



**IOActive**  
Hardware | Software | Wetware  
SECURITY SERVICES



**Honeywell**

**NEVER TRUST YOUR INPUTS:  
CAUSING 'CATASTROPHIC PHYSICAL CONSEQUENCES'  
FROM THE SENSOR (OR HOW TO FOOL ADC)**

**Alexander Bolshev & Marina Krotofil**

# ; CAT /DEV/USER

Alexander [@dark\\_k3y](#) Bolshev, Ph.D.  
Security Researcher @ IOActive  
Assistant Professor @ SPbETU “LETI”

**IOActive**  
Hardware | Software | Wetware  
SECURITY SERVICES



Marina [@marmusha](#) Krotofil  
Security Researcher @HoneywellSec

**Honeywell**

# AGENDA

- Problem statement
- Analog-to-Digital Converters (ADC)
- “Racing” with ADC clock
- Invalid amplitude range of signal
- Attack vectors in ICS
- Mitigations

# INDUSTRIAL CONTROL SYSTEMS



Physical application

# PROCESS CONTROL IN A NUTSHELL



# IMPACT OF IMPROPER SIGNAL PROCESSING

## Equipment damage at nuclear plant



- Two identically built nuclear plants. One had flow induced vibration issue. And another did not.
- **The vibrations indication showed itself as hf noise**
  - ❑ Field engineer has filtered the signal to get rid of annoying noise
  - ❑ Loss of view into vibration issue

# REASON TO SECURE CONTROL SYSTEMS



Catastrophic  
consequences

# PROCESS MONITORING



# DATA PROCESSING & USE IN ICS (SINGLE SENSOR)



Courtesy B. Green, University of Lancaster

# CONSIDER A FIELD ARCHITECTURE

- What if MV value on actuator will be different from MV value on logger?



# BUT IT'S ANALOG CONTROL LINE!

- It's impossible to have two different MVs on the same line at the same time!

Are you sure?

# DEMO SETUP

“HMI Panel”



“Safety PLC”  
(S7 1200)

“Actuator”  
(motor)

“Control PLC”  
(arduino)

# DEMO 1

## DEMO VIDEO

-- Two devices, two different MVs --





# INTRO TO ANALOG-TO-DIGITAL CONVERTERS (ADC)

# WHAT IS ADC?

- Converts a continuous analog signal (voltage or amperage) to a digital number that represents signal's amplitude



# ADC IN A NUTSHELL

Input signal



- Frequency
- Phase
- Amplitude



# EXPLOITABLE ADC DESIGN CONSTRAINTS

- Sampling frequency should follow Nyquist rule ( $f_s > 2B$ )
  - ❖ Otherwise the signal will appear of false (alias) frequency



# EXPLOITABLE ADC DESIGN CONSTRAINTS

- ☐ Amplitude of the input signal should not exceed ADC's dynamic range
  - ❖ It is determined by the reference voltage



# TYPES OF ADC

There are many ADC types (>10). The most common are:

- Successive-approximation ADC (SAR)
- Sigma-delta ADC
- Pipeline





# SUCCESSIVE APPROXIMATION REGISTER (SAR) ADC

# BLOCK DIAGRAM



- ❖ **DAC** = Digital-to-Analog converter
- ❖ **EOC** = End of Conversion
- ❖ **SAR** = Successive Approximation Register
- ❖ **S/H** = Sample and Hold circuit
- ❖  **$V_{IN}$**  = Input Voltage
- ❖  **$V_{REF}$**  = Reference Voltage

# SAR: WEIGHING PROBLEM

- SAR algorithm is based on one of the solutions to weighing problem by **Niccolò Fontana Tartaglia**, Italian mathematician and engineer in 1556



- The objective is to determine the least number of weights which would serve to weigh an integral number of pounds from 1 lb to 40 lb using a balance scale

# ADC: WEIGHING PROCESS





# „Racing“ with ADC CLOCK

-- SAR ADC --

# LET'S SETUP EXPERIMENT



## Experimental setup:

- ❖ Arduino Leonardo  
(Atmega32U4 with build-in  
ADC, 125kHz int clock)
- ❖ Si5351 generator

## Algorithm:

1. Generate square signal with specific frequency and phase,
2. Read 120 ADC values in row and average them,
3. Output to serial port (PC),
4. Increase phase and frequency,
5. GOTO 1.



# RESULT

What is this?!



# RACING WITH ADC CLOCK



# LETS REPEAT OUR EXPERIMENT

Frequency = around 8.9kHz



# LETS REPEAT OUR EXPERIMENT

Let's introduce “*counter*” to our code for averaging 120 ADC conversions:

```
for(;;){  
    asm("cbi 0x0e, 6");  
    val = __fastAnalogRead(A0); //inline function  
    asm("sbi 0x0e, 6");  
    sum += val;  
    step++;  
  
    if(step > 120){  
        if(phase >= 170){  
            phase = 0;  
            freq += 100;  
        }else  
            phase += 10;  
  
        si5351.set_freq(freq, 0ULL, SI5351_CLK0);  
        si5351.set_phase(SI5351_CLK0, phase);  
  
        Serial.print(sum * 1.0/step);  
    }  
}
```

We're putting here an outgoing Zero-peak signal to see when ADC do actual work

Fast analog read

Average, frequency changing and out to serial port goes here

# DEMO 2

LIVE DEMO

-- Explanation --

# TIMING DIAGRAM EXPLAINS EVERYTHING



# FROM ATMEGA 34U4 DATASHEET

Chapter 24 on ADC , page 302

| Condition                                            | First Conversion | Normal Conversion,<br>Single Ended | Auto Triggered<br>Conversion |
|------------------------------------------------------|------------------|------------------------------------|------------------------------|
| Sample and Hold<br>(Cycles from Start of Convention) | 14.5             | 1.5                                | 2                            |
| Conversion Time<br>(Cycles)                          | 25               | 13                                 | 13.5                         |

$125\text{kHz} / 14 \sim 8928\text{Hz} (112\mu\text{s})$

We've just breached through sampling rate precision of the ADC!

# NOT ONLY BUILT-IN ADCS

Test results for MCP3201 MCU





## SOFTWARE-RELATED PROBLEMS

-- ADC access timing --

# DEMO 3

## DEMO VIDEO

-- One signal, two ADCs --

# FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS

Wait, but why? Timing diagrams can explain ;-)



# EVERYTHING IS MUCH EASIER IN THE ICS WORLD

- In many real-world ICS applications ADC doesn't sample input signal with highest possible frequency
  - Typical sampling rate is 1-100 times per second



# HURDLES OF THE ATTACKER

- How to figure out the required phase and frequency to craft needed malicious signal?
- Send some peak signals and monitor output of the ADC (directly/indirectly)
- E.g. by hacking into switch you can monitor/control both data flow to control PLC AND signals from SIS/Safety LC/logger/DAQ/etc



# FIGURING OUT SIGNAL PARAMETERS





## SOFTWARE-RELATED PROBLEMS

-- ADC conversion time --

# ADC IN CRITICAL APPLICATIONS

Be careful when using ADC in critical applications

- Industrial PLCs also have analog inputs and built-in ADCs
- Let's test at one of the most popular PLCs S7 1200 μ



| Analog value creation                                   |        |
|---------------------------------------------------------|--------|
| Integrations and conversion time/resolution per channel |        |
| Resolution with overrange (bit including sign), max.    | 10 bit |
| Integration time, parameterizable                       | Yes    |
| Conversion time (per channel)                           | 625 µs |

# EXPERIMENT SETUP

Let's check the real conversion time of S7 1200 ADC



$N=9\text{ms}$



$N=8.3\text{ms}$



$N=7\text{ms}$



$N=4.5\text{ms}$



$N=2.5\text{ms}$



Frequency is fixed

Our ADC Conversion  
time is just 625uS

I could see non-repeating  
values  
only every 8.3mS

**BUT...**



# WHAT'S WRONG?

**Nothing, really.** You just need to read datasheet more thoroughly



## Conversion time:

The conversion time is the sum of the time required by the A/D converter (analog-to-digital converter) to record the measured value (basic conversion time), as well as time taken (diagnostics, open-circuit monitoring) to process the measured value in the module (processing time).

## Cycle time:

The cycle time, which is also called the sampling time, is the time between two conversions on the same channel.



Text in small letters



# INVALID RANGE OF SIGNALS

# BREAKING SOFTWARE DEFINED RANGES (I)

- Consider a 5-10V signal which is consumed by ADC with ranges 0-15 V
- What will happen if you send signal lower than 5V or higher 10V?



From the real life code:

```
uint8_t val = readADC(0); // reading 8-bit ADC value with ranges 0V -15 V  
val = val - 85; // Normalization -> 85 == 5 Volts (255/3)
```

Any signal of less them 5 V (`val < 85`) will cause integer overflow in `val`

# BREAKING SOFTWARE DEFINED RANGES (II)

What if the attacker sends signal outside of the ADS hardware defined range ( $>V_{ref}$ )?

- ADC will output max value (all bit set to 1)
- ADC might be damaged (did not test out of cost factors ☺)
- Values on other inputs could be distorted

# DEMO SETUP

Negative Power source



USB  
UART

Atmega328p

Optical  
Isolator

# DEMO 4

## DEMO VIDEO

-- Negative input signal --  
**(breaking hardware range)**

# ANOTHER EXAMPLE

Breaking HW RANGES for NXP LPC 11U24F internal ADC (3.3VRef)

| ADC/Ref                        | Volts   | A <sub>-3</sub> | A <sub>-2</sub> | A <sub>-1</sub> | A <sub>-0</sub> | A <sub>+1</sub> | A <sub>+2</sub> | A <sub>+3</sub> |
|--------------------------------|---------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|
| NXP LPC<br>11U24F<br>(3.3VRef) | 0.48    |                 |                 | 0.0             | 0.48            | 1.58            | 3.3             |                 |
|                                | 3.39    |                 |                 | 0.0             | 3.3             | 1.59            | 3.3             |                 |
|                                | 4.1     |                 |                 | 0.087           | 3.3             | 1.729           | 3.3             |                 |
|                                | 4.65    |                 |                 | 0.17            | 3.3             | 1.974           | 3.3             |                 |
|                                | 5.1     |                 |                 | 0.44            | 3.3             | 2.212           | 3.3             |                 |
|                                | 5.9     |                 |                 | 0.0             | 2.035           | 1.561           | 3.3             |                 |
|                                | 6.1-9.8 |                 |                 | ~               | ~               | ~               | ~               |                 |
|                                | -0.48   |                 |                 | 0.0             | 0.0             | 1.58            | 3.3             |                 |
|                                | -1.1    |                 |                 | 0.0             | 0.0             | 1.64            | 3.20            |                 |
|                                | -1.5    |                 |                 | 0.025           | 0.0             | 1.71            | 3.07            |                 |
|                                | -1.7    |                 |                 | 0.0             | 0.0             | 2.5             | 2.9             |                 |
|                                | -2      |                 |                 | ~               | ~               | ~               | ~               |                 |



# ATTACK VECTORS IN ICS

# DIRECT ACCESS ATTACK TOOL KIT



Total setup cost  
50\$ (1kHz) -- 400\$ (50MHz)

Line coupling circuit  
(usually OpAmp/Transformer)



# ATTACKING FROM ICS DEVICE

- Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.)
  - ❖ Most MCUs inside transmitters/actuators are capable of generating arbitrary signals up to 500-1000Hz
  - ❖ Some devices allow to generate signals of 44kHz and above



# ATTACK FROM TRANSMITTER

## HART transmitter reference design ;-)

Novato Reference Design  
MAXREFDES16#





# MITIGATIONS

# HARDWARE MITIGATIONS



I'm looking for the least possible amount  
of responsibility.

# LPF FILTERS IN REFERENCE DESIGN

- ❑ Low-pass filter rejects signals with a frequency higher than its cutoff frequency
- ❑ Buffer ADC input with LPF
- ❑ Good design dictates  $\text{ADC } f_s \geq \text{LPF } f_c$



# LPF FILTERS IN REFERENCE DESIGN

"We included LPF in our design"

LPF with  $f_c$  near 15 kHz



ADC with  $f_s > 470\text{Hz}$

# SOLUTION



# ACHIEVING ADC ZEN



www.mandor.sk  
Czech Mandor

# FLIP SIDE OF USING LPF

“Securing” may lead to more vulnerabilities

- ❑ When adding LPF into an individual device, make sure that all related devices have the same cut-off frequencies
- ❑ E.g. if PLC input is buffered with LPF  $f_c = 1\text{kHz}$  and actuator equipped with LPF with  $f_c = 5\text{kHz}$ , the attack not only possible, but the probability of success increases!



# NOTE: DIGITAL LPF WON'T WORK!

**Do not use digital LPF after the ADC!**

- ADC will be already compromised by an ill-intended signal and no digital filter will fix the matters



# USE ADC WITH HIGHER BANDWIDTH/LOWER CONVERSION TIME

- Using ADC with higher sampling frequency can mitigate “oversampling” attack as the attacker will have to generate signal of much higher frequency
- Generating  $>1\text{MHz}$  signal and injecting it into analog line is much harder than injecting  $< 1\text{MHz}$  signal
  - ✖ H/f signals subjected to greater attenuation and more affected by noise

# SCALE SIGNAL AMPLITUDE BEFORE ADC

- To avoid abuse of ADC ranges, normalize signal amplitude before feeding the signal to ADC
  - ❖ Simplest option: voltage divider + OpAmp,
  - ❖ Signal conditioning circuits or even dynamic range compression

Select what is suitable for your OT process



# SOFTWARE MITIGATIONS



# SAMPLING FREQUENCY RANDOMIZATION

- ❑ Certain randomness in sampling frequency will make attacker's job much harder
  - ❑ Many of the discussed attacks will be much more challenging to execute
- ❑ Small variation of  $f_s$  won't degrade conversion process. On the contrary, it will produce a signal sample of better quality.



# APPLY SECURE CODING TECHNIQUES

- ❑ Scrutinize your ADCs/PLC datasheets to figure out effective ranges, conversion time, frequency and other critical parameters
- ❑ Even if it is sufficient to control the process with one value per second, sample the signal with higher frequency and average converted values
- ❑ When receiving value from ADC, treat it as an absolute value (all bits received from ADC are significant)

# DON'T SLEEP! (WHILE ON DUTY ☺ )

Avoid writing/using the following code (if you don't completely understand your process and aren't completely sure about what you are doing)

```
Val = readADC();  
Output(Val);  
Sleep(TIMEOUT);
```



OT AND IT HAVE COMMON PROBLEMS

NEVER TRUST YOUR INPUTS





**IOActive**  
Hardware | Software | Wetware  
SECURITY SERVICES



**Honeywell**

**Any Q?**

@dark\_k3y  
@marmusha



# „OVERSAMPLING“ OF ADC CLOCK

-- Delta-Sigma ADC --

# DELTA SIGMA ADC

# MODUS OPERANDI

# LETS SETUP ANOTHER EXPERIMENT

# RESULT

# EXPLANATION

# ATTACK EFFORTS: SIGMA-DELTA VS. SAR