Hidden Voices: Undocumented Radios in Solar Devices

By Staff Writer | September 12, 2025

Fast Facts

  1. Security Alert: The U.S. Department of Transportation warns infrastructure agencies to scan for rogue devices in solar-powered highway equipment, highlighting vulnerabilities from potential malicious use of undocumented cellular radios.

  2. Cyber Vulnerabilities: Critical infrastructure, including transportation systems, faces scrutiny over security weaknesses, exacerbated by reliance on foreign-sourced equipment, particularly from China.

  3. Increased Ransomware Threat: Ransomware attacks on operational technology surged by 87% in 2024, targeting sectors like manufacturing and energy due to their critical operational dependencies.

  4. Call for Enhanced Monitoring: Experts stress the need for asset discovery and stringent monitoring of network connections in infrastructure to mitigate risks associated with unauthorized access and potential cyberattacks.


The latest supply chain cyber threat could be sitting on the side of the road.

The US Department of Transportation’s Federal Highway Department alerted highway agencies and infrastructure firms that “solar-powered highway infrastructure including chargers, roadside weather stations, and traffic cameras should be scanned for the presence of rogue devices — such as hidden radios — secreted inside batteries and inverters,” according to a Sept. 10 report published by Reuters. While the advisory did not single out a manufacturer or nation-state rival as the source of concern, the alert comes as the US takes increasing aim at inexpensive goods flowing from China.

Undocumented cellular radios are not likely to be malicious, but could be used for malicious purposes, says Chris Grove, director of cybersecurity strategy for Nozomi Networks, a maker of OT cybersecurity technology.

“Having these things out there in our ecosystem allows opportunities,” he says. “Maybe [a road] sign isn’t the actual target — that sign enables my offensive operator to get into some place that is one hop away from a secure facility, for example, so it’s another leg.”

Equipment used for transportation in the US is the latest critical infrastructure technology to have its security scrutinized. A year ago, the House of Representatives’ Select Committee on the Chinese Communist Party (CCP) highlighted the overreliance of US ports on equipment made in China — equipment that often could be communicated with remotely. In November, an Environmental Protection Agency (EPA) report found that nearly 100 large community water systems (CWSs) had serious security weaknesses.


Modern Transportation Relies on Radio

Overall, much of the distributed infrastructure in the US, such as pipelines, power distribution, water and wastewater treatment, and transportation, uses radio frequencies to communicate with disparate devices. In fact, radios serve as the primary channel for critical communications across nearly every industry, says Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka, a provider of wide-area software-defined networking connectivity.

“The use of radios is considered universal for any operation of significant size, with a long-standing government study concluding that radio-equipped fleets are significantly more efficient than those without radio equipment,” he says. “This is not just a legacy technology; it has evolved into complex purpose-built systems.”

As the critical glue that binds together critical infrastructure, however, radios could be a weak point. In July, the Cybersecurity and Infrastructure Security Agency (CISA) reported a vulnerability in devices mounted at the head and end of railway trains, known as end-of-train and head-of-train devices, which can send brake commands to stop a train or cause disruptions. The devices can be attacked using radio-frequency data packets, according to the CISA advisory.


Similarly, many larger lithium iron phosphate (LiFePO4) batteries used in electric vehicles and solar applications come with a Bluetooth communications module connected to their battery management systems (BMS), says Reid Wightman, distinguished technical vulnerability lead at infrastructure security firm Dragos.

“These BMS only really advertise that they are read-only, but we suspect quite a few of them allow changing sensitive settings such as maximum charge state,” he says. “This could allow an adversary, for example, to discharge batteries, or prevent batteries from charging, making important signs and other infrastructure useless.”

Undocumented Radios: A Common Problem

Overall, the vulnerability of operational technology (OT) has made it a focus of cyberattackers, who can better pressure organizations to pay ransoms if they can disrupt critical operations. In 2024, ransomware attacks against OT increased 87% over the previous year, targeting manufacturers, energy firms, and other industrial sectors, according to a report published by Dragos.


The ability to remotely connect to OT gear makes it even more vulnerable, and radios are more commonly deployed throughout critical infrastructure than most operators think, says Kate Johnson, director, vulnerability and malware threat research at Dragos. They are almost always included by default or used by the supplier or original equipment manufacturer (OEM) to maintain the devices, she says.

“Many OEMs purchase parts that include cellular modems with no intention to use that functionality,” she says. “These have the potential to be a data leakage issue, but more likely, provide access to control or manage the devices remotely. … Access creates an avenue for exploitation, [and] being undocumented makes it more difficult to identify these avenues without a hardware or wireless assessment.”

While radio-controlled devices pose a low level of risk, adding nation-state cyber operations to the mix can change the threat landscape, says Sean Tufts, field chief technology officer (CTO) at Claroty, a provider of cyber-physical system security.

“A threat actor would need a very large number of devices under control to do sizable harm,” he says. “Yes, data tampering on individual road signs is dangerous, but what does the threat actor have to gain? There is a low economic reward for this activity, unless you’re a nation-state.”

He pointed out that China is amassing a large network of devices as part of its Salt Typhoon and Volt Typhoon efforts, with no immediate motive but to understand the US critical infrastructure and network.

Suppliers Need BOMs

Suppliers and their business or government customers should know what components are in their equipment. Asset discovery and hardware bills of materials help a great deal, not only in knowing what is vulnerable but also in knowing where to look when a vulnerability is found, says Dragos’s Wightman.

“For government projects, project managers can evaluate the risk of the hardware bill of materials and make a risk-informed decision about using the equipment,” he says. “I view Bluetooth as low risk, but cellular modems or longer-range radio chips — [such as the] 400 MHz and 900 MHz unlicensed bands — introduce risk of exploitation from further away.”

In addition, while many industry standards focus on protecting the functionality of a device from remote compromise, these devices are often just used to gain access to other connected infrastructure, and so their network connections need to be monitored as well, says Nozomi’s Grove.

“The radio may be turned on by default or by accident, but it leaves an open pathway for someone who’s able to use air instead of coming across the wire to do the attacks,” he says. For that reason, monitoring east-west traffic — signs that an attacker is moving laterally — is important.
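The hardware BOM review and follow-up monitoring described above can be sketched as a small audit script. This is an added example, not code from the article or from any vendor quoted in it; the CSV columns, the `documented` flag, the part names and the three action labels are assumptions made for illustration.

```python
import csv
import io

# Risk tiers follow the ranking quoted in the article: Bluetooth low,
# cellular modems and 400/900 MHz long-range radios higher.
RADIO_RISK = {"bluetooth": "low", "cellular": "high",
              "subghz-400": "high", "subghz-900": "high"}
RISK_ORDER = {"high": 0, "unknown": 1, "low": 2}

# Constructed sample HBOM for a hypothetical solar sign controller.
# Part names are placeholders; "documented" means the radio appears in
# the supplier's datasheet (an assumed column, not a standard field).
SAMPLE_HBOM = """\
refdes,part,function,radio,documented
U1,EXAMPLE-MCU-01,microcontroller,,yes
U4,EXAMPLE-BMS-02,battery management,bluetooth,yes
U7,EXAMPLE-INV-03,inverter comms module,cellular,no
U9,EXAMPLE-TLM-04,telemetry link,subghz-900,yes
U12,EXAMPLE-RF-05,unlabelled rf module,proprietary,no
"""

def audit_hbom(text):
    """Return radio-bearing parts: undocumented first, then by risk tier."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        radio = (row.get("radio") or "").strip().lower()
        if not radio:
            continue  # no transmitter listed for this part
        risk = RADIO_RISK.get(radio, "unknown")  # unlisted type: triage by hand
        documented = (row.get("documented") or "").strip().lower() == "yes"
        if not documented:
            action = "assess"    # hardware or wireless assessment
        elif risk == "low":
            action = "accept"
        else:
            action = "monitor"   # watch the device's network connections
        findings.append({"refdes": row["refdes"], "radio": radio,
                         "risk": risk, "documented": documented,
                         "action": action})
    findings.sort(key=lambda f: (f["documented"], RISK_ORDER[f["risk"]]))
    return findings

if __name__ == "__main__":
    for f in audit_hbom(SAMPLE_HBOM):
        print(f"{f['refdes']:4} {f['radio']:12} risk={f['risk']:8} -> {f['action']}")
```
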

Long term, companies need to require suppliers to provide more secure products, without unnecessary features. The economic battle with China for market share, however, leaves brand-name manufacturers at a disadvantage, says Claroty’s Tufts. While pricing pressure from cheap goods is hurting trusted vendors and limiting the financial resources available to build devices correctly, companies focused on security will likely reap long-term wins.

“There is a growing trend of ‘least functionality’ programming and a greater focus on Software Development Life Cycle (SDLC) basics,” he says. “This news [about radios] augments the positive improvements our trusted vendors have made.”


John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
