Black Hatters Target Industrial Wireless Sensor Networks #wireless #WirelessHART #ISA100 #Zigbee

Jan. 1, 2000

At Black Hat this week, two researchers from IOActive, Lucas Apa and Carlos Penagos, presented a paper and slide presentation entitled, "Compromising Industrial Facilities from Forty Miles Away."

I've read the paper and seen the slides, although I didn't hear the actual presentation at Black Hat. I have some comments.

They discussed 802.15.4 devices, but focused on two proprietary protocols and one that may be a product that is obsolete and no longer manufactured. One of the proprietary protocols (they called it Vendor 1) has a very small footprint in process automation, and even in factory automation it isn't large. Vendor 3 is also a proprietary protocol device family, built on the 802.15.4 platform.

Apa and Penagos concentrated on Zigbee, which has extremely well known security problems, but they mentioned IEC 62591 WirelessHART and ISA100.11a as though they share the same problems. In fact, the reason the ISA100 committee and the team that built WirelessHART didn't use Zigbee was precisely these vulnerabilities and instabilities in that protocol.

Zigbee has a very small footprint in manufacturing, being confined to building automation and some Smart Grid applications.

I have gone to all of the vendors mentioned and asked for statements. Should I get any, I will reveal who the vendors are. If you see the slides, you can pretty easily see who the three vendors are, even though the devices are barely disguised.

I have a problem with presenting poorly researched papers like this and hyping them the way these presenters did. It isn't stated anywhere in the paper what the "forty miles away" figure means, and their discussion did not clearly separate the differences between the protocols they discussed, or dissed.

There's a word for cyber researchers like this: irresponsible.

It would be excellent to have them contact me and discuss this, but I bet they won't.
