Researchers at security firm IOActive recently disclosed the details of a security issue in a widely used piece of industrial communication software found in solutions from companies such as Schneider Electric and Rockwell Automation. ProSoft Technology's RadioLinx ControlScape application generates network passphrases in a predictable way, which could let attackers recover a passphrase by brute force and then access and remotely manipulate systems controlling industrial and energy processes, SC Magazine reported.
ProSoft's product combines frequency hopping and digital signal processing with high-sensitivity receivers to provide radio-frequency communication with field-based controllers in high-interference environments, IOActive researchers Lucas Apa and Carlos Penagos noted in their report. It is used across the energy sector, with customers at oil and gas companies as well as water and electric utilities. The RadioLinx ControlScape application is used to configure and install the radios. When it creates a new radio network, the software generates a "random" passphrase using the C runtime library functions srand and rand and sets the encryption level to 128-bit AES. The cipher itself is not the problem: the passphrase that protects the link is only as unpredictable as the seed fed to srand.
“Because it uses the local time as seed, an attacker could predict the default values built into the software,” Apa and Penagos wrote. “This makes the system vulnerable to expedited brute-force passphrase/password attacks and other cryptographic-based attacks.”
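To make the mechanism concrete, here is an added illustration (not IOActive's or ProSoft's code): a time-seeded passphrase generator built on srand/rand as the report describes, the attacker's seed enumeration that recovers the passphrase once the creation time is known to within a window, and a hardened generator that takes its bytes from the OS CSPRNG instead. The passphrase length and alphabet, the commissioning timestamp and the matching oracle are assumptions made for the example; the page gives none of ControlScape's actual parameters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed passphrase length and alphabet; the page does not state
 * ControlScape's real values, these are illustrative. */
#define PASSPHRASE_LEN 16
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
#define ALPHABET_SIZE (sizeof(ALPHABET) - 1)   /* 62 */

/* Weak generator, modelled on the page's description: the clock seeds the
 * CRT PRNG and rand() picks each character. The output is a deterministic
 * function of the seed, so a one-second timestamp (at most 2^32 values, far
 * fewer when the creation time is roughly known) is the real key space, not
 * the 16 * log2(62) ~ 95 bits the passphrase appears to have. */
void weak_passphrase(unsigned int seed, char *out, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[(unsigned int)rand() % ALPHABET_SIZE];
    out[len] = '\0';
}

/* Attacker side: enumerate every one-second seed within +/- window_seconds
 * of the estimated creation time and regenerate the passphrase for each.
 * `matches` is whatever check the attacker has against the target (here a
 * direct comparison; in practice a join attempt or captured key-check value).
 * Returns the recovered seed, or 0 when nothing in the window matched. */
unsigned int recover_seed(int (*matches)(const char *),
                          unsigned int approx_creation,
                          unsigned int window_seconds)
{
    char candidate[PASSPHRASE_LEN + 1];
    unsigned int start = approx_creation - window_seconds;
    for (unsigned int seed = start; seed <= start + 2 * window_seconds; seed++) {
        weak_passphrase(seed, candidate, PASSPHRASE_LEN);
        if (matches(candidate))
            return seed;
    }
    return 0;
}

/* Constructed scenario: the target is whatever the weak generator produced
 * at an arbitrary commissioning time. */
static char g_target[PASSPHRASE_LEN + 1];
static const unsigned int CREATED_AT = 1375315200u;   /* constructed timestamp */

static int oracle(const char *candidate)
{
    return strcmp(candidate, g_target) == 0;
}

/* Returns 1 when an attacker whose estimate of the creation time is off by
 * about 20 minutes recovers the passphrase within the given window. */
int demo_recovery(unsigned int window_seconds)
{
    weak_passphrase(CREATED_AT, g_target, PASSPHRASE_LEN);
    unsigned int attacker_estimate = CREATED_AT + 1234;
    return recover_seed(oracle, attacker_estimate, window_seconds) == CREATED_AT;
}

/* Hardened replacement: draw the passphrase from the OS CSPRNG. /dev/urandom
 * is assumed (POSIX host); on Windows the equivalent is BCryptGenRandom.
 * Rejection sampling avoids the modulo bias of `rand() % N`.
 * Returns 0 on success, -1 if the entropy source is unavailable. */
int secure_passphrase(char *out, size_t len)
{
    const unsigned int limit = 256 - (256 % ALPHABET_SIZE);   /* 248 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = 0;
    while (n < len) {
        int b = fgetc(f);
        if (b == EOF) {
            fclose(f);
            return -1;
        }
        if ((unsigned int)b < limit)
            out[n++] = ALPHABET[(unsigned int)b % ALPHABET_SIZE];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

/* Sanity check for the hardened generator: right length, alphabet only. */
int secure_passphrase_is_well_formed(void)
{
    char buf[PASSPHRASE_LEN + 1];
    if (secure_passphrase(buf, PASSPHRASE_LEN) != 0)
        return 0;
    return strlen(buf) == PASSPHRASE_LEN && strspn(buf, ALPHABET) == PASSPHRASE_LEN;
}

int main(void)
{
    printf("one-hour window:   %s\n", demo_recovery(3600) ? "passphrase recovered" : "not found");
    printf("ten-minute window: %s\n", demo_recovery(600) ? "passphrase recovered" : "not found");
    printf("hardened generator well formed: %d\n", secure_passphrase_is_well_formed());
    return 0;
}
```

Compile with `cc -std=c99 weak_passphrase.c`. The point is in the numbers: a one-hour uncertainty about when the network was created leaves 7,201 seeds to try, so the "brute force" is trivial no matter how long the passphrase is, while the same attacker finds nothing when the creation time is guessed outside the window, which is why commissioning records and device logs matter to both sides. Which CRT ControlScape links against only changes which rand() the attacker has to replicate, not the size of the seed space.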
Addressing the flaw
An attacker who gained remote access through the vulnerability could, for example, overheat liquids or over-pressurize chemicals at a nuclear power plant, SC Magazine reported. Such flaws have been an ongoing cybersecurity concern in recent months, with many experts noting that ICS software security lags far behind that of general IT applications. Vendors have been encouraged to reduce the prevalence of such flaws by adopting a secure development lifecycle that incorporates tools such as static analysis software, which routinely flags the use of rand() for security-sensitive values like this passphrase.
The ProSoft vulnerability, which was designated CVE-2013-2803 by the Industrial Control Systems Cyber Emergency Response Team and given a severity rating of 9.3 out of 10 last month, has been addressed with a firmware patch. However, the patch cannot be applied over the air: the operator has to power off the device and connect it to a PC, Apa told SC Magazine. Patching the generator also does not retroactively strengthen passphrases that were created with the old version, so operators should regenerate the passphrases on existing networks as well. Given the effort each such fix demands in the field, the incident is a reminder of the importance of building security into products during development rather than relying on patches after deployment.