Software vulnerabilities in sensors used by many oil and gas companies to monitor industrial processes are leaving these businesses vulnerable to potential remote attacks using radio waves, according to a computer security research firm.
A Web-based compromise may result in monetary losses for an attack target, but the impact of a sensor attack on an energy company could result in loss of lives, warned Carlos Mario Panagos, a researcher for IOActive.
Security software adds threat detection, forensics
Panagos and fellow researcher Lucas Apa said that while the United States, Canada and other nations have been focusing in securing industrial control systems, many of these Internet-connected systems may not have gone through thorough security audits.
In a study of sensors manufactured by three major wireless automations systems makers, the they found that sensors typically communicate with a company’s network using radio transmitters on the 900MHz or 2.4Ghz bands. The sensors use the bands to report operation details on remote locations.
Many of the sensors tested contained weaknesses ranging from weak cryptography keys, software flaws and configuration errors.
In one instance, the researchers found that sensors shipped with identical cryptographic keys. This could lead to several companies using the device to sharing the same security keys.
The researchers also found that it was possible to modify monitor readings and disable sensors from up to 64 kilometers away.