SlideShare a Scribd company logo

Tools for Practical Attacks on Analog-to-Digital Conversion

Download as PPTX, PDF
A
Alexander Bolshev

This document discusses practical attacks on analog-to-digital converters (ADCs). It begins with an anecdote about compromising a programmable logic controller (PLC) and bypassing monitoring systems. It then covers different types of ADCs and their vulnerabilities. Examples are provided of proof-of-concept attacks injecting arbitrary waveform signals and altering the digital representation of analog signals. Various hardware is demonstrated for evaluating ADCs, including signal generators, function generators, and data acquisition systems. Mitigation techniques are proposed, such as implementing appropriate anti-aliasing filters and randomizing sampling frequencies.

Engineering
1 of 75
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
Tools for Practical Attacks on Analog-to-Digital Conversion Alexander ‘dark_k3y’ Bolshev With a help from: Marina Krotofil Gabriel Gonzalez Andrey Dolgikh
; CAT /DEV/USER Alexander ‘dark_k3y’ Bolshev Ph.D., security consultant @ IOActive Madrid HW Lab Distributed systems researcher “the more complex & strange is the system -> the better”
Important Disclaimer The whole presentation is mostly discussed on the first lections of ‘Control theory’ and ‘Digital Signal Processing’ university courses, so in fact it won’t be about something new.
Quick intro to ICS + ADC problems
Dialog with (some) ICS engineer during pentest Me: You have …vulns……vulns……vulns… and as a result I could compromise your PLC! Engineer: You will achieve nothing with it, because my monitoring system will stop you when the analog signal that is generated by this PLC will be out of 10% range. After it, backup PLC will be launched in a very short time Me: Okay... (went away crying) (some time passed) Me: But I will be back!
From Michael Ossmann:
Correct interpretation of data is important, because embedded and industrial control systems uses analog inputs to create the picture of controlled system’s state. ICS field level Actuators Control system Sensors Measure process state Computes control commands for actuators Adjust themselves to influence process behavior Physical Process ADCDAC
Consider the following architecture Analog control loop Control PLC Actuator Monitoring PLC/ Logger/DAQ/Safety PLC HMI Attacker
Consider the following architecture Analog control loop Control PLC Actuator Monitoring PLC/ Logger/DAQ/Safety PLC HMI 0V (actuator is OFF) MV – Manipulated Variable What if MV value on actuator will be different from MV value on logger? 1.5V (actuator is ON) Attacker
Proof-of-Concept demo from the past “HMI Panel” “Control PLC” (arduino) “Actuator” (motor) “Monitoring PLC” (S7 1200) See v1_motor_arduino_vs_plcadc.m4v video
How is it possible at all? MV is represented by analog signal! Because we’re talking not about altering the analog signal, but about altering its digital representation (conversion).
Analog-to-Digital converter [2]
• A device that converts a continuous physical quantity (usually voltage) to a digital number that represents the quantity's amplitude.[3] • An ADC is defined by its bandwidth (the range of frequencies it can measure) and its signal to noise ratio (how accurately it can measure a signal relative to the noise it introduces). • Bandwidth of an ADC is characterized primarily by its sampling rate, and to a lesser extent by how it handles errors such as aliasing. What is ADC? ADC Input Signal Reference Digital Representation
Types of ADCs There are many types of ADCs, the most common are three: • Successive-approximation ADC (SAR) • Sigma-delta ADC • Pipeline (usually based on flash)
Aliasing • Sampling frequency should follow Nyquist rule ( fs > 2f ) • Otherwise the signal will appear of false (alias) frequency
Anti-aliasing filters: “input validation” in ADC world • Anti-aliasing filter (AAF) is a filter that is used before sampling device (e.g. ADC) to attenuate the power of signal in high frequency ranges for approximate or complete satisfying the sampling theorem (fs > 2f) • As a representative of low-pass filters (LPF) family, AAF could be characterized by cut-off frequency (fc) and stop-band frequency (fsb) [4]
Attacks against ADCs • Frequency and phase: • Arbitrary Waveform signal, i.e. signal with waveform that could be somehow misinterpreted by ADC. (see ep.1) • High-Frequency function signal, i.e. generating sine wave with kHz or MHz frequency that could somehow be misinterpreted by ADC. • OverSampling attack against SAR (see ep.1) • Special-frequency attack against ΔΣ (see ep. 2) • Amplitude (out-of-voltage-range signal) (see ep.1)
Attacks: AWG against “ADC()” call
But how…? “HMI Panel” “Control PLC” (arduino) “Actuator” (motor) “Monitoring PLC” (S7 1200)
…Easy! 3.3V 100 ms … while (1) { pinOutput(tip120PIN, 200); delay(395); for(i = 0; i < 20; i++){ pinOutput(tip120PIN, 0); delay(2); pinOutput(tip120PIN, 200); delay(2); } pinOutput(tip120PIN, 200); delay(495); } 2,5ms
Siemens S7 1200 analog I/O ADC
Siemens S7 1200 analog I/O ADC N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
Siemens S7 1200 analog I/O ADC N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
AWG signal against “lazy-call” ADC Val = readADC(); Sleep(Timeout); /* or doSmth(Timeout) */ Output(Val);
But this is just Arduino, not real controller! Ok, let’s try without Arduino…
Ok, let’s try something more real… SIMATIC S7-1200, ANALOG OUTPUT SB 1232, 1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA (11 BIT RES) Problem: no public information on real SPS for these module… 
Ok, what’s inside? Logic buffer EEPROM OpAmp XTR300
XTR300?
Let’s test for max stable SPS…
Proof-of-Concept demo with real stuff “HMI Panel” “Control PLC” (S7 1200) “Actuator” (motor) “Monitoring PLC” (S7 1200) See v2_motor_plc_vs_plcadc.m4v video
Signal generation SCL code https://support.industry.siemens.com/cs/document/67295964/how-in-step-7-v5-x-do-you-program-signal-generation-(rectangle-sawtooth-triangle-sinus)-using-the-cyclic-interrupts-?dti=0&lc=en-WW
Pure frequency/phase attacks
ΔΣ Modulation • Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals as found in an ADC. [7] • In Δ-modulation the change in the signal (its delta) is encoded, rather than the absolute value. The result is a stream of pulses. In ΔΣ-modulation, the accuracy of the modulation is improved by passing the digital output through a 1-bit DAC and adding (sigma) the resulting analog signal to the input signal, thereby reducing the error introduced by the Δ-modulation. [7]
Delta-sigma ADC • ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts: analog and digital: • analog part generates a very high-frequency bitstream; • digital part creates the real number output by filtering it with digital filter and decimating it to the output samples per second value. ΔΣ Modulator Digital Low-Pass filter Decimation Filter Analog input 1-bit stream N-bit stream Output data 0 1 1 0 0 3.3 3.4 3.4 3.4 2.7 2.2 … Digital partAnalog part
Modulation process [6]
Delta-Sigma ADCs [6] [6]
Demo: The mystery of the ΔΣ AD7706 ADC… See v3_mystery_sdadc1.mp4 video
Tools for Practical Attacks on Analog-to-Digital Conversion
Possible explanation from the datasheet? • Expecting to have some noise there than, but possibly not the clear sin signal • It explains just partly, and we need some good hypothesis for all these things. In our case fCLKIN = 2.00MHz, so fs = 31250
LP & Decimation (sinc3) filter D = N = 64 for AD7706
USB UART Atmega328 AD7706 & Vref Signal generator Demo: The second mystery of the ΔΣ AD7706 ADC… See v4_mystery_various_signals.mov video
Hypothesis and frustrations • Digital filter corner frequency/noise? • No, sinus too clear for it • sinc3 filter implemented in MCU and has integer overflow? • ”Artificial gain” (No PGA), but just multiplication on digital output? • That’s wrong according to chip decap image.
• Dynamic compression? • Overflow in logic circuit? • Pole-zero cancelation in filter? Still mystery
31.25kHz looks too much for a successful attack DAC with s/r up to 100kHz
Implementation Renesas R5F100bG RL78/G13 27352 bytes firmware size => 4 – 36+kB for payload
Ok, I got it, but what else I could use for attack? Line coupling circuit (usually OpAmp/Transformer) Signal/Function Generator Two most common industrial analog line loops: • Voltage (0-10V, 0-24(28)V, 0-48V • Current (0-20mA) Aka ADC research kit for Joseph FitzPatrick 
Voltage Signal/Function Generator: -> Si5351 + any MCU via I2C Coupling circuit: Buffer RtR OpAmp + H-V OpAmp Gain = 1 + (R2/R1) TI OPA551/OPA552 Fairchild LM358N Buffering requirement depends on signal source
Current (0-20mA) -> Cypress PSoC http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262 CY8CKIT-049-42XX ~<10EUR MAX15006 Any suitable and cheap transistor for such current
Other ΔΣ ADCs: ADS1015
Cypress PSoC5 built-in ADC* What’s this? What’s that? [5] *default configuration
Ok, let’s look at real device with behavior like ΔΣ ADC: Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O + Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
Very weird results for real industrial PLC: 1 -> 24Hz Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
25Hz Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
And… 24.9Hz!!! Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
And… 24.9Hz!!! Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
Tools for Practical Attacks on Analog-to-Digital Conversion
*Без обид Андрей, просто действительно забавно! *
Flex I/O vs. PowerFlex Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
Do we have at least one “normal” ΔΣ ADC?! Yes, e.g. MAX11205 • Sinc4 filter with no visible mistakes + postfiltering(?) • Looks very reliable Postfiltering?
Attacks summary: what you can and what you cannot
Summary ADC First ”attackable” f Required AAF fc Required AAF fsb Complexity SAR ADC S/H frequency (S/H frequency)/2 - easy/medium -- MCP3201 14.3kHz 7.1kHz - easy S7 1200 PLC 121Hz 60Hz 120Hz easy AB 1794-IE4XOE2* 24.9Hz 10Hz 20Hz very easy AD7705/AD7706 31250/38400 Hz - 30kHz easy ADS1015 ~86kHz 10-20kHz 50kHz medium/hard MAX11205 n/a any reasonable any reasonable ~impossible PSoC5 LP** ~1kHz 1kHz 2kHz easy * research data by Andrey Dolgikh ** incorrectly configured (default configuration) PSoC module
What could you do?
Mitigations • As hardware developers/vendors: • Implement correct AA-filters in accordance to REAL characteristics of your ADC (read latest/hidden datasheets, test you ADC manually) • Remember: digital filters won’t help • As software developers (incl. firmware and PLC program development): • Introduce sampling frequency randomization in software that works with ADC • Avoid “sleepy” code • As engineer: • Implement same AA-filters all over your analog network in accordance with your OT process
Vendors Sceptic’s replica: • We already have correct AA-filters everywhere! Are you sure?
Reference design of industrial sensor “We included AA LPF in our design" ADC with fs ~ 2kSPS LPF with fc near 79 kHz
Reference design of industrial transmitter “We included AA LPF in our design" ADC with fs ~ 470sps LPF with fc near 79 kHz
But we have … AA filters... Everywhere...
2Vendor: also remember: digital filter won’t help • The signal is already ”compromised” by ”ADC features”, so any digital filtering after ADC won’t help you. • If you want full control, install ΔΣ modulator and implement digital part of ΔΣ-ADC manually in FPGA Analog signal Digital representation 1-bit stream
Developer: introduce sampling frequency randomization • Certain randomness in sampling frequency will make attacker’s job much harder • Many of the discussed attacks will be much more challenging to execute • Small variation of 𝒇 𝑠 won’t degrade signal understanding process. On the contrary, it will produce a signal sample of better quality. 𝒇 𝑠 = 𝑓 + rand(△) Time V 0 http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html
Developer: Avoid sleepy code Avoid writing/using the following code (if you don’t completely understand your process): Val = readADC(); Output(Val); Sleep(Timeout);
• When adding LPF into an individual device, make sure that all related devices have the same cut-off frequencies • E.g. if PLC input is buffered with LPF 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and actuator equipped with LPF with 𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible, but the probability of success increases! Engineer: Use SAME AA-filters across all analog line Control PLC 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 𝒇 𝒄 = 𝟓𝒌𝑯𝒛 Monitoring PLC
Thanksgiving service • Marina Krotofil for being a co-researcher in ep. 1 and many bright ideas • Andrey ‘@c4f3t13r3’ Dolgikh from Binghamton University, for information on Allen Bradley PLC behavior vs. different frequencies. • Guys from IOA hw lab (especially Gabriel, Ruben and Alfredo) for help and support • Fedor Savelyev for ideas and help with DSP (digital signal processing) analysis • Dmitry Nedospasov for many useful advices
Conclusions
Any questions? http://ioactive.com/ @ioactive @dark_k3y
1. https://en.wikipedia.org/wiki/Control_theory , Picture by Orzetto - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=5000019 2. Picture from: http://maxembedded.com/2011/06/the-adc-of-the-avr/ 3. Wikipedia: https://en.wikipedia.org/wiki/Analog-to-digital_converter 4. Picture from http://studentweb.niu.edu/7/~Z063757/lowpass2.bmp 5. Picture from: http://www.hdwallpaperpc.com/show-wallpaper/surprised_kitten_animal_cats_kitty_little_cat_136064.html References

More Related Content

DOCX
Cisco ip phone key expansion module setup
IT Tech
 
PDF
Architecture Description Languages
Henry Muccini
 
PDF
ExperienceNow - Découvrez comment Soitec modernise son IT et gagne en agilité...
Devoteam
 
PDF
Evolution and Future of TV
Vishal Sharma
 
PDF
Never Trust Your Inputs or how to fool an ADC
Alexander Bolshev
 
PDF
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
PDF
presentation_sas2016_V3
Marina Krotofil
 
PDF
Never Trust Your Inputs
Alexander Bolshev
 
Cisco ip phone key expansion module setup
IT Tech
 
Architecture Description Languages
Henry Muccini
 
ExperienceNow - Découvrez comment Soitec modernise son IT et gagne en agilité...
Devoteam
 
Evolution and Future of TV
Vishal Sharma
 
Never Trust Your Inputs or how to fool an ADC
Alexander Bolshev
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
presentation_sas2016_V3
Marina Krotofil
 
Never Trust Your Inputs
Alexander Bolshev
 

Similar to Tools for Practical Attacks on Analog-to-Digital Conversion (20)

PPT
Analog to digital converters, adc
Saumya Ranjan Behura
 
PDF
Data Conversion: Hard Problems Made Easy - VE2013
Analog Devices, Inc.
 
PDF
Cd00004444 understanding-and-minimising-adc-conversion-errors-stmicroelectronics
vu CAO
 
PPTX
Adc &amp;dac ppt
kluniversity, A.P.
 
PDF
3BITFLASHADC
Ankit Shivhare
 
PDF
A High Speed Successive Approximation Pipelined ADC.pdf
Kathryn Patel
 
PDF
A High Speed Successive Approximation Pipelined ADC
Pushpak Dagade
 
PPT
encoding techniques abt digital data where
Rasheed673196
 
PPT
Analog-Digital-Converter in ARM Controllers
GRAJESH27
 
PPT
Analog-Digital-Converter.ppt
ssuserf2cc17
 
PPT
Analog-Digital-Converter for nyquiest model.ppt
BEVARAVASUDEVAAP1813
 
PPT
Analog-Digital-Converter.ppt
AbhishekKumarRanjan9
 
PPT
Analog-Digital-Converter.ppt
anilvasudev19
 
PDF
AVR_Course_Day6 external hardware interrupts and analogue to digital converter
Mohamed Ali
 
PPTX
Partitioning Data Acquisition Systems (Design Conference 2013)
Analog Devices, Inc.
 
PPTX
Analog to Digital converter in ARM
Aarav Soni
 
PPTX
Analog to Digital Conversion
Syed Umair
 
PDF
A to D Convertors
sangeetkhule
 
PDF
Ab cs of_adcs
hacker1500
 
PPTX
Ad and da convertor
Sandeep Kamath
 
Analog to digital converters, adc
Saumya Ranjan Behura
 
Data Conversion: Hard Problems Made Easy - VE2013
Analog Devices, Inc.
 
Cd00004444 understanding-and-minimising-adc-conversion-errors-stmicroelectronics
vu CAO
 
Adc &amp;dac ppt
kluniversity, A.P.
 
3BITFLASHADC
Ankit Shivhare
 
A High Speed Successive Approximation Pipelined ADC.pdf
Kathryn Patel
 
A High Speed Successive Approximation Pipelined ADC
Pushpak Dagade
 
encoding techniques abt digital data where
Rasheed673196
 
Analog-Digital-Converter in ARM Controllers
GRAJESH27
 
Analog-Digital-Converter.ppt
ssuserf2cc17
 
Analog-Digital-Converter for nyquiest model.ppt
BEVARAVASUDEVAAP1813
 
Analog-Digital-Converter.ppt
AbhishekKumarRanjan9
 
Analog-Digital-Converter.ppt
anilvasudev19
 
AVR_Course_Day6 external hardware interrupts and analogue to digital converter
Mohamed Ali
 
Partitioning Data Acquisition Systems (Design Conference 2013)
Analog Devices, Inc.
 
Analog to Digital converter in ARM
Aarav Soni
 
Analog to Digital Conversion
Syed Umair
 
A to D Convertors
sangeetkhule
 
Ab cs of_adcs
hacker1500
 
Ad and da convertor
Sandeep Kamath
 
Ad

Recently uploaded (20)

PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PPTX
Construction Project Organization Group 2.pptx
vj5agdales
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PDF
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
Welding lecture in detail for understanding
sahilpoonia10
 
Project quality management in manufacturing
BarMusaTetik
 
Construction Project Organization Group 2.pptx
vj5agdales
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PPT on Performance Review to get promotions
prashant593122
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
Ad

Tools for Practical Attacks on Analog-to-Digital Conversion

  • 1. Tools for Practical Attacks on Analog-to-Digital Conversion Alexander ‘dark_k3y’ Bolshev With a help from: Marina Krotofil Gabriel Gonzalez Andrey Dolgikh
  • 2. ; CAT /DEV/USER Alexander ‘dark_k3y’ Bolshev Ph.D., security consultant @ IOActive Madrid HW Lab Distributed systems researcher “the more complex & strange is the system -> the better”
  • 3. Important Disclaimer The whole presentation is mostly discussed on the first lections of ‘Control theory’ and ‘Digital Signal Processing’ university courses, so in fact it won’t be about something new.
  • 4. Quick intro to ICS + ADC problems
  • 5. Dialog with (some) ICS engineer during pentest Me: You have …vulns……vulns……vulns… and as a result I could compromise your PLC! Engineer: You will achieve nothing with it, because my monitoring system will stop you when the analog signal that is generated by this PLC will be out of 10% range. After it, backup PLC will be launched in a very short time Me: Okay... (went away crying) (some time passed) Me: But I will be back!
  • 7. Correct interpretation of data is important, because embedded and industrial control systems uses analog inputs to create the picture of controlled system’s state. ICS field level Actuators Control system Sensors Measure process state Computes control commands for actuators Adjust themselves to influence process behavior Physical Process ADCDAC
  • 8. Consider the following architecture Analog control loop Control PLC Actuator Monitoring PLC/ Logger/DAQ/Safety PLC HMI Attacker
  • 9. Consider the following architecture Analog control loop Control PLC Actuator Monitoring PLC/ Logger/DAQ/Safety PLC HMI 0V (actuator is OFF) MV – Manipulated Variable What if MV value on actuator will be different from MV value on logger? 1.5V (actuator is ON) Attacker
  • 10. Proof-of-Concept demo from the past “HMI Panel” “Control PLC” (arduino) “Actuator” (motor) “Monitoring PLC” (S7 1200) See v1_motor_arduino_vs_plcadc.m4v video
  • 11. How is it possible at all? MV is represented by analog signal! Because we’re talking not about altering the analog signal, but about altering its digital representation (conversion).
  • 13. • A device that converts a continuous physical quantity (usually voltage) to a digital number that represents the quantity's amplitude.[3] • An ADC is defined by its bandwidth (the range of frequencies it can measure) and its signal to noise ratio (how accurately it can measure a signal relative to the noise it introduces). • Bandwidth of an ADC is characterized primarily by its sampling rate, and to a lesser extent by how it handles errors such as aliasing. What is ADC? ADC Input Signal Reference Digital Representation
  • 14. Types of ADCs There are many types of ADCs, the most common are three: • Successive-approximation ADC (SAR) • Sigma-delta ADC • Pipeline (usually based on flash)
  • 15. Aliasing • Sampling frequency should follow Nyquist rule ( fs > 2f ) • Otherwise the signal will appear of false (alias) frequency
  • 16. Anti-aliasing filters: “input validation” in ADC world • Anti-aliasing filter (AAF) is a filter that is used before sampling device (e.g. ADC) to attenuate the power of signal in high frequency ranges for approximate or complete satisfying the sampling theorem (fs > 2f) • As a representative of low-pass filters (LPF) family, AAF could be characterized by cut-off frequency (fc) and stop-band frequency (fsb) [4]
  • 17. Attacks against ADCs • Frequency and phase: • Arbitrary Waveform signal, i.e. signal with waveform that could be somehow misinterpreted by ADC. (see ep.1) • High-Frequency function signal, i.e. generating sine wave with kHz or MHz frequency that could somehow be misinterpreted by ADC. • OverSampling attack against SAR (see ep.1) • Special-frequency attack against ΔΣ (see ep. 2) • Amplitude (out-of-voltage-range signal) (see ep.1)
  • 19. But how…? “HMI Panel” “Control PLC” (arduino) “Actuator” (motor) “Monitoring PLC” (S7 1200)
  • 20. …Easy! 3.3V 100 ms … while (1) { pinOutput(tip120PIN, 200); delay(395); for(i = 0; i < 20; i++){ pinOutput(tip120PIN, 0); delay(2); pinOutput(tip120PIN, 200); delay(2); } pinOutput(tip120PIN, 200); delay(495); } 2,5ms
  • 21. Siemens S7 1200 analog I/O ADC
  • 22. Siemens S7 1200 analog I/O ADC N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
  • 23. Siemens S7 1200 analog I/O ADC N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
  • 24. AWG signal against “lazy-call” ADC Val = readADC(); Sleep(Timeout); /* or doSmth(Timeout) */ Output(Val);
  • 25. But this is just Arduino, not real controller! Ok, let’s try without Arduino…
  • 26. Ok, let’s try something more real… SIMATIC S7-1200, ANALOG OUTPUT SB 1232, 1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA (11 BIT RES) Problem: no public information on real SPS for these module… 
  • 27. Ok, what’s inside? Logic buffer EEPROM OpAmp XTR300
  • 29. Let’s test for max stable SPS…
  • 30. Proof-of-Concept demo with real stuff “HMI Panel” “Control PLC” (S7 1200) “Actuator” (motor) “Monitoring PLC” (S7 1200) See v2_motor_plc_vs_plcadc.m4v video
  • 31. Signal generation SCL code https://support.industry.siemens.com/cs/document/67295964/how-in-step-7-v5-x-do-you-program-signal-generation-(rectangle-sawtooth-triangle-sinus)-using-the-cyclic-interrupts-?dti=0&lc=en-WW
  • 33. ΔΣ Modulation • Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals as found in an ADC. [7] • In Δ-modulation the change in the signal (its delta) is encoded, rather than the absolute value. The result is a stream of pulses. In ΔΣ-modulation, the accuracy of the modulation is improved by passing the digital output through a 1-bit DAC and adding (sigma) the resulting analog signal to the input signal, thereby reducing the error introduced by the Δ-modulation. [7]
  • 34. Delta-sigma ADC • ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts: analog and digital: • analog part generates a very high-frequency bitstream; • digital part creates the real number output by filtering it with digital filter and decimating it to the output samples per second value. ΔΣ Modulator Digital Low-Pass filter Decimation Filter Analog input 1-bit stream N-bit stream Output data 0 1 1 0 0 3.3 3.4 3.4 3.4 2.7 2.2 … Digital partAnalog part
  • 37. Demo: The mystery of the ΔΣ AD7706 ADC… See v3_mystery_sdadc1.mp4 video
  • 39. Possible explanation from the datasheet? • Expecting to have some noise there than, but possibly not the clear sin signal • It explains just partly, and we need some good hypothesis for all these things. In our case fCLKIN = 2.00MHz, so fs = 31250
  • 40. LP & Decimation (sinc3) filter D = N = 64 for AD7706
  • 41. USB UART Atmega328 AD7706 & Vref Signal generator Demo: The second mystery of the ΔΣ AD7706 ADC… See v4_mystery_various_signals.mov video
  • 42. Hypothesis and frustrations • Digital filter corner frequency/noise? • No, sinus too clear for it • sinc3 filter implemented in MCU and has integer overflow? • ”Artificial gain” (No PGA), but just multiplication on digital output? • That’s wrong according to chip decap image.
  • 43. • Dynamic compression? • Overflow in logic circuit? • Pole-zero cancelation in filter? Still mystery
  • 44. 31.25kHz looks too much for a successful attack DAC with s/r up to 100kHz
  • 45. Implementation Renesas R5F100bG RL78/G13 27352 bytes firmware size => 4 – 36+kB for payload
  • 46. Ok, I got it, but what else I could use for attack? Line coupling circuit (usually OpAmp/Transformer) Signal/Function Generator Two most common industrial analog line loops: • Voltage (0-10V, 0-24(28)V, 0-48V • Current (0-20mA) Aka ADC research kit for Joseph FitzPatrick 
  • 47. Voltage Signal/Function Generator: -> Si5351 + any MCU via I2C Coupling circuit: Buffer RtR OpAmp + H-V OpAmp Gain = 1 + (R2/R1) TI OPA551/OPA552 Fairchild LM358N Buffering requirement depends on signal source
  • 48. Current (0-20mA) -> Cypress PSoC http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262 CY8CKIT-049-42XX ~<10EUR MAX15006 Any suitable and cheap transistor for such current
  • 49. Other ΔΣ ADCs: ADS1015
  • 50. Cypress PSoC5 built-in ADC* What’s this? What’s that? [5] *default configuration
  • 51. Ok, let’s look at real device with behavior like ΔΣ ADC: Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O + Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 52. Very weird results for real industrial PLC: 1 -> 24Hz Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 53. 25Hz Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 54. And… 24.9Hz!!! Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 55. And… 24.9Hz!!! Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 57. *Без обид Андрей, просто действительно забавно! *
  • 58. Flex I/O vs. PowerFlex Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 59. Do we have at least one “normal” ΔΣ ADC?! Yes, e.g. MAX11205 • Sinc4 filter with no visible mistakes + postfiltering(?) • Looks very reliable Postfiltering?
  • 60. Attacks summary: what you can and what you cannot
  • 61. Summary ADC First ”attackable” f Required AAF fc Required AAF fsb Complexity SAR ADC S/H frequency (S/H frequency)/2 - easy/medium -- MCP3201 14.3kHz 7.1kHz - easy S7 1200 PLC 121Hz 60Hz 120Hz easy AB 1794-IE4XOE2* 24.9Hz 10Hz 20Hz very easy AD7705/AD7706 31250/38400 Hz - 30kHz easy ADS1015 ~86kHz 10-20kHz 50kHz medium/hard MAX11205 n/a any reasonable any reasonable ~impossible PSoC5 LP** ~1kHz 1kHz 2kHz easy * research data by Andrey Dolgikh ** incorrectly configured (default configuration) PSoC module
  • 63. Mitigations • As hardware developers/vendors: • Implement correct AA-filters in accordance to REAL characteristics of your ADC (read latest/hidden datasheets, test you ADC manually) • Remember: digital filters won’t help • As software developers (incl. firmware and PLC program development): • Introduce sampling frequency randomization in software that works with ADC • Avoid “sleepy” code • As engineer: • Implement same AA-filters all over your analog network in accordance with your OT process
  • 64. Vendors Sceptic’s replica: • We already have correct AA-filters everywhere! Are you sure?
  • 65. Reference design of industrial sensor “We included AA LPF in our design" ADC with fs ~ 2kSPS LPF with fc near 79 kHz
  • 66. Reference design of industrial transmitter “We included AA LPF in our design" ADC with fs ~ 470sps LPF with fc near 79 kHz
  • 67. But we have … AA filters... Everywhere...
  • 68. 2Vendor: also remember: digital filter won’t help • The signal is already ”compromised” by ”ADC features”, so any digital filtering after ADC won’t help you. • If you want full control, install ΔΣ modulator and implement digital part of ΔΣ-ADC manually in FPGA Analog signal Digital representation 1-bit stream
  • 69. Developer: introduce sampling frequency randomization • Certain randomness in sampling frequency will make attacker’s job much harder • Many of the discussed attacks will be much more challenging to execute • Small variation of 𝒇 𝑠 won’t degrade signal understanding process. On the contrary, it will produce a signal sample of better quality. 𝒇 𝑠 = 𝑓 + rand(△) Time V 0 http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html
  • 70. Developer: Avoid sleepy code Avoid writing/using the following code (if you don’t completely understand your process): Val = readADC(); Output(Val); Sleep(Timeout);
  • 71. • When adding LPF into an individual device, make sure that all related devices have the same cut-off frequencies • E.g. if PLC input is buffered with LPF 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and actuator equipped with LPF with 𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible, but the probability of success increases! Engineer: Use SAME AA-filters across all analog line Control PLC 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 𝒇 𝒄 = 𝟓𝒌𝑯𝒛 Monitoring PLC
  • 72. Thanksgiving service • Marina Krotofil for being a co-researcher in ep. 1 and many bright ideas • Andrey ‘@c4f3t13r3’ Dolgikh from Binghamton University, for information on Allen Bradley PLC behavior vs. different frequencies. • Guys from IOA hw lab (especially Gabriel, Ruben and Alfredo) for help and support • Fedor Savelyev for ideas and help with DSP (digital signal processing) analysis • Dmitry Nedospasov for many useful advices
  • 75. 1. https://en.wikipedia.org/wiki/Control_theory , Picture by Orzetto - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=5000019 2. Picture from: http://maxembedded.com/2011/06/the-adc-of-the-avr/ 3. Wikipedia: https://en.wikipedia.org/wiki/Analog-to-digital_converter 4. Picture from http://studentweb.niu.edu/7/~Z063757/lowpass2.bmp 5. Picture from: http://www.hdwallpaperpc.com/show-wallpaper/surprised_kitten_animal_cats_kitty_little_cat_136064.html References