
OK everybody, we're going to get started with Stephen Hilt. He's going to be going over... and that went backwards. We're going to be talking with Stephen Hilt here. I'm going to make him presenter and we'll get started. I'll go on webcam here for a minute for you guys.

Hi, I'm Stephen Hilt, and this will be my talk about how we reverse engineered multiple industrial radio remote control systems. This project originally started in 2018, was presented a couple of times in 2019, and here we are in 2020, the year of the virtual conference and a bunch of other things that are going on in our lives. So I'm going to go away from the camera here for a little bit so you can focus on my slides and not this. I'll be back later and answer some questions at the end if you have any.

So this project originally started, as I said, in 2018. One of the things we were looking to do was find some targets which we wanted to look at from a reverse engineering stance and get really deep into some wireless RF protocols. One of the things that we noticed when we drove around to do this research was something interesting that we kept seeing all over the place, from coworkers that were on this project with me, from things you could see from your apartment building. This is a shot I took in Tokyo in December 2018, when they were ramping up for something that was going to happen this year, which would be the Olympics. As you zoom in here, you see all these things off in the distance, so we kept looking and looking, and you see a lot of cranes all over the place. So one of the first things we wanted to look at was cranes. Now, there are multiple types of cranes: there are overhead cranes, there are the cranes that we just showed you, there's a bunch of different things, and one thing that's in common with all of them is the way they're controlled. This is a controller specifically for an overhead crane; this is my coworker Marco, and it's actually attached to him. There are other types, some more simplified, but pretty much the way any of them work is you push up, the crane hoists up, and then there's down, north, south, east and west. There are some other functions depending on the model, but those are the primary functions of all of these.

So before we started diving into it, we wanted to look at where exactly all these things are used. Are these types of controllers used for anything other than maybe just cranes as well? The first thing we'll see is that, much like the previous picture, industrial hoists; they're used in mobile hoists, so the trucks that move around and pick things up as well; concrete pumps are using these; these are used in agriculture, logistics, forestry, drilling operations. I saw a YouTube video of a continuous miner that's being run by pretty much the exact same controller I showed you that Marco was wearing. They're used in industrial automation, material handling, mining. Pretty much what we're saying is almost every sector eventually will have, or already has, one of these. So this was a very good target for us, because it's not just super hyper-focused on something like moving material in a steel mill or anything like that; it's everything from transportation on down that is using these.

Then we wanted to look at market share, where the vendors are located, things like that, and we found several large vendors based in the highlighted countries. Most of these vendors have been operating for decades, so it's a very mature business with tens of millions of dollars in revenue. So how do they work? The transmitter communicates over wireless to the receiver, the receiver then operates a relay, which then runs a motor. It's pretty simple: that signal is telling it to run a motor. You can then hook these up to, as I said, anything else you want, so by pressing buttons you can automate various equipment, and by triggering a switch turn on a motor and things like that.
One of the first things we did was get our hardware. We used both Ettus B210s and BladeRFs, and some DVB-T dongles as well, to start looking at these systems. When we started looking, the first steps that we took were to see what we could do with any decoding of any of the messages. As you can see here, we looked at 433.7 MHz, took the packet, then replayed it at the same 433.7 MHz. So what happened? On the left side with the record, we're literally recording in GNU Radio at 433.7 MHz, then we take what we recorded and replay it. So I'm going to show you a little demo of what happened here.

This is one of the vendors, JUUKO. As you can see, the basic operations of up, down, left, right, things like that, and in the background we're recording it. Now we'll put the controller down. So we recorded it; now let's go through the next step. Now, with the controller down and no one touching it, in fact we even took the battery out of the controller, as you can see on the ground, it's operating the crane from our recorded captures. One of the first things you see is the relays on the back all lighting up. This is the command that starts the radio, much like the one I showed earlier with the crane here, so we're just replaying the command that includes the start-up command. Earlier there's a start-up sequence before any of the buttons work, for safety, so you can actually replay the starting sequence so everything turns on.

So what happened is, when we replayed the message, it worked. We then wanted to see what happens if we capture multiple messages, to see if we could capture any differences within the packet. So message one of up, message two of up, message three: all the messages were the same. Every time we recorded on JUUKO, the messages were all the same every time we were hitting the up button. Now, one caveat on this, and one thing we learned through a couple of different vendors (I'll show another one later), is there are different methods in which the vendors work. In some cases it will be that when the button is pushed it'll hold until the button is released, so it's one signal that says up, and then when you release it more or less stops sending up. On some radios it's a continuous message the entire time the button is pressed.

So one of the things we did see there was, OK, record and replay works. All the vendors that we tested, this worked on. It's super easy and super cheap to do; all you have to do is record a message and replay that message. Every one that we tested was vulnerable to this. To show you it's not just in a lab, here's a real crane on which this is working. You should see we hit the stop button that was on the top of it, so that in theory turns off the relays inside the receiver. Then with our BladeRFs we are sending a signal to start it up and start moving the crane, and you can see here it's an overhead crane and it's moving inside of a facility that picks heavy things up and moves them. The interesting thing here, of course, is that chain swinging around. Now, what's the damage here? Not a whole lot, until you get close to those cars and things like that; you could do things, but just in general it's pretty unfortunate that it's that easy, that you can just record and replay a message.

I don't know if anyone here has used URH, but this is URH, the Universal Radio Hacker. We took most of the items that we had, we put them into URH, and this is where you can see things as well, where we start looking into pre-recorded commands: up, north, down, east. OK, so now we know which command is north, which ones are up, down, east. Once we recorded them and started separating them like that, now we have arbitrary commands; it doesn't have to be one where we record the whole sequence. We've broken it up and chunked it into what we knew each thing was. So for our radios this worked, and for each and every other radio we came across we have to do the same capture for these replays to work. So it's not necessarily something that we really want to do, where we record it for every case. What we want to eventually go to is
the ability to change things, because some of the vendors have a pairing ID, and so we wanted to reverse how that pairing ID worked and other things like that, so we could figure out if we could do arbitrary command execution, where it didn't matter which device we had; we could always figure out how to interface with it and operate it. So we'll go back to our JUUKO in this case, and let's look at this vendor where we did a bunch of reversing. One of the first things we did was open up the case, and the first thing you see is a bunch of relays. When we looked a little further, you see that underneath the chip itself it's a CC1120 chip with an antenna out. RF analysis: pretty much what we have is looking at the signal coming out of the chip itself. So we capture the signal, now what? Then we decided that we were going to hook it up to a logic analyzer to try to clean up some of that noise. We specifically used a tool to emulate SPI operations with read and write registers, so we created a tool that emulates the SPI. We actually did a talk pretty exclusively on this tool that we built; we gave it at S4x19 in Miami, so if you want to see that talk there's a lot better information there. Another author on this research, Jonathan Andersson, does a way better job of explaining this tool than I ever could, mostly because he wrote it, so go watch that talk if you're really interested. I could put you in touch with Jonathan as well if you have any questions about it. But what we can see here is what's being accessed, set and programmed, out of the tool that we wrote. From there we can write custom GNU Radio blocks based on the information that we saw on the SPI. So here's an example of us exercising those complex protocols; these complex protocols are based off the information that we decoded from the radios, so you see things like the preamble, sync words, address, all those things that we decoded out of it. Then we ended up coming up with this complicated radio flow graph that would be able to do everything we needed to do with JUUKO.

Then we dug into the specs, and we found the frame of the CC1120 based on the specs here for the data field. So we're going to try to reverse out what is actually in the data field. We knew the preamble, sync words, trailers, but what's in the data? There's a custom application protocol with security through obscurity baked in, usually, so we have a preamble, sync word, and then the custom application. When we started looking at the data, you see the first thing is a sequential ID. After the preamble and sync words we have a sequential ID. We were able to get the system to send with fixed sequential IDs to see whether anything else changed or didn't change. The next thing we noticed is these interesting five bytes. Those five bytes seemed interesting to us. Why did they seem interesting to us? It was the ID number on the model itself, on the sticker inside the case. So then we looked back at the board, remember there was the ID, and we kept hitting our heads on the desk (this actually happened at a team meeting when we were in our offices in Taipei one day) to figure it out: if we just took the pairing code, which can be changed via USB, from what the pairing code was (which would be the ID), and then we changed that pairing code to a new pairing code of nothing but zeros, then we come out with what the pairing code actually tends to be. So what happened here, long story short, is we XORed the data with the pairing code of all zeros against our original data set, and we found we would get the following, which is our pairing code in little-endian. So now we know what those five bytes are: the pairing code. The next is the command, and you can see it's pretty basic information in there.

So now we have command injection, not just for our radios but, with some basic lookups (we created a lookup table), we could pretty much sniff one packet, look up what your pairing code is, and now I can communicate to you; I'll regenerate the packets, things like that, and then send them out. So this came up for any JUUKO radio that we found. This is what the protocol looks like for the up command. So pretty much anything you want to do we can do, any commands, including an e-stop button command. The idea here is that we can take any command that you give us, that I see, and I can then change the command to whatever command I want it to be, and when we send a bunch of e-stops, more or less your crane just stops working. So what if we do that in a loop? Do we actually have a DoS of production, or whatever? So next is a little video that we have of us actually doing that.
So with the systems running now, you can see it doesn't work. I wait, and it does work there; now it's off. So every time you start it, it stops. We just continually run that script and it's constantly telling the JUUKO radio, in that case, to stop. So now we have command injection. So we have record and replay, command injection, and a couple of other things we wanted to work on, which were the e-stop abuse and then malicious re-pairing. Malicious re-pairing is interesting. The idea here is that we could see if we could reprogram another controller: instead of walking around with all our SDR equipment, can you buy one of these controllers, then reprogram your controller to work with that system? So we looked at one of our other radios that we were working with, which was a SAGA radio in this case, to see if we could do anything with the firmware, anything like that as well. This is the USB programming tool that we got, and we looked at the schematics, and we found lots of issues once we started looking at this. Not only did SAGA have these ports for reprogramming the transmitter, but most of them did, not just SAGA, so we're not talking about just a SAGA thing. We were able to find clear-text passwords in transmission, the firmware was unprotected, and we also could forge the integrity checks, which could lead to backdoors on these devices. In short, malicious re-pairing worked and we could put rogue firmware on some devices. So with that we have now... sorry, wrong one... we have our malicious re-pairing and reprogramming. The malicious reprogramming and re-pairing are a little more on the expensive side, in our case just because it takes a little extra time and a little extra effort, but it is possible on all the devices that we tested.

Next we're going to look at possibly how we can do remote, stealthy and persistent attacks. Here we have a tool that we built custom, called RFQuack. You can go to github.com/trendmicro/RFQuack and find all the information you want about it. We've actually done a little bit more work on this tool set since then, but the idea here is we have a remote attacker, through a 4G LTE connection, who can then transmit and communicate through this. In total the cost to build one of these is around $40, and here's a little video that we put together about how it operates.
Yeah, and we made it flexible, so you can actually use this not just for crane controllers but for any project you're working on. One of the things that we were having issues with, in some of the cases with some of the original tool sets that we were trying to use, is that they just didn't work like we wanted them to, and I reached out to Travis Goodspeed a couple of times about some projects, and also Atlas for some of his things as well, that we just couldn't really get working. We actually ended up patching a couple of tool sets to see if we could get them to work for us, but that didn't seem to work very well. That's a really... sorry about that video artifact. Then we toss it... OK, is it flickering for you guys or no?

Yeah, it seems to be a little slow; videos don't do too well across GoToWebinar. I'll post all these slides to the conference schedule so you guys can watch the videos if you want. Long story short, by example, we were able to exploit vulnerabilities that we found remotely, so now we can sniff everything we wanted to sniff, and we could even then transmit what we wanted to transmit, on something that is relatively small. I'll just go ahead and skip this slide because it's not doing so hot. In other words, we have a flexible tool that can do lots of things that you want it to do; it's just rewriting some code here and there for it. So if you're interested in that, check it out; if you have any questions about that tool set, let me know.

Earlier I mentioned Travis. Travis actually might be on this call, because I've got to give him a big shout-out for one of the big successes of this project. At BSides Knoxville 2018 Travis gave a really good talk on his GoodWatch, and so when I was doing this project I was sitting there thinking to myself, is it possible for us to take a GoodWatch and control one of the cranes that we had? In essence, I'm going to show you the video from me at S4 in 2019 controlling the crane itself. This is online, and I'll post the slides as well, so you should be able to see that. As you can see here, here's the GoodWatch controlling our SAGA crane; it's going up and down and things like that. So we were able to control the crane from the watch, which is a pretty good achievement, because one of the things I was always joking around about is, if we can do that... yeah, the RFQuack is really good, we can run it on a battery and you can drop it, you don't have to be near, but how many times are you stopping somebody coming into any of your facilities for wearing a watch? You don't. So if I, as an attacker, figure out how to monitor, view and get all that information, and then can program a watch, and then come into your facility and do something, you're never going to question the guy with the watch. That was my approach on it, and so far that's pretty good; I've never got anything that says anybody is really questioning people with watches.

From a disclosure stance, we had only one vendor release a patch. We're not going to go back and police them and check the patch, but one out of seven is pretty sad. One vendor we spoke with in person said that nobody would ever be able to do these attacks. Another vendor approached us and thanked us for our paper, because they were also able to go talk at DIN, which is a working group that he's part of, in order to amend existing safety standards, specifically IEC 62745, which is the standard for minimal requirements for functional safety for remote controls. The amendment that he wanted to suggest is including requirements that state standard-compliant devices should at least not be affected by simple replay attacks. One vendor in particular threatened legal action against us for having looked at their devices, but now has decided, with much discussion from ZDI, which Trend Micro ZDI is part
of, so we have to go through ZDI for our disclosures. So with much discussion with ZDI they have decided to patch, but we haven't seen public evidence of this patch. Overall the process was painful; it took 30 days more than our usual 90-day disclosure window, so we gave them extra time. I'd say it went worse than typical ICS-space vulnerability disclosure, because at least in the ICS space they understand some of it. When we were talking to these people it was like 2006, when we were originally talking to some of the ICS vendors, and we got a question from one vendor even, which was, "Oh, vulnerability, what does that mean? Help us understand it. You found a vulnerability? We don't even know what a vulnerability is." So that was fairly interesting, and it's in our paper.

Going back to the vendor that said no one will be able to do this: I figured this was going to come from some of the vendors, and so what I was able to do at one point in time was this. I'm down here in Chattanooga and there's a lot of industry around us, so I was able to completely profile a company online from my house and get all the information I needed. I actually ended up watching their crane safety training videos that they had posted to YouTube, which showed me exactly which vendor they had. Then I went to that vendor and looked up the model that they had, and found the operating range of the frequencies that they were working on. I then went and sat in a public park near the facility they were at with a directional antenna and was able to pull signal from them operating the crane. I cover this a little in the paper itself as well as in other presentations; I've talked about that before, but that was actually part of the evidence that we showed them when they said no one's going to be able to do these attacks: here's me sniffing, figuring out exactly which protocol it was. And yeah, it took something like a vendor or an asset owner putting their information specifically on the Internet, as in their training safety videos, but we can glean a lot of information from a lot of other places as well. The point being is that we can actually do this, and as we've shown in the other videos with the actual cranes operating, this wasn't just lab environment stuff; we were able, with permission, to control actual cranes hooked up to actual things, and the only thing that's different between the one that I showed with the watch versus a big crane is what the motor is hooked to. These are all the same things that you can buy and do from there.

From a vendor stance, if you are a crane vendor, you need to use open technology standards such as Bluetooth, we need to adopt rolling codes and encryption, and protect the firmware, and ease user maintenance, because a lot of these things the users can't even maintain; you have to get the vendor to come in and fix some of these issues, because they don't really give tool sets to update something that's not even connected to the network. So that's just something they have to come in with their tool sets and upgrade. From users, we need to promote vendors adopting open technologies, and we need to do better maintenance and update periods, and periodic change of the secret pairing codes and pairing IDs. As an example, for JUUKO you could change it; the ID was just the hard-set one that was there, but if you buy a new controller you need to pair it with the receiver, so they give you the USB tool to do this. Well, they sell it to you, with their software suite; they sell it to you, but there are those options. That happens in some cases; for some of the radios you just have to... so for SAGA you had to buy from SAGA new crystals that match the right frequency. In the case of some vendors there were just DIP switches on the receiver and transmitter, so you just had to make the DIP switches match to which frequency you're on.

So, in conclusion, patterns of vulnerabilities: there are no rolling codes. One of my coworkers, Federico, I still remember when we found the first one that we could replay, was like, "My garage door has more security than these cranes," or even your car, you know; we've worked out some of the security issues, basic ones, that at least help for a little bit with the replays. There's weak or no encryption at all; by weak we meant that XOR, that's about as much encryption as we saw, and that's not really encryption, that's encoding. The lack of software and firmware protections, and the companies need security programs and awareness for this field specifically. As I said, we released a white paper on this; you can go to that URL or ping me later about it, and I'll probably add it to the conference schedule as well with my presentation. So that's it at that point in time, if you have any other questions.

So we don't have any questions posted through GoToWebinar, but I do want to point out that there was some jealousy
thrown your way in track two on Discord; they want to be able to play with big RC cars too.

Yeah, that's pretty much what this was; we can control anything and everything with one. Let me turn the camera back on. Yeah, I'm sorry about the videos not working as well as they could have. As I said, I'll post those, for anyone wanting to build a GoodWatch that does one of these things. There have actually been several follow-on researchers that have, over the course of last year and up to today, looked at more vendors specific to their own regions and countries, and they have pretty much found the same things. Some of the bigger vendors already have used some security; there are a couple of vendors that have Bluetooth-based cranes (that implies its own problems, but at least they're on a standard protocol), but most of what we saw, all the sub-gigahertz things, were roll-your-own radio chips that they just kind of built on and wrote their own protocols for control. When we're looking at the vendors themselves, a lot of smaller vendors are rebranding larger vendors' equipment, so while SAGA doesn't sound big, because they're in Taiwan, they're rebranded throughout the US as three different other brands, and once you start tearing them apart you start seeing that they're all, some of them, using a lot of the same equipment, the same things. It's led on to some other research that we were looking at doing, as well as finding what other controllers use these same types of basic communications over RF to control other things. As I said, the continuous miner was fun; it looks really dangerous, but you also have to think about that thing's probably about a mile underground, and the ability to control it is probably really, really hard, so that's not really feasible, to make a continuous miner in a coal mine go crazy.

I just had a question come through Discord. Sam wants to know, what are some of the more interesting failure modes, like dropping a container? So we can't actually do one of those... I've had a question once where somebody asked me, has this ever happened? And we don't know, but one of the biggest failures that I know about from a crane stance, and it's public because it happened at a nuclear plant in Arkansas, was where they were doing some outage work and they ended up dropping the reactor vessel lid back on the reactor, which damaged it to where that plant had to be out for a while. There's an NRC report, a write-up about the crane's failure. So yeah, if it is something that has the ability to grab and drop, you could drop it. The problem is that a lot of these systems already have controls in case a motor breaks; they have brakes on them, they're meant to stop and not fall, but if you get into other conditions, or the perfect-storm type of situation, you could cause some big problems. Even think about if you were a partner, or sorry, you were building a building and somebody else was building a building next to you, and you were a rival for whatever reason, and you were able to make their crane more or less stop, that could cause a problem, or other things in general, just on the supply chain. We've seen these things literally all over the place, including offshore oil rigs. Just the tow trucks actually use the same technology to lift heavier rigs, because you can't be standing there while you're tipping a big semi back, so you'll notice that they're wirelessly off somewhere. On some of the newer ones, those are the exact same systems that we're discussing. I actually have a video of a mobile hoist that we're operating at some point in time; it's in that video that didn't play very well.

Great, and one more comment: we have Lisa, who wanted you to know that that was a fantastic talk, and thank you for giving it. I do want to let everybody know that after the conference there will be a survey sent out to all the attendees; you can rate people's talks and give comments. We also have a discussion going on in Discord, a couple of CTFs going on, and we're going to take a short break. Thanks, Stephen.

Yeah, if you have any questions, ping me on Discord. I'll get the presentation up to the conference schedule here in just a few minutes, and I'm around all day, so if you have any questions, ping me again. Thanks to Travis for all the help.
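The two points the speaker makes about the JUUKO-style frame (a sequential ID, five bytes that are the pairing code XORed with something fixed, then a command byte) and about what vendors should do instead (rolling codes and real encryption), as an added example that is not from the talk, the paper, or any vendor's code. The obscuring constant, pairing code, command values and key below are all constructed for the demo; the frame layout is only a model of what the talk describes, not a real vendor format. The first half shows why capturing one frame sent with an all-zero pairing code lets the XOR cancel out and reveal the real code, which is the sense in which XOR is encoding rather than encryption. The second half is a receiver that accepts a frame only if it carries a fresh monotonic counter and a valid HMAC tag, so a straight replay of a captured frame, a frame with a rewritten command byte, and a frame built without the key are all rejected.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical values for illustration only (not from any real controller).
CMD_NAMES = {0x01: "UP", 0x02: "DOWN", 0x03: "NORTH", 0x04: "SOUTH",
             0x05: "EAST", 0x06: "WEST", 0x0F: "E-STOP"}
OBSCURING_CONST = bytes.fromhex("a55a3c96e1")   # hypothetical vendor constant XORed into the field


def legacy_pairing_field(pairing_code: bytes) -> bytes:
    """Model of the weak scheme the talk describes: a 5-byte field that is a
    fixed constant XORed with the pairing code in little-endian byte order."""
    assert len(pairing_code) == 5
    code_le = pairing_code[::-1]
    return bytes(c ^ p for c, p in zip(OBSCURING_CONST, code_le))


def legacy_frame(seq_id: int, pairing_code: bytes, command: int) -> bytes:
    """Data field after preamble and sync word: 1-byte sequential ID,
    5-byte pairing field, 1-byte command (hypothetical layout)."""
    return bytes([seq_id & 0xFF]) + legacy_pairing_field(pairing_code) + bytes([command])


def recover_pairing_code(frame_zero_code: bytes, frame_real_code: bytes) -> bytes:
    """Known-plaintext check: XORing the pairing field of a frame sent with an
    all-zero pairing code against the same field from a frame sent with the
    real code cancels the constant and leaves the code (little-endian).
    This is why XOR with a static value is encoding, not encryption."""
    field_zero = frame_zero_code[1:6]
    field_real = frame_real_code[1:6]
    code_le = bytes(a ^ b for a, b in zip(field_zero, field_real))
    return code_le[::-1]   # back to the byte order printed on the sticker


MAC_LEN = 8   # truncated tag length for the hardened frame


def authenticated_frame(key: bytes, counter: int, command: int) -> bytes:
    """Rolling-code style frame: 4-byte monotonic counter + 1-byte command,
    followed by a truncated HMAC-SHA256 tag over both."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class HardenedReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh:
    strictly greater than the last accepted one, within a bounded window."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0

    def accept(self, frame: bytes):
        """Return the command name if the frame is authentic and fresh, else None."""
        if len(frame) != 5 + MAC_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return None              # forged, tampered, or corrupted frame
        counter, command = struct.unpack(">IB", body)
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return None              # replayed, or too far ahead to trust
        self.last_counter = counter
        return CMD_NAMES.get(command, "UNKNOWN")


def demo():
    """Run both halves on constructed inputs and return the results."""
    sticker_code = bytes.fromhex("1122334455")          # constructed pairing code
    frame_real = legacy_frame(7, sticker_code, 0x01)
    frame_zero = legacy_frame(8, bytes(5), 0x01)         # same radio, pairing code set to zeros
    recovered = recover_pairing_code(frame_zero, frame_real)

    key = b"constructed-demo-key"                        # constructed shared key
    rx = HardenedReceiver(key)
    first = authenticated_frame(key, 1, 0x01)
    results = [rx.accept(first),                         # fresh: accepted
               rx.accept(first),                         # replay: rejected
               rx.accept(authenticated_frame(key, 2, 0x0F))]   # next counter: accepted
    return recovered, results


if __name__ == "__main__":
    print(demo())
```

The window check is what keeps a receiver usable when a few transmitter presses are missed out of range, while still refusing a frame captured yesterday; a production design would also need a resync procedure and a per-pair key provisioned at pairing time rather than a constant baked into firmware.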