I recently wanted to understand why a product, which was certified following multiple different standards was so easy to pwn. Thus, I got to read a few standards..yay… Here a few random thoughts.
IEC 62443 and Security Level
IEC 62443 states five different security levels
Security Level 0: No special requirement or protection required. Security Level 1: Protection against unintentional or accidental misuse. Security Level 2: Protection against intentional misuse by simple means with few resources, general skills and low motivation. Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation. Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge and high motivation.
(quoted from Wikipedia)
Interestingly, as I was told, SL3 and SL4 are not intended to be applied to a single component, but only to complete systems. Thus, doing things correctly a single part, even a functional add-on, should only be designed to achieve protection against a script kiddie (SL2). Which, well, is awesome for attackers.
When having a discussion on the topic the “few resources” are ok, there are lot of hacks you can do with 100€..200€. Even the general skills (using YouTube ought to be a general skill) are easily justified. BUT, what is low motivation? While “following a publicly available set of instructions” is general skill, where does low motivation end? Do I have more than “low motivation” when I give it a second try after failing once? Is it still low motivation, when I need to use my general skill “reading” for utilizing a book? Do I need to roll a D20 to check whether I have low, medium or high motivation?
When rating real world attacks and tools and tutorials, one will very quickly need something between the script kiddie and the professional attacker. I.e. attackers who are able to modify and adjust existing tools, might not be able to develop the attack method themselves. Or, the other approach, are these “professional attackers” part of SL4 and as such in the same category as nations states? One approach I found used Common Criteria as a practical method to rate the SLs, sadly they maxed out at >14points for SL3 and simply said SL4 was out off scope :-(
Being up to Date for Estimations
One industrial standard I read had a decision tree to help one work out whether error detecting codes (i.e. CRC) or actual cryptographic signatures were necessary. The first branch offered the options “only authorized access” and “unauthorized access cannot be ruled out”. I guess for most security-oriented readers the chosen option will usually be the second one, with just a few well defined exceptions for the first one.
Now from an engineering perspective, when one has just spent a few months on developing a circuit to run a proprietary RF protocol with some fancy modulation, well it might feel as if “only authorized access” is the correct choice. You need a custom circuit, need to be able to demodulate the transmission, need to know the actual structure of the messages…
The standard I read is from 2011 which is around a year before Michael Ossmann and GreatScottGadgets released their HackRF jawbreaker and somehow triggered a revolution in RF hacking by releasing an affordable Software Defined Radio platform. (Not to forget the RTL-SDR sticks which had already made the RX part generally available). Since then hacks, tools and platforms have become more and more available and easy to use.
So while in 2011 a USRP costing roughly above $2000 could not be called “generally available”, the $300 HackRF just made a significant difference (at least to a lot of people I know). Still, in 2021, RF is surrounded by a cloud of magical mist and very often just being treated “as secure” or “just to complicated to be practically attacked”. Especially as there are now a few shops selling cheap HackRF copies for around $100.
Addresses & Security and RF
There are a few standards that enforce the use of unique address and limited or defined address spaces, interestingly, in the ones I’m just reading the address parameters are treated as security features. But how do addresses actually help in the real world?
- If I don’t know the target’s address I can’t talk to the target. -> Easy and makes sense
- If I don’t know/can’t spoof the source’s address the target will ignore my message. -> Easy and makes sense 2.1. Or if I can spoof the source address the response won’t reach me -> Makes sense, might be an issue (i.e. working with TCP/IP)
So we need the source address and the target address and as such need access to the communication between both devices (initial data collection), which for wired, air-gapped systems will be quite a challenge! For RF systems on the other hand messages are physically broadcasted with certain limits in range and direction. But if you’re in the right place at the right time, well, the message will just be thrown at you. So, if you can receive the message and you can understand it (demodulate it) you’ll have access to all necessary information. Let’s also say, when you can receive and demodulate, you can also modulate and transmit (or just replay ;-) ). In this situation the use of addresses makes no difference whatsoever. The attacker either has access to all necessary information or to none of it. Obviously, if the message where encrypted, things would get harder, but would it then be the addresses that made the difference or the encryption? Or the combination?