U.S.-based security services firm discovers cyber vulnerabilities in radiation monitoring devices

IOActive, Inc., a “research-driven, high-end information security services” firm headquartered in Seattle, Wash., announced on Wednesday that its research has found a number of cybersecurity vulnerabilities in widely deployed radiation monitoring devices (RMDs).

RMDs are used to monitor the radiation found in critical infrastructure, such as nuclear power plants, seaports, borders, and even hospitals, IOActive explained in a press release.

The research was outlined in a white paper titled Go Nuclear: Breaking Radiation Monitoring Devices by Ruben Santamarta, principal security consultant for IOActive. The release said that “if the vulnerabilities identified are exploited, an attacker could wreak havoc on these critical systems used for monitoring radiation levels, such as falsifying measurement readings to simulate a radiation leak, tricking authorities to give incorrect evacuation directions, or increasing the time an attack against a nuclear facility or an attack involving a radioactive material remains undetected by sending normal readings to deceive operators.”

Santamarta’s research focused on testing software and hardware, firmware reverse engineering and radiofrequency analysis. In doing so, he uncovered security vulnerabilities in radiation monitoring devices from multiple vendors.

“Failed evacuations, concealed persistent attacks and stealth man-in-the-middle attacks are just a few of the risks I flagged in my research,” Santamarta said in the release. “Being able to properly and accurately detect radiation levels is imperative in preventing harm to those at or near nuclear plants and other critical facilities, as well as for ensuring radioactive materials are not smuggled across borders.”

In one case, the white paper noted that a “backdoor password” was found on one device that uses a touchscreen to interact with applications, which run a Microsoft Windows operating system. The main application running by default – supervisor.exe – implements two different privilege levels that allow technicians to perform calibration and maintenance tasks; each of these levels is protected by a configurable password.

“However, by reverse engineering the binary where this logic is implemented, a backdoor password was found,” the white paper said. “This backdoor grants the highest privilege (“Level 2”) to the attacker. As a result, malicious personnel can bypass the RPM’s [radiation portal monitor] authentication and take control of the device, which could be used to disable it, thus preventing the RPM from triggering proper alarms.”

After the discoveries, IOActive “informed the impacted vendors of the findings through responsible disclosure. All vendors acknowledged receipt of the information and despite initial responses indicating the issues would not be addressed, more recent communications from some vendors have indicated work is being done to patch the critical vulnerabilities uncovered,” the release added.