Multiple vulnerabilities in Ultra-wideband (UWB) Real-time Locating Systems (RTLS) have been reported, allowing threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location information.
The cybersecurity firm Nozomi Networks disclosed in a technical write-up last week, "The zero-days found specifically pose a security risk for workers in industrial environments. If a threat actor exploits these vulnerabilities, they have the ability to tamper with safety zones designated by RTLS to protect workers in hazardous areas."
RTLS is used for automatically identifying and tracking the location of objects or people in real-time, typically within a confined indoor area. This is accomplished by attaching tags to assets, which broadcast USB signals to fixed reference points known as anchors, which then determine their location.
However, flaws discovered in RTLS solutions (Sewio Indoor Tracking RTLS UWB Wi-Fi Kit and Avalue Renity Artemis Enterprise Kit) meant they could be weaponized to intercept network packets exchanged between anchors and the central server and stage traffic manipulation attacks.
Simply stated, the concept is to guesstimate the anchor coordinates and use them to manipulate the RTLS system's geofencing rules, effectively tricking the software into allowing access to restricted areas and even disrupting production environments. Even worse, by changing the position of tags and placing them within geofencing zones, an adversary can affect the shutdown of entire production lines by indicating that a worker is nearby even when no one is present.
In another situation, the location data could be tampered with to place a worker outside of a geofencing zone, causing dangerous machinery to restart while a worker is nearby, posing serious safety risks. However, it is worth noting that doing so requires an attacker to either compromise a computer connected to that network or covertly add a rogue device to gain unauthorised access to the network.
Last but not the least, how to prevent these attacks?
To prevent AitM attacks, it is recommended to enforce network segregation and add a traffic encryption layer on top of existing communications.
"Weak security requirements in critical software can lead to safety issues that cannot be ignored," researchers Andrea Palanca, Luca Cremona, and Roya Gordon said. "Exploiting secondary communications in UWB RTLS can be challenging, but it is doable."
Nozomi recommends that administrators of RTLS systems use firewalls to restrict access, intrusion detection systems, and SSH tunneling with packet synchronisation counter-values for data encryption.