field devices. Communicating with the target devices from a distance is priceless because it allows an attack to be totally untraceable and frequently unstoppable.

In August 2013 at Black Hat Briefings, we reported multiple vulnerabilities in the industrial wireless products of three vendors and presented our findings. We censored vendor names from our paper to protect the customers who use these products, primarily nuclear, oil and gas, refining, petro-chemical, utility, and wastewater companies mostly based in North America, Latin America, India, and the Middle East (Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and UAE). These companies have trusted expensive but vulnerable wireless sensors to bridge the gap between the physical and digital worlds.

Another interesting summer project idea involving cybersecurity. Industrial control systems, the ones bed-wetters at the DHS worry about being hacked over the Internet? Well, they may be using insecure wireless devices. Not connected to the Internet but vulnerable all the same.

See the blog post and OleumTech™ Wireless Sensor Network devices for technical details.

Speaking of wireless devices, many cities now have automatic meter reading, which opens up the potential to monitor utility usage of others and potentially over- or under-report usage to a central authority.

It would make an interesting map of a city to overlay a street map with the density of detected wireless devices.

I can only imagine what such a map would look like for the petrochemical complex that runs alongside the Mississippi River near Baton Rouge, Louisiana. For example, the ExxonMobil Baton Rouge Refinery:

[Image: ExxonMobil Baton Rouge Refinery]

That’s only one and as you follow the Mississippi down river, you will find Dow Chemical and a host of similar plants. I don’t know of any survey of wireless devices at these plants.
