Any new progress?
I am working on some similar research around detecting compromised PLCs through electromagnetic side channels. I've been playing around with this repo for about a week now, and our results are very good. The side-channel signals from a regular boot differ significantly from those of the example payloads in the repo.
Obviously, the payloads run during the very beginning of the PLC boot and then the PLC returns to normal execution after the payload is done.
Has there been any new progress on this project? I know your team mentioned in some live demos the possibility of injecting code directly into the firmware, into the web handler, etc.
Ideally, the payload would be triggered from some external interface at a later date after the PLC was compromised, or at least after a simple delay. If I wanted a payload to execute during the runtime of the PLC, where might I inject it? We have good side-channel signals for runtime ladder logic, and I'd like to compare those to a payload executing either simultaneously with the runtime or supplanting the regular runtime execution.
Or something like changing the LED state, either during the exploits in this repo or during runtime. I'm just looking for something more akin to a legitimate runtime attack that will be harder to detect via side channels.
Any help is appreciated, thanks!