When the ProSoft Technology software creates a new radio network, it generates a random passphrase and sets the encryption level to 128-bit Advanced Encryption Standard (AES). Because the passphrase generator is seeded with the local time, IOActive suggests that an attacker could predict the default values the software produces.
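To make the weakness concrete, the following Python is an added illustration and is not code from the article, from IOActive or from ProSoft Technology. The generator is a hypothetical stand-in for a time-seeded PRNG (ProSoft's actual algorithm is not published here), the "join oracle" is a constructed stand-in for trying a passphrase against the radio network, and the timestamp is constructed. It shows that once the seed is a creation time, the attacker's search is over a few thousand plausible seconds rather than over the passphrase space, and it places the time-seeded generator beside one drawn from the OS CSPRNG, which the same search does not recover.

```python
"""Added illustration: why seeding a passphrase generator with the local time
is weak.  Hypothetical generator, not ProSoft Technology's algorithm."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSPHRASE_LEN = 16


def generate_weak_passphrase(local_time_seconds: int) -> str:
    """Hypothetical weak generator: a PRNG seeded with the network's creation time.

    The effective key space is the set of plausible creation timestamps, so the
    passphrase space is tiny no matter how long the output string is.
    """
    rng = random.Random(local_time_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))


def generate_strong_passphrase() -> str:
    """Corrected generator: draws from the OS CSPRNG, so there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))


def make_join_oracle(network_passphrase: str):
    """Constructed stand-in for the one thing an attacker can do: offer a
    passphrase to the network and observe whether it is accepted."""
    def try_join(candidate: str) -> bool:
        return secrets.compare_digest(candidate, network_passphrase)
    return try_join


def recover_passphrase(try_join, guessed_creation_time: int, window_seconds: int):
    """Attacker's search: regenerate the passphrase for every second within
    window_seconds of the estimated creation time and test each candidate.

    Returns (seed, passphrase, attempts) on success, or None if no seed in the
    window reproduces an accepted passphrase.
    """
    attempts = 0
    # Search outward from the estimate so a good guess finishes sooner.
    for offset in range(window_seconds + 1):
        seeds = (guessed_creation_time,) if offset == 0 else (
            guessed_creation_time - offset, guessed_creation_time + offset)
        for seed in seeds:
            attempts += 1
            candidate = generate_weak_passphrase(seed)
            if try_join(candidate):
                return seed, candidate, attempts
    return None


if __name__ == "__main__":
    creation_time = 1_700_000_000  # constructed example timestamp
    weak = generate_weak_passphrase(creation_time)
    # The attacker only knows the network came up "around" this time
    # (here, a 15-minute error inside a one-hour window).
    print("time-seeded generator:",
          recover_passphrase(make_join_oracle(weak), creation_time + 900, 3600))
    strong = generate_strong_passphrase()
    print("CSPRNG generator:",
          recover_passphrase(make_join_oracle(strong), creation_time + 900, 3600))
```

The search cost is governed by how well the attacker can estimate the creation time, not by the passphrase length: an hour of uncertainty at one-second granularity is at most 7,201 join attempts, which is what "expedited brute-force" means in practice. Coarser seeds (minutes, or a date) shrink the search further.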
“Wireless radios used in industrial control systems use software like that from ProSoft Technology to create and manage a new network,” explains IOActive researcher Lucas Apa. “When a new network is created the software calculates a passphrase using a pseudo-random number generator. The problem is that it uses the local time as the seed. This makes this algorithm predictable and weak, and vulnerable to expedited brute-force passphrase and other cryptographic-based attacks.”
“By being able to guess the passphrase, an attacker could communicate with the network the device is connected to, with devastating consequences,” adds another IOActive researcher, Carlos Penagos. “For example, if an attacker is able to communicate with devices on the wireless network of a nuclear power plant, he could manipulate the data sent from these devices to industrial processes and cause dangerous consequences by overheating liquids or over-pressurising chemicals, which, in turn, would result in catastrophic failure.”
The US Government’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published an advisory giving details of the vulnerability. ProSoft Technology has produced a firmware patch to mitigate the vulnerability, and IOActive has issued its own advisory outlining the affected products, the impact of the vulnerability, and the solution.