Ruben Santamarta, a security researcher for IOActive, has found various vulnerabilities in nuclear radiation monitoring equipment from three vendors, who when contacted by the researcher, declined to fix the reported flaws, each for various reasons.
The vulnerabilities were found in multiple product models sold by Digi, Ludlum, and Mirion.
Vulnerabilities found in very critical equipment
The equipment that Santamarta looked at is radiation monitors, which are devices usually installed at nuclear facilities, sea ports, border crossings, and across cities, and are used to monitor radiation levels.
This type of equipment is quite critical as it provides an early alarm system for radiation spikes in nuclear power plants, but also the presence of dirty bombs in a city’s range.
While these are edge case scenarios, radiation monitors are generally used to detect when nuclear power plant employees try to smuggle radioactive material out of their compound, and when someone attempts to cross the border with radioactive equipment and/or materials.
Researcher found backdoor account, weak encryption
Santamarta says he tested various radiation monitor models, from massive car and human scanning portals to small sensor boxes that engineers pin on walls across a nuclear power plant’s building complex.
The vulnerabilities Santamarta found ranged from simple backdoor accounts to inadequate encryption strength, and from hard-coded encryption keys to the use of insecure protocols.
All in all, Santamarta said that an attacker could use the backdoor to take over devices, or take advantage of the other vulnerabilities to mount a Man-in-the-Middle attack, intercept and alter traffic between monitoring devices and their controller.
If successful, an attacker would be in the position to disable alarms or print out false readings. The only condition was that an attacker must be in proximity to the vulnerable devices, in order to connect to their network or alter radio signals.
Vendors declined to patch flaws. Two later changed their minds
Santamarta says he contacted all three vendors. Below are the responses he got from the manufacturers:
Ludlum acknowledged the report, but refused to address the issues. According to them, these devices are located in secure facilities, which is enough to prevent exploitation.
Mirion acknowledged the vulnerabilities, but will not patch them as
it would break WRM2 interoperability. Mirion contacted their customers to warn of this situation. They will work in the future to add additional security measures.
Users can find out more about Santamarta’s work with radiation monitoring devices by reading his research paper titled Go Nuclear: Breaking Radiation Monitoring Devices.
Today, after Santamarta’s presentation, ICS-CERT also issued an alert regarding radio-based telemetry-enabled Mirion devices based on Santamarta’s work.
Before Santamarta gave a presentation on these vulnerabilities at the Black Hat USA 2017 security conference, Digi and Mirion contacted the researcher to inform him they changed their minds and said they would be working together to patch the reported vulnerabilities. Despite this change of heart, the flaws are still unpatched, and will probably remain so for months if not years.