Multiple Flaws Found in Critical Nuclear Monitoring Equipment


Sophisticated radiation monitoring devices (RMDs) and instruments (RMIs) that measure and detect the presence of dangerous materials are at the heart of safety monitoring for nuclear power plants, of tracking uranium, and of ensuring that nuclear warheads and components remain in the secure facilities where they belong. But IOActive has discovered flaws that would allow a persevering attacker to compromise these critical devices.

One subset of RMDs/RMIs is radiation portal monitors (RPMs), which are gateways used to monitor for the illegal trafficking of radioactive material at points of entry: ports, border crossings, airports and the like.

In reverse-engineering the publicly available binaries for RPMs from Ludlum, which has sold 2,500 gateways in 20 countries, IOActive found a backdoor password that grants the highest privilege to any attacker with physical access to the device.  

“As a result, malicious personnel can bypass the RPM's authentication and take control of the device, which could be used to disable it, thus preventing the RPM from triggering proper alarms,” the firm said in a white paper.

In addition, malicious actors could compromise the wireless network or LAN that controls the RPM, in order to perform a man-in-the-middle attack. In this way, they could alter the readings when the radioactive material they are interested in trafficking is detected.

“This would allow them to safely bypass these gate monitors while maintaining the compromised device in a working condition,” IOActive explained.

But that’s not all: On the nuclear power plant front, RMIs are used to observe the radioactivity of liquids, rooms, facility processes, releases, spent nuclear fuel, nuclear waste and the environment, as well as to provide information about fuel failures and radioactive substance leaks. IOActive found vulnerabilities in the Mirion WRM2 System, which wirelessly links RMIs equipped with WRM2 transmitters and can display their statuses and measurements on a computer comfortably outside the area where the radiation measurement is taking place. Mirion's WRM2 standard is built on top of Digi's XBee S3B OEM modules. In addition to Mirion, other vendors also commercialize WRM2-compatible products, including the Laurus DRM2 area monitor.

In this case, attackers can forge or sniff WRM2 transmissions, eventually gathering enough information to falsify them. From there, they can perform a number of attacks: in the case of an evacuation of personnel or population within the NPP-designated zones, attackers may falsify these readings to trick authorities into giving the wrong directions for the evacuation, thus increasing the damage and/or potential casualties.

Or, they may look to increase the time an attack against a nuclear facility or an attack involving a radioactive material remains undetected, by sending normal readings to trick operators into thinking measurements are perfectly fine.

It’s clear that the stakes are high, but it’s also important to keep in mind that ionizing isotopes are used across multiple sectors: agriculture, medicine, research, biochemistry and manufacturing. Some industrial processes, such as oil and gas drilling and metal mining, may also bring natural radionuclides to the surface from underground formations. RMDs and RMIs are necessary to ensure safe environments in these verticals as well. Attacks can thus be far-ranging.

IOActive disclosed the flaws to the affected vendors and received a variety of responses:

  • Ludlum acknowledged the report, but refused to address the issues. “According to them, these devices are located in secure facilities, which is enough to prevent exploitation,” the firm said.
  • Mirion acknowledged the vulnerabilities, but will not patch them as it would break WRM2 interoperability. Mirion contacted their customers to warn of this situation and said they will work in the future to add additional security measures.
  • Digi acknowledged the report, and said there was ongoing collaborative work between Digi and Mirion to patch some of the critical vulnerabilities uncovered in the research.
