A research group in the Technion’s Henry and Marilyn Taub Faculty of Computer Science was able to takeover Siemens’ new controllers, among the most secure in the world. These controllers are used in a wide range of systems, including aircraft, vehicles, production lines, power stations, gas and oil pipelines, smart homes, traffic lights, and even nuclear reactors.

The research was presented at the Black Hat USA 2024 conference by alumni Nadav Adir and Alon Dankner under the guidance of Professor Eli Biham, head of the Hiroshi Fujiwara Cybersecurity Research Center at the Technion, and Dr. Sara Bitan, a senior researcher at the center.

“Our appearances at Black Hat conferences repeatedly advance the security of these systems and are part of long-term research aimed at improving the security of control systems,” explained Prof. Biham. “Indeed, Siemens has made changes to its security mechanisms following our research.”

The group previously presented the “cracking” of Siemens’ smart controller. The research findings were transferred to Siemens to improve the product’s security.

“Siemens made changes to the security protocol of the controllers [as a result of this research], but we managed to identify a loophole that allows an attacker to disrupt secure communication with the controller, thereby affecting its internal operation and disguising the damage outwardly,” said Dr. Bitan.

The modern encryption world is entirely based on the use of a pair of mathematically related keys: a public key for encryption and a private key for decryption. The private key is supposed to be kept in a “vault,” a secure area within the controller. Technion’s newest research managed to penetrate that secure area and extract the private key, thus gaining control over both incoming and outgoing communications.

Black Hat conferences are prestigious international events, showcasing the latest relevant knowledge in cybersecurity. The tradition, which began in 1997 with a single annual conference, has expanded to four conferences per year, each in a different country, with the largest one held in Las Vegas in August.