Researchers build undetectable rootkit for programmable logic controllers

The rootkit implements a new attack against a PLC's input/output interface

io attack plc rootkit pin configuration
Credit: Ali Abbasi and Majid Hashemi

Researchers have devised a new malware attack against industrial programmable logic controllers (PLCs) that takes advantage of architectural shortcomings in microprocessors and bypasses current detection mechanisms.

The attack changes the configuration of the input/output pins that make up the interface used by PLCs to communicate with other devices such as sensors, valves, and motors. PLCs are specialized embedded computers used to control and monitor physical processes in factories, power stations, gas refineries, public utilities, and other industrial installations.

The attack, which will be presented at the Black Hat Europe security conference in London on Thursday, was developed by Ali Abbasi, a doctoral candidate in the distributed and embedded system security group at the University of Twente in the Netherlands, and Majid Hashemi, a research and development engineer at Quarkslab, a Paris-based cybersecurity company.

One version of the I/O attack is called pin configuration and involves the use of malicious code that switches an I/O pin's configuration from output to input, or the other way around, without the PLC's OS or programs knowing.

For example, let's take the case of a PLC that's connected to a valve and is able to open or close it by sending a signal to an I/O pin configured as output. The same PLC also receives pressure readings from a sensor through another pin that's configured as input. A program running on the PLC -- known as the PLC logic -- monitors readings from the sensor and automatically opens the valve to release pressure when needed.

Malicious code injected by an attacker into the PLC can reconfigure the output pin as input, preventing the PLC logic from writing to it and opening the valve. It can also reconfigure the input pin as output and write bogus data to it. The result will be that the PLC will report to monitoring software that it has opened the valve and that pressure is going down -- due to the false readings now supplied by the attacker -- when in fact it hasn't.

The fundamental issue is that there are no hardware interrupts for pin configuration in the systems on a chip (SoCs) used in embedded devices like PLCs, so the OS will get no error from the processor when trying to write to a pin reconfigured as input, according to Abbasi. This means the PLC logic, which runs inside a runtime environment, will not crash and will continue to act as if the operation succeeded because, in the OS virtual memory, everything will look good.

"That's the core problem here," Abbasi said. "It seems that no SoC vendors have taken pin configuration feedback into consideration, and that might not be important for other embedded systems, but for PLCs, whose main operation is with the I/O, this becomes super important and can cause problems."

Abbasi and Hashemi implemented their attack technique in a rootkit that functions as a loadable kernel module (LKM). This allows them to bypass existing host-based intrusion detection and control-flow integrity tools for embedded systems like Doppelganger and Autoscopy Jr.

"The novelty of our attack lies in the fact that to manipulate the physical process we do not modify the PLC logic instructions or firmware," the researchers said in their paper. "This can be achieved without leveraging traditional function hooking techniques and by placing the entire malicious code in dynamic memory."

The drawback of implementing the rootkit as an LKM -- essentially a driver -- is that deploying it requires root privileges. Because of this, the researchers also developed a version of the attack that uses existing features of the PLC runtime to reconfigure the pins, and this variant can be implemented by exploiting any memory corruption vulnerability that allows loading malicious code directly into dynamic memory.

Another attack technique targets a feature called pin multiplexing that allows the use of the same pins for different interfacing modes in addition to GPIO (general purpose input/output). The functionality of a pin can be re-assigned during runtime and again, there is no feedback to tell the OS something has happened.

"Let's say you're using a pin to connect to a motor and manage it via a pulse width modulation (PWM) controller inside the CPU," Abbasi said. "In the attack, what we do is multiplex that pin and change its functionality to something else, but the CPU doesn't tell the memory management unit (MMU), which translates virtual addresses into physical addresses, that the physical address that corresponds to that pin is no longer available. The MMU will continue to try to write to it, the CPU will ignore the request, but won't give back any error, and that's crazy because the PLC will still think that the motor is accessible."

According to Abbasi, we're not likely to see these kinds of I/O attacks in the wild soon, because there are currently easier ways to compromise PLCs. However, as vendors build the next generation of PLCs with better built-in security, it's important to keep in mind that firmware and logic manipulations are not the only attack options available to hackers.

Also, it's not only PLCs that are vulnerable to I/O attacks but all embedded devices for which I/O operations are critical, such as the electronic control units (ECUs) used in cars or the intelligent electronic devices (IEDs) used in the electric power industry.

In their paper, the researchers propose two research directions for new techniques that could be used to detect I/O attacks. They plan to use these as the basis for their future work.

CIO wants to know… Does Microsoft's Women in STEM ad veer too close to blaming the victim? Read the story, then join the conversation
New! Download the CIO March/April Digital Magazine