Researchers at CyberX say they have found a way to sneak sensitive data off of industrial control system networks using radio frequency signals. The technique could be used to exfiltrate data from so-called “air gapped” networks that are not connected to the Internet.
The researchers, David Atch and George Lashenko, presented their work at the Black Hat Europe conference in London on December 6. They demonstrated a method for reprogramming Siemens programmable logic controllers (PLCs) to generate “encoded radio signals” that could be received over ordinary AM radios. The signals could be used to steal (or “exfiltrate”) sensitive data from the networks, the researchers claim.
“This crafty technique could be used to exfiltrate corporate trade secrets such as proprietary formulas, military secrets such as nuclear blueprints, and reconnaissance data for use in future destructive attacks such as details about ICS network topologies and device configurations,” CyberX said in a blog post describing the research.
The researchers demonstrated their attack using a Siemens S7-1200 PLC, a commonly used controller in the industrial control space. But the attack likely works on PLCs from other vendors as well.
The Siemens PLCs do not contain a radio transmitter. Instead, the CyberX researchers found that they could make the device emit radio frequency signals as a side effect of writing data to its memory. By controlling how that data is written, the attacker shifts the frequency of the emission, and the shifts are used to exfiltrate data bit by bit, with one frequency representing a “0” and a different frequency representing a “1.” No vulnerabilities in the Siemens software were needed to carry out the attack, CyberX said. The technique does, however, presuppose that the attacker can already load a modified program onto the PLC: it is a covert channel for getting data out of the network, not a way in.
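The two-frequency encoding described above is binary frequency-shift keying (FSK). The following simulation is an added example and is not CyberX’s code or anything published with the research: it models the transmitter abstractly, emitting a tone at one of two frequencies for each bit (the page does not say how the memory-write pattern maps to a given frequency, so the 1000 Hz / 2000 Hz tones, the 100 bit/s rate and the 8 kHz receiver sample rate are all assumptions), and then demodulates the resulting samples with a per-bit Goertzel power comparison, the way a receiver listening for the two tones would. The noise parameter shows why such a channel is robust even when the emission is weak.

```python
"""Simulation of a two-tone (binary FSK) exfiltration channel.

Added example: this is not CyberX's code. The transmitter below stands in
for an implant that toggles PLC memory at one of two rates; the page only
states that each rate produces a distinct RF frequency, so the concrete
frequencies, bit rate and sample rate here are assumptions.
"""
import math
import random

SAMPLE_RATE = 8000          # receiver samples per second (assumed)
F_ZERO = 1000               # Hz, tone representing a "0" bit (assumed)
F_ONE = 2000                # Hz, tone representing a "1" bit (assumed)
BIT_DURATION = 0.01         # seconds per bit -> 100 bit/s (assumed)
SAMPLES_PER_BIT = int(SAMPLE_RATE * BIT_DURATION)   # 80 samples


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Reassemble whole bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def modulate(data: bytes) -> list:
    """Transmitter model: one tone per bit, phase continuous across bits.

    In the real attack the implant would write memory at the rate that
    yields the chosen emission frequency; here the tone is produced directly.
    """
    samples = []
    phase = 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples


def goertzel_power(samples: list, freq: float) -> float:
    """Signal power at a single frequency (Goertzel algorithm, one DFT bin)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples: list) -> bytes:
    """Receiver: per bit period, pick whichever tone carries more power."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[i:i + SAMPLES_PER_BIT]
        one = goertzel_power(chunk, F_ONE)
        zero = goertzel_power(chunk, F_ZERO)
        bits.append(1 if one > zero else 0)
    return bits_to_bytes(bits)


def add_noise(samples: list, amplitude: float, seed: int = 1) -> list:
    """Constructed uniform noise standing in for a weak, noisy RF path."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in samples]


def roundtrip(data: bytes, noise: float = 0.0) -> bytes:
    """Encode, optionally corrupt, and decode; returns the recovered bytes."""
    return demodulate(add_noise(modulate(data), noise))


if __name__ == "__main__":
    secret = b"recipe v2"                      # constructed sample payload
    print(roundtrip(secret))                   # clean channel
    print(roundtrip(secret, noise=1.0))        # noise as loud as the tone
```

Because each bit period holds an integer number of cycles of both tones, the two Goertzel bins are orthogonal and the decision is phase-independent, which is why the decoder still recovers the payload with noise as large as the signal itself. From a defender’s perspective the same property cuts both ways: a spectrum monitor near the cabinet that sees a device flipping between two fixed tones at a steady symbol rate is looking at a signal with exactly this structure.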
“Organizations often have a false sense of security if their networks are air-gapped, or isolated from the Internet,” said David Atch, VP of Research for CyberX. “This exploit demonstrates that even truly air-gapped networks are vulnerable to targeted attacks by determined adversaries.”