Multiple vulnerabilities found in radiation monitoring gateways

Every now and then, a presentation at Black Hat throws up a security vulnerability that has been missed either because it exists in equipment researchers haven’t been paying attention to, or is simply inherently difficult to uncover.

A prime example this year was IOActive’s research on Radiation Portal Monitors (RPMs), gateways mainly used to check for the illegal trafficking of radioactive material at ports, border crossings, airports and in and out of nuclear facilities.

Little considered they might be but, as the IOActive researcher Ruben Santamarta explains, behind the scenes they matter a lot:

RPMs are a fundamental component of the policy that was implemented worldwide, especially after 9/11 in the US, to prevent the illicit trafficking of nuclear and radiological materials.

Although not able to test a portal in situ, he managed to track down publicly-available binaries for one of the sector’s equipment makers, Ludlum, which has sold 2,500 gateways in 20 countries.

After a spot of reverse engineering, Santamarta uncovered a slew of issues, including a backdoor password that could be used to disable the device’s alarms by someone with physical access.

More surprisingly, the gateways (which transmit their readings wireless or via a LAN) were found to be vulnerable to a Man-in-the-Middle (MiTM) attack that could be used to alter the readings taken from vehicles passing though the detectors. Neither of these attacks would necessarily be noticeable.

Granted, the second of these attacks would require the attacker to pass back plausible readings, which would need to be fine-tuned in advance of an attack. From the description given, this would currently be a costly and complex, although not impossible, under-taking.

Separately, vulnerabilities were found in the WRM2 protocol used in radiation monitors made by Mirion and Digi, widely deployed in nuclear power plants.

Again, being able to remotely hack radio communication would be difficult thanks to the physical shielding of in the plants themselves.

Perhaps the biggest discovery was simply the mixed initial responses of the vendors to the issues raised, responses which give the impression of an industry that isn’t used to outsiders peering in too closely. According to the paper:

  • Ludlum has acknowledged the report but believes the secure facilities where its devices are housed will prevent exploitation.
  • Mirion acknowledged the vulnerabilities and contacted customers but did not want to patch for fear of breaking WRM2 interoperability.
  • Digi acknowledged the report, but initially said it would not fix the problems as it doesn’t consider them security issues.
  • Digi and Mirion have since begun work to “patch critical vulnerabilities uncovered in the research”.

As IOActive’s Santamarta points out, it seems likely that other vendors in this space will be affected by similar flaws.

The report concludes:

These issues are not currently patched, so increasing awareness of the possibility of such attacks will help to mitigate the risks.

This is reminiscent of what happened when people started uncovering flaws in SCADA (Supervisory Control And Data Acquisition) equipment in the aftermath of the Stuxnet attack.

None of the flaws uncovered by IOActive’s research would be easy meat for hackers but the importance of radiation monitoring makes it a target worth protecting.

More independent research can only be a good thing.