SCADApedia

Pauldotcom Podcast Mentions Bluetooth and Transformers

Pauldotcom’s latest Security Weekly (episode 66) elaborates on the usage of Bluetooth in devices other than mobile phones. Apparently some vendors have integrated Bluetooth into pole-top devices like transformers for monitoring purposes in the UK.

I’m not all that surprised about it being used for monitoring, but what about programming? Hopefully the companies purchasing and deploying these devices are doing their security homework!

Comments

Comment from Bryan Singer
Time: April 11, 2007, 9:24 pm

I would say not. I have seen VFDs (variable frequency drives) and other components with Bluetooth or wireless modules in them, allowing reconfiguration from any mobile handheld device or Bluetooth-enabled device. At least on a wireless network on 802.11x, someone probably at least THOUGHT about security. Most Bluetooth I have seen has a pitiful 4-digit passkey, most of the time set to something like “0000” or “1234.”

It’s a trivial exercise to defeat though, likely… most of these types of components won’t have robust security authentication or alarming schemes, so someone would just have to have a high-gain antenna and patience to figure out the code to the Bluetooth, and then figure out from Google what they were looking at (and how to defeat it).

Comment from Jake Brodsky
Time: April 12, 2007, 10:08 am

Speaking as an asset owner, the likelihood that someone has spent enough time reading the manuals in this level of detail is not very high. Unless the engineering firm which specified this gear said something to us (the customer) many would not even know the feature is there nor care enough to turn it off.

Is this yet another thing to throw on the pile of issues that 99.06 is going to face?

Comment from Landon Lewis
Time: April 12, 2007, 2:27 pm

Yes, Bluetooth PIN codes are fairly easy to crack. I remember seeing some statistics of 4-character PINs brute forced in under a second. I bet most of those devices are just sitting deployed in discoverable mode too. Hopefully past just connecting to the device there is some decent form of authentication? :-)

Comment from Ron Southworth
Time: April 12, 2007, 10:39 pm

Hi gentlemen,

Some good challenges ahead on the road to the future with the implementation of these wireless-ready devices.

FYI, there are control valves that have 802.11g and Bluetooth configuration capabilities as well, but thus far the capability is an option, not a standard feature, unless someone knows of a change in manufacturers’ standards?

VF drives I have seen so far don’t come with this as standard. Being in the third-world technology backwater that is AU, maybe we are not seeing the latest and greatest here yet, but I doubt it based on the discussions with the various vendors around.

One saving grace is Bluetooth has a limited range, and most of the technology seems to suffer from the very noise that drive devices are very good at generating.

By the time you house the drive in an enclosure, providing someone is not silly enough to extend the range of the transceiver with an external antenna, the likelihood is probably low but the consequence is high. The control valves are more interesting and probably a higher threat potential relative to the drive units. Valves can be placed in close proximity to public access, and therefore the Bluetooth and wireless war-driving scenario may be more real.

Jake, this sort of thing is why engineers get the big money to vet equipment specifications on purchase? Along with everything else we do in a day?

I still think this can be mitigated well with good policies and procedures and thorough testing and change management processes.

Makes you think of Star Trek and the infamous do-everything TRICORDER - gotta get me one of them one day!

Have a great day

Comment from Jake Brodsky
Time: April 12, 2007, 10:58 pm

To be honest, Ron, I don’t know why so many consulting engineers get paid the big bucks. Occasionally, I encounter a few with gray hair who really know their stuff. Their designs do exactly what we agreed upon. More often than not, however, the results are underwhelming at best. My faith in the PE stamp has been betrayed frequently enough that I don’t take it for granted that the design is a valid or a safe one.

If an engineer is doing his (and occasionally her) due diligence, one can expect a review of the features in each device. To my knowledge, none of our valve actuators have any wireless stuff in them. Even if they did, they’re usually underground, surrounded by concrete, steel, and rebar. Those attempting to perpetrate a wireless hack would practically need to be standing right next to the damned thing before they could establish a connection.

On the other hand, there are many new valves we’re seeing in places such as our filter buildings which have dozens of configuration options, and they can be configured via an Ethernet connection. All it would take is someone with a bit of laziness to snatch up all those connections because “there might be valve data we need” and then you have the potential for a security problem.

As Kurt Vonnegut said: “And so it goes…”

Comment from stephan beirer
Time: April 13, 2007, 4:50 am

just two comments on BT security in general:

- range is not a good saving grace, Ron: there are high-gain antennas with ranges over several hundred meters and which can penetrate through walls

- as mentioned by Landon already, if an attacker can sniff the pairing of two devices, PIN and link key can be cracked in a very short time. 4 digits take 0.03 secs, 9 digits about 20 minutes

more details on both topics can be found in this nice 23C3 talk:

http://events.ccc.de/congress/2006-mediawiki//images/f/fb/23c3_Bluetooh_revisited.pdf

have a nice day:

stephan
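
The thread above keeps returning to three concrete weaknesses in legacy Bluetooth pairing on field gear: short numeric passkeys, factory defaults such as “0000” and “1234”, and units left in discoverable mode. The following is an added example, not code from the original post, from any commenter, or from any vendor discussed: a small Python pre-commissioning checklist that screens a device inventory against those three points. The device tags, the inventory rows, the list of factory defaults and the guess rate (back-calculated from the “4 digits take 0.03 secs” figure quoted above) are all constructed assumptions for illustration.

```python
"""Pre-commissioning screen for legacy Bluetooth passkeys on field devices.

Added example, not from the original post or the vendors discussed.
Assumptions (constructed for illustration): the FACTORY_DEFAULTS list, the
guess rate, and the SAMPLE_INVENTORY rows.
"""
from dataclasses import dataclass, field

# Constructed list of factory defaults seen in the field (assumption).
FACTORY_DEFAULTS = {"0000", "1234", "1111", "8888", "0001"}

# Assumed offline PIN-recovery rate, back-calculated from the thread's figure
# that the 10**4 candidates of a 4-digit PIN fall in about 0.03 s.
ASSUMED_GUESSES_PER_SECOND = 10**4 / 0.03


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of candidate PINs for a given length and symbol alphabet."""
    return alphabet_size ** length


def worst_case_seconds(length: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the assumed recovery rate."""
    return keyspace(length) / rate


def is_sequential(pin: str) -> bool:
    """True for all-digit runs like 1234 or 9876 (constant step of +1 or -1)."""
    if not pin.isdigit() or len(pin) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


@dataclass
class PinVerdict:
    acceptable: bool
    reasons: list = field(default_factory=list)


def check_pin(pin: str, min_length: int = 8) -> PinVerdict:
    """Apply a simple passkey policy; every failed rule becomes a reason."""
    reasons = []
    if pin in FACTORY_DEFAULTS:
        reasons.append("matches a known factory default")
    if len(pin) < min_length:
        reasons.append(f"only {len(pin)} characters; policy minimum is {min_length}")
    if len(set(pin)) == 1:
        reasons.append("all characters identical")
    if is_sequential(pin):
        reasons.append("sequential digits")
    return PinVerdict(not reasons, reasons)


def audit_inventory(inventory):
    """Return {tag: [findings]} for every device that fails the policy.

    Each inventory row is (tag, pin, discoverable). Discoverable mode is
    flagged separately because it is a commissioning setting, not a PIN issue.
    """
    findings = {}
    for tag, pin, discoverable in inventory:
        issues = list(check_pin(pin).reasons)
        if discoverable:
            issues.append("left in discoverable mode after commissioning")
        if issues:
            findings[tag] = issues
    return findings


# Constructed sample inventory (assumption): tag, configured passkey, discoverable.
SAMPLE_INVENTORY = [
    ("VFD-PUMP-01", "0000", True),
    ("VALVE-FB-07", "1234", False),
    ("XFMR-POLE-22", "48172039", False),
]

if __name__ == "__main__":
    for length in (4, 8):
        print(f"{length}-digit PIN: {keyspace(length)} candidates, "
              f"~{worst_case_seconds(length):.1f} s worst case at the assumed rate")
    for tag, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(tag)
        for issue in issues:
            print("  -", issue)
```

The policy deliberately treats discoverable mode as its own finding: a strong passkey does not help if the unit still advertises itself to every passer-by, and turning discovery off after pairing is the cheapest mitigation mentioned in the thread. The minimum length of 8 is a placeholder; set it to whatever the device actually supports and the site policy requires.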

Comment from Ron Southworth
Time: April 13, 2007, 6:25 am

Hi Jake, WRT the valves I was thinking more of process control applications than, say, the water industry distribution and catchment. What you say is so true on the valve pits. Speaking of pits… We have a few vacuum systems that look as if they will end up being specified (NOT BY ME) or replaced with wireless battery-powered devices. No control, but monitoring for pit overflows via a float switch. Given this is some multi-million dollar swamp, um, golf course home sites, the impact is more social. The demographic taking residence in the area is going to be technology rich, so trying to get it all to work will be interesting. I am trying to find out more info on the equipment; I suspect it is something like 802.11b with no in-built diagnostics. The vendor is not being very co-operative at the moment; seems they know how security aware I am. Sounds familiar???

Comment from Ron Southworth
Time: April 13, 2007, 10:26 am

Hi Stephan,

Would you think the unanswered problems with change management & trusted insiders are far more a problem than the rise of the elite Bluetooth hackers? Sorry, my wicked and wacky sense of humor.

Rant warning…

For certain the technology at the data layer is flawed and brute force attacks are not too hard to achieve. No problem with that assessment for that entry point. Now the RF layer or PHY, that is a different story.

Penetrate thru walls ?

I’d like to see 2.4 GHz or infrared do that. Bounce around “reflective” surfaces, structures via windows or openings - plausible. You should watch more MythBusters - some excellent programs explaining some good basics on RF!

Yes, there are means by which you can improve the RF layer or path fade margins, reducing losses via increasing gain - using antennas, active in-line amplification of signals. It is still a question of well-established physics. If the numbers don’t add up it won’t work!

RF is just another form of energy transmission. Some properties are somewhat different to electricity in some respects but rather similar in others. This knowledge seems to be becoming more bad folklore than science, and that is a shame.

Mr Faraday and his famous shielding would have something to say about all of that. I wonder if you have seen how VFD drives are usually installed (inside big metal boxes), usually very good Faraday shields when constructed. Pits, big cast iron lids or metal lids, real good shields. Dirt, very big attenuator at that sort of frequency. Ferroconcrete likewise.

Denial of service or jamming of the signal is a different story. Not much good for hacking, I would respectfully suggest.

I think it is valid to raise the concern about how, when and where RF technology is used in CI. The application of the technology is the more relevant thing to bear in mind.
With Bluetooth and 802.11 in the two examples discussed so far, defence in depth - physical separation, isolation, attenuation - is going to be the most effective mitigator.

What do you think about the use of wireless in some of the suggested safety systems applications?

Comment from stephan beirer
Time: April 13, 2007, 1:43 pm

Hi Ron,

no problem with your rant - but I think I have to defend my professional reputation now - as a physicist, not as an IT sec guy..;)

I totally agree - patch management and trusted insiders are a big problem. I would go further and add the lacking IT security knowledge of (most) vendors and integrators. But if there are already some pressing issues, why add some more big holes? For ease of access and to save some money?

regarding Faraday and Maxwell: ‘penetrate through walls’ was a bad oversimplification - I was in a hurry (now I have to spend all the saved time with this post..;) ) And I admit that I have never (knowingly) seen a VFD - but in the field I work in now I have seen (critical) automation and control gear in quite ‘normal’ buildings and talked with people about adding BT and 802.11 functionality to this stuff. These buildings had at least some small windows. If the engineer with a normal device inside the building can initiate a BT connection, an “attacker” on the outside sitting somewhere near the window should be able to catch some of the diffracted waves with his amplifying gear..the original post was about pole-mounted devices.

If we talk about valves or other stuff installed in metal boxes surrounded by concrete walls and covered with dirt, wireless is absolutely secure. But I doubt that the average vendor will add “this gear has to be operated inside a perfect Faraday cage” to the manual. And even if wireless is only used for monitoring: I bet after some time someone will ask “that wireless stuff worked so nice for monitoring - why don’t we use it for programming and parameterisation - that would save some money..”

Since you mentioned the “elite” term: finding the protocol weakness is elite (security research). Implementing the algorithm might be notable. But the publicly available program can be used by every 13-year-old kid living next to a pole-mounted, BT-enabled transformer. Maybe he cannot do much harm..but it’s my job to expect the worst.

since I’m not an engineer I can’t say much about safety applications - but extrapolating from the interference of my Wi-Fi at home with the hotspots of all my neighbours and from the reliability of the BT connection of my phone, I would not trust it too much.

ok, now I’ll have to hurry to catch some of the last summer sunbeams here in Berlin - the weekend is waiting. Hope we can continue that interesting discussion..have a nice weekend!

stephan

Comment from Ron Southworth
Time: April 15, 2007, 6:19 pm

Hi Stephan

I had no problem with the conclusion, just the way you were validating it. Script kiddies are part of the landscape for certain, of a lesser risk profile than the threats from within by a factor of 4. I don’t see a lot of open discussion on these risks or mitigation thereof, and this is where we should be sitting down with vendors and our operational people to raise awareness & move forward. Not all vendors or operators need this, but a very high percentile do!

I understand your concerns on pole-top devices and them being hacked, but of far greater concern to me is from a fundamental safety perspective, let alone someone deliberately interfering with the intelligent power device.

There is tremendous pressure generally in the industry from upper management to utilise unstructured, unlicensed “wireless” systems because they are a significantly lower capital outlay system. Hand in hand with this pressure there is also a failure to disclose or properly identify or acknowledge the risks to the organisation for the decision. At least with a fixed wired system (copper or fiber) you have to physically compromise some point to then have someone “hack” into the devices. Structured cabling systems generally provide the type of availability necessary for best practice safety systems, but they cost!

Hope you had a good weekend, and glad to hear you are enjoying some warmer conditions.
