How long does it take to solve a vulnerability in OT which is “instantly solved” in IT?

It is well known that OT (Operational Technology) and IT (Information Technology) have different paces when dealing with new technologies. Indeed, several reports and case studies expose the main reasons for this friction in IT/OT convergence. However, detailed information on how these different approaches affect daily operations is always welcome. Here is what the #kickstarters19 Cyber company enigmedia has to say about this:

We have studied how a critical vulnerability is managed by IT manufacturers and how the fix is adopted by end users, compared with the same “roadmap” in the OT landscape. The results show that, on the one hand, most IT manufacturers solve bugs before they are publicly announced while, on the other hand, they are not yet notified to OT vendors’ CERTs.

As an example, we have taken one of the lectures given at the last Lightweight Cryptography Day, held at Bar-Ilan University in April 2019. The lecture was about the fixed-coordinate invalid curve attack, a new variant of the Invalid Curve Attack in which the authors exploit the ability to forge low-order public keys in ECDH (Elliptic Curve Diffie-Hellman), a widely used key-exchange protocol.

Bluetooth, in its 4.X version, adopts ECDH for key agreement. ECDH is a well-known and secure cryptographic protocol. However, this attack takes advantage of a flaw in its implementation.

Gerard Vidal, CSO enigmedia, pitching to the Kickstart audience
(photo by Andrea Brunner, Ringier)

By exploiting this vulnerability, an attacker can take full control of the communication between two devices connected by Bluetooth (BT). This flaw appears on most of the chipsets with any of the Bluetooth protocols implemented on them, independent of the firmware version. Nowadays, BT is widely used in IT and OT systems, such as wearables, cars, home automation, medical devices and industrial sensors and bridges. Usually, BT has a range from 10m (33 ft) to 100m (330 ft).

The Attack

The ECDH public key is composed of two values, or coordinates, (x, y) that represent a point on an elliptic curve. Due to its mathematical properties, (x,0) is always invariant. The attack requires intercepting a message during pairing in order to set the y-coordinate to zero. By doing this, it is possible to obtain the secret key by attacking the key exchange, with a success rate of 25%. This rate goes up to 50% when the key-derivation phase is also attacked.

It is out of the scope of this post to explain the details of how ECDH works and we refer to the original paper for details, but the main idea behind the attack is taking advantage of an invariant solution. 

In a nutshell, there may be a “default” key that works most of the time. Using a “PIN analogy”: trying the password 0000 works 1 out of 2 times. The solution is not complicated from a mathematical point of view. Following the same analogy, it is enough to check that 0000 was not the password used during the key agreement.
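In concrete terms, the check is public-key validation: before deriving the shared secret, the receiver confirms that the peer's (x, y) actually satisfies the curve equation. The sketch below is an added example, not code from the original post or from any Bluetooth stack; it assumes the NIST P-256 curve, and the 64-byte X||Y little-endian payload layout and all function names are illustrative assumptions.

```python
# Added example: validate a peer's ECDH public key on NIST P-256
# before it is ever used in the key agreement.

P = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime of P-256
A = P - 3                                         # curve coefficient a = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def parse_public_key(payload: bytes, byteorder: str = "little"):
    """Split a 64-byte X||Y payload (layout assumed for this example)."""
    if len(payload) != 64:
        raise ValueError("public key payload must be 64 bytes")
    x = int.from_bytes(payload[:32], byteorder)
    y = int.from_bytes(payload[32:], byteorder)
    return x, y


def validate_public_key(x: int, y: int):
    """Return (ok, reason). Reject anything that is not a point on P-256."""
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of range"
    # Curve equation: y^2 = x^3 + a*x + b (mod p)
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False, "point not on curve"
    return True, "ok"


def accept_pairing_key(payload: bytes):
    """Gate for the pairing code path: parse, then validate."""
    x, y = parse_public_key(payload)
    return validate_public_key(x, y)


def encode(x: int, y: int) -> bytes:
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


# Constructed sample inputs: the curve generator stands in for an honest key.
HONEST = encode(GX, GY)
# Same x, but y forced to zero in transit, as described in the post.
# P-256 has prime order, so no point with y = 0 lies on the curve.
TAMPERED = HONEST[:32] + bytes(32)

if __name__ == "__main__":
    print("honest  :", accept_pairing_key(HONEST))
    print("tampered:", accept_pairing_key(TAMPERED))
```

A device that aborts pairing whenever this check fails never computes a shared secret from a key whose y-coordinate was zeroed.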

Press released in August 2018

This vulnerability (CVE-2018-5383), affecting BT 4.X, was reported to the Bluetooth SIG and to main OS manufacturers like Google, Apple, Broadcom, Intel, and others. They have developed and released patches to correct it. For instance, Apple fixed this bug in High Sierra, released in July 2018.

However, this vulnerability is much more difficult to correct in the OT landscape (i.e. factories, utilities, smart cities), because OT network managers are reluctant to update their systems in order to avoid any production downtime. The risk is real. There are more than 100 Million Bluetooth industrial sensors installed in smart factories and nearly 1 Billion sensors in homes and cities that could be vulnerable.

The #kickstarters19 Cybersecurity batch 2019 with their Vertical Lead Fabian Wabbel.
(photo by Thomas Meier, Ringier)

To give an idea of the magnitude of this issue, Trend Micro recently highlighted that 65% of manufacturers run outdated operating systems. So, how are different OSs and manufacturers dealing with this vulnerability? Let’s go into details.

The Debian Linux distribution has had an update in unstable since August 1st, 2018, and the SUSE patch appeared in mid-February 2019.

Siemens uses Windows OS in several of their portfolio PC Boxes and does not provide any patch from its CERT. Siemens also delivers its own OS for Simatic IOT20X0 gateways, and no patch is available to correct this vulnerability.

Windows, which is one of the most widely used OSs in industrial systems, still does not support BT 4.X, which is even worse because older versions of BT are weaker and their vulnerabilities are well known. One of the first attacks on Bluetooth, which still affects BT 3.X, appeared in a paper published in 2013 by Mike Ryan, pointing out that BTLE “Legacy Pairing” is vulnerable to an eavesdropping attack. Legacy Pairing is protected by a 6-digit decimal mutual temporary key. The attack recovers the session key by exhaustively searching through all million possible temporary keys. The author also released CrackLE, open-source software that recovers the session key from captured Legacy Pairing traffic. Currently, there is also a pentesting tool available for the Kali Linux distribution that makes it easy to replicate the attack.

GE, Omron, Emerson and others also provide products with Bluetooth connectivity, but they do not provide any patch for this issue.

How can we fix this flaw?

Avoiding this attack requires updating the software installed on the gateway or industrial device (i.e. PLCs) to which the Bluetooth sensors are connected. If gateway/PLC manufacturers do not offer a firmware update, then it is recommended to deploy new sensor gateways that correct this vulnerability. Very critical processes depend on this. We encourage manufacturers and users to do it, as this is a highly significant vulnerability.

by Gerard Vidal, CSO enigmedia
