Pin Control Attack is a class of attack against embedded SoC's where attacker targets I/O configuration of the embedded systems and physically terminate its connection with the software or Operating System (OS) without software/OS notices about it or receive any failure regarding I/O failures. The attack is caused by lack of hardware interrupt for Pin Configuration and Pin Multiplexing configurations. The most significant target for Pin Control Attack is a Programmable Logic Controller. The application of Pin Control Attack on PLCs is significant because Input/Output is the main mechanism through which Programmable Logic Controllers (PLCs) interact with and control the outside world. PLCs I/O like other embedded devices are controlled by a pin based approach. Pin Control Attack is an attack in which the attacker can tamper with the integrity and availability of PLCs I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them. The family of the attack was first unveiled at Black Hat Europe 2016. The Pin Control Attack uses I/O peripheral configuration settings of the PLC SoC to physically terminate the I/O module communication interface from the PLC. By targeting the PLC I/O configuration instead of PLC runtime or changing the logic program the attackers can avoid typical detection mechanisms exist in embedded systems.
Contents
Background
Classic attacks against PLCs rely on modifying the device's firmware, its configuration parameters, or the execution flow of running processes. These typical attacks trigger interrupts in the PLC's normal mode of operation, which the security software such as IDS picks up and alerts the human operator. Pin Control Attack targets the PLC's dynamic memory, where the device stores its I/O configuration.
Attack Vectors
The researchers suggested at least two variant of the attack named as Pin Configuration Attack and Pin Multiplexing Attack. While these two attack vectors acting differently, their concept is similar and both physically terminate the I/O from software access without software noticing about it due to lack of hardware interrupts for I/O Multiplexing and I/O Configuration.
Pin Multiplexing Attack
Embedded SoCs usually employ hundreds of pins connected to the electrical circuit. Some of these pins have a single defined purpose. For example, some only provide electricity or a clock signal. Since different equipment vendors with di- verse I/O requirements will use these SoCs, the SoC manufacturer produces its SoCs to use a certain physical pin for multiple mutually exclusive functionalities, depending on the application. The concept of redefining the functionality of the pin is called Pin Multiplexing and is one of the necessary specifications of the SoC design. Regarding the interaction of the Pin Multiplexing with OS, it is recommended by SoC vendors to only multiplex the pins during the startup since there is no interrupt for multiplexing. However, the user still can multiplex a pin at runtime and there is no limitation on that.
The current design of Pin Multiplexing in hardware level raises security questions. For example, assume that an application uses a particular peripheral controller connected to a pin with a particular multiplexing setup. At one point another application (second application) changes the multiplexing setup of the pin used by the first application. Once the pin is multiplexed, the physical connection to the first peripheral controller gets disconnected. However, since there is no interrupt at the hardware level, the OS will assume that the first peripheral controller is still available. Thus, the OS will continue to carry out the write and read operations requested by the application without any error.
The concept of changing the functionality of a pin connected to the I/O at the runtime is called Pin Multiplexing Attack.
Pin Configuration Attack
A PLC can receive and transmit various types of electrical and electronic signals. The input, which typically comes from sensors, and the output, which can be used to control motors, valves or relays, are linked to input and output pins on an integrated circuit known as a system on chip (SoC). The SoC’s pin controller can configure the modes of a pin (i.e. they are set to serve as input or output). The experts discovered that an attacker who has compromised the PLC can tamper with the input and output without being detected and without alerting the operators monitoring the process through a human-machine interface (HMI).
Stealthiness
Both Pin Configuration and Pin Multiplexing don’t trigger any alert or hardware interrupt. Therefore, during an active attack, the PLC runtime will interact with a virtual I/O memory while the attacker physically terminated the connection of the I/O with virtual memory. The state where I/O values in the software memory do not reflect the physical I/O memory is being called as I/O memory illusion.