ICS Flaw in Wireless Automation Software Could Spell Catastrophe for Utilities

The software in question is deployed worldwide across several industries including oil and gas, water and wastewater, and electric utilities

That could spell catastrophe, considering that the software is deployed worldwide across several industries including oil and gas, water and wastewater, and electric utilities.

IOActive researchers Lucas Apa and Carlos Penago discovered the vulnerability in the software, which is used to create microwave networks that allow different wireless automation systems and devices to talk to each other, especially Rockwell Automation and Schneider Electric solutions. It also monitors the performance of the end devices. They said in an advisory that an attacker who gains access to the system could communicate with the network that any given device is connected to, with devastating consequences.

For example, “if an attacker is able to communicate with devices on the wireless network of a nuclear power plant, [they] could manipulate the data sent from these devices to industrial processes and cause dangerous consequences by overheating liquids or over-pressurising chemicals, which in turn would result in catastrophic failure,” said Penago in an announcement.

The problem lies in the fact that when RadioLinx creates a new radio network between two systems or devices, it generates a random passphrase and sets the encryption level to 128-bit Advanced Encryption Standard (AES). Because the software uses the local time as the seed for generating that passphrase, an attacker who knows or can estimate when the network was created can reproduce the default values the software produced.

“Wireless radios used in industrial control systems use software, like that from ProSoft Technology, to create and manage a new network,” said Apa. “When a new network is created the software calculates a passphrase using a pseudorandom number generator. The problem is that it uses the local time as the seed. This makes this algorithm predictable and weak, and vulnerable.”
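The weakness Apa describes is general to any generator whose only input is the wall-clock time: the passphrase becomes a function of one integer, so its real entropy is the size of the window in which the seed could lie, not the nominal size of the passphrase. The following is an added illustration, not code from the article or from ProSoft; the alphabet, the 16-character length and the use of Python's `random.Random` are assumptions standing in for whatever the real product does. It contrasts a time-seeded generator with one drawn from the OS CSPRNG, and includes a check a defender can run against a recorded creation time to see whether a passphrase is reproducible.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSPHRASE_LEN = 16  # hypothetical; the advisory does not state the product's format


def weak_passphrase(creation_time: int, length: int = PASSPHRASE_LEN) -> str:
    """Passphrase derived from a PRNG seeded with the local time (Unix seconds).

    Stand-in for the pattern the article describes: the generator's whole
    output is determined by one integer, so anyone who knows or can bound the
    creation time can regenerate it.
    """
    rng = random.Random(creation_time)  # deterministic for a given seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_passphrase(length: int = PASSPHRASE_LEN) -> str:
    """Passphrase drawn from the OS CSPRNG; there is no seed to reproduce."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy of a time-seeded passphrase when the seed is known to lie within
    a window of `window_seconds`: log2 of the number of distinct seeds."""
    return math.log2(window_seconds)


def nominal_entropy_bits(length: int = PASSPHRASE_LEN) -> float:
    """Entropy the passphrase would have if every character were independent."""
    return length * math.log2(len(ALPHABET))


def is_reproducible(passphrase: str, creation_time: int) -> bool:
    """Defender-side audit: a passphrase that can be regenerated from the
    recorded network creation time alone was not randomly generated and
    should be rotated."""
    return weak_passphrase(creation_time) == passphrase


if __name__ == "__main__":
    created = 1_700_000_000  # constructed sample creation time
    pw = weak_passphrase(created)
    print("time-seeded passphrase:", pw)
    print("reproducible from creation time:", is_reproducible(pw, created))
    print("entropy if seed known to within one day: %.1f bits"
          % effective_entropy_bits(86_400))
    print("nominal entropy of a %d-char passphrase: %.1f bits"
          % (PASSPHRASE_LEN, nominal_entropy_bits()))
    print("CSPRNG passphrase:", strong_passphrase())
```

The numbers are the point: a 16-character alphanumeric passphrase nominally carries about 95 bits, but if the seed is the creation time and that time is known to within a day, only about 16 bits remain, which is why the AES-128 key length does nothing to help. The fix is the one the vendor's guidance points at: stop deriving the passphrase from a guessable seed, or at minimum add secret material to it.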

Thankfully, ProSoft Technology has produced a new firmware patch to mitigate this vulnerability. The firm is now getting the word out to the organizations that use the software. To that end, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also published an advisory providing details of the vulnerability.

“The impact to individual organizations depends on many factors that are unique to each organization,” it said. “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture and product implementation.”

It added that while an attacker with moderate skill would be able to exploit this vulnerability, there are no known public exploits specifically targeting the issue so far.

In addition to the patch, ProSoft has made the further recommendation of changing the default ‘seed’ passphrase, which will greatly increase the entropy of the passphrase generation process.
