
Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data.

RTLS technology is widely used in industrial environments, mass transit, healthcare, and smart city applications. Its primary role is to assist in safety by defining geofencing zones using tracking tags, signal reception anchors, and a central processing system.

General architecture of RTLS systems (Nozomi)

Tampering with the limits of hazard zones or the position of people in these environments can have dire consequences for their health and safety.

Researchers at Nozomi Networks revealed the previously undocumented security flaws during Black Hat 2022, while the full technical details were published in a white paper yesterday.

Non-encrypted communications

Nozomi analysts focused on the Sewio Indoor Tracking RTLS UWB Wi-Fi kit and Avalue Renity Artemis Enterprise kit, two widely used RTLS solutions that support the safety functionalities described above.

The tracking tags communicate with the anchor via UWB signals, while the anchors use Ethernet or Wi-Fi to transmit or receive data from the central computer.

If Wi-Fi is selected, both devices use a custom binary network protocol for communications. However, since the traffic is not encrypted, packet captures taken with Wireshark make reverse engineering the protocol possible.

Captured Avalue network packet (Nozomi)

The prerequisite for capturing those packets is to break into the Wi-Fi network, which is WPA2-PSK-protected. However, both vendors use a weak default password that may not be changed during installation, so many deployments are easy to breach.

If a remote attacker manages to compute the position of the anchors to derive the relative position of the tracking tags, they would be able to send arbitrary values to the central computer by forging sync and positioning packets.

Nozomi says the key information of anchor positioning can be derived through the transmitted power levels and timestamps, which indicate tag distances from the anchor points. However, physical access to the target area would simplify this process.

Transmission power levels in the packet (Nozomi)

Apart from data manipulation, an attacker may eavesdrop to track the positions of assets and people, either for stalking and reconnaissance or for locating a valuable item.

Obtaining the position of a target tag (Nozomi)

Movement patterns can be recorded and replayed during attacks to imitate realistic tag movement, like a guard on patrol, for example.

Tampering with geofencing

An attacker with access to the RTLS system can alter the position of a tag as needed to allow entrance to a restricted area or to raise false alarms and disrupt production line operations.

Placing a tag inside a protected zone at will (Nozomi)

Additionally, personnel could be put at risk of physical harm by making them appear to be outside machine safety zones, so the machinery would keep operating as if nobody were nearby.

Altering the position of a target tag (Nozomi)

If the threat actor aims to steal a valuable item tracked by a tag, they could manipulate its position to make it appear stable inside a protected zone while physically removing it from the monitored area without raising any alarms.

Nozomi suggests that administrators of RTLS systems should use firewalls to restrict access, add intrusion detection systems to the network, and use SSH tunneling, together with packet synchronization counter values, to encrypt and validate the data in transit.
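One server-side check that follows from these findings, added here as an example and not Nozomi's or either vendor's code: a monitor over decoded position updates that flags packet counters that fail to increase, physically implausible jumps between fixes, and verbatim repeats of an earlier trajectory. The record layout, the 3 m/s speed ceiling and the sample stream are assumptions constructed for the example.

```python
import math
from collections import namedtuple

# Decoded position update as the central server sees it after parsing an anchor packet.
# Fields (an assumption, not the Sewio or Avalue format): tag id, per-tag packet/sync
# counter (what the counter-value mitigation checks), timestamp in seconds, x and y in metres.
PositionUpdate = namedtuple("PositionUpdate", "tag_id seq ts x y")

class RtlsAnomalyDetector:
    # Flags counters that do not increase, moves faster than plausible on a shop floor,
    # and verbatim repeats of an earlier moving trajectory (a recorded walk played back).
    def __init__(self, max_speed_mps=3.0, window=4):
        self.max_speed = max_speed_mps   # assumed ceiling for a walking worker
        self.window = window             # fixes per trajectory fingerprint
        self.last = {}                   # tag_id -> last accepted update
        self.history = {}                # tag_id -> list of rounded (x, y) fixes
        self.seen = {}                   # tag_id -> set of trajectory fingerprints

    def check(self, upd):
        alerts = []
        prev = self.last.get(upd.tag_id)
        if prev is not None:
            if upd.seq <= prev.seq:
                alerts.append(f"{upd.tag_id}: counter {upd.seq} <= {prev.seq} (replayed/forged packet)")
            dt = upd.ts - prev.ts
            dist = math.hypot(upd.x - prev.x, upd.y - prev.y)
            if dt <= 0 or dist / dt > self.max_speed:
                alerts.append(f"{upd.tag_id}: {dist:.1f} m in {dt:.1f} s (implausible jump)")
        # Genuine UWB fixes carry centimetre noise, so a verbatim repeat of a moving window is suspicious.
        hist = self.history.setdefault(upd.tag_id, [])
        hist.append((round(upd.x, 2), round(upd.y, 2)))
        if len(hist) >= self.window:
            fp = tuple(hist[-self.window:])
            seen = self.seen.setdefault(upd.tag_id, set())
            if len(set(fp)) > 1 and fp in seen:
                alerts.append(f"{upd.tag_id}: trajectory window repeated verbatim (possible replay)")
            seen.add(fp)
        self.last[upd.tag_id] = upd
        return alerts

# Constructed sample: T1 walks, then "teleports" about 47 m and its counter runs backwards;
# T2 walks a short route, then the same four fixes are played back ten seconds later.
SAMPLE_STREAM = [PositionUpdate(*r) for r in [
    ("T1", 1, 0.0, 1.0, 1.0), ("T1", 2, 1.0, 2.1, 1.0), ("T1", 3, 2.0, 3.2, 1.1),
    ("T1", 4, 3.0, 40.0, 30.0), ("T1", 3, 4.0, 3.2, 1.1),
    ("T2", 1, 0.0, 5.0, 5.0), ("T2", 2, 1.0, 6.0, 5.2), ("T2", 3, 2.0, 7.0, 5.4),
    ("T2", 4, 3.0, 8.0, 5.6), ("T2", 5, 13.0, 5.0, 5.0), ("T2", 6, 14.0, 6.0, 5.2),
    ("T2", 7, 15.0, 7.0, 5.4), ("T2", 8, 16.0, 8.0, 5.6)]]

def run_detector(stream=SAMPLE_STREAM):
    det = RtlsAnomalyDetector()
    return [alert for upd in stream for alert in det.check(upd)]
```

Running `run_detector()` on the sample stream yields four alerts: the T1 jump, the T1 counter going backwards (with a second jump back), and the T2 trajectory replay.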

Source: www.bleepingcomputer.com