NEVER TRUST YOUR INPUTS (OR HOW TO FOOL ADC)
;CAT/DEV/USER
Alexander Bolshev (@dark_k3y), Ph.D., Security Researcher @ IOActive, Assistant Professor @ SPbETU "LETI"
Marina Krotofil (@marmusha), Security Researcher @ Honeywell

AGENDA
- Problem statement
- Analog-to-Digital Converters (ADC)
- "Racing" with ADC clock
- Invalid amplitude range of signal
- Attack vectors in ICS
- Mitigations
INDUSTRIAL CONTROL SYSTEMS
[Figure: reference ICS architecture. Physical application (sensor, ventil) -> PLC / RTU on the Process LAN -> SCADA network (engineering workstation, operator console, maintenance, modem) -> firewall -> Corporate LAN (workstations, file server, web server, SQL server, web services, Active Directory) -> firewall]
PROCESS CONTROL IN A NUTSHELL
[Figure: closed loop. Physical process -> Sensors -> Control system -> Actuators -> Physical process]
- Sensors measure the process state
- The control system computes control commands for the actuators
- Actuators adjust themselves to influence process behavior
IMPACT OF IMPROPER SIGNAL PROCESSING
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
- Two identically built nuclear plants. One had a flow-induced vibration issue, the other did not.
- The vibration indication showed itself as high-frequency noise
  - A field engineer filtered the signal to get rid of the annoying noise
  - Loss of view into the vibration issue
- Equipment damage at the nuclear plant
REASON TO SECURE CONTROL SYSTEMS
Catastrophic consequences
[Figure: the reference ICS architecture diagram again, from the physical application through Process LAN, SCADA network and firewalls to the Corporate LAN]
PROCESS MONITORING
[Figure: Control system -> Operator console (HMI) -> Process operator]
CONSIDER A FIELD ARCHITECTURE
[Figure: analog control loop. A Control PLC drives an Actuator over an analog line; a Monitoring PLC / Logger / DAQ / Safety PLC taps the same line and reports to the HMI. MV = Manipulated Variable: 0 V (actuator is OFF), 1.5 V (actuator is ON)]
- What if the MV value on the actuator is different from the MV value on the logger?
BUT IT'S AN ANALOG CONTROL LINE!
Are you sure?
- It's impossible to have two different MVs on the same line at the same time!

NOTE TO EE AND DSP GUYS:
Are you sure? (2)
- Yes, we know that most of our talk is about aliasing, and that this could easily be fixed by anti-aliasing filters...
- And it "should be" obvious that such filters are everywhere...
- But:
DEMO SETUP
"HMI Panel", "Control PLC" (Arduino), "Actuator" (motor), "Monitoring PLC" (S7-1200)

DEMO 1
DEMO VIDEO -- Two devices, two different MVs --
INTRO TO ANALOG-TO-DIGITAL CONVERTERS (ADC)

WHAT IS ADC?
- Converts a continuous analog signal (voltage or amperage) to a digital number that represents the signal's amplitude
[Figure: continuous signal x(t) plotted against time t]
ADC IN A NUTSHELL
[Figure: the input signal u_I(t), characterized by frequency, phase and amplitude, passes through a Sampling & Holding (S/H) circuit clocked at f_s, giving u_I'(t); Quantizing & Encoding against V_REF produces the digital word D_{n-1} ... D_1 D_0 (MSB first). Key parameters: clock, resolution, conversion time]
TYPES OF ADC
There are many ADC types (>10). The most common are:
- Successive-approximation ADC (SAR)
- Sigma-delta ADC
- Pipeline
http://electronicdesign.com/analog/real-world-versus-your-adc
http://www.planetanalog.com/author.asp?section_id=3193&doc_id=561627
EXPLOITABLE ADC DESIGN CONSTRAINTS
- The sampling frequency should follow the Nyquist rule (f_s > 2f)
  - Otherwise the signal will appear at a false (alias) frequency
- The amplitude of the input signal should not exceed the ADC's dynamic range
  - It is determined by the reference voltage
[Figure: a 5-10 V signal over time against a 0-15 V scale]
"RACING" WITH ADC CLOCK
-- SAR ADC --

BLOCK DIAGRAM
https://en.wikipedia.org/wiki/Successive_approximation_ADC
[Figure: V_IN -> S/H -> comparator (+/-) -> SAR (driven by the Clock, signals EOC) -> DAC (referenced to V_REF) back into the comparator; digital output D_{N-1} D_{N-2} ... D_1 D_0]
- DAC = Digital-to-Analog converter
- EOC = End of Conversion
- SAR = Successive Approximation Register
- S/H = Sample and Hold circuit
- VIN = Input Voltage
- VREF = Reference Voltage
SAR: WEIGHING PROBLEM
- The SAR algorithm is based on one of the solutions to the weighing problem by Niccolò Fontana Tartaglia, Italian mathematician and engineer, in 1556
- The objective is to determine the least number of weights which would serve to weigh an integral number of pounds from 1 lb to 40 lb using a balance scale
https://en.wikipedia.org/wiki/Niccol%C3%B2_Fontana_Tartaglia
http://www.analog.com/media/en/training-seminars/tutorials/MT-021.pdf
ADC: WEIGHING PROCESS
[Figure: V_DAC compared against V_IN over time, stepping through the trial levels 1/2 V_REF, 1/4 V_REF, 3/4 V_REF; decisions from MSB to LSB: BIT3=0, BIT2=1, BIT1=0, BIT0=1]
LET'S SET UP AN EXPERIMENT
Experimental setup:
- Arduino Leonardo (Atmega32U4 with built-in ADC, 125 kHz internal ADC clock)
- Si5351 generator
Algorithm:
1. Generate a square signal with a specific frequency and phase,
2. Read 120 ADC values in a row and average them,
3. Output to serial port (PC),
4. Increase phase and frequency,
5. GOTO 1.

RESULT
What is this?!
RACING WITH ADC CLOCK

LET'S REPEAT OUR EXPERIMENT
Frequency = around 8.9 kHz
Let's introduce a "counter" into our code for averaging 120 ADC conversions:

for (;;) {
  asm("cbi 0x0e, 6");           // marker pin low: an outgoing zero-peak signal shows on the scope when the ADC does actual work
  val = __fastAnalogRead(A0);   // fast analog read (inline function)
  asm("sbi 0x0e, 6");           // marker pin high again
  sum += val;
  step++;
  if (step > 120) {             // averaging, frequency change and output to the serial port go here
    Serial.print(sum * 1.0 / step);
    if (phase >= 170) { phase = 0; freq += 100; } else phase += 10;
    si5351.set_freq(freq, 0ULL, SI5351_CLK0);
    si5351.set_phase(SI5351_CLK0, phase);
    sum = 0; step = 0;          // restart the 120-sample window for the new frequency/phase
  }
}
TIMING DIAGRAM EXPLAINS EVERYTHING

FROM ATMEGA32U4 DATASHEET
Chapter 24 on ADC, page 302
125 kHz / 14 ~ 8928 Hz (112 µs)
We've just breached through the sampling rate precision of the ADC: once the generator runs at the ADC's real conversion rate (~8.9 kHz), every conversion lands on the same point of the square wave, and the averaged reading follows the generator's phase rather than the signal's real mean.
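As an added example (not code from the talk), the following C simulation reproduces what the timing diagram explains: an 8-bit SAR-style ADC that converts every 14 clocks of a 125 kHz clock samples at about 8928 Hz, and an attacker's square wave at exactly that frequency is sampled at the same point of its period every time. The 120-sample average then depends on the attacker's phase, while the actuator, which integrates the waveform, sees its true mean. The 0/3 V levels, the 5 V reference, the ideal sample-and-hold and the 8-bit quantization are assumptions chosen for illustration, and the 1 kHz comparison case shows that a signal obeying Nyquist is averaged correctly regardless of phase.

```c
#include <stdio.h>

/* Figures from the slide: ATmega32U4 ADC clock 125 kHz, 14 ADC clocks per conversion. */
#define ADC_CLK_HZ        125000.0
#define ADC_CLKS_PER_CONV 14.0
#define FS_HZ             (ADC_CLK_HZ / ADC_CLKS_PER_CONV)   /* ~8928.57 Hz, 112 us */
#define VREF              5.0                                 /* assumed 8-bit ADC reference */

static double absd(double x) { return x < 0 ? -x : x; }

/* Attacker's square wave: 'hi' volts for the first half of each period, 'lo' for the second.
   phase_deg shifts the waveform relative to the ADC's sampling instants (t = 0, 1/fs, 2/fs, ...). */
static double square_wave(double t, double f_hz, double phase_deg, double lo, double hi) {
    double cycles = t * f_hz + phase_deg / 360.0;          /* always >= 0 here */
    double frac = cycles - (double)(long long)cycles;      /* fractional part of the period */
    return frac < 0.5 ? hi : lo;
}

/* What the actuator responds to: the time average of the waveform (its inertia integrates it). */
static double actuator_mean(double lo, double hi) { return 0.5 * (lo + hi); }

/* What the monitoring device reports: n conversions at the S/H instants k/fs, each quantized to
   8 bits against VREF, then averaged exactly as the slide's sketch does (sum / step). */
static double adc_mean(double f_hz, double phase_deg, double lo, double hi, double fs_hz, int n) {
    double sum = 0.0;
    for (int k = 0; k < n; k++) {
        double v = square_wave((double)k / fs_hz, f_hz, phase_deg, lo, hi);
        int code = (int)(v / VREF * 255.0 + 0.5);
        if (code < 0) code = 0;            /* hardware range: below 0 V reads 0 ... */
        if (code > 255) code = 255;        /* ... above VREF reads all ones */
        sum += code * VREF / 255.0;
    }
    return sum / n;
}

/* How far the logger's view is from the actuator's for a 0/3 V attacker signal. */
static double divergence(double f_hz, double phase_deg) {
    return absd(adc_mean(f_hz, phase_deg, 0.0, 3.0, FS_HZ, 120) - actuator_mean(0.0, 3.0));
}

int main(void) {
    printf("ADC sampling rate: %.2f Hz\n", FS_HZ);
    /* A 1 kHz signal obeys Nyquist: the average tracks the real mean (~1.5 V) whatever the phase. */
    for (int ph = 0; ph < 360; ph += 90)
        printf("f = 1000 Hz, phase %3d: ADC mean %.3f V, actuator mean %.3f V\n",
               ph, adc_mean(1000.0, ph, 0.0, 3.0, FS_HZ, 120), actuator_mean(0.0, 3.0));
    /* A signal at exactly fs is sampled at the same point every conversion: the reading is the
       attacker's choice (3.0 V or 0.0 V) while the motor still sees 1.5 V. */
    for (int ph = 90; ph < 360; ph += 180)
        printf("f = fs,      phase %3d: ADC mean %.3f V, actuator mean %.3f V\n",
               ph, adc_mean(FS_HZ, ph, 0.0, 3.0, FS_HZ, 120), actuator_mean(0.0, 3.0));
    return 0;
}
```

The same model explains the "two devices, two different MVs" demo: the motor follows `actuator_mean`, the logger reports `adc_mean`, and only the attacker's phase decides which of the two the HMI operator gets to see.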
NOT ONLY BUILT-IN ADCs
Test results for the MCP3201 ADC:
  f_CLK = 125 kHz: 14.3 kHz
  f_CLK = 8 MHz:   292.5 kHz
"RACING" WITH ADC CLOCK
-- Delta-Sigma ADC --

DELTA-SIGMA ADC
- Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals, as found in an ADC.
- Typically, delta-sigma ADCs are clocked from a high-frequency signal, but the resulting sample rate is much slower than for other types of ADC
- Example: AD7706 ADC, clock frequency 2 MHz, output sample rate 25-500 samples per second.
- This allows producing results with higher resolution and much better reliability.
https://en.wikipedia.org/wiki/Delta-sigma_modulation

MODUS OPERANDI
http://www.analog.com/library/analogDialogue/archives/33-08/adc/index.html
https://en.wikipedia.org/wiki/Delta-sigma_modulation
https://www.maximintegrated.com/en/app-notes/index.mvp/id/1870

DEMO 3
Still exploitable? LIVE DEMO -- delta-sigma --
ATTACK EFFORTS: SIGMA-DELTA VS. SAR
- SAR ADCs are much easier to exploit (due to their simple nature); however, increasing the SAR clock frequency can create more problems for the attacker
- Delta-sigma ADCs allow only a few ways to craft a reliable attack; however, the result can exceed your needs.
SOFTWARE-RELATED PROBLEMS
-- ADC access timing --

DEMO 3
DEMO VIDEO -- One signal, two ADCs --

FROM DEMO: TWO DEVICES & TWO DIFFERENT OUTPUTS
Wait, but why? Timing diagrams can explain ;-)
EVERYTHING IS MUCH EASIER IN THE ICS WORLD
- In many real-world ICS applications the ADC doesn't sample the input signal at the highest possible frequency
  - Typical sampling rate is 1-100 times per second
[Figure: a slowly sampled line; the malicious part of the signal sits between the sampling instants]
HURDLES OF THE ATTACKER
- How to figure out the required phase and frequency to craft the needed malicious signal?
- Send some peak signals and monitor the output of the ADC (directly/indirectly)
- E.g. by hacking into a switch you can monitor/control both the data flow to the control PLC AND the digital data output from the Monitoring PLC/logger/DAQ/Safety PLC/etc.

FIGURING OUT SIGNAL PARAMETERS
[Figure: Control PLC -> Actuator analog line, tapped by the Monitoring PLC / Logger / DAQ / Safety PLC, which reports to the HMI through a compromised industrial switch]
SOFTWARE-RELATED PROBLEMS
-- ADC conversion time --

ADC IN CRITICAL APPLICATIONS
Be careful when using an ADC in critical applications
- Industrial PLCs also have analog inputs and built-in ADCs
- Let's test one of the most popular PLCs: the S7-1200

EXPERIMENT SETUP
Let's check the real conversion time of the S7-1200 ADC
[Figure: waveform generator -> (analog signal) -> S7-1200 -> (S7 protocol) -> reader that reads the value from the PLC every N; an Arduino controls the generator over I2C]
[Figure: S7 input amplitude vs. frequency, with the frequency fixed, for N = 8.3 ms, 9 ms, 7 ms, 4.5 ms, 2.5 ms]

WHAT'S WRONG?
Nothing, really. You just need to read the datasheet more thoroughly
[Figure: the relevant datasheet clause, text in small letters]
INVALID RANGE OF SIGNALS

BREAKING SOFTWARE DEFINED RANGES
- Consider a 5-10 V signal which is consumed by an ADC with a 0-15 V range
- What will happen if you send a signal lower than 5 V or higher than 10 V?
[Figure: the 5-10 V signal band over time against the 0-15 V scale]
From the real-life code:

uint8_t val = readADC(0);  // reading 8-bit ADC value with range 0V-15V
val = val - 85;            // Normalization -> 85 == 5 Volts (255/3)

Any signal of less than 5 V (val < 85) will cause an integer overflow in val: the unsigned subtraction wraps around, so a too-low input is silently read as a very high value. A signal above 10 V (val > 170) is not caught either.
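As an added example (not code from the talk), here is the slide's normalization next to a checked version, in C. The unchecked function keeps the slide's behaviour on purpose so the wrap can be observed; the checked one validates the raw code against the expected 5-10 V window (codes 85-170, the slide's scale) before any arithmetic and rejects everything else, including the all-ones reading an over-Vref input produces. The constant names and the sentinel-returning wrapper are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Scale from the slide: 8-bit ADC over 0..15 V, valid process signal 5..10 V.
   5 V -> 85 (255/3), 10 V -> 170 (255*2/3). */
#define CODE_5V   85u
#define CODE_10V  170u

/* The slide's "real life code", behaviour preserved: uint8_t arithmetic wraps modulo 256,
   so any reading below 5 V (raw < 85) comes out as a large "normalized" value. */
static uint8_t normalize_unchecked(uint8_t raw) {
    uint8_t val = raw;
    val = val - 85;                   /* 84 -> 255, 0 -> 171: an underflow read as a high signal */
    return val;
}

/* Hardened version: validate the raw code *before* any arithmetic. An out-of-window reading
   (too low, too high, or the saturated 255 from an input above Vref) is rejected so the caller
   can hold the last good value, raise an alarm or go to a safe state instead of acting on it. */
static bool normalize_checked(uint8_t raw, uint8_t *out) {
    if (raw < CODE_5V || raw > CODE_10V)
        return false;
    *out = (uint8_t)(raw - CODE_5V);  /* 0..85, no wrap possible */
    return true;
}

/* Same check for callers that prefer a sentinel: -1 on rejection, else the 0..85 value. */
static int normalize_or_reject(uint8_t raw) {
    uint8_t out;
    return normalize_checked(raw, &out) ? (int)out : -1;
}

/* Convert an 8-bit code on the 0..15 V scale back to volts, for reporting. */
static double code_to_volts(uint8_t code) { return code * 15.0 / 255.0; }

/* Sweep every possible raw code: count the inputs the unchecked path wraps into a value the
   checked path would never produce (it is 85 of them, every code below 5 V). */
static int count_wrapped_readings(void) {
    int wrapped = 0;
    for (int raw = 0; raw < 256; raw++) {
        uint8_t unchecked = normalize_unchecked((uint8_t)raw);
        if (normalize_or_reject((uint8_t)raw) < 0 && raw < (int)CODE_5V &&
            unchecked > CODE_10V - CODE_5V)
            wrapped++;
    }
    return wrapped;
}

int main(void) {
    uint8_t samples[] = { 0, 68, 84, 85, 128, 170, 171, 255 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t raw = samples[i];
        printf("raw %3u (%5.2f V): unchecked -> %3u, checked -> %d\n",
               raw, code_to_volts(raw), normalize_unchecked(raw), normalize_or_reject(raw));
    }
    printf("%d of 256 raw codes wrap in the unchecked version\n", count_wrapped_readings());
    return 0;
}
```

The range check belongs where the raw code arrives from the hardware, not after normalization: once the value has wrapped, a later "is it plausible?" test has nothing reliable left to look at.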
BREAKING HARDWARE DEFINED RANGES
What if the attacker sends a signal outside of the ADC's hardware defined range (> Vref)?
- The ADC will output the max value (all bits set to 1)
- The ADC might be damaged
- Values on other inputs could be distorted

DEMO SETUP
[Figure: USB UART, negative voltage source, Atmega328p, optical isolator]

DEMO 4
DEMO VIDEO -- Negative input signal -- (breaking hardware range)
ANOTHER EXAMPLE
Breaking HW ranges for the NXP LPC11U24F internal ADC (3.3 V Ref)
Columns: voltage applied to one ADC input, then four channel readings in volts. The slide labelled the readings relative to the driven input (A-3 ... A+3); only four reading columns survive here, and the second of them follows the applied input. "~" is as on the slide.

Applied (V) | reading 1 | reading 2 | reading 3 | reading 4
   0.48     |   0.0     |   0.48    |   1.58    |   3.3
   3.39     |   0.0     |   3.3     |   1.59    |   3.3
   4.1      |   0.087   |   3.3     |   1.729   |   3.3
   4.65     |   0.17    |   3.3     |   1.974   |   3.3
   5.1      |   0.44    |   3.3     |   2.212   |   3.3
   5.9      |   0.0     |   2.035   |   1.561   |   3.3
   6.1-9.8  |   ~       |   ~       |   ~       |   ~
  -0.48     |   0.0     |   0.0     |   1.58    |   3.3
  -1.1      |   0.0     |   0.0     |   1.64    |   3.20
  -1.5      |   0.025   |   0.0     |   1.71    |   3.07
  -1.7      |   0.0     |   0.0     |   2.5     |   2.9
  -2        |   ~       |   ~       |   ~       |   ~
ATTACK VECTORS IN ICS

DIRECT ACCESS ATTACK TOOLKIT (RARE CASE)
[Figure: direct-access toolkit attached to the analog line through a line coupling circuit (usually OpAmp/transformer)]
Total setup cost: $50 (1 kHz) -- $400 (50 MHz)

ATTACKING FROM AN ICS DEVICE
- Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.)
  - Most MCUs inside transmitters/actuators are capable of generating arbitrary signals up to 500-1000 Hz
  - Some devices allow generating signals of 44 kHz and above
ATTACK FROM TRANSMITTER
HART transmitter reference design ;-) DAC with sample rate up to 100 kHz (smooth sine wave at ~5 kHz)
http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered-transmitter.html?cmp_id=7&news_id=222918850
MITIGATIONS

HARDWARE MITIGATIONS

LPF FILTERS (ANTI-ALIASING) IN REFERENCE DESIGN
- A low-pass filter attenuates signals with a frequency higher than its cutoff frequency
- Buffer the ADC input with an LPF
- Good design dictates ADC f_s > LPF f_c; to actually stop aliasing the filter must already roll off below f_s/2 (Nyquist), otherwise everything the ADC cannot represent still reaches it

LPF FILTERS IN REFERENCE DESIGN
"We included an LPF in our design"
ADC with f_s ~ 470 Hz
LPF with f_c near 15 kHz

SOLUTION
FLIP SIDE OF USING LPF
"Securing" may lead to more vulnerabilities
- When adding an LPF to an individual device, make sure that all related devices have the same cut-off frequencies
- E.g. if the PLC input is buffered with an LPF with f_c = 1 kHz and the actuator is equipped with an LPF with f_c = 5 kHz, the attack is not only possible, but the probability of success increases! Anything the attacker injects between the two cut-offs drives the actuator while the PLC barely sees it.
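As an added example (not from the talk), the C code below puts numbers on the two LPF slides above: the reference design with a 470 Hz ADC behind a 15 kHz filter, and the mismatched 1 kHz / 5 kHz pair. It models the filter as an n-th order Butterworth-style response (first order is the plain RC filter) and evaluates the power gain at f_s/2, the frequency an anti-aliasing filter has to suppress. The 3 kHz injection frequency, the 100 Hz cutoff and the 0.001 (about -30 dB) target are assumptions chosen for the illustration.

```c
#include <stdio.h>

/* Power gain of an n-th order Butterworth-style low-pass filter at frequency f (order 1 is the
   classic RC filter): |H|^2 = 1 / (1 + (f/fc)^(2n)). 1.0 passes the signal, 0.0 blocks it. */
static double lpf_power_gain(double f_hz, double fc_hz, int order) {
    double ratio = f_hz / fc_hz, pw = 1.0;
    for (int i = 0; i < 2 * order; i++) pw *= ratio;
    return 1.0 / (1.0 + pw);
}

/* An anti-aliasing filter has to attenuate everything the ADC cannot represent, i.e. above fs/2.
   Returns nonzero if the filter leaves at most max_gain (power) at fs/2. */
static int lpf_protects_adc(double fs_hz, double fc_hz, int order, double max_gain) {
    return lpf_power_gain(fs_hz / 2.0, fc_hz, order) <= max_gain;
}

/* Smallest filter order that brings the power gain at f down to max_gain for a given fc.
   Returns 0 if no order up to 'limit' suffices (e.g. f is below fc, so more poles cannot help). */
static int min_order_for(double f_hz, double fc_hz, double max_gain, int limit) {
    for (int n = 1; n <= limit; n++)
        if (lpf_power_gain(f_hz, fc_hz, n) <= max_gain) return n;
    return 0;
}

int main(void) {
    /* Reference design from the slide: ADC at ~470 Hz, LPF cutoff near 15 kHz. */
    printf("fs=470 Hz, fc=15 kHz, 1st order: gain at fs/2 = %.4f -> %s\n",
           lpf_power_gain(235.0, 15000.0, 1),
           lpf_protects_adc(470.0, 15000.0, 1, 0.01) ? "protects the ADC" : "filters nothing relevant");

    /* Mismatched cutoffs from the slide: PLC input fc = 1 kHz, actuator fc = 5 kHz. A 3 kHz
       injection (assumed attacker frequency) is mostly invisible to the PLC but drives the actuator. */
    printf("3 kHz injection: PLC passes %.2f, actuator passes %.2f of the power\n",
           lpf_power_gain(3000.0, 1000.0, 1), lpf_power_gain(3000.0, 5000.0, 1));

    /* What it takes to really protect a 470 Hz ADC with an assumed fc = 100 Hz:
       the order needed for a power gain <= 0.001 at fs/2. */
    printf("fc=100 Hz: order needed for gain <= 0.001 at 235 Hz: %d\n",
           min_order_for(235.0, 100.0, 0.001, 10));
    return 0;
}
```

Run against the slide's numbers, the 15 kHz filter passes more than 99.9% of the power at the 470 Hz ADC's Nyquist frequency, and a 3 kHz injection reaches the actuator with about 74% of its power while the 1 kHz-filtered PLC input sees 10%: exactly the "two MVs on one line" the talk warns about, created by the mitigation itself.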
NOTE: DIGITAL LPF WON'T WORK!
Do not rely on a digital LPF after the ADC!
- The ADC output will already be compromised by the maliciously intended signal, and no digital filter will fix matters
USE AN ADC WITH HIGHER BANDWIDTH / LOWER CONVERSION TIME (OR ANOTHER TYPE OF ADC)
- Using an ADC with a higher sampling frequency (mostly for SARs) can mitigate the "racing with ADC" attack, as the attacker will have to generate a signal of much higher frequency
- Or just use delta-sigma ADCs
- Generating a ~1 MHz signal or injecting it into an analog line is much harder than generating or injecting a ~1 kHz signal
  - High-frequency signals are subject to greater attenuation and are more affected by noise
SCALE SIGNAL AMPLITUDE BEFORE THE ADC
- To avoid abuse of the ADC voltage ranges, normalize the signal amplitude before feeding the signal to the ADC
  - Simplest option: voltage divider + OpAmp,
  - Signal conditioning circuits or even dynamic range compression
Select what is suitable for your OT process
SOFTWARE MITIGATIONS

SAMPLING FREQUENCY RANDOMIZATION
http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html
- A certain randomness in the sampling frequency will make the attacker's job much harder
  - Many of the discussed attacks will be much more challenging to execute
- A small variation of f_s won't degrade the signal understanding process. On the contrary, it will produce a signal sample of better quality.
  $f_s' = f_s + \mathrm{rand}(\Delta)$
[Figure: irregularly spaced sampling instants on a signal over time]
APPLY SECURE CODING TECHNIQUES
- Scrutinize your ADC's/PLC's datasheets to figure out effective ranges, conversion time, frequency and other critical parameters
- Even if it is sufficient to control the process with one value per second, sample the signal with a higher frequency and average the converted values
- When receiving a value from the ADC, treat it as an absolute value (all bits received from the ADC are significant)

DON'T SLEEP! (WHILE ON DUTY :) )
Avoid writing/using the following code (if you don't completely understand your process)

Val = readADC();
Output(Val);
Sleep(Timeout);
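As an added example (not code from the talk), the C program below combines the two software mitigations from the slides above, sampling-frequency randomization ($f_s' = f_s + \mathrm{rand}(\Delta)$) and oversampling with averaging, and measures what they do to the racing attack: the attacker drives a 0/3 V square wave at exactly the nominal conversion rate, and the loop reports the worst deviation from the true 1.5 V mean over a sweep of attacker phases. With no jitter the reported value is whatever the attacker chose; with a random extra wait of up to one period per conversion it stays near the true mean. The waveform model, the 0/3 V levels, the linear congruential generator (a stand-in for a hardware RNG) and the 120-sample window are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define FS_HZ 8928.57   /* nominal conversion rate from the SAR experiment (125 kHz / 14) */

static double absd(double x) { return x < 0 ? -x : x; }

/* Deterministic LCG so the example is reproducible. A real device would draw from a hardware RNG,
   or at least seed from something the attacker cannot observe on the line. */
static uint32_t rng_state = 0x12345678u;
static void rng_seed(uint32_t s) { rng_state = s; }
static double rng_unit(void) {            /* uniform in [0, 1) */
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state / 4294967296.0;
}

/* Attacker's square wave: 'hi' for the first half of each period, 'lo' for the second. */
static double square_wave(double t, double f_hz, double phase_deg, double lo, double hi) {
    double cycles = t * f_hz + phase_deg / 360.0;
    double frac = cycles - (double)(long long)cycles;
    return frac < 0.5 ? hi : lo;
}

/* One control-loop read: n conversions instead of a single readADC(), each taken after a random
   extra wait of 0..jitter_frac nominal periods, then averaged. jitter_frac = 0 reproduces the
   fixed-rate sampling the attacker races against. */
static double read_oversampled(double f_hz, double phase_deg, double lo, double hi,
                               double fs_hz, double jitter_frac, int n) {
    double t = 0.0, sum = 0.0;
    for (int k = 0; k < n; k++) {
        t += (1.0 + jitter_frac * rng_unit()) / fs_hz;
        sum += square_wave(t, f_hz, phase_deg, lo, hi);
    }
    return sum / n;
}

/* Worst case over attacker phases: how far the reported value can be pushed from the waveform's
   true mean (1.5 V for a 0/3 V square wave) when the attacker drives exactly fs. */
static double worst_case_error(double fs_hz, double jitter_frac, int n) {
    double worst = 0.0;
    for (int ph = 15; ph < 360; ph += 30) {
        double err = absd(read_oversampled(fs_hz, ph, 0.0, 3.0, fs_hz, jitter_frac, n) - 1.5);
        if (err > worst) worst = err;
    }
    return worst;
}

int main(void) {
    rng_seed(0x12345678u);
    printf("fixed rate:      worst-case error %.3f V (attacker picks the reading)\n",
           worst_case_error(FS_HZ, 0.0, 120));
    printf("jitter <= 20%%:   worst-case error %.3f V\n", worst_case_error(FS_HZ, 0.2, 120));
    printf("jitter <= 100%%:  worst-case error %.3f V (reading tracks the true 1.5 V mean)\n",
           worst_case_error(FS_HZ, 1.0, 120));
    return 0;
}
```

The randomization only helps because it happens before the conversion, in the timing of the sample-and-hold; shuffling or filtering values after the ADC has already locked onto the attacker's phase would not recover anything, which is the same point the "digital LPF won't work" slide makes.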
BLACK HAT SOUND BYTES
- Aliasing attacks and attacks using voltage ranges are still possible against modern ADC components inside ICS devices. (thanks, Cap!)
- Most of these problems could be easily solved with anti-aliasing filters (LPF); however, these filters should have the same cut-off frequencies.
- Even a good LPF and a good ADC will not save you if your software works with the ADC incorrectly.

OT AND IT HAVE COMMON PROBLEMS
NEVER TRUST YOUR INPUTS
@dark_k3y @marmusha