Cracking a Continuous Flow Reactor: A Vulnerability Assessment for Chemical Additive Manufacturing Devices

摘要

The proliferation of additive manufacturing devices such as 3D-printers and chemical Continuous Flow Reactors (CFR) have commoditized the creation of complex physical and liquid products. CFR machines are computer controlled pumps and mixers designed to synthesize industrial and medical chemical compounds. Similar to many new digital products, CFRs often lack standard forms of access control and are vulnerable to physical and network-based attacks. This paper reviews the common attack vectors and vulnerabilities associated with Supervisory Control and Data Acquisition (SCADA) systems and uses these lessons to inform an initial analysis and security test of the Cole-Parmer Masterflex CFR. Using standard penetration testing techniques, we show that the Masterflex CFR is susceptible to multiple types of remote and local attack including query flooding, malformed ping attacks, and firmware retrieval via an “Evil Maid Attack”. These attacks are trivial to perform and can potentially harm the device, nearby operators, or the users of manufactured products via cyber- physical attack. We believe that these findings in the Cole-Parmer Masterflex are indicative of similar vulnerabilities in other CFR models.