Drives and Controls Magazine
Vulnerability is found in wireless automation software
Published: 29 October, 2013

The US information security specialist IOActive says it has discovered a vulnerability in ProSoft Technology’s RadioLinx ControlScape application. The software is used to configure and install radios in frequency-hopping networks and to monitor the performance of the devices, mainly in Rockwell Automation and Schneider Electric systems used in industries such as water and wastewater, oil and gas, and electric utilities.

When it creates a new radio network, the software generates a random passphrase and sets the encryption level to 128-bit Advanced Encryption Standard (AES). Because the software uses the local time as the seed for generating those passphrases, IOActive says that an attacker could predict the default values it produces.

“Wireless radios used in industrial control systems use software like that from ProSoft Technology to create and manage a new network,” explains IOActive researcher Lucas Apa. “When a new network is created the software calculates a passphrase using a pseudo-random number generator. The problem is that it uses the local time as the seed. This makes this algorithm predictable and weak, and vulnerable to expedited brute-force passphrase and other cryptographic-based attacks.”
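To make the seeding problem Apa describes concrete, the following is an added illustration and not ProSoft's code or anything published by IOActive: a hypothetical time-seeded passphrase generator beside a CSPRNG-based one, with a check of how little entropy the weak one actually delivers. The alphabet, passphrase length and time window are assumptions chosen for the example.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed character set
PASSPHRASE_LEN = 22                               # assumed length (~131 bits nominal)


def weak_passphrase(seed_time: int, length: int = PASSPHRASE_LEN) -> str:
    """Hypothetical time-seeded generator modelling the flaw described above.

    Seeding a PRNG with the clock means every installation created in the
    same second gets the same 'random' passphrase, however long it is.
    """
    rng = random.Random(seed_time)        # fully determined by the seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_passphrase(length: int = PASSPHRASE_LEN) -> str:
    """Hardened form: draw from the OS CSPRNG, with no caller-controlled seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int = PASSPHRASE_LEN) -> float:
    """What the passphrase length suggests: log2(|alphabet| ** length)."""
    return length * math.log2(len(ALPHABET))


def effective_entropy_bits(window_seconds: int, start_time: int = 1_383_000_000) -> float:
    """What the weak generator really offers: only as many distinct passphrases
    as there are seed values in the plausible creation window.
    start_time is an arbitrary constructed epoch value."""
    outputs = {weak_passphrase(start_time + s) for s in range(window_seconds)}
    return math.log2(len(outputs))


if __name__ == "__main__":
    # Same second, same passphrase: the weak generator is reproducible.
    print(weak_passphrase(1_383_000_000) == weak_passphrase(1_383_000_000))
    print(f"nominal:   {nominal_entropy_bits():.1f} bits")
    print(f"effective: {effective_entropy_bits(3600):.1f} bits for a one-hour window")
    print(f"CSPRNG:    {strong_passphrase()}")
```

The point of the comparison is that a time-seeded generator's security is bounded by the uncertainty in the seed (about 12 bits for a one-hour window), not by the passphrase length, which is why the fix is to remove the predictable seed rather than to lengthen the passphrase.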

“By being able to guess the passphrase, an attacker could communicate with the network the device is connected to, with devastating consequences,” adds another IOActive researcher, Carlos Penagos. “For example, if an attacker is able to communicate with devices on the wireless network of a nuclear power plant, he could manipulate the data sent from these devices to industrial processes and cause dangerous consequences by overheating liquids or over-pressurising chemicals, which, in turn, would result in catastrophic failure.”

The US Government’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published an advisory giving details of the vulnerability. ProSoft Technology has produced a firmware patch to mitigate the vulnerability, and IOActive has issued its own advisory outlining the affected products, the impact of the vulnerability, and the solution.