Talk: Reconnaissance and Reverse Engineering, 12-1 Fri 2/17
Study of the Cyber-physical Systems in UMBC's ILSB building
Friday, February 17, 2023 · 12 - 1 PM
The UMBC Cyber Defense Lab presents
Reconnaissance and Reverse Engineering: A Case Study of Cyber-physical Systems in the UMBC Academic Building ILSB
Andrea Ferketich, UMBC and JHU/APL
Joint work with Zachary Amoss, Leo Brown, Kevin Chen, Will DeStaffan, Brandon Hill, and Kathleen Koerner. This work was carried out in fall 2022 as part Alan Sherman's INSuRE cybersecurity research class, with Zachary Birnbaum (APL) serving as technical director.
12-1 pm Friday, 17 February 2023, via WebEx
We present our security analysis of three cyber-physical systems in UMBC’s new smart Interdisciplinary Life Sciences Building (ILSB): the access control system, the surveillance system, and the atrium's electrical system. Supported by reconnaissance and reverse engineering, we identify potential vulnerabilities, attacks, and risks, and make recommendations. Conducting reconnaissance and reverse engineering activities on academic cyber-physical infrastructure is currently an insufficiently researched area, unlike critical infrastructure such as smart power grids and the Industrial Internet of Things (IIoT). This project identifies how susceptible three cyberphysical systems in ILSB are to cyber attacks, and the significance of each attack to the relevant system. Without completing a full analysis and reconnaissance of the building, the DoIT and facilities manager cannot be sure how the online sensor infrastructure interacts with the physical infrastructure. Typically, academic spaces are more physically accessible than are industry equivalents, primarily due to the public nature of universities, which encourages unfettered access to buildings for the sake of collaboration and student freedom. This level of access, however, also expands the potential attack surface by opening up the university to cyber attacks performed via physical methods. Our group discovered multiple attacks on the three cyber-physical systems, produced recommendations to the university, and identified additional analysis that can be performed to secure the cyber-physical infrastructure further. Our group additionally created mappings of target systems that include interface details and connection types. After creating reconnaissance artifacts, we identified vulnerabilities within the target systems and vulnerabilities within the target system configurations.
Vulnerabilities we found include an authenticated command injection attack, and an unauthenticated denial of service on the webserver that hosts the physical access control system. Both vulnerabilities could be conducted by an adversary with a moderate level of effort and would enable the adversary to control the access control system, approving or denying access outside of normal operations. On the camera system, one attack we found is an incomplete client-side validation. Exploitation of this vulnerability requires more effort and would allow the adversary to inject arbitrary commands, including deleting camera footage.
Andrea Ferketich is an employee at JHU APL, working as a task leader for US Navy combat systems cybersecurity integration with tactical systems. She is a computer science PhD student at UMBC who is proficient with various cybersecurity tools, cyber network security, cyber risk assessment, cyber-physical security, policy and requirements writing, project management, executive-level presentations, and Android programming. Andrea served as her INSuRE group's technical project manager, coordinating with DoIT, and ensuring the overall project success with technical writing and resolving technical issues. Email: email@example.com
Host: Alan T. Sherman, firstname.lastname@example.org. Support for this event was provided in part by the National Science Foundation under SFS grant DGE-1753681. The UMBC Cyber Defense Lab meets biweekly Fridays 12-1pm. All meetings are open to the public. Upcoming CDL meetings: March 3, Enis Goleszewski (UMBC), Channel binding in FIDO should not be optional,