Reverse-Engineering Wireless SCADA Systems

ShmooCon XII - 2016

Presented by: Karl Koscher
Date: Sunday January 17, 2016
Time: 12:00 - 12:50
Location: Build It!

Over the past few years, interest in ICS/SCADA systems security has grown immensely. However, most of this interest has been focused on IP-connected SCADA networks, largely ignoring numerous deployments relying on other technologies such as wireless serial links. In this talk, I’ll introduce a new GNU Radio module which lets you sniff SCADA networks that use a popular RF modem for their communications. I’ll also describe the process of reverse-engineering the proprietary RF protocol used. Finally, I’ll talk about the higher-layer protocols used in SCADA networks, including ModBus and DNP3, demonstrate how we are able to monitor the (unencrypted and unauthenticated) sensing and control systems used by a large electricity distribution network, and discuss some of its implications.

Karl Koscher

Karl is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems. Since earning his ham license in 2014 (and later upgrading to Amateur Extra), he has become interested in many aspects of wireless communications.
