Researchers Discover Critical Security Flaws Found In Nuke Plant Radiation Monitors

wiredmikey writes from a report via Security Week: Researchers have discovered multiple unpatched vulnerabilities in radiation monitoring devices that could be leveraged by attackers to reduce personnel safety, delay detection of radiation leaks, or help international smuggling of radioactive material. Ruben Santamarta, a security consultant at Seattle-based IOActive, at the Black Hat conference on Wednesday, saying that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities. There are many kinds of radiation monitors used in many different environments. IOActive concentrated its research on portal monitors, used at airports and seaports; and area monitors, used at Nuclear Power Plants (NPPs). However, little effort was required for the portal monitors: "the initial analysis revealed a complete lack of security in these devices, so further testing wasn't necessary to identify significant vulnerabilities," Santamarta explained in his report (PDF). In the Ludlum Model 53 personnel portal, IOActive found a backdoor password, which could be used to bypass authentication and take control of the device, preventing the triggering of proper alarms.

Not at all suprising

[ScienceBard]

I work alongside a team that maintains and repairs these things, and they certainly aren't made for high levels of digital security. If you know the right place to stick a flash drive in a portal monitor sure you could do damage to it, I can attest it isn't fancy. But it doesn't have to be.

For one, a portal monitor is a last line of defense against radioactive contamination being tracked around. We aren't talking about huge levels of radiation, the contamination is managed by good safety practices (work plans, electronic dosimeters, maps of potential loose contamination, etc.). But there is a responsibility to ensure that a worker doesn't accidentally drag anything home with them to the general public, no matter how insignificant. Which is really what the monitors are for.

For two, there are usually multiples of these things in a row, inside a heavily fortified concrete area surrounded by unfriendly looking men with machine guns (at least at any nuclear facility, a school or small lab that has one would be different). Combine those two things, and an attempt to "hack" monitors would be about the most moronic waste of resources any government would ever spend. You couldn't do any real damage, you couldn't hurt anyone... at best you could get a radiation protection manager fired for allowing a small uncontrolled release of radioactivity, or a miscalculated dose rate to a worker.

I'm all for security, but there needs to be a little perspective. Standalone portal monitors that are airgaped don't need to be a digital fort knox. The level of effort is extreme to screw with them, and the payback would be insignificant. The truth is most specialized lab/nuclear equipment isn't extremely secure unless it serves an actual security function (a CDA, critical digital asset, which are almost always network isolated and have more robust security). Quite the opposite, most of it is very simple and made to be maintained almost indefinitely by moderately skilled technicians. Cost, usability, and maintainability is more important.

Re:Not at all suprising

[Orgasmatron]

I have a drill coming up soon for my local reception center. I'll forward this to my EMS coordinator and make sure she updates the station briefing to include that the portals are never to be left unattended and that unauthorized personnel are not to mess with them. Not that anyone was going to leave them alone or let strangers tamper with them before...

In the end, the most likely "patch" will be a locking cover.

It remains unclear to me how one would hack a portal monitor to detect and respond to the check source, but not to actual contamination. The opposite would be easier, but we'd notice by the time a second clean body showed up for decontamination.

The perimeter monitors are a much bigger problem. The men-with-guns are unlikely to allow physical tampering, and the men-in-tyvek will certainly notice that the detected radioactive cloud isn't real, but "no one will ever want to hack my industrial control communication" disease needs to die a horrible flaming death sooner rather than later. Digital sensors that do anything more than update a pretty graph need to be authenticated. In cases other than this one, they may need to be encrypted too. Analog sensors need 100% physical security from the power supply to the sensor to the receiver/monitor.