SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
For two years SCADA StrangeLove speaks about Industrial Control Systems and nuclear plants. This year we want to discuss Green Energy. Our hackers' vision of Green Energy, SmartGrids and Cloud IoT technology. We will also speak about the security problems of traditional "heavy" industrial solutions, about the things that Zurich Airport and Large Hadron Collider have in common On top of it you will learn about our new releases, some funny and not so funny stories about discovery and fixing of vulnerabilities and the latest news from the front struggling for the Purity of Essence. Our latest research was devoted to the analysis of the architecture and implementation of the most wide spread platforms for wind and solar energy generation which produce many gigawatts of it. It may seem (not) surprising but the systems which manage huge turbine towers and household PhotoVoltaic plants are not only connected to the internet but also prone to many well known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chances for security. We will also speak about the security problems of traditional "heavy" industrial solutions, about the things that Zurich Airport and Large Hadron Collider have in common and why one should not develop brand new web server. Specially for the specialists on the other side of the fences, we will show by example of one industry the link between information security and industrial safety and will also demonstrate how a root access gained in a few minutes can bring to nought all the years of efforts that were devoted to the improvement of fail-safety and reliability of the ICS system. On top of it you will learn about our new releases, some funny and not so funny stories about discovery and fixing of vulnerabilities and the latest news from the front struggling for the Purity of Essence. ────────── ➤Speaker: Sergey Gordeychik, Aleksandr Timorin
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
- 1. *AllpicturesaretakenfromDr StrangeLovemovieandother Internets Sergey Gordeychik Aleksandr Timorin
- 2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
- 12. ― Google dorks ― Configuration scripts ― FS structure ― etc
- 18. --snip-- Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more. Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path an deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely. Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission. --snip--
- 33. To hack what? Grandmom’s reel 2 reel recorder?
- 38. Popular HMI Relatively new system Platform independent Custom webserver
- 39. http://cvedetails.com for Apache HTTP Server
- 45. 1 2 9 7 6 10 11 14 17 73 100 96 899 94 135 285 81 0 100 200 300 400 500 600 700 800 900 1000 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
- 55. PLC1 PLC2 PLC3 Some networ ks WinCC Web- Client WinCC SCADA- Clients WinCC SCADA- Client +Web- Server WinCC DataMonitor WinCC Web-Client WinCC DataMonitor WinCC Servers LAN PROFINET PROFIBUS Internet, corp lan, vpn’s Engineering station (TIA portal/PCS7)
- 65. +1337
- 69. 3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes) d37fa1c3 - CONST (4 bytes) 0001 - user logout counter (2 bytes) 0001 - counter of issued cookies for this user (2 bytes) 00028ad7 - value that doesn’t matter (4 bytes) 0a00aac8 - user IP address (10.0.170.200) (4 bytes) 00000000000000008ad72143 - value that doesn’t matter (12 bytes) So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???
- 70. 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 3e6cd1f7bdf743cac6dcba708c21994f MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES) What is SECRET ?
- 71. SECRET is generates after PLC start by PRNG. PRNG is a little bit harder than standard C PRNG. SEED in {0x0000 , 0xFFFF} It’s too much for bruteforce (PLC so tender >_<)
- 72. What about SEED ? SEED very often depends on time value SEED = PLC START TIME + 320 320 by practical way: secret generates after ~ 3-4 seconds of PLC start using current time How to obtain PLC START TIME ?
- 73. PLC START TIME = CURRENT TIME – UPTIME Current time Uptime
- 75. SSA-654382 , SSA-456423 Affected devices: • Siemens S7-1200 PLC • Siemens S7-1500 PLC CVSS Base Score: 8.3
- 76. SCADASL:13.01.2013 S7 PLC private/public community string for SNMP protocol can't be changed … Siemens:06.02.2013 … you cannot change the SNMP community string … This issue has no effect on security, as only non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal v12.5. SCADASL:05.08.2013 … vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP. Siemens:22.10.2013 Hardcoded SNMP strings are in fact an issue … We might eventually migrate to SNMPv3 …
- 78. 0 50 100 150 200 250 ABB Advantech Emerson Honeywell Other Siemens Schneider Electric Total Total Fix Vulns Fixed
- 79. PHDays 2013 Choo Choo Choo Pwn Security assessment/Pentest PHDays IV Critical Infrastructure Attack 0-day research http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/
- 80. Goals ICS components 0-day research Make a disaster 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster) Mom, I can spoof MODBUS tag = 0 ;) Tragets Schneider Electric Wonderware System Platform, Indusoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264 Siemens Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314С-2 DP + CP343), S7-1200 v3, S7-1200 v2.2 Rockwell Automation RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX(S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3) etc.
- 81. Winners 1Alisa Esage – SE Indusoft Web Studio 7.1 Nikita Maximov & Pavel Markov - ICP DAS RTU Dmitry Kazakov - Siemens Simatic S7-1200 PLC 2 days – 10+ 0days Responsible disclosure: in progress Fixes?
- 82. In 2013 we reported 9 vulnerabilities PT-EMR-DV-13002 World readable/writable *** (CVSSv2 6.8) PT-EMR-DV-13003 World readable *** (CVSSv2 6.8) PT-EMR-DV-13004 Weak cryptography used to store *** (CVSSv2 9.0) PT-EMR-DV-13005 Multiple SQL injections in *** (CVSSv2 10.0) PT-EMR-DV-13006 Weak cryptography used to *** (CVSSv2 6.8) PT-EMR-DV-13007 Memory corruption in *** (CVSSv2 5.0) PT-EMR-DV-13008 Format string vulnerability in *** (CVSSv2 10.0) PT-EMR-DV-13009 Hardcoded access credentials *** (CVSSv2 10.0) CVSS form 5.0 to 10.0
- 83. Advisory (ICSA-14-133-02) Emerson DeltaV v10-12 Vulnerabilities CVE-2014-2349 Configuration File Manipulation Local Privilege Escalation CVSSv2 6.2 CVE-2014-2350 Service Processes Default Hardcoded Credentials CVSSv2 2.4 http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02
- 85. 1 2
- 86. 150 freight cars 12 500 tons Several locomotives
- 89. Safety Integrity Level Probability of Failure on Demand (PFD) Probability of Failure per Hour (PFH)
- 91. 1 2
- 95. Modern Smart Grid: - ICS/SCADA - Mobile carrier - Billing/Payment - IoT -Cloud
- 97. Alexander @arbitrarycode Zaitsev Alexey @GiftsUngiven Osipov Kirill @k_v_nesterov Nesterov Dmtry @_Dmit Sklyarov Timur @a66at Yunusov Gleb @repdet Gritsai Dmitry Kurbatov Sergey Puzankov Pavel Novikov
- 100. *Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
Editor's Notes
- CEИспользованиеRN Аэропорты Zurich, Geneve 25 электростанций RAG - подземное хранилище газа Другие “WinCC Open Architecture – больше чем SCADA”