In-brief: Close to five billion “fuzzing” tests conducted during 2016 reveal protocols used by industrial control systems, vehicles and Internet of Things devices to be weaker, on average, with many crashing hundreds of times and revealing vulnerabilities that could be used by malicious actors. (Editor’s note: added comment by Chris Clark. Aug 9 2017 – PFR)
A study of 4.8 billion automated security “fuzzing” tests has raised red flags around the security of industrial control system protocols that run much of the world’s critical infrastructure and machinery.
Industrial control system (ICS) protocols were the most vulnerable to being compromised by the probes and tests conducted by customers of Synopsys between January and December 2016. Testing of common Internet of Things and industrial protocols like MQTT revealed scores of exploitable vulnerabilities, prompting Synopsys to warn about the need for further testing. An industrial control system protocol registered as the most insecure (or “least mature”) protocol tested during the year; it failed just seconds after testing began, revealing a potentially exploitable security hole, according to a statement by Synopsys, which conducted the study. Also, CAN bus, a protocol that is common in vehicles, fared poorly over some 4 million tests, crashing more than 2,000 times.
Fuzzing is a kind of automated testing that bombards software applications or communications protocols with large volumes of malformed or unexpected inputs in order to trigger weaknesses or faults in the underlying application code or protocols. Faults – such as “crashes” – may expose vulnerabilities in the code that could be exploited by malicious actors. Synopsys’ Fuzz Testing product was the first to identify the Heartbleed vulnerability in OpenSSL, which lurked for two years undetected. It was eventually found to impact a half million websites.
The fuzzing tests mentioned in the study were conducted on implementations of common communications protocols – more than 250 in all – by Synopsys customers during the course of a year, said Chris Clark, a principal security engineer for strategic initiatives at Synopsys. However, they don’t reveal any information about specific applications, he said.
According to Synopsys, industrial control system security protocols were the least mature of those tested by customers in 2016. That may reflect the relatively insular nature of the industrial control system market. “This vertical favors its own niche protocols, which may not have been well-tested over the years,” Synopsys said in its report. On average, the protocols tested by Synopsys failed after 1.4 hours of “fuzzing.” But four of the five least mature protocols were specific to the ICS sector. The “time to first failure” for those protocols ranged from a few seconds to a few minutes.
By comparison, the most mature protocol tested, TLS client, required 9 hours of testing before a “crash” was generated, while the Address Resolution Protocol (ARP) registered zero failures against 272,044,482 test runs. Among the ICS protocols that Synopsys said showed the need for further testing and auditing was IEC-104, a SCADA (supervisory control and data acquisition) protocol that is used in electrical engineering and power system automation applications. Synopsys recorded 237 failures (“crashes”) in 2016 against 181,802,805 test runs, with a time to first failure of a mere 6.6 seconds. The IEC-61850 protocol used by electrical substations registered four failures in 2016 against 10,064,487 test runs, with the first fault recorded just 1.2 minutes after testing began. Synopsys also warned about Modbus, a common and proprietary serial communications protocol that is used with programmable logic controllers (PLCs). There were 34 failures recorded against 79,173 test runs last year, and the first failure was discovered after just 1.8 minutes of testing.
Common Internet of Things protocols fared little better. CoAP (Constrained Application Protocol) server, which is commonly used as a kind of lightweight HTTP, registered 6,275 failures against 16,122,616 test runs with an average time to failure of 3 hours. Common Industrial Protocol (CIP), a unified communication architecture used in manufacturing, registered 610 failures over 25,991,681 test runs. On average, it took 5.3 hours to discover a fault, Synopsys said. The CAN bus protocol used in the automotive space also fared poorly. Synopsys found 2,251 failures against 4,472,041 test runs, with an average runtime of 15 minutes, in the protocol that allows microcontrollers and devices to communicate with each other without a host computer over in-vehicle controller area networks (CAN).
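To make concrete what the fuzzing loop described earlier does and what the figures above measure (test runs, failures, time to first failure), here is an added example that is not part of the original article and not Synopsys’ tooling: a small mutation fuzzer in Python run against a constructed, hypothetical binary frame format. The naive parser trusts the frame’s length field, the classic defect that fuzzing surfaces as a crash; the hardened parser validates every field before use. The frame layout, parser names and the `fuzz` harness are all assumptions made for this illustration and do not correspond to any real ICS protocol.

```python
"""Toy mutation fuzzer illustrating the metrics in the Synopsys report:
test runs, failures ("crashes") and time to first failure.
Added example: the frame format and both parsers are constructed for this
illustration and do not model any real ICS protocol."""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed frame layout: [0x7E start][unit id][payload len][payload...][xor checksum]


def build_frame(unit: int, payload: bytes) -> bytes:
    """Build a well-formed frame; used as the fuzzing seed."""
    body = bytes([0x7E, unit, len(payload)]) + payload
    xor = 0
    for b in body:
        xor ^= b
    return body + bytes([xor])


def parse_frame_naive(frame: bytes) -> dict:
    """Trusts the length field: a frame whose length byte exceeds the real
    payload reads past the buffer (IndexError), the kind of fault fuzzing finds."""
    if frame[0] != 0x7E:
        raise ValueError("bad start byte")      # explicit rejection, not a fault
    n = frame[2]
    payload = bytes(frame[3 + i] for i in range(n))   # unchecked index
    return {"unit": frame[1], "payload": payload, "checksum": frame[3 + n]}


def parse_frame_hardened(frame: bytes) -> Optional[dict]:
    """Validates length and checksum before touching any field; malformed
    input is rejected with None and can never crash the parser."""
    if len(frame) < 4 or frame[0] != 0x7E:
        return None
    n = frame[2]
    if len(frame) != 4 + n:
        return None
    xor = 0
    for b in frame[:-1]:
        xor ^= b
    if xor != frame[-1]:
        return None
    return {"unit": frame[1], "payload": bytes(frame[3:3 + n]), "checksum": frame[-1]}


def crashes(parser: Callable[[bytes], object], frame: bytes) -> bool:
    """True when the parser dies with anything other than an explicit rejection."""
    try:
        parser(frame)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, insert or delete."""
    data = bytearray(frame)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 3 and data:
        del data[rng.randrange(len(data))]
    return bytes(data)


@dataclass
class FuzzResult:
    runs: int = 0
    failures: int = 0
    first_failure_run: Optional[int] = None          # test-run count to first failure
    first_failure_seconds: Optional[float] = None    # wall-clock time to first failure
    crashing_inputs: List[bytes] = field(default_factory=list)


def fuzz(parser: Callable[[bytes], object], seed_frame: bytes,
         runs: int, seed: int = 1) -> FuzzResult:
    """Mutate the seed frame `runs` times; every unexpected exception is a failure.
    A fixed RNG seed makes the campaign reproducible for triage."""
    rng = random.Random(seed)
    result = FuzzResult()
    start = time.perf_counter()
    for run in range(1, runs + 1):
        case = mutate(seed_frame, rng)
        result.runs += 1
        if crashes(parser, case):
            result.failures += 1
            result.crashing_inputs.append(case)   # keep the input for reproduction
            if result.first_failure_run is None:
                result.first_failure_run = run
                result.first_failure_seconds = time.perf_counter() - start
    return result


if __name__ == "__main__":
    seed_frame = build_frame(unit=0x11, payload=b"\x03\x00\x00\x00\x0a")
    for name, parser in (("naive", parse_frame_naive), ("hardened", parse_frame_hardened)):
        r = fuzz(parser, seed_frame, runs=20_000)
        print(f"{name:9s} runs={r.runs} failures={r.failures} "
              f"first failure at run {r.first_failure_run} "
              f"after {r.first_failure_seconds} s")
```

Running it prints a non-zero failure count and a first failure within the first few runs for the naive parser, and zero failures for the hardened one; the saved `crashing_inputs` are what a developer would replay to reproduce and fix each fault. The same three numbers, scaled up to millions of runs, are what the per-protocol figures in the report express, and the naive-versus-hardened contrast is why the “time to first failure” for a protocol implementation drops from hours to seconds when input validation is missing.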
Clark said the problems discovered touch on both the implementation of protocols in specific applications and, in some cases, the design of the protocol itself. He said protocols like those used in industry or fields like medicine have had less scrutiny than open source or commonly used protocols, and fare worse in Synopsys testing. “How a protocol has been released into the wild and how much information was readily available on them will affect how well they do in (fuzzing) tests,” he said.
Citing the Heartbleed vulnerability in OpenSSL, Clark said more regular testing of applications and protocols is needed, especially in the wake of changes or additions. “Regardless of how much testing you’ve done, if there’s a change, you should be performing base testing.”