You may remember an article I wrote recently about the risk to various radiation monitors from hackers. That article was based on the preview of the presentation “Go Nuclear: Breaking Radiation Monitoring Devices” by Ruben Santamarta, and the vendors affected were being kept secret until the Black Hat conference. Now, following the presentation, we know the names of the vendors and, unfortunately, at the time of this article’s writing, they are not taking the threat as seriously as they should.
As reported by Kaspersky Lab’s Threatpost, the three vendors affected are “Ludlum, Mirion and Digi, manufacturers of radiation portal monitors, gate monitors, RF modules, management systems and other industrial gear used at border crossings, airports and nuclear power plants, among other locations.” Despite the significant issues that can be caused by the vulnerabilities, especially the creation of fake readings in the monitors, the vendors are not patching them. This is problematic; prior to this rejection of his research, Santamarta stated the following:
Potentially false readers can trick operators into performing actions that aren’t correct if they incorrectly are alerted that radiation exposure has occurred ... An attacker could inject false readings into a nuclear power plant’s radiation monitoring device simulating a massive radiation leak … How is the operator going to react?
The decision seems to be rooted in blatant ignorance or perhaps managerial laziness. Ludlum refuses to patch due to the belief that the security in the locations in which its devices are deployed is sufficient. Mirion, in what seems like a cop-out via supposed technical issues, stated that a patch would “break interoperability with the WRM2 protocol it uses for communication.” The most brazen of the responses was from Digi, which simply did not believe that the issues were truly security issues.
It should be stated here that the full research was given to these companies long before the Black Hat presentation, so they weren’t making the decision based on just a slideshow presentation. This is probably the most frustrating part of working in cybersecurity: dealing with willfully stupid choices that endanger human lives in spite of concrete evidence meant to prevent that danger.
Ruben Santamarta voiced his concern regarding the vendors’ choices, stating:
I can say for an attacker, it’s easy to perform these attacks, but it’s not easy to acquire the knowledge to perform these attacks... To perform a dumb attack where you send malicious information and see what happens, these are simple to do [if you have studied a device.]
I’m going to be blunt. If there is some major incident involving radiation, and these faulty monitors were at the heart of the attack, I believe that those responsible for this official refusal to patch should be criminally prosecuted. We are dealing with nuclear power, and if the ghosts of Chernobyl and Fukushima teach us anything, it is that the effects of a major radiation incident can be catastrophic. Nation-states and terrorists would love more than anything, if given the opportunity, to assault nuclear facilities. It will be a multidimensional attack, both crippling the energy production of a region and threatening thousands of lives.
I can only hope there is a reconsideration of the patch-ignore orders. I’d hate to see a worst-case scenario incident resulting from this.