{"id":8503,"date":"2017-07-29T04:46:17","date_gmt":"2017-07-29T12:46:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/29\/news-2277\/"},"modified":"2017-07-29T04:46:17","modified_gmt":"2017-07-29T12:46:17","slug":"news-2277","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/29\/news-2277\/","title":{"rendered":"How Hackers Can Use &#8216;Evil Bubbles&#8217; to Destroy an Industrial Pump"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/597b80ea81c49267751c04a5\/master\/pass\/evilbubble-FA.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Sat, 29 Jul 2017 12:00:00 +0000<\/strong><\/p>\n<p data-reactid=\"243\"><span class=\"lede\" data-reactid=\"244\">Since the NSA\u2019s <\/span>infamous <a href=\"https:\/\/www.wired.com\/2011\/07\/how-digital-detectives-deciphered-stuxnet\/\" data-reactid=\"247\">Stuxnet malware<\/a> started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of <em data-reactid=\"250\">Die Hard<\/em> sequels and into reality. As those attacks <a href=\"https:\/\/www.wired.com\/story\/crash-override-malware\/\" data-reactid=\"253\">evolve<\/a>, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. 
Judging by one proof-of-concept demonstration, those attacks could come in more insidious and unexpected forms than defenders expect.<\/p>\n<p data-reactid=\"256\">In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems\u2014physical systems that can be manipulated by digital means\u2014might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.<\/p>\n<p data-reactid=\"292\">Midway through her talk, Krotofil pointed to a Flowserve pump system, roughly the size of a big rig truck&#x27;s engine, in front of the crowd. To that point, it had loudly cycled water through a series of transparent pipes. Then she cued a \u201chacker\u201d in a black hoodie on stage, who typed a command that sent a thick flow of bubbles through those pipes. A sensor on the pump registered that it was subtly vibrating, reducing its efficiency and, Krotofil said, slowly damaging it. 
In a matter of hours, she said, the bubbles would start to wear pits in the pump&#x27;s metal surfaces, and in days would wear down the \u201cimpellers\u201d that push water through it, until it\u2019s rendered useless.<\/p>\n<p data-reactid=\"294\">\u201cBubbles can be evil,\u201d she said. \u201cThese bubbles are my attack payload. And I deliver them through the physics of the process.\u201d<\/p>\n<p data-reactid=\"296\">Importantly, Krotofil&#x27;s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called \u201ccavitation,\u201d turn back into a liquid, transferring their energy to the pump. \u201cThey collapse at very high velocity and high frequency, which creates massive shockwaves,\u201d Krotofil explained.<\/p>\n<p>Krotofil&#8217;s demo rig, a Flowserve industrial pump.<\/p>\n<p data-reactid=\"305\">That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil&#x27;s attack doesn&#x27;t merely warn about the specific danger of hacker-induced bubbles. Instead, it&#x27;s meant as a harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven\u2019t directly breached.<\/p>\n<p data-reactid=\"307\">\u201cShe can use a less critical piece to control that critical piece of the system,\u201d says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. 
\u201cIf you look at just the data flows, you\u2019re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.\u201d<\/p>\n<p data-reactid=\"309\">That could not only allow a hacker to reach further into a sensitive system, but also make it far harder to detect their presence or the damage they&#x27;ve caused, Larsen says. Cavitation, for instance, is a hazard of industrial systems that often occurs by accident, so stealthy hackers could use it as a weapon without necessarily attracting attention.<\/p>\n<p data-reactid=\"315\">In her talk, Krotofil argued that defending against that kind of insidious attack requires more careful, broader measurements of industrial systems to identify potential hacker attacks as they unfold. She described that kind of anomaly detection as another necessary layer of defense for those with cyberphysical systems, beyond traditional data security protections like firewalls and IT-focused intrusion detection systems. &quot;We know that we have to have defense in depth,&quot; Krotofil said. &quot;This is how we build security.&quot; Hacker attacks that meddle with physical infrastructure remain exceedingly rare. But in 2015, for instance, hackers <a href=\"https:\/\/www.wired.com\/2015\/01\/german-steel-mill-hack-destruction\/\" data-reactid=\"317\">attacked a German steel mill<\/a>, preventing a furnace from being shut down and causing &quot;massive&quot; damage to the facility according to a government report. 
And late last year, hackers used a <a href=\"https:\/\/www.wired.com\/story\/crash-override-malware\/\" data-reactid=\"320\">sophisticated piece of malware known as &quot;Crash Override&quot; or &quot;Industroyer&quot;<\/a> to automate an attack on the country&#x27;s state-run power company Ukrenergo, triggering a blackout in Kiev.<\/p>\n<p data-reactid=\"323\">Those sorts of attacks show that physical infrastructure hacking is indeed evolving, says Larsen. &quot;What we see in research, we see attackers do five or six years later,&quot; Larsen says. Krotofil&#x27;s work, he says, &quot;is about laying the groundwork for when these attacks do start showing up.&quot; Given the potentially disastrous damage one of those physical attacks can cause, better to start imagining the future of evil bubble sabotage than wait for it to arrive.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/evil-bubbles-industrial-pump-hack\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/597b80ea81c49267751c04a5\/master\/pass\/evilbubble-FA.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Sat, 29 Jul 2017 12:00:00 +0000<\/strong><\/p>\n<p>One demonstration at the Black Hat conference shows how insidious physical infrastructure hacking could 
be.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-8503","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8503"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8503\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}