Though the Black Hat USA conference is not taking place until late July, there have been interesting previews of certain scheduled presentations. One of these is Go Nuclear: Breaking Radiation Monitoring Devices by Ruben Santamarta, principal security consultant at IOActive. While the presentation is not occurring until July 26, the core components of the presentation are being reported on, and these are quite unnerving.
In an article from Dark Reading’s Kelly Jackson Higgins, we are shown how the talk will cover the major flaws in radiation monitoring devices. These devices, utilized primarily in nuclear facilities and hospitals, are open to hacking because of a design flaw in the firmware as well as the RF protocols.
The result of these flaws is an ability for attackers to attack a nuclear plant or hospital from a maximum remote distance of 20 kilometers (roughly 12.5 miles). The attack would likely be most useful in an act of terrorism or nation-state aggression. The research indicates this, as Santamarta stated in an interview with Dark Reading:
“Potentially false readers can trick operators into performing actions that aren’t correct if they incorrectly are alerted that radiation exposure has occurred… An attacker could inject false readings into a nuclear power plant’s radiation monitoring device simulating a massive radiation leak … How is the operator going to react?”
While this is the most extreme example, it is more or less the worst-case scenarios that security professionals must deal with. In this day and age hacking extends to all components of technology, especially with the advent of the Internet of Things. While Santamarta will not detail the vendors affected by this flaw or give detailed risk-mitigation advice until his talk, there is enough to go on for temporary action.
What I mean by this is perhaps operators of radiation monitoring devices can double-check their readings before taking action, especially if they begin receiving a mass influx of alarming data. Anyone potentially affected by these vulnerabilities should pay close attention to InfoSec news sources following Black Hat USA. Until then, stay aware and don’t have knee-jerk reactions to massive data spikes.
Photo credit: Flickr / Bjoern Schwarz