Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Vulnerabilities Found in Nuke Plant Radiation Monitors

Critical Vulnerabilities Found in Radiation Monitors Used in Nuclear Power Plants, Seaports and Airports

Critical Vulnerabilities Found in Radiation Monitors Used in Nuclear Power Plants, Seaports and Airports

LAS VEGAS – BLACK HAT USA – Researchers have discovered multiple unpatched vulnerabilities in different radiation monitoring devices that could be leveraged by attackers to reduce personnel safety, delay detection of radiation leaks, or help international smuggling of radioactive material.

In a paper (PDF) delivered by Ruben Santamarta, principal security consultant at Seattle-based IOActive, at Black Hat Wednesday, it was disclosed that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities. 

Patching will be difficult since these are design flaws rather than software bugs; and the vendors’ early response to IOActive’s discoveries was, in each case, to decline to work on patches. Since then, Digi has told IOActive that it is collaborating with Mirion to patch the critical vulnerabilities. 

Vulnerabilities in different radiation monitoring devices Nevertheless, IOActive concludes, “we should acknowledge these issues are not currently patched, so increasing awareness of the possibility of such attacks will help to mitigate the risks.” It is likely that the same flaws will be present in other vendors’ radiation monitoring devices.

There are many kinds of radiation monitor used in many different environments. IOActive concentrated its research on portal monitors, used at airports and seaports; and area monitors, used at Nuclear Power Plants (NPPs). However, little effort was required for the portal monitors: “the initial analysis revealed a complete lack of security in these devices, so further testing wasn’t necessary to identify significant vulnerabilities,” notes the report.

In the Ludlum Model 53 personnel portal, IOActive found a backdoor password that granted the highest privilege. With this, malicious personnel could bypass authentication and take control of the device, preventing the triggering of proper alarms.

In the Ludlum Model 4525 gate monitor, IOActive discovered a complete lack of security in the communication between the gate and the controller Windows device. With these vulnerabilities, IOActive warns, “Malicious actors can perform a man-in-the-middle attack that alters the readings when the radioactive material they are interested in trafficking is detected. This would allow them to safely bypass these gate monitors while maintaining the compromised device in a working condition.”

In fact, adequately resourced attackers could fine-tune their malware, says IOActive, to deploy “an advanced payload that hides specific isotopes from detectors, while providing the expected readings for others.”

For its analysis of area monitors used at NPPs, IOActive concentrated on the Mirion WRM2 protocol used in numerous devices. It found that it could insert false information into the communications. There are two ‘worst-case’ scenarios.

In the first, under normal working conditions, attackers could simulate a radiation leak by inserting a dataset of falsified readings. Although this on its own is unlikely to cause a reactor shutdown (because of the need for human intervention), it could lead to an evacuation of the site. 

In the second, in a real accident situation, the course of the evacuation could be manipulated: “attackers may falsify these readings to trick authorities into giving the wrong directions for the evacuation, thus increasing the damage and/or potential casualties.”

“Failed evacuations, concealed persistent attacks and stealth man-in-the-middle attacks are just a few of the risks I flagged in my research,” said Santamarta. “Being able to properly and accurately detect radiation levels, is imperative in preventing harm to those at or near nuclear plants and other critical facilities, as well as for ensuring radioactive materials are not smuggled across borders.”

Written By

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.