Flaws in Radiation Monitoring Devices, Vendors decline to fix them

Ruben Santamarta, the principal security consultant for IOActive, has found various Black Hat vulnerabilities in multiple product models of nuclear Radiation Monitoring Devices (RDMs) from three vendors, including Digi, Ludlum and Mirion, who when contacted by the researcher, declined to fix the reported flaws, each for various reasons.
According to research unveiled at Black Hat USA 2017 on Wednesday, these flaws present a potential mechanism for triggering false alarms and worse. Santamarta’s research, which is accompanied by a whitepaper, focused on testing software and hardware, firmware reverse engineering and radio frequency analysis.
Santamarta says he tested various radiation monitor models, from massive car and human scanning portals to small sensor boxes that engineers pin on walls across a nuclear power plant’s building complex.
RDMs are used to monitor the radiation found in critical infrastructure, such as nuclear power plants, sea ports, borders, and even hospitals. While these are edge case scenarios, radiation monitors are generally used to detect when nuclear power plant employees try to smuggle radioactive material out of their compound, and when someone attempts to cross the border with radioactive equipment and/or materials. 
However, like many Internet of Things devices, security shortcomings provide a means to subvert their operation. This type of equipment is quite critical as it provides an early alarm system for radiation spikes in nuclear power plants, but also the presence of dirty bombs in a city’s range.
Inspection of software that ships with the Model 53 Gamma Personnel Portal from Ludlum revealed a backdoor password. “As a result, malicious personnel can bypass the RPM’s authentication and take control of the device, which could be used to disable it, thus preventing the RPM from triggering proper alarms,” Santamarta warned.
Ludlum’s gate monitors – Model 4525 – for vehicle inspection, lack any security measure for data communication. Any attacker on the adjacent network can change the device’s network settings, which opens the door to multiple attacks. Worse yet, the device communicates via cleartext, so attackers would be able to falsify readings, disable alarms, or perform any other originally supported operation.
Attackers could falsify measurement readings to simulate a radiation leak, tricking authorities to give incorrect evacuation directions, or increasing the time an attack against a nuclear facility or an attack involving a radioactive material remains undetected by sending normal readings to deceive operators.
“Failed evacuations, concealed persistent attacks and stealth man-in-the-middle attacks are just a few of the risks I flagged in my research,” said Santamarta. “Being able to properly and accurately detect radiation levels, is imperative in preventing harm to those at or near nuclear plants and other critical facilities, as well as for ensuring radioactive materials are not smuggled across borders.”
Santamarta says he contacted all three vendors. Below are the responses he got from the manufacturers:
Digi acknowledged the report, but will not fix the issues as they do not consider them security issues.
Ludlum acknowledged the report, but refused to address the issues. According to them, these devices are located in secure facilities, which is enough to prevent exploitation.
Mirion acknowledged the vulnerabilities, but will not patch them as it would break WRM2 interoperability. Mirion contacted their customers to warn of this situation. They will work in the future to add additional security measures.

Leave a Reply