From an URGENT/11 Vulnerability to a Full Take-Down of a Factory, Using a Single Packet

Presented at Black Hat Asia 2020 Virtual, Oct. 2, 2020, 12:30 p.m. (40 minutes)

Industrial Controllers are the basic building blocks for any automated factory. Our talk will demonstrate how an attacker can take over an entire factory by transmitting a single packet that will exploit one of the URGENT/11 vulnerabilities we've recently discovered.

PLCs (programmable logic controllers) are embedded devices responsible for the control of manufacturing processes, with hundreds of them scattered across industrial environments. Successful exploitation of such devices en masse can have devastating implications for a factory or critical systems. Pulling it off in a way that is hard to detect, debug, and eventually shut down, as the Stuxnet worm did, requires a nation-state level of sophistication.

In this talk, we will walk through the process of exploiting one of the URGENT/11 vulnerabilities we discovered earlier this year on a Rockwell PLC. We will detail how we were able to obtain debug capabilities on the device, learn the internals of its implementation by reverse engineering its firmware, and eventually develop a reliable exploit that gains code execution by sending a single broadcast IP packet. An attacker can use this vulnerability to exploit many devices concurrently and infect an entire factory with a single malicious broadcast packet.

We will then detail the steps an attacker can carry out post-exploitation, and how they could manipulate a critical device such as a PLC while leaving the industrial tools that monitor it in the dark about what is actually happening. We will conclude our talk with a live demo of multiple PLCs all being pwned simultaneously by a single broadcast packet.

Presenters:

  • Dor Zusman - Security Researcher, Armis
    Dor Zusman is a researcher at Armis with rich real-world experience in cybersecurity research. Prior to Armis, Dor was a researcher, network security specialist and developer in Israeli Defense Forces intelligence. Dor specializes in reverse engineering, vulnerability research and network pentesting of large corporate networks. He is currently reversing IoT devices in search of novel ways to abuse them as bridgeheads into corporate networks. In his free time Dor likes to build his own house, to compensate for the walls he takes down in cyberspace.
  • Barak Hadad - Security Researcher, Armis
    Barak Hadad is a security researcher at Armis Labs, responsible for hunting zero-days and reverse engineering. Formerly an R&D team lead in Israeli Defense Forces Intelligence, his current focus is unraveling the mysteries of various embedded devices. While breaking a factory production line is Barak's idea of fun at work, in his free time Barak enjoys gaining as many hobbies as possible, including windsurfing, volleyball, ski, water-ski, volley-ski, ball-water-ski, and of course his favorite, wind-ball-surf-volley-ski.