Compromising Industrial Facilities From 40 Miles Away


Published on

Presented by: Lucas Apa and Carlos Mario Penagos, IOActive

Abstract: The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made might be modified, this could lead to unexpected, harmful, and dangerous consequences.

This presentation demonstrates attacks that exploit key distribution vulnerabilities we recently discovered in every wireless device made by three leading industrial wireless automation solution providers. We will review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions.

Published in: Technology, Travel
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Compromising Industrial Facilities From 40 Miles Away

  1. 1. COMPROMISING  INDUSTRIAL   FACILITIES  FROM  40  MILES  AWAY   Lucas  Apa   Carlos  Mario  Penagos  
  2. 2. About  Us   Vulnerability  Research   Exploita<on   Cryptography   Reverse  Engineering   ICS/SCADA     2   Lucas  Apa   Carlos  Penagos   Argen<na   Colombia   Security  Consultants   and  Researchers    
  3. 3. Agenda   §  Mo<va<on   §  Industries  and  Applica<ons   §  Wireless  Standards   §  Journey  of  Radio  Encryp<on  Keys   §  Vendor1  Wireless  Devices     §  Vendor2  Wireless  Devices   §  Vendor3  Wireless  Devices     3  
  4. 4. Mo<va<on   4   §  Cri<cal  Infrastructures  becoming  targets   §  Insider  aLacks  (Lately)   §  Devices  connected  to  Internet   §  0days  to  reach  the  PLC,  RTU,  HMI…   §  Stealth  and  precise  aLacks   §  Incident  response  at  hazardous  sites   §  ALack  families  of  devices  (+  reliable)    
  5. 5. Industrial  Wireless  Automa<on   5   §  Copper  wires  are  used  to  monitor  and  control   §  Corrosion,  Duc<lity,  Thermal  Conduc<vity   §  Cost  of  wires,  trenching,  moun<ng  and  installa<on   §  Industrial  Wireless  Solu<ons   §  Eliminate  cost  of  hardwiring,  logis<cs,  installa<on   §  Heavy  machinery  involved   §  Remote  control  and  administra<on  (Geography)   §  Minimize  Safety  Risk  &  Dangerous  Boxes   §  Adds  durability  
  6. 6. Industries  and  Applica<ons   6   Oil  &  Gas   Refined  Petroleum   Petrochemicals   §  Plunger  li_/ar<ficial  li_  op<miza<on   §  Well-­‐head  automa<on   §  RTU/EFM  I/O  extensions   §  Cathodic  protec<on  monitoring   §  Hydrogen  sulfide  (H2S)  monitoring   §  Tank  level  monitoring   §  Pipeline  cathodic  protec<on   §  Rec<fier  voltage  monitoring   §  Gas/liquid  flow  measurement   §  Pipeline  pressure  and  valve   monitoring  
  7. 7. Industries  and  Applica<ons  (2)   7   Energy  -­‐  U<li<es   Waste  &     Waste  Water   §  Transformer  temperature   §  Natural  gas  flow   §  Power  outage  repor<ng   §  Capacitor  bank  control   §  kV,  Amp,  MW,  MVAR  reading   §  Remote  pumping  sta<ons   §  Water  treatment  plants   §  Water  distribu<on  systems   §  Wastewater/sewer  collec<on  systems   §  Water  irriga<on  systems/agriculture  
  8. 8. Industrial  Wireless  Challenges   8   §  Defeat  electromagne<c  interference  (EMI)   §  Handle  signal  aLenua<on  and  reflec<ons   §  Reliability  is  far  more  important  than  Speed   §  Higher  transmiLer  power  levels   §  Site  surveys  to  assess  the  consistency  and   reliability  of  the  plant   §  Mainly  using  2.4Ghz  or  900Mhz  (ISM  Band)   §  No  “business”  protocols  
  9. 9. Cryptographic  Key  Distribu<on  (WSN)   9   §  Distribute  secrets  on  a  large  number  of  nodes   §  Base  sta<ons  with  clusters  surrounding   §  Limita<ons:   §  Deployment  in  public  or  hos<le  loca<ons   §  Post-­‐deployment  knowledge     §  Limited  bandwidth  and  transmission  power     §  Methods  for  crypto  key  distribu<on:   §  Out-­‐of-­‐band   §  In-­‐band   §  Factory  pre-­‐loaded  
  10. 10. IEEE  802.15.4  Standard   §  Wireless  Radios  (Low  Power/Speed)     §  Set  the  encryp<on  algorithm  and  AES  Key   §  Upper  Layer  Responsibility   §  Each  node  can  have  an  ACL   §  MAC  for  upper  layers:   §  ZigBee   §  WirelessHart   §  ISA  SP100   §  IETF  IPv6  -­‐  LoWPAN   10  
  11. 11. ZigBee  2007  (Standard  Security  Mode)   §  Goal:  Understand  Key  Schemes   §  Suite  of  high  level  communica<on  protocols   §  Based  on  IEEE  802.15.4  (Low  level  layers)   §  ISM  radio  bands   §  Trust  Center  introduced  in  2007     11   Two  Key  Distribu<on  Mechanisms:   1.  Pre-­‐Installa<on   2.  Over  the  air   §  Network  Key  (AES  128-­‐bit)   §  Pre-­‐installed  (Factory  Installed)   §  Individually  Commissioned   (Commissioning  tool)   §  Managed  by  the  Trust  Center     A Trust Center B
  12. 12. ZigBee  Pro  2007  (High  Security  Mode)   §  Many  enhancements   §  More  memory  requirements   §  New  keys  introduced   12   A B MasterKey_TA   LinkKey  TA   NetworkKey   MasterKey_AB   LinkKey  AB   MasterKey_TB   LinkKey  TB   NetworkKey   MasterKey_AB   LinkKey  AB   MasterKey_TA   LinkKey  TA   NetworkKey   MasterKey_TB   LinkKey  TB   Trust Center ①  Master  Key   §  Unsecured  Transport  L   §  Out-­‐of-­‐band  Technique  J   §  Secure  other  keys   ②  Link  Key     §  Unicast   §  Unique  between  nodes   ③  Network  Key     •  Regenerated  at  Intervals   •  Needed  to  join  the  NWK  
  13. 13. E n d   U s e r   D e v i c e   DeviceVendorID   Key  in  Firmware   Per-­‐Client  Encryp<on   Key   Change   Encryp<on   Key   Per-­‐Client   Encryp<on   Key   Device  Company   Encryp<on  Key   Device   Company   Encryp<on   Key   Change   Encryp<on   Key   No  Encryp<on  Key   Set   Encryp<on   Key   No   Encryp<on   key   No  Encryp<on   Key   The  Journey  of  Radio  Encryp<on  Keys   13   R a d i o
  14. 14. Reusing  Radio  Keys   §  Device  Company  Key  aLack   1.  Buy  same  Device  (Buy  same  Key)   2.  Remove  Radio  Module   3.  Connect  to  USB  Interface   4.  Interact:  API  &  AT  Command  Mode   5.  Send  frames  using  the  unknown  key   Warning:  Not  possible  if  exists  a  Per-­‐Client  Encryp<on  Key   14   §  End-­‐User  Node  Key  Storage   §  Shared  Secret   §  Same  Firmware  or  Same  Radio  Key    
  15. 15. Exploi<ng  Vendor1  Devices   §  Company  Profile  (+1990)   §  Frequency  Hopping  Wireless  Devices   §  Great  for  long  or  short  range  wireless   SCADA  applica<ons   §  Secure  proprietary  FHSS  with  128  bit  AES   encryp<on   §  Hazardous  loca<on  approvals,  Perfect  for   outdoor  Ethernet  SCADA  or  indoor  PLC   messaging   §  30+  miles  point  to  point  with  high  gain   antennas   15  
  16. 16. Vendor1  Key  Distribu<on   “<Vendor1  Tool>  is  easy  to  use  and  intuiBve.  Default  values  built  into   the  so0ware  work  well  for  ini4al  installa4on  and  tesBng  making  it   easy  for  first-­‐Bme  users.  <Vendor1  Tool>  manages  all  important   se8ngs  to  ensure  that  the  network  performs  correctly.”  (User  Guide)     16   §  RF  Encryp<on:  A  128-­‐bit   encryp<on  level  key  is   suggested  for  the  user.   §  Blank:  No  encrypted  packets   §  5-­‐7  Chars:  Field  is  translated   into  a  40-­‐bit  encryp<on  level.   §  15-­‐24  Chars:  Field  is  translated   into  a  128-­‐bit  encryp<on  level.    
  17. 17. Reversing  Passphrase  Genera<on   Compiled  C++  Binary:   §  srand  seeds  PRNG   §  <me  returns  epoch   §  srand(<me(NULL))   §  Low  Entropy  Seed   §  Same  algorithm   §  rand()   §  Bad  ANSI  C  func<on   17  
  18. 18. ALacking  Weak  PRNG   18   C:>passgen.exe   2013-­‐04-­‐04  21:39:08  =>  1365136748  =>  knc6gadr40565d3j8hbrs6o0  
  19. 19. The  Oldest  Passphrase   Help  File   19   C:>passgen.exe   2013-­‐04-­‐04  21:39:08  =>  1365136748  =>  knc6gadr40565d3j8hbrs6o0   2013-­‐04-­‐04  21:39:07  =>  1365136747  =>  nir3f1a0dm2sdt41q91c06nt   …   2008-­‐04-­‐17  15:20:47  =>  1208470847  =>  re84q92vssgd671pd2smj8ig  
  20. 20. Comissioning  Tool  Audit   §  Easily  breakable  by  an  outsider   §  Further  Research  with  the  Devices   §  Comissioning  Tools  needs  deep  tes<ng   20   Bruteforce  Passphrase   2570  Passphrases   Mixed  lower  case  alphabet  plus  numbers  and   common  symbols   Impossible  to  calculate  all  passphrases   Need  to  derive  AES  128-­‐bit  key  on  real<me   Weak  PRNG  ALack   ~156  Million  Passphrases   Every  second  passed,  one  more  key   Only  a  few  seconds  to  calculate  all  passphrases   Calculate  once  and  create  a  database  with  all   possible  AES  128-­‐bit  key  deriva<ons   vs  
  21. 21. Vendor2  Wireless  Devices   §  Market  leadership:  Oil  &  Gas   §  Wireless  and  wired  solu<ons  for  the  digital  oil  field   automa<on   §  Trusted  by  top  companies  in  different  industries   §  Family  System  (Point  to  Mul<point):     §  Wireless  Gateways   §  Wireless  TransmiLers   §  I/O  Expansion  Modules   §  Hardwire  Sensors   21  
  22. 22. 22  
  23. 23. An  Extended  Family  of  Devices   23   §  Applica<ons   §  Oil  &  Gas   §  Refining  /  Petro  Chemicals   §  Water  &  Waste  Water   §  U<li<es   §  Industrial  Process  Monitoring   §  TransmiLers   §  RTD  Temperature  TransmiLer   §  Analog/Discrete  TransmiLer   §  Flow  Totalizer  TransmiLer   §  Pressure  TransmiLer   §  Hydrosta<c  Level  TransmiLer   §  Many  more..  
  24. 24. 24   SCADA   PLC   RTU   EFM   HMI   DCS   RF   Modem  
  25. 25. Secure  Communica<ons   25   §  How  the  devices  access  the  wireless  informa<on?   §  “Enhanced  Site  Security  Key”   §  Security  Key  ==  Encryp<on  Key  ???   §  Legacy  Devices  Without  Encryp<on???   The  Enhanced  Site  Security  feature  designed  to  provide  an  addiBonal  level  of   protec4on  for  RF  packets  sent  and  received  between  <Vendor2>  devices  and   minimizes  the  possibility  of  interference  from  other  devices  in  this  area.  This   feature  is  not  available  on  some  older  versions  of  legacy  devices.    
  26. 26. Key  Genera<on  and  Distribu<on   26   §  Comissioning  Tool   §  Create  a  “Project  File”  and  update  all  Nodes   §  From  documenta<on:   This  Key  MUST  be  somewhere  on  the  Project  File   “If  the  project  file  name  is  changed,  a  new  Site   Security  Key  will  be  assigned”       Possible  Scheme:  Per-­‐Site  Encryp4on        
  27. 27. File  Name  Change  =>  New  Key   27  
  28. 28. Project  File  Binary  Diffing   28   ProjectA   x17x58x4fx51   1364154391   Sun,  24  Mar  2013   19:46:31  GMT   ProjectB   x51x58x4fx51   1364154449   Sun,  24  Mar  2013   19:47:29  GMT  
  29. 29. 29   §  Support  Center   §  Firmware  Images  &  Documenta<on   §  Radio  Modules,  Architectures  &  Processors     Component  IdenSficaSon   RISC  
  30. 30. Understanding  Firmware  Image  (RISC)   CrossWorks for MSP430 §  Industry  Standard  Format   §  @Address  and  content   §  Incomplete  Image  (Update)   §  Only  compiler  strings    
  31. 31. Component  IdenSficaSon  (MSP430)   430F149  
  32. 32. 32   YouTube  (XT09  and  802.15.4)  
  33. 33. No  Per-­‐Client  Key   Dear  <<Reseller  Sales  Eng>>,   We   are   going   to   borrow   a   used   “Analog   Transmider”   from   one   of   our  partners,   We   are   going   to   test   it   for   a   few   weeks  and  let  you  know  if  we  decide   to  buy  a  new  one.   Are   there   any   specific   concern   we   might   take   into   account   when   deploying   this   device   to   connect   it   with  our  <Device>?  Or  just  upgrade   all  project  configuraBon  files?   Thank  you   33   Lucas,   You  just  need  to  upgrade  the  configuraBon   files.   Thanks.  
  34. 34. Finding  Embedded  Keys   34   §  Two  kind  of  Firmwares  (ARM  and  MSP430)   §  One  possible  hardcoded  key  in  both  firmwares   §  “Binary  Equaling”    
  35. 35. Acquiring  the  Devices   35   §  Wireless  Gateway   §  Gateways  are  responsible  for  receiving/ collec<ng  data  from  wireless  end  nodes   §  The  collected  data  can  be  communicated   with  third-­‐party  Modbus  device  such  as  a   RTU,  PLC,  EFM,  HMI,  or  DCS   §  RTD  Temperature  TransmiLer   §  Integrates  Pla<num  100  ohm  RTD  Sensor   §  Ideal  for  use  in  various  mission-­‐cri<cal   industrial  applica<ons.   §  Ideal  for  Monitoring  Air,  Gas,  Water,  or   Liquid  Temperatures    
  36. 36. §  Steal  and  extract   §  Site  Security  Key   §  Project  File   Resilience  and  Node  Capture   36   Stolen   Node   Gateway   Tx   Tx  Tx   S e r i a l C a p t u r e FF  41  06  00  0A  00  00  00  33  2E  1D  CC   FF  41  0A  00  0A  00  00  00  04  00  AB  D0  9A  51  B0  ...  
  37. 37. A  crypto  aLack  disappointment   §  Protocol  Reverse  Engineering   §  Device  has  a  debug  interface   §  Developed  a  custom  tool  to  receive  and  send  802.15.4  data   §  2.4ghz  Transceiver  (Modified  Firmware  and  Reflashed  by  JTAG)   §  PyUsb,  IPython     §  Scapy  Dissectors,  etc.   §  Against  the  perfect  scheme:  Per-­‐Site  EncrypSon  Key       37   §  Key  not  really  used  for  data  encrypSon   §  Key  only  used  to  ”authenScate”  devices  (capture  SiteSecurityKey)   §  No  integrity  and  confidenSality     §  No  protecSon  for  RF  Packets  L  (vendor  lied)   §  Predict  IEEE  802.15.4  next  seqnums  to  inject   A  crypto  aLack  
  38. 38. Temperature  Injec<on  Live  Demo   §  Designed  an  HMI  Project   §  Developed  an  OPC  based   driver  for  the  HMI   §  Developed  an  exploita<on   framework  (Map/Inject)   §  Chemical  Safety  Board  (US)   background  video   §  Cost  of  the  aLack:  $40  USD   §  Live  Demo     38  
  40. 40. Remote  Memory  Corrup<on   §  Iden<fy  all  the  protocol  fields   §  Memory  corrup<on  bug  using  unhandled  values  on   a  parsing  func<on   §  Remotely  exploitable  over  the  air   §  Plant  Killer          =>     §  We  recorded  a  demo  (no  leak  today)   40  
  41. 41. 41   SCADA   PLC   RTU   EFM   HMI   DCS   RF   Modem  
  42. 42. Vendor3  Devices   42   §  Company  Profile   §  Self-­‐proclaimed  leader  in  process  and  industrial   automa<on,  “Undisputed  leader  in  sensors”   §  Clients:  Nearly  all  manufacturing  companies  from   Fortune  500   §  22.000  different  products  across  40  industries   §  Wireless  System  (Family)   §  Wireless  Gateway   §  Master  device  used  to  control  network   <ming  and  comm  traffic     §  Nodes   §  Collect  data  -­‐>  TX  Gateway  
  43. 43. Research   44   §  Wireless  Family  Technical  Note:   “Mul<-­‐layer  security  protocol  protects  your  data”   §  Network  Security   §  Data  Security   §  Data  Integrity  and  Control  Reliability     “The  wireless  I/O  systems  provide  a  level  of  security,  data   integrity,  and  reliability  far  exceeding  most  wireless  systems  on   the  market  today”  
  44. 44. Quotes  (Network  Security)   “This  family  is  designed  to   completely  eliminate  all   Internet  Protocol  (IP)  based   security  threats.  Wi-­‐Fi   access  points  have  the   poten<al  to  route  any  and   all  data  packets,  which  is   why  these  systems  use   encryp<on”   45   Route  packets  =>  Use  encrypSon   §  One  model  =>  Ethernet   Data  Radio   §  Uses  AES-­‐256  key  J   §  Other?  No  encryp<on  
  45. 45. Quotes  (Data  Security)   “The  protocol  only  carries  sensor  data   values.  Only  I/O  data  is  transmiLed  in   the  wireless  layer.”     “A  hacker,  if  they  managed  to  receive   wireless  data,  would  only  see  the   actual  sensor  data,  not  what  the   sensor  was  reading  or  what  role  the   sensor  played  within  the  wireless  I/O   network."   46   §  Insecure  I/O  data   §  Sensor  Readings   §  Binding  codes  
  46. 46. Quotes  (Comm  Protocols)   “Widely  used  open  protocols  such   as  Wi-­‐Fi  have  serious  security   issues.  Even  a  high  degree  of   encryp<on  may  not  protect  your   data.  It  is  common  for  new   encryp<on  schemes  to  be  hacked   within  months  of   implementa<on.  Proprietary   systems  are  more  difficult  to  hack   than  an  open  standard.”   47   §  Encryp<on  is   useless   §  Open  standards   are  easier  to  hack    
  47. 47. Quotes  (Comm  Protocols)   “Vendor  achieves  data  security   by  using  a  proprietary   protocol,  pseudo-­‐random   frequency  hopping,  and   generic  data  transfer.  The   protocol  only  carries  I/O  data,   making  it  impossible  for  a   malicious  executable  file  to  be   transmiLed.”     48   §  FHSS  to  avoid   sniffing   §  The  family  is   malware  safe    
  48. 48. Quotes  (Integrity)   “When  the  data  is  transmiLed,  a   CRC  algorithm  ensures  that  the   data  arrives  intact.  If  the  CRC   algorithm  fails,  the  corrupt  data   packet  is  discarded  and  the  data  is   automa<cally  retransmiLed  using   a  new  frequency  during  the  next   communica<on  cycle.”     49   §  Cyclic   Redundancy   Check   §  No  integrity   §  No  security   §  Only  for  network   errors  
  49. 49. Quotes  (Comm  Protocols)   “This  protocol  does  not   operate  like  an  open   protocol  such  as  Wi-­‐Fi  and   is  not  subject  to  the  risks   of  an  open  protocol.”     50  
  50. 50. Disclosure  and  Coordina<on   §  8  vulnerabili<es  reported  (today’s  vendors)   §  1  patched  =>  PRNG  Vulnerability  (ICSA-­‐13-­‐248-­‐01)   §  Are  vendors  responsible?     §  Did  they  no<fy  their  customers?   §  Is  documenta<on  truly  aligned?   §  Is  firmware  upgrade  easy?  
  51. 51. Conclusions  (Securing  the  scheme)   52   §  Out  of  bands  methods   §  Pre-­‐share  a  strong  secret  for  the  ini<al  link  (eg:  serial  comm)   §  Also  802.15.4  AES  Encryp<on  at  lower  layers  (MAC)   §  Secure  the  Node  Physical  Access  (Mainly  KDC)   §  Use  hardware  An<-­‐tamper  mechanisms   §  Audit  Source  Code  //  Audit  Site  regularly   §  ICS-­‐CERT  Hardening  Guides   §  Don’t  trust  vendor’s  documenta<on,  go  further.  
  52. 52. Conclusions   53   §  Problem  space  has  always  been  an  open  topic   §  The  journey  of  keys  allows  prac<cal  aLacks   §  WSN’s  standards  maturity  is  growing   §  Vendors  can  fail  when  implemen<ng  them   §  No  evidence  of  previous  security  reviews   §  Tes<ng  the  field  loca<on  is  possible  with  the  proper   Hardware  and  open  source  So_ware     CC1111   RZUSB   TelosB   HackRF  
  53. 53. Aknowledgements   54   §  ICS/CERT  –  US/CERT   §  References:  Piotr  Szcezechowiak,  Haowen  Chan,  A.   Perrig,  Seyit  A.  Camtepe,  Bulent  Yener,  Rob  Havelt,   Travis  Goodspeed,  Joshua  Wright…   §  All  IOAc<ve,  Inc.  
  54. 54. THANK  YOU  !   Lucas  Apa  (lucas.apa@ioac<   Carlos  Penagos  (carlos.hollman@ioac<   @lucasapa   @binaryman<s