Black Hat 2009: Security Gaps in Embedded Systems and the Smart Grid, but not RFID
Contributed by Joanne C. Kelleher
A co-worker sent me an article called Buggy ’smart meters’ open door to power-grid botnet: Grid-burrowing worm only the beginning (Thanks, Henry).
“For an embedded platform, they’re kind of scary,” said Mike Davis, a senior security consultant for IOActive about the buggy software running on meters for the Smart Grid. “It’s really not designed from the ground up for security. Just imagine if somebody is outside your house and has the unique identifier that’s printed on your meter.” The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.
Davis is speaking about his hacks into Smart Meters at the Black Hat USA 2009 conference, being held at Caesars Palace, Las Vegas, NV on July 25-30. Looking at the list of speaker briefings, there are several talks about the security, or lack thereof, of embedded systems, including the smart grid and Advanced Metering Infrastructure (AMI), and smart parking meters. These talks include:
Recoverable Advanced Metering Infrastructure
Mike Davis
Smart Grid. Smart Meters. AMI. Certainly no one has escaped the buzz surrounding this potentially ground-breaking technology. However, equally generating buzz is the heightened threat of attack these technologies provide. Mike Davis and a team of IOActive researchers were able to identify multiple programming errors on a series of Smart Meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues. The team was able to “weaponize” these attack vectors, and create an in-flash rootkit, which allowed them to assume full system control of all exposed Smart Meter capabilities, including remote power on, power off, usage reporting, and communication configurations.
In this presentation, Davis will discuss the broad, yet almost ubiquitous exploits and basic design flaws in today’s Smart Meter and Advanced Metering Infrastructure (AMI) technology. Typical attacker techniques such as buffer overflows, persistent and non-persistent root kits, and even self-propagating malicious software will be illustrated. Davis will even demonstrate a proof-of-concept worm attack and the general reverse engineering techniques used to achieve code execution. To show all is not hopeless, he will also cover the incident response impacts of a possible worm attack scenario. Finally, building upon the analysis of the worm-able attack surface as well as his hardware and software penetration testing research, Davis will suggest inherent design fixes that AMI vendors can implement to greatly mitigate these broad exploits.
Hacking the Smart Grid
Tony Flick
The city of Miami and several commercial partners plan to roll out a “smart grid” citywide electrical infrastructure by the year 2011. This rollout proceeds on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute for Standards in Technology (NIST) has recently released a roadmap for producing Smart Grid standards. In this Turbo Talk, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves.
Embedded Management Interfaces: Emerging Massive Insecurity
Hristo Bojinov, Dan Boneh, Elie Bursztein
Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.
“Smart” Parking Meter Implementations, Globalism, and You
Joe Grand, Jacob Appelbaum, Chris Tarnovsky
Throughout the United States, cities are deploying “smart” electronic fare collection infrastructures that have been commonplace in European countries for many years. In 2003, San Francisco launched a $35 million pilot program to replace approximately 23,000 mechanical parking meters with electronic units that boasted tamper resistance, payment via smart card, auditing capabilities, and an estimated $30 million annually in fare collection revenue. Other major cities, including Atlanta, Boston, Chicago, Los Angeles, New York, Philadelphia, Portland, and San Diego, have made similar moves.
In this session, we will present our evaluation of electronic parking meters, including smart card protocol analysis and emulation, silicon die analysis, and firmware reverse engineering, all of which aided in successful breaches.
See all of the speaker briefings for the Black Hat Conference at http://blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html. It was interesting to see that as of 6/22/09, there were zero briefings scheduled about the security issues around RFID. In comparison, Black Hat USA 2008’s RFID topics included Mifare, toll systems and implantable wireless medical devices, but none about the Smart Grid or Smart Meters.
