Originally published in 2016
Velodyne LiDAR, Inc. HDL-64E, HDL-32E, and the PUCK
Velodyne is a LiDAR sensor manufacturer. LiDAR (Light Detection And Ranging) is a way of locating physical objects in spatial relation to one another by triangulating the projection of a laser or an array of lasers. Today Velodyne LiDAR, Inc. claims to work in the following industries:
- Automation (ICS)
- Urban Planning
The HDL-64E, HDL-32E, and the PUCK (AKA VLP-16) all make use of packet captures to relay telemetry in plain text (ASCII) from the sensor to the server (controller). The server makes a logical determination based on that telemetry; in the case of an automobile, for example, this could be leveraged to tell the server (CPU) in the system that the sensor or vehicle has a wall in front of it. The devices also employ an embedded web server that requires no authentication to access and that can update both the firmware and the calibration files for the lasers. An attacker who gains network-level access at any point can modify the firmware and calibration files. With very little effort, an attacker could also access the GPS data collected in some configurations of the sensor and launch a replay attack, replaying telemetry from the sensor itself at a given latitude and longitude. Additionally, an attacker on the network only needs to launch an attack at a given telemetry to control what the vehicle (for our example) can see live, allowing them to steer the vehicle if they have command and control of a network-enabled device. Some of the public documentation also shows how to parse the data.
The video below is a “proof of concept” of how an attack could play out using information and tools supplied to the public by the manufacturer.
The official vulnerability of this system
Network-level command and control without encryption or authentication, lacking basic security practices.
Full network segmentation. Recall any devices that are used in mission-critical roles, or that could present a health and welfare risk to users and/or bystanders, until basic security practices can be implemented.
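The following Python example is added here and is not from the original post or from Velodyne; it shows a controller rejecting replayed and modified telemetry once each frame carries a counter and an HMAC, which is the kind of authentication the devices described above lack. The frame layout, key, and payload strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (not Velodyne's): 8-byte big-endian counter,
# raw telemetry payload, then a 32-byte HMAC-SHA256 tag over counter + payload.
TAG_LEN = 32
HEADER = struct.Struct(">Q")

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sensor side: prepend the counter and append the MAC."""
    body = HEADER.pack(counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class TelemetryVerifier:
    """Controller side: accept a frame only if it is authentic and fresh."""
    def __init__(self, key: bytes):
        self._key, self._last = key, -1  # _last: highest counter accepted so far

    def verify(self, frame: bytes) -> bytes:
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison: forged or modified frames stop here.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC")
        (counter,) = HEADER.unpack_from(body)
        # Counter must strictly increase, so a recorded frame sent again is stale.
        if counter <= self._last:
            raise ValueError("replayed or stale frame")
        self._last = counter
        return body[HEADER.size:]

def demo() -> list:
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    rx = TelemetryVerifier(key)
    f1 = seal(key, 1, b"az=090.00,dist=12.40")  # constructed payloads
    f2 = seal(key, 2, b"az=090.20,dist=12.38")
    tampered = bytearray(seal(key, 3, b"az=090.40,dist=12.35"))
    tampered[12] ^= 0x01  # one payload bit changed in transit
    results = []
    for frame in (f1, f2, f1, bytes(tampered)):
        try:
            results.append(rx.verify(frame).decode())
        except ValueError as exc:
            results.append(f"rejected: {exc}")
    return results

if __name__ == "__main__": print(demo())
```

The counter has to survive sensor restarts (or the key has to change per session); otherwise frames recorded before a restart would be accepted again.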
ICS-CERT collaboration concluded.
Velodyne LiDAR, Inc. has been contacted about this issue far in advance of publishing and has refused assistance to fix and acknowledge the issue. Due to this, examples on how replay attacks could be made more effective against this device, and how to attack at a GPS location have been withheld for safety concerns. It is not my intention to harm or weaponize this vulnerability.