Critical network control systems such as SCADA (Supervisory Control And Data Acquisition), Building Management Systems (BMS) and PLCs (Programmable Logic Controllers) all use a proprietary wireless technology which could potentially be hacked using SDR equipment and a PC. The specialist data communicated by these systems could be intercepted, captured and replayed to suspend service and cause widespread disruption.
These systems will also be at greater risk in the future as smart meters are brought online, increasing the attack surface of the network. The lowering price point, advances in processing power and difficulties in detecting SDR attacks are also likely to increase its appeal.
SCADA industrial control systems are used to monitor and regulate utility services across multiple sites and distances and have been afforded some protection by the relative obscurity of the network in the past. However, with up to 53 million smart meters across 30 million homes and businesses being added between 2014-2019, the number of potential access points on to the network is set to increase dramatically.
The data relayed between these end devices can be intercepted, captured, jammed or replayed using SDR equipment, providing the hacker with network-wide access to field devices, control stations, generating stations and transmission facilities.
Smart meters, which use the Zigbee standard, are particularly vulnerable to signal capture. Chosen for its energy efficiency, Zigbee has been routinely compromised in the past. Keys are transmitted in the clear, transmissions are prone to interference, and in the event of a signal jam, frequency hopping capabilities are poor. Attempts have been made to secure Zigbee through authorisation and pre-configured security keys but both require additional system management.
The lowering price point and ease of use of SDR equipment make it the ideal tool with which to capture, intercept and manipulate Zigbee and other widely used wireless standards. It has overcome many of the obstacles associated with wireless hacking, such as frequency hopping or advanced modulation techniques, and eradicates the need for expensive equipment or an in-depth knowledge of wireless standards on the part of the hacker.
SDR works by capturing radio frequency signals using a high-speed ADC (Analogue to Digital Converter) enabling the direct digitisation of the radio frequency signal which can then be analysed by a DSP (Digital Signal Processor) before being converted into output data stream. The user can analyse slices of spectrum at their leisure, looking for carriers and modulated signals and go on to isolate the preamble and the payload, or message headers if searching for data streams, for instance.
There are a variety of SDRs on the market but the USRP (Universal Software Radio Peripheral) is the tool of choice as it allows both reception and transmission which, when coupled with open source software such as GNU Radio, allows the creation of advanced radio systems. This uses a USB 2.0 interface, an FPGA and high-speed ADCs and DACs, to generate a sampling and synthesis bandwidth a thousand times that of a PC sound card, extending the reach of the equipment and enabling wideband operation.
“Wireless assaults on critical infrastructure will grow exponentially over the next few years, in line with the rollout of smart grid networks, and SDR provides the hacker with an opportunity to jump onto parts of this network. To date, critical systems have relied upon their relative obscurity to protect them but that will have to change. The only way of protecting a wireless device from an SDR attack at present is to ensure that it has been designed, configured and deployed to resist over-the-air attacks. Very few vendors of such equipment will give this type of assurance so independent testing is currently the only option until the industry applies itself to developing a solution. Understanding exactly what radio systems have been deployed and ensuring adequate risk assessments have been conducted is an essential first step,” says Greg Jones, Director, Digital Assurance.
Update, 26 April 2013: Robert Cragie, Chair of the Security Task Group at the ZigBee Alliance comments: "“The press release should have made clear that it is ZigBee Home Automation (HA) profile used for controlling electrical devices around the home has been shown to be insecure. Digital Assurance has detected implementations of ZigBee HA performing over the air, clear text key exchanges on numerous projects. However, Zigbee Smart Energy (SE) profile, which is the standard being used in Smart Meters, does not exchange keys in the clear.”"