OT Cyber Attack Workshop [ Case Study 06 ]: Replay Attack on Safety Surveillance Camera


This week we introduce the sixth workshop case study: Replay Attack on Railway Station Train Docking Safety Surveillance Camera System. We will cover the attack tactics, techniques, and procedures (TTPs) in depth and include a practical demonstration of the effect of the replay attack. The full attack scenario also uses the FCI attack and the firmware attack introduced in the previous case studies. If you are interested in the other case studies, please refer to the links below:

  1. Case Study 1: False Data/Command Injection Attack
  2. Case Study 2: OT-Network ARP Spoofing Attack
  3. Case Study 3: DDoS on Modbus Channel Attack
  4. Case Study 4: Man-in-the-Middle Attack on HMI-PLC Control Chain
  5. Case Study 5: Drone Firmware Attack and Defense

Program Design Purpose: The objective of this cyber attack case study is to develop a workshop that gives a practical demonstration of a replay attack on a station train docking safety surveillance camera within a railway OT system. In the attack scenario, the replay attack is executed by a sophisticated attacker inside the OT system, building on a successful camera firmware attack. Specifically, the attack targets the train detection camera located in the station docking area, which serves as a crucial safety mechanism of the train surveillance system. The scenario involves a red team attacker implanting malicious firmware into the train detection camera, thereby compromising its functionality. The compromised camera is then used to capture video footage, which is subsequently replayed and sent back to the station control room. The goal of this attack is to disrupt the safety surveillance system and deceive the station operator, highlighting the vulnerabilities inherent in OT systems and the potential impact of cyber attacks on critical infrastructure.

Attack Vector: Firmware Attack, Replay Attack
Important: The demonstrated attack case is used for education and training in IT-OT cyber security ICS courses at different levels; please don't apply it to any real-world system.

Attack Scenario Demo Video:


Introduction

This case study aims to create a simplified emulation of the railway train detection surveillance system, which serves as a dual safety mechanism within the train station's docking assistant system. The primary objective is to illustrate the potential impact of a replay attack on the system using this platform. The project comprises two principal sections:

  • Railway OT System Station Docking Assistant System: Within our railway emulation setup, we will devise a mechanism enabling station operators to manage rail docking procedures. This system incorporates a dual safety check mechanism utilizing both train position/motion sensors and train visual detection cameras. When either sensor detects a train in motion entering the station, it triggers the activation of the train brakes to reduce the train's speed.
  • OT System Replay Attack Demo: This section demonstrates a scenario in which a red team attacker infiltrates the railway OT network, then attacks the docking dual safety check mechanism through a false data injection (FCI) attack on the train position sensor signal control chain and disrupts the safety camera detection system via a camera video replay attack.


Railway OT System Station Docking Assistant System Introduction

Within our railway OT system, each station's entrance docking area is equipped with two distinct sensors:

  • One train motion and position detection sensor next to the railway.
  • One train object detection surveillance camera facing to the docking area.

Both sensors are tasked with detecting a train's movement as it enters the station. The system workflow is depicted in the image below:

When a train approaches a station and enters the docking preparation zone:

  • The position and motion detection sensor, connected to the station control PLC, detects the train's presence, prompting the PLC to dispatch a signal indicating the train's arrival to the station's HMI (depicted in the blue signal section of the workflow diagram).
  • Simultaneously, the train object detection camera streams video footage of the passing train to a dedicated train detection computer. This computer utilizes computer vision (CV) object detection algorithms to identify the train and calculate its speed, subsequently sending this information to the HMI (illustrated in the green signal section of the workflow diagram).
  • The HMI processes data from both the PLC and the train detection computer, assessing whether the train is decelerating and managing the station's operations accordingly.

OT Station Docking Surveillance System Replay Attack Demo

The attack demo will focus on compromising the two safety mechanisms: the train motion detection sensor and the train object detection camera.

For the motion detection sensor connected to the PLC, the red team attacker can manipulate its sensor state through a false data injection attack.

For the train object detection camera, it is hard for a hacker to modify the byte data in the video stream via a man-in-the-middle attack. Instead, the attacker will implement a firmware attack on the camera to establish a "backdoor." Subsequently, the following steps will be executed to conduct the replay attack:

  1. Initiate a firmware attack to inject a backdoor into the camera.
  2. Utilize the camera's backdoor to record a video indicating no train detection.
  3. Simultaneously with the false data injection attack on the PLC-HMI part, the attacker will transmit the pre-recorded video to the train detection computer, triggering the replay attack.

The attack flow is shown below:

By combining the false data injection attack on the PLC and the replay attack on the camera, the red team attacker can disrupt the station docking assistant system, rendering the station HMI and operator unable to detect incoming trains for docking.


Key Tactics, techniques, and procedures (TTP) of Replay Attack

The tactics, techniques, and procedures (TTP) of a surveillance camera replay attack involve several steps that an attacker might take to intercept, manipulate, and replay video footage from a surveillance camera in an OT (Operational Technology) system.

Reconnaissance:

  • Tactics: Identify the target surveillance camera or cameras within the OT system.
  • Techniques: Gather information about the camera's make and model, location, network configuration, and any existing security measures.
  • Procedures: The red team attacker scans the network services to find the RTSP video server hosted by the camera, uses the camera admin page to identify the camera model, then finds the camera API in online documentation.

Interception and Analysis:

  • Tactics: Monitor the communication between the surveillance camera and the monitoring/recording system.
  • Techniques: Capture video footage and associated data packets as they are transmitted over the network.
  • Procedures: The red team attacker analyzes the camera connection packet details to find the connected video processing computer and identify the replay attack target.

Replay:

  • Tactics: Replay the manipulated video footage to the monitoring/recording system or operators.
  • Techniques: Ensure that the replayed footage aligns with the attacker's objectives, such as concealing unauthorized access, tampering, or other malicious activities.
  • Procedures: The red team attacker sends the pre-saved fake video to the video processing computer to disrupt the train detection safety mechanism.


Background Knowledge

In this section, we introduce basic knowledge of the replay attack and of the Real Time Streaming Protocol (RTSP), which is used for sending the camera video to the train image CV detection computer.

Replay Attack

In OT system cyber attacks, the replay attack is frequently employed to target communication channels or control chains that utilize intricate protocols or handle large data flows. This method differs from traditional attack methods such as FDI/FCI (False Data Injection/False Command Injection) or Man-in-the-Middle (MitM) attacks. Instead of directly tampering with data or commands, a replay attack involves intercepting and retransmitting previously captured data packets. This approach can be particularly effective when dealing with complex protocols or high-volume data streams, allowing attackers to exploit vulnerabilities in the communication process without directly altering the transmitted information.

A replay attack is a type of network attack in which an attacker captures a valid network transmission and then retransmits it later. The main objective is to trick the system into accepting the retransmitted data as legitimate. Replay attacks are hazardous because they are challenging to detect, and they can succeed even if the original transmission was encrypted, since the attacker never needs to read the content.

An attacker can launch a replay attack to gain unauthorized access to systems or networks. A replay attack can also disrupt the regular operation of a system by inundating it with repeated requests. The attacker carries out the attack by intercepting and retransmitting data packets over a network; a successful replay attack can likewise be performed by replaying recorded audio or video transmissions.

A simple replay diagram is shown below:


Reference : https://www.baeldung.com/cs/replay-attacks

A replay attack on a camera in an OT (Operational Technology) system involves capturing video footage from the camera, altering it or replaying it, and then sending it back to deceive the system or its operators. This type of attack can have various implications depending on the specific application of the camera within the OT system.


Real Time Streaming Protocol

To make the replay attack easy to implement, the video protocol we use for the camera is unencrypted RTSP.

The Real-Time Streaming Protocol (RTSP) is an application-level network protocol designed for multiplexing and packetizing multimedia transport streams (such as interactive media, video and audio) over a suitable transport protocol. RTSP is used in entertainment and communications systems to control streaming media servers. RealNetworks developed RTSP in 1996 to control the entertainment and communication systems of a streaming server; RTSP utilizes the User Datagram Protocol (UDP) and the Real-time Transport Protocol (RTP) to carry the media. RTSP is the standard protocol used for streaming video data from IP cameras and supports reliable segmented streaming, enabling users to watch a stream while it is still being downloaded. The protocol also provides extensive customization options to help you build your own streaming applications and add new features. The main disadvantage of RTSP is that it isn't widely used for broadcasting multimedia over the Internet.

An example of RTSP in action, with the video and audio data being delivered over a separate UDP-based RTP stream, is shown below:

The protocol is used for establishing and controlling media sessions between endpoints. Clients of media servers issue commands such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (video on demand) or from a client to the server.

Reference: https://www.informit.com/articles/article.aspx?p=169578&seqNum=3
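The RTSP session above only controls the stream; the frames themselves travel in RTP packets whose 12-byte fixed header carries a sequence number, a timestamp and a stream identifier (SSRC). The following is an added example for this article, not code from the workshop project or the camera vendor: it parses that header from raw UDP payloads and runs a small monitor on the train detection computer side that flags the header and content anomalies a crude packet-level replay produces (backwards sequence numbers or timestamps, a changed SSRC, and frame payloads that repeat byte-for-byte). The packets are constructed in the block; the header layout is the one from RFC 3550.

```python
"""RTP header parsing and a replay monitor for the video receiver side.
Added example for this article; not the workshop's own code.
Assumption: the receiver sees raw RTP-over-UDP packets, so the 12-byte
fixed header is available. All packets below are constructed test data."""
import hashlib
import struct

RTP_HEADER_LEN = 12


def parse_rtp_header(packet: bytes) -> dict:
    """Parse the fixed 12-byte RTP header (RFC 3550, section 5.1)."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unexpected RTP version {version}")
    return {
        "version": version,
        "payload_type": b1 & 0x7F,
        "marker": bool(b1 & 0x80),
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload": packet[RTP_HEADER_LEN:],
    }


def build_rtp_packet(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 96) -> bytes:
    """Build a minimal RTP packet (version 2, no CSRC list, no extension). Test data only."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


class RtpReplayMonitor:
    """Flags a stream whose headers stop behaving like a live camera.

    A live camera advances seq by 1 per packet, keeps the timestamp monotonic
    and keeps one SSRC for the session. Re-sent captured packets carry old
    (seq, timestamp) values, usually a different SSRC, and payloads that repeat
    exactly, which a live scene practically never produces.
    """

    def __init__(self, history: int = 512):
        self.ssrc = None
        self.last_seq = None
        self.last_ts = None
        self.seen_hashes = []
        self.history = history

    def check(self, packet: bytes) -> list:
        h = parse_rtp_header(packet)
        alerts = []
        if self.ssrc is None:
            self.ssrc = h["ssrc"]
        elif h["ssrc"] != self.ssrc:
            alerts.append("ssrc-changed")
        if self.last_seq is not None:
            expected = (self.last_seq + 1) & 0xFFFF
            if h["seq"] != expected:
                # seq is 16-bit; a backwards jump (mod 2^16) is the replay signature
                delta = (h["seq"] - self.last_seq) & 0xFFFF
                alerts.append("seq-regressed" if delta > 0x8000 else "seq-gap")
            if ((h["timestamp"] - self.last_ts) & 0xFFFFFFFF) > 0x80000000:
                alerts.append("timestamp-regressed")
        digest = hashlib.sha256(h["payload"]).hexdigest()
        if digest in self.seen_hashes:
            alerts.append("payload-repeated")
        self.seen_hashes.append(digest)
        if len(self.seen_hashes) > self.history:
            self.seen_hashes.pop(0)
        self.last_seq, self.last_ts = h["seq"], h["timestamp"]
        return alerts


def scan_stream(packets) -> dict:
    """Run the monitor over a packet list and count alerts per type."""
    mon = RtpReplayMonitor()
    counts = {}
    for pkt in packets:
        for a in mon.check(pkt):
            counts[a] = counts.get(a, 0) + 1
    return counts


def constructed_stream():
    """Constructed test data: 5 live frames, then 3 packets replayed from an
    earlier capture (old seq/timestamp, different SSRC, identical payloads)."""
    live = [build_rtp_packet(1000 + i, 90000 * i, 0x11111111, f"frame-{i}".encode())
            for i in range(5)]
    replay = [build_rtp_packet(10 + i, 3000 * i, 0x22222222, f"frame-{i}".encode())
              for i in range(3)]
    return live + replay


if __name__ == "__main__":
    print(scan_stream(constructed_stream()))
```

Two caveats for a practitioner. First, many cameras are configured to interleave RTP inside the RTSP TCP connection, in which case the receiver must strip the 4-byte interleave framing before parsing the header. Second, in the scenario this article describes the replay is launched from a backdoor on the camera itself, so the attacker can emit fresh sequence numbers, timestamps and SSRC; only the content-level check (repeating frame payloads) and cross-checking against the PLC sensor channel remain useful against that variant.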

Project Design

In this section we introduce how we designed the railway OT system station docking assistant system and the detailed steps of the replay attack.

Design of Railway OT System Station Docking Assistant System

The train safety surveillance camera is constructed using a Raspberry Pi 3B+ equipped with a camera module. In the physical setup, preceding the designated slow-down zone of the railway station, two thermal reflection sensors are positioned. These sensors are linked to the PLC for train detection purposes. Adjacent to these sensors, our surveillance camera is installed to further detect approaching trains. The camera captures video footage, which is then transmitted to a dedicated video processing computer. Our program utilizes computer vision (CV) algorithms to perform both motion and train object detection.

The position of the camera and the sensor is shown below:

In our digital twin real-world emulator, we replicate this configuration faithfully. When a train passes through the sensor and camera detection area:

  • The PLC converts the electrical signal from the sensors into digital form and transmits it to the Human-Machine Interface (HMI). The HMI displays the train detection result and, based on the detection time and train length, calculates the train's speed (speed-val-1).
  • Simultaneously, the motion detection program running on the camera's video processing computer triggers the train object detection algorithm to confirm the train's passage. It then calculates the train's speed (speed-val-2).

If either of the two speed values (speed-val-1 and speed-val-2) exceeds the designated train docking speed, the station control HMI issues a signal to instruct the train to decelerate.
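The HMI rule above (brake if either speed-val-1 or speed-val-2 exceeds the docking limit) is what the combined attack targets. The following is an added example for this article, not the workshop's HMI code: it computes speed-val-1 from the sensor timing and train length as the text describes, applies the either-channel braking rule, and adds one defensive check the article does not implement, an operator alarm when the two independent channels disagree about whether a train is present. The docking limit, train length, timings and the 25% speed tolerance are constructed values; the three scenario functions show a normal passage, a camera-only replay (caught by the mismatch alarm), and the FCI-plus-replay combination (which silences both channels, as the article concludes).

```python
"""Dual-channel docking check for the station HMI.
Added example for this article; not the workshop's own HMI code.
All thresholds and timings are constructed values."""
from dataclasses import dataclass
from typing import Optional

DOCKING_SPEED_LIMIT = 5.0   # m/s, assumed docking speed threshold (constructed)
SPEED_TOLERANCE = 0.25      # assumed allowed relative disagreement between channels


def speed_from_sensor(train_length_m: float, t_enter: float, t_exit: float) -> float:
    """speed-val-1: train length divided by the time the sensor stayed blocked."""
    dt = t_exit - t_enter
    if dt <= 0:
        raise ValueError("exit time must be after enter time")
    return train_length_m / dt


@dataclass
class ChannelReport:
    train_detected: bool
    speed: Optional[float]   # None when no train was seen on this channel


@dataclass
class HmiDecision:
    brake: bool
    alarm: Optional[str]


def docking_decision(plc: ChannelReport, cam: ChannelReport) -> HmiDecision:
    """Brake if either channel reports an over-limit speed (the article's rule).
    Additionally raise an operator alarm when the two independent channels
    disagree, which is the condition a single-channel replay produces."""
    speeds = [r.speed for r in (plc, cam) if r.train_detected and r.speed is not None]
    brake = any(s > DOCKING_SPEED_LIMIT for s in speeds)
    alarm = None
    if plc.train_detected != cam.train_detected:
        alarm = "channel-mismatch: sensor and camera disagree on train presence"
    elif len(speeds) == 2 and abs(speeds[0] - speeds[1]) > SPEED_TOLERANCE * max(speeds):
        alarm = "channel-mismatch: sensor and camera speeds differ by more than tolerance"
    return HmiDecision(brake=brake, alarm=alarm)


def scenario_normal() -> HmiDecision:
    """Constructed: a 20 m train blocks the sensor for 2.5 s (8 m/s); camera agrees."""
    v1 = speed_from_sensor(20.0, 100.0, 102.5)
    return docking_decision(ChannelReport(True, v1), ChannelReport(True, 8.2))


def scenario_camera_replayed() -> HmiDecision:
    """Constructed: sensor sees the train, camera replays an empty-track video."""
    v1 = speed_from_sensor(20.0, 100.0, 102.5)
    return docking_decision(ChannelReport(True, v1), ChannelReport(False, None))


def scenario_fci_plus_replay() -> HmiDecision:
    """Constructed: FCI clears the sensor state and the camera video is replayed,
    so both channels report no train and the HMI has nothing to cross-check."""
    return docking_decision(ChannelReport(False, None), ChannelReport(False, None))


if __name__ == "__main__":
    for name, fn in [("normal", scenario_normal),
                     ("camera replayed", scenario_camera_replayed),
                     ("FCI + replay", scenario_fci_plus_replay)]:
        print(f"{name}: {fn()}")
```

The mismatch alarm is cheap because the two channels already arrive at the HMI; it costs nothing extra in the field. It does not save the system when both channels are compromised at once, which is exactly why the case study pairs the FCI attack on the PLC chain with the camera replay.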

The detailed operation scenario is shown below:

Design of Surveillance Camera Replay Attack

As illustrated in the preceding introduction to the Railway OT system station docking assistant system workflow, two safety mechanisms are in place: the train motion detection sensor and the train object detection camera. Regarding the motion detection sensor connected to the PLC, a malicious actor can alter its state through a false data injection attack. However, manipulating the byte data in the video stream of the train object detection camera via a man-in-the-middle attack proves challenging for hackers. Therefore, the attacker opts to execute a firmware attack on the camera, creating a "backdoor" to facilitate the replay attack, following these steps:

  1. Implement a firmware attack to enable the camera to run modified firmware with a backdoor.
  2. Utilize the camera's backdoor to record a video depicting the railway without a passing train.
  3. Concurrently with the false data injection attack on the PLC-HMI interface, interrupt the video stream transmitted from the camera to the train detection computer. Subsequently, replay the pre-recorded video captured in the previous step.

The detailed attack flow is shown below:

By employing the false data injection attack on the PLC and the replay attack on the camera, the red team attacker disrupts the station docking assistant system, rendering the station HMI and operator unable to detect approaching trains for docking.

To watch the demo video, please refer to this link on my YouTube channel:

Online Video link: https://youtu.be/nTv7dcfjZts?si=h-ptx8jN6Gs1Q1JK


Thanks for reading. If you have any questions or suggestions, please feel free to message me. Many thanks if you can give some comments and share any improvement advice so we can make our work better ~
