FortiGuard Labs Threat Research

Security Research News in Brief March 2017 Edition

By Axelle Apvrille | March 24, 2017

This blog post is a monthly review of some of last month's most interesting security research publications. Enjoy!

Garcia et al. Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit, NDSS, February 2017

The researchers present a rootkit for PLCs (Programmable Logic Controllers.) The rootkit sits inside the PLC's firmware. It modifies commands before they are sent out to other modules by replacing them with malicious attacks. It also modifies sensor measurements it receives, transforming them into something which looks normal so that the human operator does not detect that something wrong is happening.

The rootkit, which is named Harvey, is implemented over an Allen Bradley PLC. The researchers managed to change the LED and HMI states of the PLC without changing the external input / output.

Using JTAG and firmware disassembly, the researchers managed to locate the two subroutines they needed for their rootkit: (a) the routine which reads the GPIO input values, and (b) the routine where data are output (to LED or HMI, for instance). They modified the routines, hooking in malicious implementations, and operated the compromised PLC in that state.

In practice - and the researchers do note this limitation - to "infect" a PLC, an attacker would need to update the PLC's firmware. It seems that in the case of the Allen Bradley PLC, the firmware update procedure is quite secure and they weren't able to exploit any flaw. So, an attacker would have to resort to uploading the infected firmware using JTAG pins, or creating a firmware with a SHA-1 collision, or factorizing the public key of the certificate used for firmware updates.

NOTE: Great paper, both for learning how PLCs are implemented in practice (there's little documentation on that) and also for the security research results! The attack is difficult to set up in practice, but it is not be unfeasible for a government-level attacker. The fact that the reports are modified as well (the PLCs output to the human interface what she expects to see) makes it difficult to spot, with probably devastating effects. Nice: the researchers reported the vulnerabilities to the vendor, and the vendor gave them clearance to publish their research.

Chemeris et al, Drone hijacking and other IoT device hacking, Nullcon, 2017

This talk is about hacking nRF24 chips. nRF24 chips are for the 2.4 Ghz ISM band. ISM stands for "Industrial, Scientific, and Medical" radio bands, thus reserved for the communication of such devices over radio frequencies. However, strangely, the band has been also used for short-range low power systems such as Microsoft keyboards, mice, and some drones (e.g. Syma). The talk explains how to sniff RF24 packets or send packets to them.

The talk seems to have been given several times before, for example at GrCon 2016. Apart for drone hacking, the talk has little to do with IoT.


NOTE: If you read French, this article is interesting: Alain Schneider, Peripheriques sans fil nRF24, SSTIC 2014


Papers of NDSS 2017. Check out this interesting academic conference. There are often excellent papers available. Click on the programme, and then on each individual paper to download it.

Fortinet at Research Conferences

  • Raul Alvarez, "Dissecting a Metamorphic File-Infecting Ransomware", Insomni'hack, March 24, 2017, Geneva, Switzerland.
  • Axelle Apvrille, "Android Malware Reverse Engineering", Insomni'hack, March 23, 2017, Geneva, Switzerland.

-- the Crypto Girl