SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]

*AllpicturesaretakenfromDr
StrangeLovemovieandother
Internets
Sergey Gordeychik
Aleksandr Timorin

 Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko

https://icsmap.shodan.io/

― Google dorks
― Configuration scripts
― FS structure
― etc

--snip--
Comment to PT-SOL-2014001:
The upload path has been changed. It is still possible to upload files, but they
can't overwrite system critical parts any more.
Comment to PT-SOL-2014002:
The system backup is created in a randomly chosen path an deleted afterwards.
Therefore an unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002:
In order to compensate the weak encryption in the configuration file, the whole
configuration file is now encrypted via the new HTTP transmission.
--snip--

To hack what? Grandmom’s reel 2 reel recorder?

Popular HMI
Relatively new system
Platform independent
Custom webserver

http://cvedetails.com for Apache HTTP Server

http://www.digitalbond.com/blog/2013/03/21/s4x13-video-wincc-under-x-rays-by-sergey-gordeychik/

1 2 9 7 6 10 11 14 17
73 100 96
899
94
135
285
81
0
100
200
300
400
500
600
700
800
900
1000
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

PLC1 PLC2 PLC3
Some
networ
ks
WinCC
Web-
Client
WinCC
SCADA-
Clients
WinCC
SCADA-
Client
+Web-
Server
WinCC
DataMonitor
WinCC
Web-Client
WinCC
DataMonitor
WinCC
Servers
LAN
PROFINET
PROFIBUS
Internet, corp lan,
vpn’s
Engineering station
(TIA portal/PCS7)

PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=
uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=
Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=
tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143
32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143
b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143

3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)
d37fa1c3 - CONST (4 bytes)
0001 - user logout counter (2 bytes)
0001 - counter of issued cookies for this user (2 bytes)
00028ad7 - value that doesn’t matter (4 bytes)
0a00aac8 - user IP address (10.0.170.200) (4 bytes)
00000000000000008ad72143 - value that doesn’t matter (12 bytes)
So, what about
3e6cd1f7bdf743cac6dcba708c21994f ???

3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f
MD5( NEXT 26 BYTES OF COOKIE + 16BYTES
OF SECRET + 2 NULL BYTES)
What is SECRET ?

SECRET is generates after PLC start by PRNG.
PRNG is a little bit harder than standard C PRNG.
SEED in {0x0000 , 0xFFFF}
It’s too much for bruteforce (PLC so tender >_<)

What about SEED ?
SEED very often depends on time value
SEED = PLC START TIME + 320
320 by practical way: secret generates after ~ 3-4
seconds of PLC start using current time
How to obtain PLC START TIME ?

PLC START TIME = CURRENT TIME – UPTIME
Current time
Uptime

 SSA-654382 , SSA-456423
 Affected devices:
• Siemens S7-1200 PLC
• Siemens S7-1500 PLC
 CVSS Base Score: 8.3

SCADASL:13.01.2013
S7 PLC private/public community string for SNMP protocol can't be changed …
Siemens:06.02.2013
… you cannot change the SNMP community string … This issue has no effect on security, as only
non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal
v12.5.
SCADASL:05.08.2013
… vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP.
Siemens:22.10.2013
Hardcoded SNMP strings are in fact an issue …
We might eventually migrate to SNMPv3 …

0
50
100
150
200
250
ABB Advantech Emerson Honeywell Other Siemens Schneider Electric
Total Total Fix Vulns Fixed

 PHDays 2013 Choo Choo Choo Pwn
 Security assessment/Pentest
 PHDays IV Critical Infrastructure Attack
 0-day research
http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/

 Goals
 ICS components 0-day research
 Make a disaster
 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)
 Mom, I can spoof MODBUS tag = 0 ;)
 Tragets
 Schneider Electric
 Wonderware System Platform, Indusoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM
C264
 Siemens
 Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300
(314С-2 DP + CP343), S7-1200 v3, S7-1200 v2.2
 Rockwell Automation
 RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA
 WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware
KepServerEX(S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3) etc.

 Winners
 1Alisa Esage – SE Indusoft Web Studio 7.1
 Nikita Maximov & Pavel Markov - ICP DAS RTU
 Dmitry Kazakov - Siemens Simatic S7-1200 PLC
 2 days – 10+ 0days
 Responsible disclosure: in progress
 Fixes?

 In 2013 we reported 9 vulnerabilities
 PT-EMR-DV-13002 World readable/writable *** (CVSSv2 6.8)
 PT-EMR-DV-13003 World readable *** (CVSSv2 6.8)
 PT-EMR-DV-13004 Weak cryptography used to store *** (CVSSv2 9.0)
 PT-EMR-DV-13005 Multiple SQL injections in *** (CVSSv2 10.0)
 PT-EMR-DV-13006 Weak cryptography used to *** (CVSSv2 6.8)
 PT-EMR-DV-13007 Memory corruption in *** (CVSSv2 5.0)
 PT-EMR-DV-13008 Format string vulnerability in *** (CVSSv2 10.0)
 PT-EMR-DV-13009 Hardcoded access credentials *** (CVSSv2 10.0)
 CVSS form 5.0 to 10.0

 Advisory (ICSA-14-133-02) Emerson DeltaV v10-12
Vulnerabilities
 CVE-2014-2349 Configuration File Manipulation Local Privilege
Escalation
 CVSSv2 6.2
 CVE-2014-2350 Service Processes Default Hardcoded
Credentials
 CVSSv2 2.4
 http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02

150 freight cars
12 500 tons
Several locomotives

Safety Integrity Level
Probability of Failure on Demand (PFD)
Probability of Failure per Hour (PFH)

http://www.theguardian.com/world/2013/jul/25/spain-train-crash-travelling-so-fast

Modern Smart Grid:
- ICS/SCADA
- Mobile carrier
- Billing/Payment
- IoT
-Cloud

Alexander @arbitrarycode Zaitsev
Alexey @GiftsUngiven Osipov
Kirill @k_v_nesterov Nesterov
Dmtry @_Dmit Sklyarov
Timur @a66at Yunusov
Gleb @repdet Gritsai
Dmitry Kurbatov
Sergey Puzankov
Pavel Novikov

*AllpicturesaretakenfromDr
StrangeLovemovieandother
Internets

*Allpicturesaretakenfrom
googleandotherInternets
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko

SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]

More Related Content

What's hot (20)

Similar to SCADA StrangeLove: Too Smart Grid in da Cloud [31c3] (20)

More from qqlan (20)

Recently uploaded (20)

SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]

Editor's Notes