Researchers build undetectable rootkit for programmable logic controllers

The rootkit implements a new attack against a PLC's input/output interface

Researchers have devised a new malware attack against industrial programmable logic controllers (PLCs) that takes advantage of architectural shortcomings in microprocessors and bypasses current detection mechanisms.

The attack changes the configuration of the input/output pins that make up the interface used by PLCs to communicate with other devices such as sensors, valves, and motors. PLCs are specialized embedded computers used to control and monitor physical processes in factories, power stations, gas refineries, public utilities, and other industrial installations.

The attack, which will be presented at the Black Hat Europe security conference in London on Thursday, was developed by Ali Abbasi, a doctoral candidate in the distributed and embedded system security group at the University of Twente in the Netherlands, and Majid Hashemi, a research and development engineer at Quarkslab, a Paris-based cybersecurity company.

One version of the I/O attack is called pin configuration and involves the use of malicious code that switches an I/O pin's configuration from output to input, or the other way around, without the PLC's OS or programs knowing.

For example, let's take the case of a PLC that's connected to a valve and is able to open or close it by sending a signal to an I/O pin configured as output. The same PLC also receives pressure readings from a sensor through another pin that's configured as input. A program running on the PLC -- known as the PLC logic -- monitors readings from the sensor and automatically opens the valve to release pressure when needed.

Malicious code injected by an attacker into the PLC can reconfigure the output pin as input, so the PLC logic can no longer write to it to open the valve. It can also reconfigure the input pin as output and write bogus data to it. The PLC will then report to monitoring software that it has opened the valve and that pressure is falling -- because of the false readings now supplied by the attacker -- when in fact it has not.

The fundamental issue is that there are no hardware interrupts for pin configuration in the systems on a chip (SoCs) used in embedded devices like PLCs, so the OS will get no error from the processor when trying to write to a pin reconfigured as input, according to Abbasi. This means the PLC logic, which runs inside a runtime environment, will not crash and will continue to act as if the operation succeeded because, in the OS virtual memory, everything will look good.

"That's the core problem here," Abbasi said. "It seems that no SoC vendors have taken pin configuration feedback into consideration, and that might not be important for other embedded systems, but for PLCs, whose main operation is with the I/O, this becomes super important and can cause problems."

Abbasi and Hashemi implemented their attack technique in a rootkit that functions as a loadable kernel module (LKM). This allows them to bypass existing host-based intrusion detection and control-flow integrity tools for embedded systems like Doppelganger and Autoscopy Jr.

"The novelty of our attack lies in the fact that to manipulate the physical process we do not modify the PLC logic instructions or firmware," the researchers said in their paper. "This can be achieved without leveraging traditional function hooking techniques and by placing the entire malicious code in dynamic memory."

The drawback of implementing the rootkit as an LKM -- essentially a driver -- is that deploying it requires root privileges. Because of this, the researchers also developed a version of the attack that uses existing features of the PLC runtime to reconfigure the pins, and this variant can be implemented by exploiting any memory corruption vulnerability that allows loading malicious code directly into dynamic memory.

Another attack technique targets a feature called pin multiplexing that allows the use of the same pins for different interfacing modes in addition to GPIO (general purpose input/output). The functionality of a pin can be re-assigned during runtime and again, there is no feedback to tell the OS something has happened.

"Let's say you're using a pin to connect to a motor and manage it via a pulse width modulation (PWM) controller inside the CPU," Abbasi said. "In the attack, what we do is multiplex that pin and change its functionality to something else, but the CPU doesn't tell the memory management unit (MMU), which translates virtual addresses into physical addresses, that the physical address that corresponds to that pin is no longer available. The MMU will continue to try to write to it, the CPU will ignore the request, but won't give back any error, and that's crazy because the PLC will still think that the motor is accessible."
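As an added illustration, not code from the article or from the researchers, the following Python model reproduces the two conditions described above: a GPIO write that is silently dropped once a pin's direction or mux setting no longer matches what the PLC logic assumes (the valve/pressure-sensor case under pin configuration, and the motor-on-PWM case under pin multiplexing), and a defender-side read-back check that compares the live pin configuration against a baseline recorded at commissioning time. The register layout, the pin names, the `PinMode` values and the check routines are constructed assumptions for illustration, not any vendor's SoC or any PLC runtime's API.

```python
from dataclasses import dataclass, field
from enum import Enum


class PinMode(Enum):
    """Direction/mux setting of one pin (constructed: mirrors the article's
    GPIO output, GPIO input and an alternate PWM function)."""
    OUTPUT = "gpio-output"
    INPUT = "gpio-input"
    PWM = "pwm"


@dataclass
class GpioBank:
    """Minimal model of a memory-mapped GPIO bank. `mode` stands in for the
    direction and pin-mux registers, `line` for the level actually present on
    the wire. As the article describes for real SoCs, a write to a pin that is
    not in OUTPUT mode is silently discarded: no status bit, no interrupt."""
    mode: dict
    line: dict = field(default_factory=dict)

    def write(self, pin, level):
        if self.mode[pin] is PinMode.OUTPUT:
            self.line[pin] = level
        # Any other mode: the write disappears and the caller is not told.

    def read(self, pin):
        return self.line.get(pin, 0)


def plc_logic_step(bank, pressure_pin, valve_pin, threshold):
    """The naive PLC logic from the article's example: if the sensor reads
    above the threshold, command the valve open and report success. It trusts
    the write because the hardware gives it no reason not to."""
    if bank.read(pressure_pin) > threshold:
        bank.write(valve_pin, 1)
        return "valve opened"
    return "idle"


def check_pin_config(bank, baseline):
    """Defender-side check (an assumed routine, not from the paper): compare
    the live direction/mux setting of every pin with the configuration
    recorded at commissioning time and return the pins that drifted."""
    return sorted(pin for pin, expected in baseline.items()
                  if bank.mode.get(pin) is not expected)


def verified_write(bank, pin, level):
    """Write, then confirm the pin is still an output and the wire carries
    the commanded level. True only when both hold."""
    bank.write(pin, level)
    return bank.mode[pin] is PinMode.OUTPUT and bank.read(pin) == level


def demo():
    # Constructed pin assignment: valve actuator, pressure sensor, motor on PWM.
    baseline = {"valve": PinMode.OUTPUT, "pressure": PinMode.INPUT, "motor": PinMode.PWM}
    bank = GpioBank(mode=dict(baseline), line={"pressure": 90, "valve": 0})
    results = {}

    # Healthy system: the logic opens the valve and the wire really changes.
    results["healthy"] = (plc_logic_step(bank, "pressure", "valve", 80), bank.read("valve"))
    bank.line["valve"] = 0

    # Simulated pin-configuration drift: the valve pin now reads as input.
    # Only the register value is changed here; how that happens is out of scope.
    bank.mode["valve"] = PinMode.INPUT
    results["tampered_logic"] = (plc_logic_step(bank, "pressure", "valve", 80), bank.read("valve"))
    results["tampered_verified"] = verified_write(bank, "valve", 1)

    # Simulated pin-multiplexing drift: the motor pin has left PWM mode.
    bank.mode["motor"] = PinMode.INPUT
    results["drift"] = check_pin_config(bank, baseline)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the tampered run the naive logic still returns "valve opened" while the wire stays at 0, which is exactly the silent failure the article describes; `verified_write` and `check_pin_config` catch it only because they read the configuration back rather than trusting the write. The caveat a practitioner should keep in mind is that such a read-back runs on the same OS a kernel-resident rootkit controls, so it raises the bar without settling the problem, which is why the article treats detection as open research.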

According to Abbasi, we're not likely to see these kinds of I/O attacks in the wild soon, because there are currently easier ways to compromise PLCs. However, as vendors build the next generation of PLCs with better built-in security, it's important to keep in mind that firmware and logic manipulations are not the only attack options available to hackers.

Also, it's not only PLCs that are vulnerable to I/O attacks but all embedded devices for which I/O operations are critical, such as the electronic control units (ECUs) used in cars or the intelligent electronic devices (IEDs) used in the electric power industry.

In their paper, the researchers propose two research directions for new techniques that could be used to detect I/O attacks. They plan to use these as the basis for their future work.


Lucian Constantin

IDG News Service