The notion of a hacker-induced nuclear meltdown is the stuff of cyberpunk nightmares. And, let’s be clear, there’s no sign digital saboteurs are anywhere close to unleashing a nuclear apocalypse. But one hacker who has prodded at radioactive hazard protections for years says he’s found serious vulnerabilities in those safety systems. These aren’t bugs that would cause a radioactive disaster–but they could make it harder to prevent them.
At the Black Hat security conference Wednesday, security researcher Ruben Santamarta laid out a series of potentially hackable security flaws in the software and hardware systems designed to protect against radioactive contamination in two distinct forms. One of his targets is a common model of radioactivity sensor at nuclear power facilities. Another is a set of devices sold as “gate” monitoring system, which check vehicles and humans for radioactivity as they leave nuclear facilities, or to screen cargo that passes through borders and ports.
Thankfully, none of Santamarta’s attacks present a practical path to a hacker-induced meltdown. And nuclear facilities do have other means of detecting radiation than the ones he targeted. But his findings nonetheless highlight serious weaknesses in the equipment that helps protect against radioactive leaks, or even terrorist attacks, around the world.
In his worst-case scenario, Santamarta describes how the vulnerabilities he’s found could confuse nuclear engineers, or prevent them from responding to an ongoing radioactive leak. “You can send arbitrary information, malicious information that emulates a radiation leak that’s not actually happening, or send regular readings so an accident goes undetected,” says Santamarta, a researcher and consultant at the security firm IOActive, who has previously exposed digital vulnerabilities in satellite and airplane systems.
With his other set of findings focused on gate-monitoring systems, Santamarta warns that hackers or malicious insiders might be able to hack those monitoring tools, disabling them to allow dangerous nuclear materials to bypass checkpoints. “You could smuggle whatever radioactive material you want,” he says.
Santamarta says that reading articles about the 1979 radioactive accident at Three Mile Island earlier this year piqued his interest in the security of radioactivity detection equipment. That near-disaster was caused in part by faulty readings from nuclear containment equipment that gave operators a false sense of confidence. “I wanted to know if there’s a chance for hackers to replicate that scenario in some way,” Santamarta says.
Over the next months, he began acquiring and testing equipment from the radioactivity sensor firm Mirion, whose radio-enabled sensors are installed in nuclear power plants and carried by workers to detect potential leaks. Santamarta found that anyone who possessed one of those sensors—he bought his for around $200 each on eBay—could use it to send false data back to the box, known as the transceiver, that accepts data from those detectors. Other than requiring that the data ame from a Mirion device, the system’s communications had no encryption or authentication. And even without using the Mirion sensors he’d bought, Santamarta says he was able to crack and rewrite the firmware of their underlying radio modules, sold to Mirion by a firm known Digi, to impersonate the Mirion sensors instead.
With those rogue sensors and an antenna, Santamarta says he could send spoofed data to a nuclear plant’s Mirion transceivers from as far away as 30 miles, a range that Digi independently confirmed to WIRED was possible. Santamarta’s attack wouldn’t merely add false data into the plant’s monitoring systems, but potentially block real signals, too. Using a software-defined radio to detect the patterns of communication from the plant’s legit sensors, Santamarta says a hacker could inject carefully timed communications that would corrupt those signals, preventing the plant’s transceivers from reading them.
“Attackers may look to increase the time an attack against a nuclear facility or an attack involving a radioactive material remains undetected, by sending normal readings to trick operators into thinking measurements are perfectly fine,” reads a paper that Santamarta released along with his Black Hat talk.
Spoofing and Smuggling
In another, separate set of attacks, Santamarta focused on products sold by the radioactive-monitoring-equipment firm Ludlum, security gates designed to detect traces of radiation carried by vehicles or pedestrians. While he couldn’t obtain those actual gates, he instead downloaded and analyzed the devices’ firmware. He found that the pedestrian gates had a “backdoor” that would allow unauthorized users to reprogram it with a hardcoded password, though only if they could physically access the gate’s control panel.
More troublingly, he discovered that the vehicle gates he examined seemed to communicate with the server that collected data from them without any encryption or authentication. If an attacker could hack into that server’s network, he or she could easily spoof data from the gate, or act as a man-in-the-middle, preventing the real data from reaching operators. That could, for instance, allow smugglers to import rogue nuclear material past border security checks, or nuclear facility insiders to smuggle the material out.
Neither Ludlum nor Mirion responded immediately to WIRED’s request for comment on Santamarta’s findings. According to Santamarta, Ludlum dismissed the report when he showed it to them, arguing that its monitoring gates are used in secure facilities that protected them from his attacks. Santamarta says Mirion told him it was working to add more security protections to its future products.
When WIRED reached out to Digi, which makes Mirion’s radio module, the company acknowledged that the Mirion sensors lacked encryption and authentication despite the radio makers’ recommendations to customers that they implement those protections themselves.
“Ultimately it’s up to the end customers to choose the security and settings and do the risk assessment,” says Donald Schleede, an information security officer for the company. He noted that Santamarta’s injection of false data seemed possible: “Without that network being secure, it’s quite trivial to put that data in.” But Schleede also noted that based on his knowledge of how Mirion’s sensors are applied, they wouldn’t trigger automated responses to a leak, and other means of radioactivity detection would be present in nuclear facilities, too. WIRED also reached out to the Nuclear Regulatory Commission for comment, but the agency didn’t immediately respond.
‘It Doesn’t Make Sense’
Each of Santamarta’s attacks represents only a small part of a dangerous hypothetical. To smuggle plutonium with his gate-hacking technique, attackers would have to have already compromised the network of the border security facility. And for his nuclear power plant vulnerabilities to cause serious harm, a radioactive leak of some kind would likely have to already be underway.
‘You could smuggle whatever radioactive material you want.’ – Ruben Santamarta, IOActive
But fears of hackers with their sights on nuclear targets is more than hypothetical. The Department of Homeland Security recently warned utilities of attempted intrusions, likely by Russian hackers, into the business networks of a dozen US energy facilities, including a Kansas nuclear power plant. And last month, the NotPetya ransomware that swept through Ukraine and other countries at one point disabled automated radioactivity measurement tools at the site of the 1986 Chernobyl nuclear meltdown, forcing staff to resort to more manual monitoring methods.
With that backdrop, Santamarta’s findings form a piece of a growing picture of nuclear insecurity against digital attack. “Mirion, Ludlum, Digi, they weren’t thinking about security when they designed these products, and we’re talking about nuclear power plants, borders, secure facilities,” Santamarta says. “It doesn’t make sense to have this kind of exposure.”