Today the DHS ICS-CERT published a new control system security advisory for products from Fatek. They also published a control system security alert for a class of micro-electromechanical systems (MEMS) accelerometer sensors from a number of vendors.
This advisory describes a stack-based buffer overflow in Fatek PLCs. An anonymous researcher reported the vulnerability via the Zero Day Initiative (ZDI). Fatek has produced a new version that mitigates the vulnerability. There is no indication that the anonymous researcher has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the affected device or achieve remote code execution.
The Fatek release note for the new version of the Fatek Ethernet Module Configuration Tool used in these devices explains that there were two separate changes responding to apparently separate vulnerabilities. It is not clear from the release note whether both are necessary to mitigate the vulnerability listed in the ICS-CERT advisory or whether there is another vulnerability that was not reported by ICS-CERT.
MEMS Accelerometer Alert
This alert describes a publicly disclosed vibration-based design flaw in a number of MEMS accelerometers from a variety of manufacturers. ICS-CERT does not identify the vulnerability reporter, but the alert appears to be based upon a paper that will be presented at the IEEE European Symposium on Security & Privacy, Paris, France, April 2017 by Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu.
According to ICS-CERT:
“According to public reporting, the design flaws may be exploitable by playing specific acoustic frequencies in close proximity to devices containing embedded capacitive MEMS accelerometer sensors. At a specific acoustic frequency it may be possible to induce a vibration within vulnerable accelerometers to alter the sensors’ output in a predictable way. The impact of exploitation would be dependent on the function and operation of host devices, but it is understood that during an attack it may be possible to render affected sensors inoperable. This could result in a denial of service for host devices. During a successful attack, the integrity of measured data by vulnerable sensors could also be compromised. In the worst case attack scenario, it may be possible for an attacker to control sensor output data in a predictable way to achieve some level of control over a host device that primarily operates on unvalidated sensor data.”
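The last sentence of that quote is the defender's lever: a host that validates its accelerometer stream can at least notice when a sensor is saturated or is emitting a single tone above anything real motion could produce. The following is an added example, not code from ICS-CERT, the paper, or Bosch; the sample rate, full-scale range, motion band, thresholds and the injected-tone frequency are all constructed assumptions for illustration.

```python
import cmath
import math
import random

FS_HZ = 1000.0               # sample rate of the constructed sensor stream (assumption)
WINDOW = 256                 # samples analysed per check
FULL_SCALE_G = 2.0           # sensor rail; readings clip at +/- this value (assumption)
MOTION_BAND_HZ = 50.0        # highest frequency expected from real mechanical motion (assumption)
PEAK_SHARE_THRESHOLD = 0.6   # one spectral bin carrying this share of AC power is suspicious
RAIL_FRACTION_THRESHOLD = 0.05

def check_window(samples):
    """Return findings for one window of accelerometer readings (in g)."""
    findings = []
    n = len(samples)
    # 1. A sensor driven into resonance may pin its output at the rail ("rendered inoperable").
    railed = sum(1 for s in samples if abs(s) >= FULL_SCALE_G)
    if railed / n >= RAIL_FRACTION_THRESHOLD:
        findings.append("saturated")
    # 2. Acoustically induced resonance shows up as a narrowband tone above the motion band.
    mean = sum(samples) / n
    ac = [s - mean for s in samples]                     # drop DC (gravity / static tilt)
    power = []                                           # plain DFT, pure Python, half spectrum
    for k in range(1, n // 2):
        x = sum(ac[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        power.append((abs(x) ** 2, k))
    total = sum(p for p, _ in power)
    if total > 0:
        peak_power, peak_bin = max(power)
        peak_hz = peak_bin * FS_HZ / n
        if peak_hz > MOTION_BAND_HZ and peak_power / total >= PEAK_SHARE_THRESHOLD:
            findings.append(f"narrowband tone at {peak_hz:.0f} Hz")
    return findings

def constructed_stream(tone_hz=None, tone_g=0.0, seed=1):
    """Constructed data: a resting sensor (1 g on its axis plus noise), optionally with an
    injected tone standing in for resonance. The tone is placed on a DFT bin for clarity."""
    rng = random.Random(seed)
    out = []
    for t in range(WINDOW):
        s = 1.0 + rng.gauss(0, 0.02)
        if tone_hz is not None:
            s += tone_g * math.sin(2 * math.pi * tone_hz * t / FS_HZ)
        out.append(max(-FULL_SCALE_G, min(FULL_SCALE_G, s)))   # model the sensor's clipping
    return out

if __name__ == "__main__":
    tone = 51 * FS_HZ / WINDOW                               # ~199 Hz, constructed
    for label, stream in [("resting", constructed_stream()),
                          ("tone 0.5 g", constructed_stream(tone, 0.5)),
                          ("tone 1.5 g", constructed_stream(tone, 1.5))]:
        print(label, check_window(stream))
```

Real deployments would tune the band and thresholds to the host's physics and, where possible, cross-check against a second sensor on a different axis or of a different type.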
One device manufacturer, Robert Bosch GmbH, has already produced a vulnerability advisory for MEMS accelerometers that it produces. ICS-CERT is working with other vendors to identify a list of affected products that use the affected capacitive MEMS accelerometers and to determine each vendor’s mitigation plan.
The ICS-CERT failure to identify the source of the public disclosure in this particular alert is extremely short-sighted. I understand their desire to encourage coordinated disclosures, but I have never thought that failing to give credit where it is due served that purpose well. In this case this is an academic paper for a vulnerability that looks like it will take a great deal of effort to effectively exploit, particularly in an ICS environment. Failing to provide the details of the vulnerability (through a link to the original paper) is a disservice to the ICS community.
To make matters worse, from a coordinated disclosure point of view, the vulnerability apparently affects nearly all MEMS accelerometer manufacturers. There would be no effective way to really coordinate the disclosure with all of the potential vendors. Further, I expect that many solutions are going to depend upon actions of other vendors that actually employ the accelerometers in their equipment.
Oh, and by the way, the original paper was publicly disclosed today in a NY Times article.
ICS-CERT really does need to get out a revision to this alert that gives specific credit, and a link to the paper, to the discoverers of this vulnerability.
Oh, in another cute by the way, this vulnerability already has a cute name – WALNUT.