ARN

Protocol gateway flaws reveal a weak point in industrial control system environments

Research presented at Black Hat conference highlights a new threat via protocol translation attacks and reveals nine flaws found in protocol gateways

Security researchers are warning about widespread vulnerabilities in protocol gateways, small devices that connect industrial machinery and sensors to the TCP/IP networks used to automate and control them.

New research published by Trend Micro and presented at the Black Hat USA virtual security conference highlights a new threat via protocol translation attacks and reveals nine flaws found in protocol gateways from different vendors.

The identified vulnerabilities can enable various attack scenarios, from issuing stealth commands that could sabotage the operational process to gaining unauthorised access, decrypting configuration databases, exposing sensitive information and crashing critical equipment.

What are protocol gateways?

Industrial installations are made up of various machines, motors, sensors and controllers that are linked together.

These components can have very long service lives, and many were designed at a time when operational technology (OT) networks were fully separated from IT networks and communicated over serial cables, using proprietary or specialised protocols such as Modbus, which dates back to 1979.

Today, with the advance of Industry 4.0, OT and IT networks are interlinked for remote management, automation and control. Engineering workstations and human-machine interfaces (HMIs), which are used to monitor and control industrial processes, are generally IT assets and talk over TCP/IP.

To link OT assets such as programmable logic controllers (PLCs) to Ethernet, Wi-Fi and mobile networks, the industry uses devices known as protocol gateways or protocol translators. These receive packets over one protocol and translate them into a different protocol, or between different physical layers of the same protocol, for example Modbus TCP (Ethernet) to Modbus RTU (serial).

"If protocol gateways fail, then the communication between the control systems and machinery would stop," the Trend Micro researchers said in their report. "Operators would lose visibility over the system, making them unable to tell if machines or generators are running properly. Translation failure can also prevent the operator from issuing commands to troubleshoot problems."

For their research, the Trend Micro researchers focused on gateways that translate between different versions of Modbus, because Modbus is one of the most widely used protocols on OT networks.

Protocol gateways that translate between completely different protocols were left for future research. The devices investigated were the Nexcom NIO50, Schneider Link 150, Digi One IA, Red Lion DA10D and Moxa MGate 5105-MB-EIP.

Lost in translation

"We dug deeper into the implementation of the protocol translation process and researched the conditions in which the gateways may introduce errors that have an impact on the device they communicate with, such as a PLC connected to the serial interface," the researchers said in their paper.

"This is the equivalent of testing if a language translator can correctly translate sentences with mismatched tenses, subject-verb agreement errors, and misplaced or missing punctuation. A reliable translator will either correct the sentence if the context is obvious enough or refuse to translate if the message is unclear in its present form."

To test how the protocol gateways handled malformed packets, the researchers used a fuzzer that sent 5,078 invalid Modbus TCP packets and 1,659 invalid Modbus RTU packets. Modbus TCP and Modbus RTU frame their messages differently: a Modbus TCP packet carries a header with an explicit length field, while a Modbus RTU frame has no length field and is instead delimited on the serial line and protected by a trailing CRC-16. A packet that is malformed under one framing is therefore not automatically malformed under the other, and under normal conditions a gateway should drop any packet whose declared length does not match what actually arrived rather than pass it on.

During their tests the researchers observed that the NIO50 did not correctly filter Modbus TCP packets with an incorrect length field and instead forwarded them as Modbus RTU. This raised the question of whether it was possible to craft a Modbus TCP packet that is invalid according to the specification but becomes valid once the gateway blindly forwards it as a Modbus RTU frame.

Indeed, they found several ways to craft a Modbus TCP packet carrying read commands that would look innocuous to any ICS firewall sitting between the sender and the gateway, but that the NIO50 would forward as Modbus RTU with a completely different meaning to the PLC behind it. The test setup involved a PLC controlling a motor, a thermometer and a tachometer.

"With a single command, the attacker can deactivate the critical sensors for monitoring the motor’s performance and safety (temperature and tachometer), while keeping the motor running," the researchers said.

"If unnoticed by field engineers and operators, the motor could already be exceeding the safe operating conditions, however, it won’t be visible or trigger any alarms because the sensors (thermometer and tachometer) have been disabled."
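The translation step described above, as an added example that is not code from the Trend Micro paper or from any vendor's firmware. It models the two framings (Modbus TCP with its MBAP header and length field, Modbus RTU with a trailing CRC-16), the consistency check a gateway or inspecting firewall should apply before translating, and a constructed `blind_translate` that strips the header and forwards whatever follows without consulting the length field. The malformed frames in `make_fuzz_cases` are constructed here and are not the researchers' fuzzing corpus; the specific packets used against the NIO50 are not reproduced.

```python
"""Modbus TCP -> Modbus RTU translation: strict checking versus blind forwarding.

Added example. Frame layouts follow the public Modbus specifications; the
blind gateway and the fuzz cases are constructed models, not vendor code.
"""
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Request PDU sizes (function code + data) for the fixed-size public functions.
FIXED_REQUEST_PDU_LEN = {0x01: 5, 0x02: 5, 0x03: 5, 0x04: 5, 0x05: 5, 0x06: 5}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def to_modbus_rtu(unit_id: int, pdu: bytes) -> bytes:
    """RTU frame: slave address, PDU, then the CRC-16 appended little-endian."""
    frame = bytes([unit_id]) + pdu
    return frame + struct.pack("<H", crc16_modbus(frame))


def rtu_crc_ok(frame: bytes) -> bool:
    return len(frame) >= 4 and struct.unpack("<H", frame[-2:])[0] == crc16_modbus(frame[:-2])


def build_modbus_tcp(transaction_id, unit_id, pdu, declared_length=None, trailer=b""):
    """Modbus TCP ADU. declared_length and trailer exist only so a test can build
    frames whose MBAP length field disagrees with the bytes actually on the wire."""
    if declared_length is None:
        declared_length = 1 + len(pdu)  # unit id + PDU, as the MBAP header defines it
    return struct.pack(">HHHB", transaction_id, 0, declared_length, unit_id) + pdu + trailer


def parse_modbus_tcp_strict(adu: bytes):
    """Return (unit_id, pdu) or raise ValueError. This is the consistency check a
    gateway should apply before anything is translated to the serial side."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("ADU shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} != {len(adu) - 6} bytes on the wire")
    pdu = adu[MBAP_LEN:]
    expected = FIXED_REQUEST_PDU_LEN.get(pdu[0])
    if expected is not None and len(pdu) != expected:
        raise ValueError(f"function 0x{pdu[0]:02x} expects a {expected}-byte PDU, got {len(pdu)}")
    return unit, pdu


def strict_translate(adu: bytes) -> bytes:
    unit, pdu = parse_modbus_tcp_strict(adu)
    return to_modbus_rtu(unit, pdu)


def blind_translate(adu: bytes) -> bytes:
    """Constructed model of a lenient gateway: drop the 6-byte MBAP prefix, forward
    the unit id and everything after it with a fresh CRC, never read the length field."""
    return to_modbus_rtu(adu[6], adu[7:])


def is_rejected(adu: bytes) -> bool:
    try:
        parse_modbus_tcp_strict(adu)
    except ValueError:
        return True
    return False


def make_fuzz_cases() -> dict:
    """Constructed malformed frames built around a valid 'read one holding register'."""
    read_pdu = bytes([0x03, 0x00, 0x00, 0x00, 0x01])
    return {
        "length_short": build_modbus_tcp(1, 1, read_pdu, declared_length=2),
        "length_long": build_modbus_tcp(2, 1, read_pdu, declared_length=20),
        "trailing_bytes": build_modbus_tcp(3, 1, read_pdu, trailer=b"\x10\x00\x10\x00\x01"),
        "truncated_pdu": build_modbus_tcp(4, 1, read_pdu[:3]),
        "wrong_proto": struct.pack(">HHHB", 5, 1, 6, 1) + read_pdu,
    }


def compare_gateways(adu: bytes) -> dict:
    """Does a strict gateway and a blind one put the same bytes in front of the PLC?"""
    try:
        strict, reason = strict_translate(adu), ""
    except ValueError as exc:
        strict, reason = None, str(exc)
    blind = blind_translate(adu)
    return {"strict": strict, "blind": blind, "rejected": reason, "crc_ok": rtu_crc_ok(blind)}


if __name__ == "__main__":
    good = build_modbus_tcp(1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x01]))
    print("well-formed:", compare_gateways(good))
    for name, adu in make_fuzz_cases().items():
        print(name, compare_gateways(adu))
```

The `trailing_bytes` case is the one to look at: a firewall that trusts the MBAP length field sees a six-byte "read holding register" and nothing else, while the blind gateway hands the PLC a thirteen-byte RTU frame, with a valid CRC, that includes five bytes no inspector ever validated. The strict parser rejects all five constructed cases; the fix is the length check, not a signature for the payload.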

The NIO50 is a real-time gateway: packets are translated on the fly as they arrive. Other gateways work asynchronously, buffering packets of the same type or with the same destination so they can be sent together for performance reasons.

These are also known as data stations and use a user-configurable I/O mapping table. The Red Lion DA10D and Moxa MGate 5105-MB-EIP fall into this category.

"I/O mapping tables can be a crucial source of information during the attack development and tuning phase and may provide the key piece of information an attacker is looking for to bring the facility down," the researchers said. "In addition, any unauthorised modification to the I/O mapping table will tamper with the operation of the HMI, PLCs, and devices connected to the data station."

Data stations usually have mechanisms in place to protect this information, but the Trend Micro researchers found several weaknesses that would allow them to access or decrypt the database.

Specifically, the Moxa MGate device had an information-disclosure vulnerability reachable through proprietary commands, a credential-reuse flaw reachable through proprietary commands, and a post-authentication root shell that would give attackers persistent and significant control over the device. The Red Lion device had an arbitrary memory leak and a Modbus denial-of-service condition.

In fact, the researchers found that all of the real-time gateways tested were vulnerable to denial of service when flooded with packets at 0.5-second intervals. The devices remained powered on but suffered resource exhaustion that disrupted the translation process.

Separately, the Red Lion DA10D data station could be forced to reboot with specially crafted Modbus TCP packets. The researchers also found authentication and other weaknesses in the cloud-based management interfaces of the NIO50 and DA10D products.

The flaws identified during the research were reported to the affected vendors. Some have been fixed, but others remain open or will not be fixed because the product has reached end-of-life. This is the case for all of the flaws affecting the NIO50 gateway, for example.

"We have done this research in order to raise awareness," Marco Balduzzi, senior research scientist at Trend Micro, said during his Black Hat presentation. "It's obvious that these devices should not be exposed to the internet, but they are often exposed to the control network and if any machine on the control network is compromised, then these gateways can be attacked.

"And the problem with that is that it's very difficult to debug such attacks, because these devices often don't have logs and don't physically show any problems. The device basically makes a mistake in the translation and brings that mistake down to the PLC and it's really hard to debug such things."