SlideShare a Scribd company logo

MKAD_black_V2

Marina Krotofil
Marina Krotofil
1 of 81
Download to read offline
Marina Krotofil & A. D. or MKAD ;-) Hack Like a Movie Star Step-by-step guide to crafting SCADA payloads for physical attacks with catastrophic consequences
Movies are inspiring….
Who we are: A. D.  PhD candidate in embedded security  Likes playing CTF and to reverse engineer  Hardware and software developer
Who we are: Marina Krotofil  Formally trained ex-academician and engineer  Interested in cyber-physical exploitation  Never thought I was a hacker before my hacker friends told me I was
Prehistory
Prehistory: Hacking chemical plants Control Access DiscoveryCleanup Damage M. Krotofil. Hacking Chemical Plants for Competition and Extortion. Black Hat USA (2015) J. Larsen. Breakage. Black Hat Federal (2007)
At DefCon ICS village  Several types of control systems (traffic lights, robots, power grid) available for hacking  Many hacking master minds  Applied techniques they use to hack IT systems o Nmap-ing & traffic analysis o Firing vulnerabilities scanners to get shell o No success & lost interest
Control Access DiscoveryCleanup Damage Stages will help you!
Control Access DiscoveryCleanup Damage Stages will help you!
CybatiWorks Traffic Light kit  Semi-handcrafted demo tool o Legally obtained image from the Internet o Own hardware components o Permission for full disclosure Thanksgiving: Matthew Luallen of Cybati https://cybati.org/cybatiworks Our first testbed
Project kick-off meeting :-)
Control Access DiscoveryCleanup Damage Access
Getting in  Somewhere out there in the world there is a lonely traffic light system. How do you connect to it?
Getting in  In our case the system is just in front of us That was hard!
Control Access DiscoveryCleanup Damage Discovery
American traffic-light-controlled crossroad
Configuration The Bad Guy 176.16.192.10 CybatiWorks-1 platform 176.16.192.30 RPi 2 hard wired GPIOModbus TCP Rex Peak HMI Rex Wireshark here
Rex control system https://www.rexcontrols.com/rex-control-system-raspberry-pi  REX Control System is a family of software products for automation projects  RexDraw - development tool for creation of control programsh von  RexView - diagnostic tool, allows watching the runtime core execution of control algorithm  RexCore - run time environment handles timing and execution of control algorithms
Cyber-physical system  IT systems “embedded” in an application in the physical world o Cyber-physic al attacks has  The goal of the attacker o Bring system into a specific state o To make system performing desired actions
Layers of cyber-physical system PhysicallayerControllayerCyberlayer Process behavior Control algorithm Measured process state Control commands Inputs ControllerHMIDB Engineering stationServer x(t) y(t) Outputs
Configuration Diagnostic Visualization RexDraw RexCompiler RexView Peak HMI TCP IP Modbus TCP RexCore *.mdl *.rex HOST,CybatiVM Physical application RPi Drv Mb Drv Control and monitoring architecture
Understanding the network and the traffic  Rex communication protocol o Proprietary, reverse engineerable  Modbus TCP o Open source o No [authentication, integrity protection, encryption]
Understanding the traffic
Understanding the traffic
Understanding the traffic
 Everything what could be measured (inputs) and set (outputs) is called a point o Points have tags (variable name) o You need to reconstruct point-tag nomenclature o Points come in analog, digital, and integer flavors o Points can be read, write, or read/write  Often multiple conversion based on tables stored somewhere on the servers or Internet o Go find them Understanding points and tags
HMI for traffic light management  No authentication and access control
Look around HMI Alarms not enabled (?)
Alarms  Alarm is (min/max) threshold/warning of a point value or process/system condition  Warns operator about unwanted/dangerous conditions/events o They tell you what process creator was worried about  Alarm can be generated o In controller o In data base o On the HMI  The attacker may need to suppress alarms during the attack (Illustrative alarms)
Alarms Empty alarm log -> looks like really no alarms configured, good for us :-)
Sorting out your discoveries
Control logic
Control logic  Defines what should/should not happen o Under which conditions o At what time o YES or NO proposition  If-then statements and Boolean logic o [if input 1 true] AND [input 2 not true] -> [do something]
Where/how to get it?  Engineering/programming station o Some engineer has programmed it o Some human has uploaded it o Often stored on some server  Go grab it from the controller o Reverse engineer the compiler  E.g. see talk of Felix ‘FX’ Lindner talk on building custom disassemblers http://data.proidea.org.pl/confidence/9edycja/materialy/prezentacje/FX.pdf
Control algorithm
Control logic (schematics) [0 0 1;1 5 6;1 1 2; 2 2 3……..7 7 8; 8 8 1] STT – State Transition Table touts – timeouts, time limit for current state Current state State the system will transit Condition to move to the next state Q2 U1 Y U2 NY TOUT2 AND_TOUT2 C2
State machine
Physical outputs of the states Tags, pins, Modbus labels
Mapping tags and pins
Outcome of the discovery stage  Understanding how the systems is built and functions o Static discovery of the system
Control Access DiscoveryCleanup Damage Control
Things which we can change  There are two major things the attacker can control o The state of the traffic light (red-yellow-green & blinking) o The timeout of each state  The state of the traffic light can be controlled o Directly o Indirectly (by manipulating the inputs to control logic)  We brainstormed a list of 30 approaches o Implemented half of it (at the end it is just a hacking exercise for fun & more fun)
DEMO 1  Forcing the point  Setting point value from the debagger (RexView) o “Set that on green because I am your engineer and I said so!”  Setting point from the microcontroller (RPi) o Using suid binary o Does not require root privileges (enjoy!) gpio write 3 1
DEMO 2  Stale Data attack o Stopping CPU on command o Traffic lights will remains in their last state 1. ssh pi@172.16.192.30 2. sudo su 3. ps -ax|grep Rex find out the pid of RexCore 4. kill -STOP [pid] 5. kill -CONT [pid] (repeat 4 and 5 at will) P.S. We achieved the same effect by clumsily uploading modified firmware – unintended fuzzing 
DEMO 3  Speeding up the clock o Modifying timer tick o Making things happening faster 1. ssh pi@172.16.192.30 2. sudo su 3. ps -ax|grep RexCore find out the pid of RexCore 4. gdb -[pid] 5. info files find address ranges for .data in /usr/lib/libRex_T-2.10.6.so use start address XXX in the following formula 6. x/x XXX - 0x98bc8 + 0x9a1d4 you should get a new offset with location of the timer tick 0xXXX: 0x02af080 use XXX in the following formula 7. set *(int)0xXXX=1000 (50000 speed factor) modify touts as needed 8. [ 1 1 300 1 1 1 1 1 1 1 1 1]
Reverse engineering RexCore P.S. Thanks to Ole André Vadla Ravnås for Frida (www.frida.re)
DEMO 4  Modification of control logic o Rewire/redesign the logic in a way you want o E.g. No-REDs-Allowed! removed constant ON removed
Outcome of the control stage  A portfolio of attacks instances to include into final payload o All various ways you can influence the state of the physical application o Choose which you want to use in final payload  Those which are more reliable and most effective
Control Access DiscoveryCleanup Damage Damage
 Safety related (very catastrophic) o Damage to the vehicles o Killing road users (drivers, pedestrians, cyclists…) o Both  Economy related (very inconvenient) o Denial of traffic light service o Maintenance efforts o Traffic impairment  Force amplifier (very unfortunate) o Making a way for bad guys o Denying a way for good guys (ambulance, police) Attack goal
Traffic jams and gridlocks Paris amore…..
Designing attack scenario  Final payload is tailored to the system you are attacking o Requires knowledge of traffic light system solution, (cross)road layout, traffic patterns, driving culture, etc. o E.g. in India nobody follows traffic lights, traffic lights in many U.S. cities are desynchronized anyway and “Germans don’t need traffic lights”  Traffic light hack in Los Angeles in 2006 o Disgruntled city traffic engineers reprogrammed lights to stay red longer o Used their comprehensive knowledge of the city's traffic patterns and chose few key intersections o Caused a massive traffic bottleneck and several days of gridlock https://www.youtube.com/watch?v=zv9FQZ7kgqU
Control Access DiscoveryCleanup Damage Cleanup
Cyber-physical attacks  Cyber-physical attacks change things in the physical world o The impact of such attacks cannot be made invisible by smart “stealth techniques” or by modifying logs  Because it is NOT INVISIBLE, somebody responsible will try to intervene if things are not going right  Make those people unaware of true system’s state
Traffic light HMI
DEMO 5  Blinding operator about real state of the traffic lights o Requires some form of MITM o Can be implemented at the network layer, on the HMI host, DB, etc. http://www.nrl.navy.mil/itd/ncs/products/core [1 (0)]: /opt/ZN/hmi_on.ef [2 (0)]: /opt/ZN/hmi_blank.ef [3 (0)]: /opt/ZN/hmi_yellow.ef [4 (0)]: /opt/ZN/hmi_red.ef [5 (0)]: /opt/ZN/hmi_main_yellow.ef [6 (0)]: /opt/ZN/hmi_side_yellow.ef [7 (1)]: /opt/ZN/hmi_main.ef [8 (0)]: /opt/ZN/hmi_side.ef  Intercepting traffic to the operator o Ettercap filters for traffic manipulation o We used Common Open Research Emulator (CORE) installed on Cybati platform o Tool for emulating networks on one or more machines
Public tenders Regulatory standards Point database Visit locations VLog Changing point value Realtime data from sensors Bypass Supervisor Reports on traffic jam costs Traffic experts Custom research Final Payload Custom operator spoofs Waiting for rare events Log tampering Minimal traffic system model Accidents in newspapers Forensic footprint Discovery Control Damage Cleanup Access Traffic flow Management Regulatory logging Dig up cables Wireless links
What is in the real world?
Modern traffic light systems are complex  All traffic light systems are built and configured differently! o Even from the same vendor o To the customer specification  Complex interactive system o Traffic IS a part of the system  Seems like no security requirements or regulations YET
Traffic Management Traffic Information Historical Data bank RoadworksStatus lanes Point speeds & Travel time Traffic intensity and vehicle categories Traffic reports Apps, radio, tv, Websites, navigation Status bridges BiiiiiiG DATA
Road traffic management center
Modern traffic light systems ensure safety http://theconversation.com/traffic-light-hacking-shows-the-internet-of- things-must-come-with-better-security-30803 PhysicallayerControllayerCyberlayer Process behavior Control algorithm Measured process state Control commands Inputs ControllerHMIDB Engineering stationServer Safety x(t) y(t) Outputs
Functional safety requirements  European and local directives o EN 12675 - Traffic signal controllers. Functional safety requirements. First published in 2000. o National normatives based on EN 12675  Detection of failure o Minimal time to detect the occurrence of fault and take action is 100-850 ms depending on class of fault o Diagnostic checks of controller logic system and action to be taken shall not be greater than 10 sec http://www.ganino.com/games/British%20standard/BS%20EN/BS%20EN%2012675-2001.pdf
 MMU can be implemented as stand alone supervisor or as safety processor on the main CPU board (the latter is more common) o At this point we cannot judge on the security of implementation  Failure modes o Typical safety state of operation is blinking yellow o Major fault – irreversible, requires (manual) controller reset o Minor fault – reversible, controller may return to full functionality Functional safety
Typical safety checks  All color and green/green conflicts  Signal sequences  Min. and max. times for all signal states  Min. and max. cycle time for coordinated signals  Min. and max. lamp load for red, amber and green  Min. and max. main supply voltage for safe operation  Min. and max. main supply frequency  and others https://www.swarco.com/en/Products-Services/Traffic-Management/Urban-Traffic- Management/ITC-Traffic-Controllers/ITC-3-Traffic-Controller#tab-7642
Access
In the mass media
Previous works  Cesar Cerrudo of IOActive o Sent fake data to vehicle detection sensors’ Access Point o Could influence behavior of the traffic lights http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html http://web.eecs.umich.edu/~brghena/projects/green_lights/ghena14green_lights.pdf  Research group of University of Michigan o Hacked into wireless traffic light control communication and into controller o Could influence behavior of the traffic lights  Bastian Bloessl o Reversed engineered local wireless traffic light communication o Reversed and decoded live bus stops telemetry http://www.bastibl.net/traffic-lights/
Shodan old friend…..  According to vendors’ specifications, traffic light systems are Internet-friendly o Remote accessible diagnostic tools o Internet accessible control panel o Application updates o Logs are accessible over internet o (Internet connectivity is used with care by traffic lights operators in EU (?)) -> at least with ones we spoke to  We did not find a traffic light online YET o But several Traffic Management Systems (with weak protection) o Not allowed to disclose
KAR - Korte Afstands Radio <=> Short Distance Radio  System for requesting green for emergency vehicles o Based on open standards http://bison.connekt.nl/standaarden/ https://en.wikipedia.org/wiki/OpenAIR  Request packet contains among others: o ID of intersection, vehicle speed, direction o Type of car and its ID (e.q. police, fire brigade, ambulance, public transport) CALL FOR ZERO DAY EXPLOIT ;-) o No authentication, authorization or encryption Otherprotocols:TransitSignalPriority(TSP) http://www.gtt.com/file/transit-signal-priority/79-1000-0444- 0_B%20TSP%20Sell%20Sheet.pdf
Afterword
And Oscar goes to…… Nope, not to Marina
And Oscar goes to those…. Who can design meaningful attack scenario OR Who can overcome safety protections
And it’s feeling goooood……
It’s green, so keep good speed! Bad day :-(
(ouch!) Also under traffic light controllers supervision
 Anybody can mimic the sound signal and play it when NOT GREEN o Is real current concern o Please don’t kill pedestrians! Sight challenged pedestrians
Who can design meaningful attack scenario OR Who can overcome safety protections And Oscar goes to those….
Possible Attack on Safety Confirmed by a traffic engineer as “maybe possible”  Central traffic managements receives status of Safety Unit  CAN Bus interface between Application and Safety CPU is found in current solutions  Steps to take: o Acquire the hardware (like Cesar Cerrudo/IOActive) o Fuzz the connection between Application and Safety o Reverse engineer safety implementation o Discover remote vulnerability o Exploit vulnerability to bypass safety
Marina Krotofil marina.krotofil@tuhh.de @marmusha THANK YOU A. D. Thanksgiving: Cesar Cerrudo for patiently answering many questions

Recommended

DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3Marina Krotofil
 
S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_KrotofilMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 

Recommended

DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3Marina Krotofil
 
S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_KrotofilMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your InputsAlexander Bolshev
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA SecurityNarinrit Prem-apiwathanokul
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Mike Boudreaux
 
ICS security
ICS securityICS security
ICS securityAhmed Shitta
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016Marina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017Marina Krotofil
 

More Related Content

What's hot

Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Mike Boudreaux
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 

What's hot (20)

Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your Inputs
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
 
ICS security
ICS securityICS security
ICS security
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 

Viewers also liked

New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016Marina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017Marina Krotofil
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017Marina Krotofil
 
Разведка угроз промышленных предприятий
Разведка угроз промышленных предприятийРазведка угроз промышленных предприятий
Разведка угроз промышленных предприятийAnton Shipulin
 
RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...
RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...
RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...Joaquin Delgado PhD.
 
DEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
DEFCON17 - Your Mind: Legal Status, Rights and Securing YourselfDEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
DEFCON17 - Your Mind: Legal Status, Rights and Securing YourselfJames Arlen
 
Использование однонаправленных шлюзов/диодов данных в сетях АСУ ТП
Использование однонаправленных шлюзов/диодов данных в сетях АСУ ТПИспользование однонаправленных шлюзов/диодов данных в сетях АСУ ТП
Использование однонаправленных шлюзов/диодов данных в сетях АСУ ТПКРОК
 
Методика обеспечения информационной безопасности АСУ ТП
Методика обеспечения информационной безопасности АСУ ТПМетодика обеспечения информационной безопасности АСУ ТП
Методика обеспечения информационной безопасности АСУ ТПКРОК
 
Актуальные решения по обеспечению безопасности промышленных систем
Актуальные решения по обеспечению безопасности промышленных систем Актуальные решения по обеспечению безопасности промышленных систем
Актуальные решения по обеспечению безопасности промышленных системКРОК
 
Текущее состояние проблемы безопасности АСУ ТП в России и мире
Текущее состояние проблемы безопасности АСУ ТП в России и миреТекущее состояние проблемы безопасности АСУ ТП в России и мире
Текущее состояние проблемы безопасности АСУ ТП в России и миреКРОК
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Противодействие хищению персональных данных и платежной информации в сети Инт...
Противодействие хищению персональных данных и платежной информации в сети Инт...Противодействие хищению персональных данных и платежной информации в сети Инт...
Противодействие хищению персональных данных и платежной информации в сети Инт...Dmitry Evteev
 
пр Куда идет ИБ в России? (региональные аспекты)
пр Куда идет ИБ в России? (региональные аспекты)пр Куда идет ИБ в России? (региональные аспекты)
пр Куда идет ИБ в России? (региональные аспекты)Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...OWASP Russia
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...OWASP Russia
 

Viewers also liked (18)

New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
 
Разведка угроз промышленных предприятий
Разведка угроз промышленных предприятийРазведка угроз промышленных предприятий
Разведка угроз промышленных предприятий
 
RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...
RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...
RecSys 2015 Tutorial - Scalable Recommender Systems: Where Machine Learning m...
 
DEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
DEFCON17 - Your Mind: Legal Status, Rights and Securing YourselfDEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
DEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself
 
Использование однонаправленных шлюзов/диодов данных в сетях АСУ ТП
Использование однонаправленных шлюзов/диодов данных в сетях АСУ ТПИспользование однонаправленных шлюзов/диодов данных в сетях АСУ ТП
Использование однонаправленных шлюзов/диодов данных в сетях АСУ ТП
 
Методика обеспечения информационной безопасности АСУ ТП
Методика обеспечения информационной безопасности АСУ ТПМетодика обеспечения информационной безопасности АСУ ТП
Методика обеспечения информационной безопасности АСУ ТП
 
Актуальные решения по обеспечению безопасности промышленных систем
Актуальные решения по обеспечению безопасности промышленных систем Актуальные решения по обеспечению безопасности промышленных систем
Актуальные решения по обеспечению безопасности промышленных систем
 
Текущее состояние проблемы безопасности АСУ ТП в России и мире
Текущее состояние проблемы безопасности АСУ ТП в России и миреТекущее состояние проблемы безопасности АСУ ТП в России и мире
Текущее состояние проблемы безопасности АСУ ТП в России и мире
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
penetest VS. APT
penetest VS. APTpenetest VS. APT
penetest VS. APT
 
Противодействие хищению персональных данных и платежной информации в сети Инт...
Противодействие хищению персональных данных и платежной информации в сети Инт...Противодействие хищению персональных данных и платежной информации в сети Инт...
Противодействие хищению персональных данных и платежной информации в сети Инт...
 
пр про SOC для ФСТЭК
пр про SOC для ФСТЭКпр про SOC для ФСТЭК
пр про SOC для ФСТЭК
 
пр Спроси эксперта про прогнозы ИБ
пр Спроси эксперта про прогнозы ИБпр Спроси эксперта про прогнозы ИБ
пр Спроси эксперта про прогнозы ИБ
 
пр Куда идет ИБ в России? (региональные аспекты)
пр Куда идет ИБ в России? (региональные аспекты)пр Куда идет ИБ в России? (региональные аспекты)
пр Куда идет ИБ в России? (региональные аспекты)
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
 

Similar to MKAD_black_V2

OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...
Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...
Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...AMD Developer Central
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for DetectionSourcefire VRT
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Operating System Fingerprinting Prevention
Operating System Fingerprinting PreventionOperating System Fingerprinting Prevention
Operating System Fingerprinting Preventiondcalhoun1984
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsManuel Santander
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN
DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUNDEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN
DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUNÖmer Coşkun
 
Defcon23 why nation-state_malware_target_telco_omercoskun
Defcon23 why nation-state_malware_target_telco_omercoskunDefcon23 why nation-state_malware_target_telco_omercoskun
Defcon23 why nation-state_malware_target_telco_omercoskunÖmer Coşkun
 
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 29Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2Lori Head
 
Mind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data Exfiltration
Mind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data ExfiltrationMind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data Exfiltration
Mind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data ExfiltrationCheckmarx
 
Uvm presentation dac2011_final
Uvm presentation dac2011_finalUvm presentation dac2011_final
Uvm presentation dac2011_finalsean chen
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 

Similar to MKAD_black_V2 (20)

OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...
Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...
Keynote (Mike Muller) - Is There Anything New in Heterogeneous Computing - by...
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for Detection
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Operating System Fingerprinting Prevention
Operating System Fingerprinting PreventionOperating System Fingerprinting Prevention
Operating System Fingerprinting Prevention
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Backtrack Manual Part8
Backtrack Manual Part8Backtrack Manual Part8
Backtrack Manual Part8
 
PhD Slides
PhD SlidesPhD Slides
PhD Slides
 
DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN
DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUNDEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN
DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN
 
Defcon23 why nation-state_malware_target_telco_omercoskun
Defcon23 why nation-state_malware_target_telco_omercoskunDefcon23 why nation-state_malware_target_telco_omercoskun
Defcon23 why nation-state_malware_target_telco_omercoskun
 
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 29Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
 
Mind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data Exfiltration
Mind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data ExfiltrationMind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data Exfiltration
Mind the (Air)Gap: Checkmarx Research into NFC and Smart Bulb Data Exfiltration
 
Uvm presentation dac2011_final
Uvm presentation dac2011_finalUvm presentation dac2011_final
Uvm presentation dac2011_final
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 

MKAD_black_V2

  • 1. Marina Krotofil & A. D. or MKAD ;-) Hack Like a Movie Star Step-by-step guide to crafting SCADA payloads for physical attacks with catastrophic consequences
  • 3. Who we are: A. D.  PhD candidate in embedded security  Likes playing CTF and to reverse engineer  Hardware and software developer
  • 4. Who we are: Marina Krotofil  Formally trained ex-academician and engineer  Interested in cyber-physical exploitation  Never thought I was a hacker before my hacker friends told me I was
  • 6. Prehistory: Hacking chemical plants Control Access DiscoveryCleanup Damage M. Krotofil. Hacking Chemical Plants for Competition and Extortion. Black Hat USA (2015) J. Larsen. Breakage. Black Hat Federal (2007)
  • 7. At DefCon ICS village  Several types of control systems (traffic lights, robots, power grid) available for hacking  Many hacking master minds  Applied techniques they use to hack IT systems o Nmap-ing & traffic analysis o Firing vulnerabilities scanners to get shell o No success & lost interest
  • 10. CybatiWorks Traffic Light kit  Semi-handcrafted demo tool o Legally obtained image from the Internet o Own hardware components o Permission for full disclosure Thanksgiving: Matthew Luallen of Cybati https://cybati.org/cybatiworks Our first testbed
  • 13. Getting in  Somewhere out there in the world there is a lonely traffic light system. How do you connect to it?
  • 14. Getting in  In our case the system is just in front of us That was hard!
  • 17. Configuration The Bad Guy 176.16.192.10 CybatiWorks-1 platform 176.16.192.30 RPi 2 hard wired GPIOModbus TCP Rex Peak HMI Rex Wireshark here
  • 18. Rex control system https://www.rexcontrols.com/rex-control-system-raspberry-pi  REX Control System is a family of software products for automation projects  RexDraw - development tool for creation of control programsh von  RexView - diagnostic tool, allows watching the runtime core execution of control algorithm  RexCore - run time environment handles timing and execution of control algorithms
  • 19. Cyber-physical system  IT systems “embedded” in an application in the physical world o Cyber-physic al attacks has  The goal of the attacker o Bring system into a specific state o To make system performing desired actions
  • 20. Layers of cyber-physical system PhysicallayerControllayerCyberlayer Process behavior Control algorithm Measured process state Control commands Inputs ControllerHMIDB Engineering stationServer x(t) y(t) Outputs
  • 21. Configuration Diagnostic Visualization RexDraw RexCompiler RexView Peak HMI TCP IP Modbus TCP RexCore *.mdl *.rex HOST,CybatiVM Physical application RPi Drv Mb Drv Control and monitoring architecture
  • 22. Understanding the network and the traffic  Rex communication protocol o Proprietary, reverse engineerable  Modbus TCP o Open source o No [authentication, integrity protection, encryption]
  • 26.  Everything what could be measured (inputs) and set (outputs) is called a point o Points have tags (variable name) o You need to reconstruct point-tag nomenclature o Points come in analog, digital, and integer flavors o Points can be read, write, or read/write  Often multiple conversion based on tables stored somewhere on the servers or Internet o Go find them Understanding points and tags
  • 27. HMI for traffic light management  No authentication and access control
  • 28. Look around HMI Alarms not enabled (?)
  • 29. Alarms  Alarm is (min/max) threshold/warning of a point value or process/system condition  Warns operator about unwanted/dangerous conditions/events o They tell you what process creator was worried about  Alarm can be generated o In controller o In data base o On the HMI  The attacker may need to suppress alarms during the attack (Illustrative alarms)
  • 30. Alarms Empty alarm log -> looks like really no alarms configured, good for us :-)
  • 31. Sorting out your discoveries
  • 33. Control logic  Defines what should/should not happen o Under which conditions o At what time o YES or NO proposition  If-then statements and Boolean logic o [if input 1 true] AND [input 2 not true] -> [do something]
  • 34. Where/how to get it?  Engineering/programming station o Some engineer has programmed it o Some human has uploaded it o Often stored on some server  Go grab it from the controller o Reverse engineer the compiler  E.g. see talk of Felix ‘FX’ Lindner talk on building custom disassemblers http://data.proidea.org.pl/confidence/9edycja/materialy/prezentacje/FX.pdf
  • 36. Control logic (schematics) [0 0 1;1 5 6;1 1 2; 2 2 3……..7 7 8; 8 8 1] STT – State Transition Table touts – timeouts, time limit for current state Current state State the system will transit Condition to move to the next state Q2 U1 Y U2 NY TOUT2 AND_TOUT2 C2
  • 38. Physical outputs of the states Tags, pins, Modbus labels
  • 40. Outcome of the discovery stage  Understanding how the systems is built and functions o Static discovery of the system
  • 42. Things which we can change  There are two major things the attacker can control o The state of the traffic light (red-yellow-green & blinking) o The timeout of each state  The state of the traffic light can be controlled o Directly o Indirectly (by manipulating the inputs to control logic)  We brainstormed a list of 30 approaches o Implemented half of it (at the end it is just a hacking exercise for fun & more fun)
  • 43. DEMO 1  Forcing the point  Setting point value from the debagger (RexView) o “Set that on green because I am your engineer and I said so!”  Setting point from the microcontroller (RPi) o Using suid binary o Does not require root privileges (enjoy!) gpio write 3 1
  • 44. DEMO 2  Stale Data attack o Stopping CPU on command o Traffic lights will remains in their last state 1. ssh pi@172.16.192.30 2. sudo su 3. ps -ax|grep Rex find out the pid of RexCore 4. kill -STOP [pid] 5. kill -CONT [pid] (repeat 4 and 5 at will) P.S. We achieved the same effect by clumsily uploading modified firmware – unintended fuzzing 
  • 45. DEMO 3  Speeding up the clock o Modifying timer tick o Making things happening faster 1. ssh pi@172.16.192.30 2. sudo su 3. ps -ax|grep RexCore find out the pid of RexCore 4. gdb -[pid] 5. info files find address ranges for .data in /usr/lib/libRex_T-2.10.6.so use start address XXX in the following formula 6. x/x XXX - 0x98bc8 + 0x9a1d4 you should get a new offset with location of the timer tick 0xXXX: 0x02af080 use XXX in the following formula 7. set *(int)0xXXX=1000 (50000 speed factor) modify touts as needed 8. [ 1 1 300 1 1 1 1 1 1 1 1 1]
  • 46. Reverse engineering RexCore P.S. Thanks to Ole André Vadla Ravnås for Frida (www.frida.re)
  • 47. DEMO 4  Modification of control logic o Rewire/redesign the logic in a way you want o E.g. No-REDs-Allowed! removed constant ON removed
  • 48. Outcome of the control stage  A portfolio of attacks instances to include into final payload o All various ways you can influence the state of the physical application o Choose which you want to use in final payload  Those which are more reliable and most effective
  • 50.  Safety related (very catastrophic) o Damage to the vehicles o Killing road users (drivers, pedestrians, cyclists…) o Both  Economy related (very inconvenient) o Denial of traffic light service o Maintenance efforts o Traffic impairment  Force amplifier (very unfortunate) o Making a way for bad guys o Denying a way for good guys (ambulance, police) Attack goal
  • 51. Traffic jams and gridlocks Paris amore…..
  • 52. Designing attack scenario  Final payload is tailored to the system you are attacking o Requires knowledge of traffic light system solution, (cross)road layout, traffic patterns, driving culture, etc. o E.g. in India nobody follows traffic lights, traffic lights in many U.S. cities are desynchronized anyway and “Germans don’t need traffic lights”  Traffic light hack in Los Angeles in 2006 o Disgruntled city traffic engineers reprogrammed lights to stay red longer o Used their comprehensive knowledge of the city's traffic patterns and chose few key intersections o Caused a massive traffic bottleneck and several days of gridlock https://www.youtube.com/watch?v=zv9FQZ7kgqU
  • 54. Cyber-physical attacks  Cyber-physical attacks change things in the physical world o The impact of such attacks cannot be made invisible by smart “stealth techniques” or by modifying logs  Because it is NOT INVISIBLE, somebody responsible will try to intervene if things are not going right  Make those people unaware of true system’s state
  • 56. DEMO 5  Blinding operator about real state of the traffic lights o Requires some form of MITM o Can be implemented at the network layer, on the HMI host, DB, etc. http://www.nrl.navy.mil/itd/ncs/products/core [1 (0)]: /opt/ZN/hmi_on.ef [2 (0)]: /opt/ZN/hmi_blank.ef [3 (0)]: /opt/ZN/hmi_yellow.ef [4 (0)]: /opt/ZN/hmi_red.ef [5 (0)]: /opt/ZN/hmi_main_yellow.ef [6 (0)]: /opt/ZN/hmi_side_yellow.ef [7 (1)]: /opt/ZN/hmi_main.ef [8 (0)]: /opt/ZN/hmi_side.ef  Intercepting traffic to the operator o Ettercap filters for traffic manipulation o We used Common Open Research Emulator (CORE) installed on Cybati platform o Tool for emulating networks on one or more machines
  • 57. Public tenders Regulatory standards Point database Visit locations VLog Changing point value Realtime data from sensors Bypass Supervisor Reports on traffic jam costs Traffic experts Custom research Final Payload Custom operator spoofs Waiting for rare events Log tampering Minimal traffic system model Accidents in newspapers Forensic footprint Discovery Control Damage Cleanup Access Traffic flow Management Regulatory logging Dig up cables Wireless links
  • 58. What is in the real world?
  • 59. Modern traffic light systems are complex  All traffic light systems are built and configured differently! o Even from the same vendor o To the customer specification  Complex interactive system o Traffic IS a part of the system  Seems like no security requirements or regulations YET
  • 60. Traffic Management Traffic Information Historical Data bank RoadworksStatus lanes Point speeds & Travel time Traffic intensity and vehicle categories Traffic reports Apps, radio, tv, Websites, navigation Status bridges BiiiiiiG DATA
  • 61.
  • 63. Modern traffic light systems ensure safety http://theconversation.com/traffic-light-hacking-shows-the-internet-of- things-must-come-with-better-security-30803 PhysicallayerControllayerCyberlayer Process behavior Control algorithm Measured process state Control commands Inputs ControllerHMIDB Engineering stationServer Safety x(t) y(t) Outputs
  • 64. Functional safety requirements  European and local directives o EN 12675 - Traffic signal controllers. Functional safety requirements. First published in 2000. o National normatives based on EN 12675  Detection of failure o Minimal time to detect the occurrence of fault and take action is 100-850 ms depending on class of fault o Diagnostic checks of controller logic system and action to be taken shall not be greater than 10 sec http://www.ganino.com/games/British%20standard/BS%20EN/BS%20EN%2012675-2001.pdf
  • 65.  MMU can be implemented as stand alone supervisor or as safety processor on the main CPU board (the latter is more common) o At this point we cannot judge on the security of implementation  Failure modes o Typical safety state of operation is blinking yellow o Major fault – irreversible, requires (manual) controller reset o Minor fault – reversible, controller may return to full functionality Functional safety
  • 66. Typical safety checks  All color and green/green conflicts  Signal sequences  Min. and max. times for all signal states  Min. and max. cycle time for coordinated signals  Min. and max. lamp load for red, amber and green  Min. and max. main supply voltage for safe operation  Min. and max. main supply frequency  and others https://www.swarco.com/en/Products-Services/Traffic-Management/Urban-Traffic- Management/ITC-Traffic-Controllers/ITC-3-Traffic-Controller#tab-7642
  • 68. In the mass media
  • 69. Previous works  Cesar Cerrudo of IOActive o Sent fake data to vehicle detection sensors’ Access Point o Could influence behavior of the traffic lights http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html http://web.eecs.umich.edu/~brghena/projects/green_lights/ghena14green_lights.pdf  Research group of University of Michigan o Hacked into wireless traffic light control communication and into controller o Could influence behavior of the traffic lights  Bastian Bloessl o Reversed engineered local wireless traffic light communication o Reversed and decoded live bus stops telemetry http://www.bastibl.net/traffic-lights/
  • 70. Shodan old friend…..  According to vendors’ specifications, traffic light systems are Internet-friendly o Remote accessible diagnostic tools o Internet accessible control panel o Application updates o Logs are accessible over internet o (Internet connectivity is used with care by traffic lights operators in EU (?)) -> at least with ones we spoke to  We did not find a traffic light online YET o But several Traffic Management Systems (with weak protection) o Not allowed to disclose
  • 71. KAR - Korte Afstands Radio <=> Short Distance Radio  System for requesting green for emergency vehicles o Based on open standards http://bison.connekt.nl/standaarden/ https://en.wikipedia.org/wiki/OpenAIR  Request packet contains among others: o ID of intersection, vehicle speed, direction o Type of car and its ID (e.q. police, fire brigade, ambulance, public transport) CALL FOR ZERO DAY EXPLOIT ;-) o No authentication, authorization or encryption Otherprotocols:TransitSignalPriority(TSP) http://www.gtt.com/file/transit-signal-priority/79-1000-0444- 0_B%20TSP%20Sell%20Sheet.pdf
  • 73. And Oscar goes to…… Nope, not to Marina
  • 74. And Oscar goes to those…. Who can design meaningful attack scenario OR Who can overcome safety protections
  • 75. And it’s feeling goooood……
  • 76. It’s green, so keep good speed! Bad day :-(
  • 77. (ouch!) Also under traffic light controllers supervision
  • 78.  Anybody can mimic the sound signal and play it when NOT GREEN o Is real current concern o Please don’t kill pedestrians! Sight challenged pedestrians
  • 79. Who can design meaningful attack scenario OR Who can overcome safety protections And Oscar goes to those….
  • 80. Possible Attack on Safety Confirmed by a traffic engineer as “maybe possible”  Central traffic managements receives status of Safety Unit  CAN Bus interface between Application and Safety CPU is found in current solutions  Steps to take: o Acquire the hardware (like Cesar Cerrudo/IOActive) o Fuzz the connection between Application and Safety o Reverse engineer safety implementation o Discover remote vulnerability o Exploit vulnerability to bypass safety
  • 81. Marina Krotofil marina.krotofil@tuhh.de @marmusha THANK YOU A. D. Thanksgiving: Cesar Cerrudo for patiently answering many questions