Attacking The Plant Through WirelessHART

Описание: This is a great example of a S4 technical session. Jalal Bouhdada and Erwin Paternotte dig into the protocol and implementation of WirelessHART to identify security strengths and weaknesses as well as areas that deserve future research.

The main findings are:

1. the most important crypto key, the Join Key, is often left as the vendor default. This default is often in the documentation, and even if not will be available with a reasonable Internet search. Many if not most deployments are not changing the default Join Key.

Asset owners are getting a false sense of security and not properly managing risk. They hear that WirelessHART is secure, but the deployment team, and often the sales team, neglects to mention that some level of key management is required to achieve this security.

2) The firmware could be extracted via JTAG on all 5 vendor systems the researchers looked at. They were able to identify where the Join Key was in the firmware. While it was encrypted or encoded, unknown at the time, they could copy this into their own WirelessHART device and join the network.

Really great work by these researchers that we hope to see more from in the future.