[dcg 25] Александр Большев - never trust your inputs or how to fool an adc
TRANSCRIPT
![Page 1: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/1.jpg)
NEVERTRUSTYOURINPUTS:CAUSING'CATASTROPHICPHYSICALCONSEQUENCES'
FROMTHESENSOR(ORHOWTOFOOLADC)
![Page 2: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/2.jpg)
;CAT/DEV/USER
2
Alexander@dark_k3yBolshev,Ph.D.SecurityConsultant@IOActiveAssistantProfessor@SPbETU “LETI”
Co-researcher:Marina @marmushaKrotofilSecurityResearcher@HoneywellSec
![Page 3: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/3.jpg)
3
AGENDA
q Problemstatementq Analog-to-DigitalConverters(ADC)q “Racing”withADCclockq Invalidamplituderangeofsignalq AttackvectorsinICSqMitigations
![Page 4: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/4.jpg)
Workstation
Workstation
Firewall
ModemOperatorConsole
Firewall
SQLServer
PLC
RTU
Maintenance
FileServer
Webserver
Corporate LAN
SCADAnetwork
Webservices
Active Directory
SensorVentil
Active Directory
EngineeringWorkstation
Process LAN
4
Physical application
INDUSTRIALCONTROLSYSTEMS
![Page 5: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/5.jpg)
5
PROCESSCONTROLINANUTSHELL
Actuators
Controlsystem
Physical process Sensors
Measureprocessstate
Computescontrolcommandsforactuators
Adjustthemselvestoinfluence
processbehavior
![Page 6: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/6.jpg)
6
IMPACTOFIMPROPERSIGNALPROCESSING
http://www.co
ntrolglobal.com
/blogs/unfettered/marina-krotofils-presentation-on-
how-to
-hack-a-chem
ical-plant-and-its-implica
tion-to-actual-issues-at-a-nuclear-plant/
q Twoidenticallybuiltnuclearplants.Onehadflowinducedvibrationissue.Andanotherdidnot.
q Thevibrationsindicationshoweditselfashf noise- Fieldengineerhasfilteredthesignaltogetridofannoyingnoise- Lossofviewintovibrationissue
Equipmentdamageatnuclearplant
![Page 7: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/7.jpg)
Workstation
Workstation
Firewall
ModemOperatorConsole
Firewall
SQLServer
PLC
RTU
Maintenance
FileServer
Webserver
Corporate LAN
SCADAnetwork
Webservices
Active Directory
SensorVentil
Active Directory
EngineeringWorkstation
Process LAN
7
Catastrophic consequences
REASONTOSECURECONTROLSYSTEMS
![Page 8: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/8.jpg)
8
PROCESSMONITORING
CONTROLSYSTEM PROCESSOPERATOR OPERATORCONSOLE(HMI)
![Page 9: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/9.jpg)
9
CONSIDERAFIELDARCHITECTURE
Analog control loop
Control PLC
Actuator
Safety PLC/Logger/DAQ/SIS
HMI
0V (actuator is OFF)
MV – Manipulated Variable
qWhatifMV valueonactuatorwillbedifferentfromMV valueonlogger?
1.5V (actuator is ON)
![Page 10: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/10.jpg)
10
BUTIT’SANALOGCONTROLLINE!
Areyousure?
q It’simpossibletohavetwodifferentMVs onthesamelineatthesametime!
![Page 11: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/11.jpg)
DEMOSETUP
11
“HMI Panel”
“Control PLC”(arduino)
“Actuator”(motor)
“Safety PLC”(S7 1200)
![Page 12: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/12.jpg)
12
DEMO1
DEMOVIDEO-- Twodevices,twodifferentMVs--
![Page 13: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/13.jpg)
13
![Page 14: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/14.jpg)
INTROTOANALOG-TO-DIGITALCONVERTERS (ADC)
![Page 15: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/15.jpg)
15
WHATISADC?
q Convertsacontinuousanalogsignal(voltageoramperage)toadigitalnumberthatrepresentssignal'samplitude
t
x(t)
![Page 16: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/16.jpg)
16
ADCINANUTSHELL
Quantizing&
Encoding
…
• Frequency• Phase• Amplitude
Sampling & Holding (S/H) circuit
Resolution
MSBADC
Clock
uI(t)
VREF
uI’(t)fs Dn-1
D1D0
Conversion time
Input signal
![Page 17: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/17.jpg)
17
EXPLOITABLEADCDESIGNCONSTRAINS
q SamplingfrequencyshouldfollowNyquistrule( >2B)-Otherwisethesignalwillappearoffalse (alias) frequency
fs
![Page 18: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/18.jpg)
18
EXPLOITABLEADCDESIGNCONSTRAINS
q AmplitudeoftheinputsignalshouldnotexceedADC’sdynamicrange-Itisdeterminedbythereferencevoltage
Time5
10
V
0
![Page 19: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/19.jpg)
19
TYPESOFADC
TherearemanyADCtypes(>10).Themostcommonare:
q Successive-approximationADC(SAR)q Sigma-deltaADCq Pipeline
http
://el
ectro
nicd
esig
n.co
m/a
nalo
g/re
al-wo
rld-v
ersu
s-you
r-adc
http
://w
ww
.plan
etan
alog.c
om/a
utho
r.asp
?sec
tion_
id=3
193&
doc_
id=5
6162
7
![Page 20: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/20.jpg)
SUCCESSIVEAPPROXIMATIONREGISTER(SAR)ADC
![Page 21: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/21.jpg)
21
BLOCKDIAGRAM
http
s://e
n.w
ikip
edia
.org
/wik
i/Suc
cess
ive_
appr
oxim
atio
n_A
DC
- DAC =Digital-to-Analogconverter- EOC =EndofConversion- SAR =SuccessiveApproximation
Register- S/H =SampleandHoldcircuit- VIN =InputVoltage- VREF =ReferenceVoltage
SAR
DAC
S/H +-
Clock EOC
Comparator
VIN
VREF
DN-1 DN-2 D1 D0
![Page 22: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/22.jpg)
22
SAR:WEIGHINGPROBLEM
q SARalgorithmisbasedononeofthesolutionstoweighingproblembyNiccolò FontanaTartaglia,Italianmathematicianandengineerin1556
http
s://e
n.w
ikip
edia
.org
/wik
i/Nic
col%
C3%
B2_
Font
ana_
Tarta
glia
http://www.analog.com/media/en/training-seminars/tutorials/MT-021.pdf
q Theobjectiveistodeterminetheleastnumberofweightswhichwouldservetoweighanintegralnumberofpoundsfrom1lb to40lb usingabalancescale
![Page 23: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/23.jpg)
23
ADC:WEIGHINGPROCESS
VIN
VREF
¾VREF
½VREF
¼VREF
VDAC
BIT2=1 BIT0=1BIT1=0BIT3=0
Time
(MSB) (LSB)
![Page 24: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/24.jpg)
„Racing“with ADCCLOCK
-- SARADC--
![Page 25: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/25.jpg)
LETSSETUPEXPERIMENTExperimentalsetup:- Arduino Leonardo
(Atmega32U4withbuild-inADC,125kHzint clock)
- Si5351generator
Algorithm:1. Generatesquaresignalwith
specificfrequencyandphase,2. Read120ADCvaluesinrow
andaveragethem,3. Output toserialport (PC),4. Increasephaseandfrequency,5. GOTO1.
![Page 26: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/26.jpg)
26
RESULTWhat is this?!
![Page 27: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/27.jpg)
27
RACINGWITHADCCLOCK
![Page 28: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/28.jpg)
28
LETSREPEATOUREXPERIMENT
Frequency=around8.9kHz
![Page 29: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/29.jpg)
for(;;){ asm("cbi 0x0e, 6"); val = __fastAnalogRead(A0); //inline function asm("sbi 0x0e, 6"); sum += val; step++;
if(step > 120){ if(phase >= 170){ phase = 0; freq += 100; }else phase += 10;
si5351.set_freq(freq, 0ULL, SI5351_CLK0); si5351.set_phase(SI5351_CLK0, phase);
Serial.print(sum * 1.0/step); 29
LETSREPEATOUREXPERIMENTLet’sintroduce“counter”toourcodeforaveraging120ADCconversions:
Fast analog read
Average, frequency changing and out to serial portgoes here
We’re putting here an outgoingZero-peak signal to see whenADC do actual work
![Page 30: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/30.jpg)
30
TIMINGDIAGRAMEXPLAINSEVERYTHING
![Page 31: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/31.jpg)
31
FROMATMEGA34U4DATASHEET
Chapter24onADC,page302
125kHz/14~8928Hz(112μs)
We’vejustbreachedthroughsamplingrateprecisionoftheADC!
![Page 32: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/32.jpg)
32
NOTONLYBUILT-INADCSTestresultsforMCP3201MCU
fCLK =125kHZ
fCLK =8MHZ
14.3kHz
292.5kHz
![Page 33: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/33.jpg)
33
DEMO2
LIVEDEMO-- Proof--
![Page 34: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/34.jpg)
34
RACINGWITHADCCLOCK
-- Delta-SigmaADC--
![Page 35: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/35.jpg)
35
DELTASIGMAADC
q Delta-sigma(ΔΣ;orsigma-delta,ΣΔ)modulationisamethodforencodinganalogsignalsintodigitalsignalsasfoundinanADC.
q Typically,delta-sigmaADCsclocksfromhigh-frequency signal,buttheresultingsamplerateismuchslower thanforothertypesofADC
q Example:AD7706ADC,clockfrequency– 2MHz,outputsamplerate– 25-500samples persecond.
q Thisallowstoproducedresultswithbiggerresolutionandmuchreliability.
https://en.wikipedia.org/wiki/Delta-sigma_modulation
![Page 36: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/36.jpg)
36
MODUSOPERANDI http://www.analog.com/library/analogDialogue/archives/33-08/adc/index.htmlhttps://en.wikipedia.org/wiki/Delta-sigma_modulation
https://www.maximintegrated.com/en/app-notes/index.mvp/id/1870
![Page 37: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/37.jpg)
37
DEMO3
Stillexploitable?LIVEDEMO-- delta-sigma--
![Page 38: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/38.jpg)
38
![Page 39: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/39.jpg)
39
ATTACKEFFORTS:SIGMA-DELTAVS.SAR
q SARADCsaremucheasiertoexploit(dueitssimplenature),howeverincreasingSARclockfrequencycouldproducemoreproblemsforattacker
q Delta-sigmaADCsallowsonlyafewwaystocraftreliableattack,howevertheresultcouldoverwhelmyourneeds.
![Page 40: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/40.jpg)
40
-- ADCaccesstiming--
SOFTWARE-RELATEDPROBLEMS
![Page 41: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/41.jpg)
41
DEMO4
DEMOVIDEO-- Onesignal,twoADCs--
![Page 42: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/42.jpg)
42
FROMDEMO:TWODEVICES&TWODIFFOUTPUTSWait,butwhy?Timingdiagramscanexplain;-)
![Page 43: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/43.jpg)
43
EVERYTHINGISMUCHEASIERINTHEICSWORLD
q Inmanyreal-world ICS applicationsADCdoesn’tsampleinputsignalwithhighestpossiblefrequency- Typicalsamplingrateis1-100timespersecond
Maliciouslycraftedvoltage
![Page 44: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/44.jpg)
44
HURDLESOFTHEATTACKER
q Howtofigureouttherequiredphaseandfrequencytocraftneededmalicioussignal?
q SendsomepeaksignalsandmonitoroutputoftheADC(directly/indirectly)
q E.g.byhackingintoswitchyoucanmonitor/controlbothdataflowtocontrolPLCAND signalsfromSIS/SafetyLC/logger/DAQ/etc
![Page 45: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/45.jpg)
45
FIGURINGOUTSIGNALPARAMETERS
ControlPLC
Actuator
SafetyPLC/Logger/DAQ/SIS
HMICompromisedindustrialswitch
![Page 46: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/46.jpg)
46
-- ADCconversiontime--
SOFTWARE-RELATEDPROBLEMS
![Page 47: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/47.jpg)
47
ADCINCRITICALAPPLICATIONS
BecarefulwhenusingADCincriticalapplications
q IndustrialPLCsalsohaveanaloginputsandbuilt-inADCs
q Let’stestatoneofthemost popular PLCsS71200μ
![Page 48: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/48.jpg)
48
Let’schecktherealconversiontimeofS71200ADC
Arduino
Waveformgenerator S71200
Analogsignal
S7Protocol
S7inputamplitudeFrequency
I2C
ReadsvaluefromPLCeveryNtime
EXPERIMENTSETUP
![Page 49: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/49.jpg)
49Frequencyisfixed
N=8.3ms
N=9ms
N=7ms
N=4.5ms
N=2.5ms
![Page 50: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/50.jpg)
50
![Page 51: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/51.jpg)
51
Nothing,really.Youjustneedtoreaddatasheetmorethoroughly
Text in small letters
WHAT’SWRONG?
![Page 52: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/52.jpg)
52
INVALIDRANGEOFSIGNALS
![Page 53: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/53.jpg)
53
q Considera5-10VsignalwhichisconsumedbyADCwithranges0-15V
q Whatwillhappenifyousendsignallowerthan5Vorhigher10V? Time
5
10
V
From the real life code:
uint8_t val = readADC(0); // reading8-bitADCvaluewithranges0V-15Vval = val – 85; // Normalization->85==5Volts(255/3)
Anysignaloflessthem5V(val < 85)willcauseintegeroverflow inval
BREAKINGSOFTWAREDEFINEDRANGES(I)
![Page 54: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/54.jpg)
54
BREAKINGSOFTWAREDEFINEDRANGES(II)
WhatiftheattackersendssignaloutsideoftheADShardwaredefinedrange(>Vref)?
q ADCwilloutputmaxvalue(allbitsetto1)q ADCmightbedamaged(didnottestoutofcostfactorsJ)q Valuesonotherinputs couldbedistorted
![Page 55: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/55.jpg)
55
DEMOSETUP
USBUART
NegativePowersource
Atmega328p
OpticalIsolator
![Page 56: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/56.jpg)
56
DEMO5
DEMOVIDEO-- Negativeinputsignal--(breakinghardwarerange)
![Page 57: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/57.jpg)
57
ANOTHEREXAMPLEBreakingHWRANGESforNXPLPC11U24FinternalADC(3.3VRef)
ADC/Ref Volts A-3 A-2 A-1 A-0 A+1 A+2 A+3NXPLPC11U24F(3.3VRef)
0.48 0.0 0.48 1.58 3.33.39 0.0 3.3 1.59 3.34.1 0.087 3.3 1.729 3.34.65 0.17 3.3 1.974 3.35.1 0.44 3.3 2.212 3.35.9 0.0 2.035 1.561 3.36.1-9.8 ~ ~ ~ ~-0.48 0.0 0.0 1.58 3.3-1.1 0.0 0.0 1.64 3.20-1.5 0.025 0.0 1.71 3.07-1.7 0.0 0.0 2.5 2.9-2 ~ ~ ~ ~
![Page 58: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/58.jpg)
58
ATTACKVECTORSINICS
![Page 59: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/59.jpg)
59
Linecouplingcircuit(usuallyOpAmp/Transformer)
Totalsetupcost50$(1kHz)-- 400$(50MHz)
DIRECTACCESSATTACKTOOLKIT
![Page 60: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/60.jpg)
60
ATTACKINGFROMICSDEVICE
qCompromisingoneofthefieldcomponents(PLC,sensor,actuator,DAQ,logger,etc.)- MostMCUsinsidetransmitters/actuatorsarecapableofgenerating
arbitrarysignalsupto500-1000Hz- Somedevicesallowtogeneratesignalsof44kHzandabove
![Page 61: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/61.jpg)
61
ATTACKFROMTRANSMITTER
HARTtransmitterreferencedesign;-)DAC with s/r up to 100kHz(smooth sine wave at ~ 5kHz)
http
://w
ww
.tm-e
etim
es.c
om/e
n/ac
cura
te-in
dust
rial-t
empe
ratu
re-m
easu
rem
ents
-with
-loop
-pow
ered
-tra
nsm
itter
.htm
l?cm
p_id
=7&
new
s_id
=222
9188
50
![Page 62: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/62.jpg)
62
MITIGATIONS
![Page 63: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/63.jpg)
63
HARDWAREMITIGATIONS
![Page 64: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/64.jpg)
64
LPFFILTERSINREFERENCEDESIGN
q Low-passfilterrejectssignalswithafrequencyhigherthanitscutofffrequency
q BufferADCinputwithLPFq GooddesigndictatesADCfs >=LPFfc
![Page 65: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/65.jpg)
65
LPFFILTERSINREFERENCEDESIGN“WeincludedLPFinourdesign"
ADCwithfs >470Hz
LPFwithfc near15kHz
![Page 66: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/66.jpg)
66
SOLUTION
![Page 67: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/67.jpg)
67
FLIPSIDEOFUSINGLPF
qWhenaddingLPFintoanindividualdevice,makesurethatallrelateddeviceshavethesame cut-offfrequencies
”Securing”mayleadtomorevulnerabilities
q E.g.ifPLCinput isbufferedwithLPF𝒇𝒄 = 𝟏𝒌𝑯𝒛 andactuator equippedwithLPFwith𝒇𝒄 = 𝟓𝒌𝑯𝒛,theattacknotonlypossible,buttheprobabilityofsuccessincreases!
![Page 68: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/68.jpg)
68
NOTE:DIGITALLPFWON’TWORK!
DonotusedigitalLPFafter theADC!
q ADCwillbealreadycompromisedbyanill-intendedsignalandnodigitalfilterwillfixthematters
![Page 69: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/69.jpg)
69
USEADCWITHHIGHERBANDWIDTH/LOWERCONVERSIONTIME
q UsingADCwithhighersamplingfrequencycanmitigate“oversampling”attackastheattackerwillhavetogeneratesignalofmuchhigherfrequency
q Generating>1MHzsignalandinjectingitintoanaloglineismuchharderthaninjecting<1MHzsignal- H/fsignalssubjectedtogreaterattenuationandmoreaffected
bynoise
![Page 70: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/70.jpg)
70
SCALESIGNALAMPLITUDEBEFOREADC
q ToavoidabuseofADCranges,normalizesignalamplitudebeforefeedingthesignaltoADC- Simplestoption:voltagedivider+OpAmp,- Signalconditioningcircuitsoreven
dynamicrangecompression
SelectwhatissuitableforyourOTprocess
![Page 71: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/71.jpg)
71
SOFTWAREMITIGATIONS
![Page 72: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/72.jpg)
72
SAMPLINGFREQUENCYRANDOMIZATION
http://www.sixsigma4service.com/evaluation-considerations-fo
r-data-sampling.html
SAMPLINGFREQUENCYRANDOMIZATIONq Certain randomnessinsamplingfrequencywillmakeattacker’s
jobmuchharder-Manyofthediscussedattackswillbemuchmorechallengingtoexecute
q Smallvariationof𝒇) won’tdegradeconversionprocess.Onthecontrary,itwillproduceasignalsampleofbetterquality.
𝒇) = 𝑓 + rand(△)
Time
V
0
![Page 73: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/73.jpg)
73
APLYSECURECODINGTECHNIQUES
q ScrutinizeyourADCs/PLCdatasheetstofigureouteffectiveranges,conversiontime,frequencyandothercriticalparameters
q Evenifitissufficienttocontroltheprocesswithonevaluepersecond,samplethesignalwithhigherfrequencyandaverageconvertedvalues
qWhenreceivingvaluefromADC,treatitasanabsolutevalue(allbitsreceivedfromADCaresignificant)
![Page 74: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/74.jpg)
74
DON’TSLEEP!(WHILEONDUTYJ )
Avoidwriting/usingthefollowingcode(ifyoudon’tcompletelyunderstandyourprocessandaren’tcompletelysureaboutwhatyouaredoing)
Val = readADC();Output(Val);Sleep(Timeout);
![Page 75: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/75.jpg)
75
OTANDITHAVECOMMONPROBLEMS
NEVERTRUSTYOURINPUTS
![Page 76: [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://reader030.vdocuments.pub/reader030/viewer/2022022413/58a39da01a28abb1348b6473/html5/page/76.jpg)
@dark_k3y@marmusha