ADC Attack Shows Why Inputs Should Be Validated in ICS
LONDON – BLACK HAT EUROPE – Malicious actors could cause physical damage by exploiting flaws in how analog-to-digital converters (ADCs) are used in industrial environments, researchers warned.
ADCs are electronic devices that convert analog signals, such as voltage or amperage, into digital signals. In industrial environments, ADCs can be used to produce a digital number from an analog signal coming from temperature, pressure or other types of sensors. For instance, ADCs can be part of a safety system that monitors the signal from a programmable logic controller (PLC) to a motor or a turbine. The safety system can trigger a shutdown and prevent any damage if the value of the signal is not within normal parameters.
IOActive researchers Alexander Bolshev and Gabriel Gonzalez analyzed ADCs in the context of industrial control systems (ICS) and found that they can be tricked into measuring normal values even if there is an immediate risk to a physical process.
According to the experts, an attacker who has access to a PLC — a task that can be achieved using the various vulnerabilities disclosed over the past years — could generate a signal with a frequency that is interpreted as being valid by the ADC, when in reality it can cause serious damage to the physical process.
In an experiment they conducted, Bolshev and Gonzalez showed how an attacker can send a signal to a motor and make it look normal to the safety system, but actually cause vibration that can damage the motor.
ADCs typically have an anti-aliasing filter that restricts the bandwidth of a signal, but these filters don’t prevent the attack method devised by the IOActive researchers.
The researchers tested the attack on several Sigma Delta ADCs, which are the most popular for industrial applications. They determined that ADCs such as AD7705 and AD7706 are easy to attack. The method also works against MCP3425 and ADS1015 devices, but the difficulty of conducting the attack has been described by the experts as “easy-medium,” respectively “medium-hard.” In the case of MAX11205 converters, Bolshev and Gonzalez concluded that the attacks are likely “impossible.”
The experts pointed out that the attack needs to be customized for each targeted ADC, and while it took them several weeks to figure out the right frequencies, Gonzalez told SecurityWeek in an interview that it’s likely much easier for a sophisticated threat actor.
In addition to attacks that rely on frequency modifications, the experts looked into methods that rely on changes in amplitude. However, they said frequency attacks are more efficient.
Gonzalez highlighted that, similar to securing web applications, user input should always be validated in the case of ICS as well. The expert believes these attacks can be prevented if proper anti-aliasing filters are used.
