Security Analysis of Devices That Support SCPI and VISA Protocols

By Philippe Lin, Roel Reyes, Shin Li, and Gloria Chen (Trend Micro Research)


When a legacy protocol is connected via Ethernet, and subsequently to the internet, security issues arise. Standard Commands for Programmable Instruments (SCPI) is a legacy protocol that many advanced measurement instruments support. SCPI commands can be issued via General Purpose Interface Bus (GPIB), Universal Asynchronous Receiver/Transmitter (UART), Universal Serial Bus (USB), or Ethernet. However, it is important to note that the protocol has no built-in authentication.


The SCPI protocol, now 30 years old, was initially designed for sensors communicating over serial lines. It was designed as a simple ASCII text protocol that makes adoption across different languages and hardware interfaces as easy as possible. (Even today, the SCPI consortium references SCPI as a standard that works well over RS-232 interfaces and with the BASIC programming language.)


Over time, many high-end sensor devices adopted the protocol, and of course, Ethernet became the dominant hardware interface. Today, these devices are being exposed to the internet as more networks get connected, but they were never designed for it, and network administrators might not be aware that this is happening. It should also be noted that devices such as logic analyzers and room sensors do not run on known operating systems and do not show up on PC inventory lists.
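
Because these instruments do not appear on PC inventory lists, firewall or flow records are one place a defender can spot them being reached from outside the lab. The following is an added example, not part of the original article: it flags accepted connections to instrument-control ports from sources outside an allowed subnet. The port numbers are the IANA registrations for SCPI raw, SCPI telnet and HiSLIP (the article names none), and the subnet, log format and log lines are constructed for illustration.

```python
import ipaddress

# IANA-registered instrument-control ports (assumption: the article names no ports).
SCPI_PORTS = {5024: "scpi-telnet", 5025: "scpi-raw", 4880: "hislip"}

# Hypothetical site policy: only the lab management subnet may talk to instruments.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z 10.20.0.15 10.20.5.40 5025 ACCEPT
2024-05-01T08:02:17Z 203.0.113.77 10.20.5.40 5025 ACCEPT
2024-05-01T08:02:19Z 203.0.113.77 10.20.5.41 5025 DROP
2024-05-01T08:05:44Z 10.30.9.8 10.20.5.42 4880 ACCEPT
2024-05-01T08:06:02Z 10.20.0.15 10.20.5.40 443 ACCEPT
malformed line
"""

def find_exposed_instruments(flow_text, allowed=ALLOWED_SOURCES):
    """Map each instrument IP to the ports and out-of-policy sources that reached it."""
    findings = {}
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated records
        _, src, dst, port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue  # unparsable address or port
        # Only connections that were actually allowed through matter here.
        if action != "ACCEPT" or port not in SCPI_PORTS:
            continue
        if any(src_ip in net for net in allowed):
            continue  # expected lab traffic
        entry = findings.setdefault(dst, {"ports": set(), "sources": set()})
        entry["ports"].add(port)
        entry["sources"].add(src)
    return findings

if __name__ == "__main__":
    for dst, info in sorted(find_exposed_instruments(SAMPLE_FLOWS).items()):
        services = ", ".join(f"{p}/{SCPI_PORTS[p]}" for p in sorted(info["ports"]))
        print(f"{dst}: {services} reached from {sorted(info['sources'])}")
```

Each destination it reports is a candidate for the asset inventory and for a firewall rule that restricts the instrument ports to the lab subnet.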


Overview of the Research


Keysight Technologies, of Agilent Technologies, is a key player in the measurement equipment market. We have used its digital multimeters (DMMs) and power supplies, but when we read their whitepaper