Expert: Radiation monitoring systems rife with security flaws


Radiation monitoring systems — from those designed to prevent the theft of nuclear materials to those that monitor leaks at power plants — have cybersecurity flaws that could be used to render them useless or incite panic, a researcher announced Wednesday. 

Ruben Santamarta, a principal security consultant at the cybersecurity firm IOActive, announced security vulnerabilities found in a variety of radiation monitoring systems. Not all of those flaws immediately appear to be repairable. 

“The attacks are not easy,” he told The Hill. “I’m pretty sure only a nation-state could perform them.” 

But Santamarta worried that, if a nation did use the attack, it could, for example, disrupt operations at a nuclear power plant by falsely alerting workers to a safety hazard or block a safety alert that should be issued. 


Santamarta tested gate monitoring devices from the company Ludlum. In one case, he found that the device had a hidden default password that would give an attacker the highest level of privileges to control the device. In another, he found that its Wi-Fi connections were not secured, opening the door for attackers to intercept and alter its communications and control.

He said Ludlum believed the vulnerabilities were not severe because nuclear facilities are secure: the Wi-Fi attack requires physical proximity to pull off, and the passcode attack requires access to a secure network.

Santamarta also tested radiation monitoring systems that check for errant radiation throughout a facility and found that a communications protocol designed by the firm Mirion and used by multiple vendors opened these devices to attack.

He was able to reverse engineer the encryption keys used by the devices. With access to a facility, he could either hijack a device's hardware or use malicious radio signals to cause a device to send faulty information about facility safety.

Many plants guard these devices against errant radio signals. 

“Initially, we were told it could not be patched,” said Santamarta. 


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
