Hackers Crash Controller via Web Service

Event Year: 2002 Reliability: Confirmed
Country: United Kingdom
Industry Type: Electronic Manufacturing
Description:

There were 2 types of incidents ocurring at the same location in the same time frame:
(1)  Hackers opened connections with our device , sent messages of unknown nature, then stopped communicating without closing the connection.  This exposed a bug in the control product.  After timing out the connection, the connection was left open.  After repeated attacks, all connections were consumed leaving the ethernet port unavailable for legitimate users.
(2)  Hackers sent a WEB page to the device containing some java script and the text: ” Hello! Welcome to http://worm.com Hacked by Chinese”.  This exposed a bug in TCP/IP stack that caused invalid data access abort in the CPU.  This results in the controller going through a reset, which drives all outputs to their off state.

Impact:

Two engineers worked on this problem full time for 3-4 weeks each.  The hard part was being able to identify the cause so we could reproduce it at the vendor’s site.  Our internal firewalls greatly reduce the likelyhood of these attacks getting through.  The customer in this case is a development partner, so we worked with them to capture the activity with a network analyzer.  Once the cause(s) were identified, the fixes were easy.

Action Description: (1) Fixed the bug in the device code - it now properly closes timeout connections. (2) Contacted the TCP stack vendor who gave us a fix for his bug. In addition, we created a tool to cause problem #1. It rapidly makes connections but does not close them. With this tool, the old "buggy" code locks up the Ethernet port within seconds. The fixed code does not fail. Vendor strongly recommends that our customers work with their IT departments to isolate the controllers from these kinds of attacks.