Trying to break the “unbreakable”

If you say something is “unhackable,” you just might get a few takers — researchers who want to see if they can hack through.

Here, a researcher takes on a security device called a data diode.

Watch here:

What’s a Data Diode?

A data diode is a little light that
sends signals — in one direction only — to a receiver.

You might think of it like a
flashlight.

Your eye may be able to see the
light from far away.

But you can’t take over my
flashlight and turn it on or off.

Only I can control it.

My flashlight can only send, not
receive.

So, people use data diodes to
protect really important things, like nuclear power plants and national
secrets.

Some advertising describes some data diode products as “unhackable” and “enforced by physics.”


A model of a data diode by FoxGuard Solutions researcher Monta Elkins. Image: Archer News

A Challenge

Researcher Monta Elkins of FoxGuard
Solutions decided to try.

“It’s the unhackable device. It’s
impossible one, right?” he said to Archer News. “So, yeah, you have to
give it a try. You have to crack the impossible device.”

He created a data diode of his own
—also called a unidirectional gateway — in a miniature-sized nuclear power
plant model.

The computer inside his plant
connects to the data diode, then the data diode connects to another computer
outside the plant.

In theory, the plant can use the
one-way gate to send out info about how much energy the plant is
producing, but no one can send anything back in, like a nasty command
to shut off the cooling fans and cause a nuclear accident.

“They might do something bad,” Elkins said. “Leave it to your imagination. Plants, Industrial control plants. Water. Power. Nuclear power plants. You don’t want to shut them down. You don’t them to overheat, you don’t want these things to happen.”


Researcher Monta Elkins’ portable model nuclear power plant with data diode. Image: Archer News

One Way

You may hear that data diodes are
like a one-way street.

A one-way sewer valve.

A revolving security gate that lets
you out, but not in.

“People can walk through this in one
direction,” Elkins said, using the revolving gate as an example in a presentation
to an audience in Stockholm, Sweden. “But to go the other
way, you need a Star Trek transporter.”

Elkins may have found his transporter.


Elkins compares a data diode to a revolving security gate that allows you to travel in one direction only. Image: PublicDomainPictures

How It Works

Here’s how the attack plays out, according to Elkins:

  • He puts malware onto the computers in the data diode.

  • His malware turns the data diode computers into tiny radios that can transmit & receive signals — in both directions.

  • The radio signals bypass the one-way data diode connection.

  • Attackers outside the plant can use that two-way radio connection to control the model plant & shut down the cooling system.

“We’re shutting off the cooling in the plant which basically means it may overheat and melt down,” he said“That’s bad.”


Elkins’ model nuclear reactor cooling fan, shut down by “attackers” who bypassed the plant’s data diode. Image: Archer News

Should You Still Use Them?

Elkins’ data diode is a custom
version, not an exact copy of the ones in real nuclear plants.

But he says cyber invaders may try
to use this kind of attack to spy or do damage.

“Did you think someone is
actually doing this attack right now, somewhere?” Archer News asked Elkins.

“You know very possibly,” he
answered. “If I’m running an intelligence agency, there’s a bunch of
people like me sitting in rooms working on this technology for when it’s
necessary. Probably in preparation. You don’t want to start these attacks
right now, necessarily. People aren’t ready to start a war, but people always prepare
for war.”

Does he think people should still
use data diodes for security?

Yes.

“I’m not saying, ‘Don’t use
those devices.’ None of the security devices that we use are perfect,”
said Elkins.

“Data diodes in a properly organized network can be very useful,” he added. “This is saying, ‘Consider that they may not be perfect.’”


Security researcher Monta Elkins describes his attack on data diode technology in Anaheim, California. Image: Archer News

Vulnerable?

Archer News asked some companies
selling data diode products for their thoughts.

Owl Cyber Defense says their data
diode device is more complex and not vulnerable to this kind of attack.

Waterfall Security Solutions says
their unidirectional gateway device is also more complex and not vulnerable.

Advenica says they have taken this kind
of attack into account when designing their data diode product — and
you should, too, if you use data diodes on your systems.

The Department of Homeland Security
says data diodes can help
industrial systems stay safe
.

“If you recognize the potential
for the attack you can mitigate it,” Elkins said. “You still need
to ‘do security’ inside your plant, regardless of any air gap or data
diode.” 



Leave a Reply