Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Vulnerabilities Found in Nuke Plant Radiation Monitors

Critical Vulnerabilities Found in Radiation Monitors Used in Nuclear Power Plants, Seaports and Airports

Critical Vulnerabilities Found in Radiation Monitors Used in Nuclear Power Plants, Seaports and Airports

LAS VEGAS – BLACK HAT USA – Researchers have discovered multiple unpatched vulnerabilities in different radiation monitoring devices that could be leveraged by attackers to reduce personnel safety, delay detection of radiation leaks, or help international smuggling of radioactive material.

In a paper (PDF) delivered by Ruben Santamarta, principal security consultant at Seattle-based IOActive, at Black Hat Wednesday, it was disclosed that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities. 

Patching will be difficult since these are design flaws rather than software bugs; and the vendors’ early response to IOActive’s discoveries was, in each case, to decline to work on patches. Since then, Digi has told IOActive that it is collaborating with Mirion to patch the critical vulnerabilities. 

Vulnerabilities in different radiation monitoring devices Nevertheless, IOActive concludes, “we should acknowledge these issues are not currently patched, so increasing awareness of the possibility of such attacks will help to mitigate the risks.” It is likely that the same flaws will be present in other vendors’ radiation monitoring devices.

There are many kinds of radiation monitor used in many different environments. IOActive concentrated its research on portal monitors, used at airports and seaports; and area monitors, used at Nuclear Power Plants (NPPs). However, little effort was required for the portal monitors: “the initial analysis revealed a complete lack of security in these devices, so further testing wasn’t necessary to identify significant vulnerabilities,” notes the report.

In the Ludlum Model 53 personnel portal, IOActive found a backdoor password that granted the highest privilege. With this, malicious personnel could bypass authentication and take control of the device, preventing the triggering of proper alarms.

In the Ludlum Model 4525 gate monitor, IOActive discovered a complete lack of security in the communication between the gate and the controller Windows device. With these vulnerabilities, IOActive warns, “Malicious actors can perform a man-in-the-middle attack that alters the readings when the radioactive material they are interested in trafficking is detected. This would allow them to safely bypass these gate monitors while maintaining the compromised device in a working condition.”

In fact, adequately resourced attackers could fine-tune their malware, says IOActive, to deploy “an advanced payload that hides specific isotopes from detectors, while providing the expected readings for others.”

For its analysis of area monitors used at NPPs, IOActive concentrated on the Mirion WRM2 protocol used in numerous devices. It found that it could insert false information into the communications. There are two ‘worst-case’ scenarios.

In the first, under normal working conditions, attackers could simulate a radiation leak by inserting a dataset of falsified readings. Although this on its own is unlikely to cause a reactor shutdown (because of the need for human intervention), it could lead to an evacuation of the site. 

In the second, in a real accident situation, the course of the evacuation could be manipulated: “attackers may falsify these readings to trick authorities into giving the wrong directions for the evacuation, thus increasing the damage and/or potential casualties.”

“Failed evacuations, concealed persistent attacks and stealth man-in-the-middle attacks are just a few of the risks I flagged in my research,” said Santamarta. “Being able to properly and accurately detect radiation levels, is imperative in preventing harm to those at or near nuclear plants and other critical facilities, as well as for ensuring radioactive materials are not smuggled across borders.”
Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.