Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs

Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers (PLCs).

Attackers may be able to plant a piece of malware on an isolated network, including via compromised update mechanisms or infected USB drives, but using that malware to send valuable data outside the organization poses its own challenges.

In the past few years, Israeli researchers have found several methods that can be used to jump the air gap, including via infrared cameras, scanners, the LEDs on routers and hard drives, heat emissions, radio signals, and the noise made by hard drives and fans. One of their proof-of-concept (PoC) malware samples, named AirHopper, uses electromagnetic signals emitted by a computer’s graphics card to send data to a nearby receiver.

Researchers at CyberX, a company that specializes in protecting industrial control systems (ICS), have found a way to apply a similar data exfiltration method to systems in air-gapped industrial networks. The method was first disclosed in October at SecurityWeek’s ICS Cyber Security Conference by CyberX VP of Research David Atch.

CyberX shows how malware can jump the air gap via PLCs

The technique relies on PLCs and the RF signals they emit. Tests were conducted using the popular Siemens S7-1200 PLC, but experts believe the attack likely works on PLCs from other vendors as well.

The exfiltration method discovered by CyberX does not leverage any vulnerabilities or design flaws in PLCs. Experts also noted that it does not involve any RF functionality in the device itself. Rather, the RF signals emitted by the device are a byproduct of repeatedly writing to the PLC’s memory in a specific way.

Researchers analyzed the radio waves from these systems and found that the frequency changes when data is written to the device’s memory. If an attacker can manipulate this frequency, they can use it to exfiltrate data bit by bit – a certain frequency represents a “0” bit and a different frequency represents a “1” bit. The signal can be captured by a nearby antenna and decoded using software-defined radio.

Writing to the PLC memory in a specific cycle that causes a modulation in the frequency of the RF signal can be achieved by uploading a specially crafted ladder diagram to the device. Ladder diagrams are created with ladder logic, a programming language used to develop software for PLCs.

An attacker who has access to the targeted organization’s systems, specifically to its industrial controllers, can upload a malicious ladder diagram to a PLC and abuse it to exfiltrate sensitive data.

In the tests it conducted, CyberX managed to transmit data at a rate of 1 bit per second over a distance of roughly 1 meter (3 feet) with an off-the-shelf antenna. However, experts believe the distance can be increased using a higher quality antenna, and improvements made to signal processing algorithms can help increase the speed of the transmission.

The exfiltrated data can be captured using various methods, such as an antenna attached to a drone flying over the site, or by an adversary posing as cleaning staff and carrying an antenna in their pocket.

While the data exfiltration rate may seem very slow, experts believe the method can be useful for stealing small pieces of information typically collected in the reconnaissance phase of an attack launched by a sophisticated threat actor, including network topology, protocols and devices, intellectual property stored in HMIs and historians, and work schedules.

Researchers warned that these types of attacks are typically difficult to detect because there aren’t any security solutions running on PLCs. Furthermore, once a device has been compromised, the malicious code persists for an extended period of time, since PLCs are rarely reformatted.

“Organizations can prevent these types of attacks with continuous monitoring and behavioral anomaly detection,” Atch told SecurityWeek. “For example, this would immediately detect the cyber reconnaissance phase preceding data exfiltration — such as devices scanning the network and querying devices for configuration information — as well as unauthorized updates to PLC ladder logic code to deploy the specially-crafted code to generate encoded RF signals.”
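The two behaviors Atch names, a host querying many controllers for configuration information and an unauthorized update to a PLC’s ladder logic, can be checked for in network event data. The following is an added example written for this article, not CyberX’s product logic or anything from the research; it runs over a handful of constructed events in an assumed key=value format, with an assumed inventory of approved engineering workstations and an assumed maintenance window, and flags program downloads that come from an unapproved host or fall outside the window, plus any host that queries configuration from several controllers.

```python
"""Behavioral anomaly detection over constructed ICS network events.

Hypothetical example, not CyberX's logic. It flags two behaviors:
  - configuration reconnaissance: one host querying many controllers
    for their configuration (here labelled op=read_szl, an assumed label);
  - unauthorized PLC program changes: a program download from a host
    that is not an approved engineering workstation, or one that occurs
    outside an approved maintenance window.
"""
from collections import defaultdict
from datetime import datetime, time, timezone

# Constructed sample events (assumed format; not a real product's log lines).
# 10.0.5.200 sweeps four controllers for configuration and later, at night,
# pushes a program download; 10.0.5.50 is an approved workstation doing a
# legitimate daytime download.
SAMPLE_EVENTS = """\
2017-11-20T09:14:05Z src=10.0.5.200 dst=10.0.5.10 proto=s7comm op=read_szl
2017-11-20T09:14:06Z src=10.0.5.200 dst=10.0.5.11 proto=s7comm op=read_szl
2017-11-20T09:14:07Z src=10.0.5.200 dst=10.0.5.12 proto=s7comm op=read_szl
2017-11-20T09:14:08Z src=10.0.5.200 dst=10.0.5.13 proto=s7comm op=read_szl
2017-11-20T09:30:00Z src=10.0.5.50 dst=10.0.5.10 proto=s7comm op=read_var
2017-11-20T23:41:12Z src=10.0.5.200 dst=10.0.5.12 proto=s7comm op=program_download
2017-11-21T10:02:00Z src=10.0.5.50 dst=10.0.5.11 proto=s7comm op=program_download
"""

ENGINEERING_WORKSTATIONS = {"10.0.5.50"}        # assumed asset inventory
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))  # assumed change window, UTC
RECON_DEVICE_THRESHOLD = 3                      # distinct controllers queried


def parse_event(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a UTC datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return event


def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() <= end


def detect(log_text):
    """Return a list of alert dicts for the behaviors described above."""
    alerts = []
    config_queries = defaultdict(set)  # src host -> controllers it queried

    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)

        if event["op"] == "read_szl":
            config_queries[event["src"]].add(event["dst"])

        elif event["op"] == "program_download":
            reasons = []
            if event["src"] not in ENGINEERING_WORKSTATIONS:
                reasons.append("source is not an approved engineering workstation")
            if not in_maintenance_window(event["ts"]):
                reasons.append("outside maintenance window")
            if reasons:
                alerts.append({
                    "type": "unauthorized_plc_program_change",
                    "src": event["src"],
                    "dst": event["dst"],
                    "reasons": reasons,
                })

    # Reconnaissance is judged after the pass, once each host's query set is known.
    for src, devices in config_queries.items():
        if len(devices) >= RECON_DEVICE_THRESHOLD:
            alerts.append({
                "type": "configuration_reconnaissance",
                "src": src,
                "devices": sorted(devices),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample events this produces two alerts, both for 10.0.5.200: the night-time program download (unapproved host, outside the window) and the configuration sweep across four controllers. The approved workstation’s daytime download raises nothing. In practice the inventory and the window would come from the organization’s change-management records, and a real monitoring system would also baseline which hosts normally talk to which controllers rather than rely on a fixed list.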

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
