Black Hat: Flaws in Radiation Monitors

Thursday, July 27, 2017 @ 04:07 PM gHale

There are unpatched vulnerabilities in different radiation monitoring devices.

An attacker could exploit these issues to wreak havoc and create a security danger.

Radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities, according to a talk by Ruben Santamarta, principal security consultant at Seattle-based IOActive, Wednesday at Black Hat USA 2017 in Las Vegas, NV. He also wrote a paper on the subject.

Patching will be difficult because these are design flaws rather than software bugs, and the vendors’ early response to IOActive’s discoveries was, in each case, to decline to work on patches. Since then, Digi said it is collaborating with Mirion to patch the flaws.

The companies have not fixed the problems yet, so users need to be aware of the issues so they can prepare.

There are multiple kinds of radiation monitors used in many different environments, but IOActive concentrated its research on portal monitors, used at airports and seaports, and area monitors, used at nuclear power plants.

Little effort was required for the portal monitors. “The initial analysis revealed a complete lack of security in these devices, so further testing wasn’t necessary to identify significant vulnerabilities,” the report said.

In the Ludlum Model 53 personnel portal, IOActive found a backdoor password that granted the highest privilege. With this, attackers could bypass authentication and take control of the device.

In the Ludlum Model 4525 gate monitor, IOActive found a complete lack of security in the communication between the gate and the controller Windows device. It would then be possible to perform a man-in-the-middle attack that alters the readings when it detects radioactive material.

Adequately resourced attackers could fine-tune their malware, says IOActive, to deploy “an advanced payload that hides specific isotopes from detectors, while providing the expected readings for others.”

For its analysis of area monitors used at nuclear power plants, IOActive looked at the Mirion WRM2 protocol used in multiple devices. It found it could insert false information into the communications.

“We have seen how radiation is present in our everyday lives, although we do not usually notice it, which is a good thing overall,” Santamarta said in the paper. “But if we think about it, that is also a challenge for those whose daily job is to guarantee that facilities, procedures and processes where radioactivity is involved are safe, e.g., nuclear operators who are trained to make sure no one is harmed during the normal working conditions of (nuclear power plants) or law enforcement, which needs to prevent radioactive materials smuggling across borders.”
