About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

Advertisers

Technorati

  • Add to
Technorati Favorites

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Moving transactions online | Main | Put your game face on »

Stux on you

By Dave Birch posted Nov 29 2010 at 8:58 PM

[Dave Birch] The media are full of cyberwar at the moment. I'm sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.

President Mahmoud Ahmadinejad admitted Monday that "several" uranium enrichment centrifuges were damaged by "software installed in electronic equipment," amid speculation Iran's nuclear activities had come under cyberattack.

[From France24 - Iran admits uranium enrichment hit by malware]

So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.

Here are the bare bones.

the malicious code that Stuxnet aims to run on the industrial control system execute on the PLC and are written in MC7 bytecode. MC7 is the assembly language that runs on PLCs and is often originally written in STL... only CPUs 6ES7-417 and 6ES7-315-2 are infected

[From Exploring Stuxnet’s PLC Infection Process | Symantec Connect]

OK. So this seems reasonable. A clever virus writer has put together something that propagates across PCs and when it finds a particular CPU attached (for industrial control) is sends its "payload" to that CPU. It's very specific.

Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz. The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.

[From Missing piece completes Stuxnet jigsaw • The Register]

Pretty dastardly.

O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, who was executed by the new Islamic government shortly after the revolution.

[From Stuxnet Analysis Supports Iran-Israel Connections | threatpost]

On the other hand, it was also the day that the Unabomber struck at Northwestern, so maybe it's got something to do with that? Or what if it is related to the famous Pierre Trudeau rally on that day and BC separatists are behind the hack, actually targeted at the Canadian oil industry? Of course, none of us has any idea whether any of this is true or not. I does make you wonder though: if there was a proper digital identity infrastructure in place, which managed M2M transactions as well as P2M transactions, then how would this kind of attack work? Suppose, for example, that the kind of digital identity infrastructure that uses digital signatures was in place that how would sneaky foreign viruses get their payload on board?

It turns out that the Stux story does involve digital signatures. Having followed the links from a few stories to try and find out what actually happened, I'm none the wiser. Perhaps journalists aren't reporting it properly, or perhaps bits of the story are missing.

Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: Has the stolen certificate been revoked?
A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.

[From Stuxnet Questions and Answers -]

I don't understand this. A stolen certificate wouldn't allow you to forge a signature, since it contains the public key, whereas you need the private key to form a signature. Is there anyone out there who can point me in the right direction to find out what has actually been going on? Or is this more evidence that someone has the master key to the internet that The Daily Telegraph told us about.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341c4fd753ef0147e03ed092970b

Listed below are links to weblogs that reference Stux on you:

Comments

A stolen certificate wouldn't allow you to forge a signature, since it contains the public key, whereas you need the private key to form a signature.

The public key is already just that - public. There is no reason to steal it. What has been stolen is Realtek's and JMicron's private key.

Here is one related link on the topic: http://www.mail-archive.com/cryptography@metzdowd.com/msg11324.html

Thanks for this excellent pointer Eitan.

The comments to this entry are closed.