About Us



IOActive Labs

IOActive Labs IOBOT! Click to learn more.

IOActive's IOAsis
Compromising Industrial Facilities From 40 Miles Away

Thursday, August 1, 2013

Time 3:30pm

Location: Black Hat

Session Title: Compromising Industrial Facilities From 40 Miles Away

Speakers: Carlos Penagos, Senior Security Consultant, IOActive & Lucas Apa, Senior Security Consultant, IOActive

Details: The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities in industries such as energy production, oil, gas, water, utilities, refining, and petrochemical distribution and processing. Effective wireless sensor networks have enabled these companies to reduce implementation, maintenance, and equipment costs and enhance personal safety by enabling new topologies for remote monitoring and administration in hazardous locations.

However, the manner in which sensor networks handle and control cryptographic keys is very different from the way in which they are handled in traditional business networks. Sensor networks involve large numbers of sensor nodes with limited hardware capabilities, so the distribution and revocation of keys is not a trivial task.

In this presentation, we review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. We also demonstrate some attacks that exploit key distribution vulnerabilities, which we recently discovered in every wireless device developed over the past few years by three leading industrial wireless automation solution providers. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies.

An untrusted user or group within a 40-mile range could read from and inject data into these devices using radio frequency (RF) transceivers. A remotely and wirelessly exploitable memory corruption bug could disable all the sensor nodes and forever shut down an entire facility. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made can be modified. This can lead to unexpected, harmful, and dangerous consequences.


Carlos Penagos is a senior security researcher and consultant for IOActive, has worked around the world doing consulting and security trainings. His main expertise are exploitation, reverse engineering, bug hunting and cryptography. Carlos holds a Bachelor's degree in Computer Science and has been awarded with science merit honours for his graduation thesis. In his free time he has disclosed several vulnerability advisories to US-CERT, ICS-CERT and CN-CERT for the world's most used SCADA/HMI. He also likes coding theory, number theory and ECC.

Lucas Apa is a security researcher and consultant at IOActive. His main interests are vulnerability exploitation techniques, embedded reverse engineering, kernel vulnerability research and cryptography. Focused on offensive security he publicly discovered critical vulnerabilities in Windows, Siemens access controls and Apache projects. His work has been presented at world-renowned conferences including Black Hat Europe, Ekoparty and SecTor. He provides comprehensive security services working with the majority of Global 500 companies including power and utility, game, hardware, financial, media, retail, aerospace, healthcare, high-tech, social networking, and software development organizations. Lucas is also currently finishing a degree in Computer Engineering.

Return to IOAsis Home