Researchers build undetectable rootkit for programmable logic controllers

The rootkit implements a new attack against a PLC's input/output interface

Researchers have devised a new malware attack against industrial programmable logic controllers (PLCs) that takes advantage of architectural shortcomings in microprocessors and bypasses current detection mechanisms.

The attack changes the configuration of the input/output pins that make up the interface used by PLCs to communicate with other devices such as sensors, valves, and motors. PLCs are specialized embedded computers used to control and monitor physical processes in factories, power stations, gas refineries, public utilities, and other industrial installations.

The attack, which will be presented at the Black Hat Europe security conference in London on Thursday, was developed by Ali Abbasi, a doctoral candidate in the distributed and embedded system security group at the University of Twente in the Netherlands, and Majid Hashemi, a research and development engineer at Quarkslab, a Paris-based cybersecurity company.

One version of the I/O attack is called pin configuration and involves the use of malicious code that switches an I/O pin's configuration from output to input, or the other way around, without the PLC's OS or programs knowing.

For example, let's take the case of a PLC that's connected to a valve and is able to open or close it by sending a signal to an I/O pin configured as output. The same PLC also receives pressure readings from a sensor through another pin that's configured as input. A program running on the PLC -- known as the PLC logic -- monitors readings from the sensor and automatically opens the valve to release pressure when needed.

Malicious code injected by an attacker into the PLC can reconfigure the output pin as input, preventing the PLC logic from writing to it and opening the valve. It can also reconfigure the input pin as output and write bogus data to it. The result will be that the PLC will report to monitoring software that it has opened the valve and that pressure is going down -- due to the false readings now supplied by the attacker -- when in fact it hasn't.

The fundamental issue is that there are no hardware interrupts for pin configuration in the systems on a chip (SoCs) used in embedded devices like PLCs, so the OS will get no error from the processor when trying to write to a pin reconfigured as input, according to Abbasi. This means the PLC logic, which runs inside a runtime environment, will not crash and will continue to act as if the operation succeeded because, in the OS virtual memory, everything will look good.

"That's the core problem here," Abbasi said. "It seems that no SoC vendors have taken pin configuration feedback into consideration, and that might not be important for other embedded systems, but for PLCs, whose main operation is with the I/O, this becomes super important and can cause problems."

Abbasi and Hashemi implemented their attack technique in a rootkit that functions as a loadable kernel module (LKM). This allows them to bypass existing host-based intrusion detection and control-flow integrity tools for embedded systems like Doppelganger and Autoscopy Jr.

"The novelty of our attack lies in the fact that to manipulate the physical process we do not modify the PLC logic instructions or firmware," the researchers said in their paper. "This can be achieved without leveraging traditional function hooking techniques and by placing the entire malicious code in dynamic memory."

The drawback of implementing the rootkit as an LKM -- essentially a driver -- is that deploying it requires root privileges. Because of this, the researchers also developed a version of the attack that uses existing features of the PLC runtime to reconfigure the pins, and this variant can be implemented by exploiting any memory corruption vulnerability that allows loading malicious code directly into dynamic memory.

Another attack technique targets a feature called pin multiplexing that allows the use of the same pins for different interfacing modes in addition to GPIO (general purpose input/output). The functionality of a pin can be re-assigned during runtime and again, there is no feedback to tell the OS something has happened.

"Let's say you're using a pin to connect to a motor and manage it via a pulse width modulation (PWM) controller inside the CPU," Abbasi said. "In the attack, what we do is multiplex that pin and change its functionality to something else, but the CPU doesn't tell the memory management unit (MMU), which translates virtual addresses into physical addresses, that the physical address that corresponds to that pin is no longer available. The MMU will continue to try to write to it, the CPU will ignore the request, but won't give back any error, and that's crazy because the PLC will still think that the motor is accessible."

According to Abbasi, we're not likely to see these kinds of I/O attacks in the wild soon, because there are currently easier ways to compromise PLCs. However, as vendors build the next generation of PLCs with better built-in security, it's important to keep in mind that firmware and logic manipulations are not the only attack options available to hackers.

Also, it's not only PLCs that are vulnerable to I/O attacks but all embedded devices for which I/O operations are critical, such as the electronic control units (ECUs) used in cars or the intelligent electronic devices (IEDs) used in the electric power industry.

In their paper, the researchers propose two research directions for new techniques that could be used to detect I/O attacks. They plan to use these as the basis for their future work.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection


Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments





Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?