Industrial Controllers are the basic building blocks for any automated factory. Our talk will demonstrate how an attacker can take over an entire factory by transmitting a single packet that will exploit one of the URGENT/11 vulnerabilities we've recently discovered.
PLCs (programmable logic controllers) are embedded devices responsible for the control of manufacturing processes, with hundreds of them scattered across industrial environments. Successful exploitation of such devices en masse can have devastating implications for a factory or for critical systems. Pulling it off in a way that is hard to detect, debug, and eventually shut down, as the Stuxnet worm did, requires a nation-state level of sophistication.
In this talk, we will walk through the process of exploiting one of the URGENT/11 vulnerabilities we discovered earlier this year on a Rockwell PLC. We will detail how we were able to obtain debug capabilities on the devices, learn the internals of its implementation by reverse engineering its firmware, and eventually develop a reliable exploit that gains code execution by sending a single broadcast IP packet. An attacker can use this vulnerability to create a concurrent exploitation and infect an entire factory using a single malicious broadcast packet.
We will then detail the steps an attacker could carry out post-exploitation, and how they could manipulate a critical device such as a PLC while leaving the industrial tools that monitor it in the dark about what is actually happening. We will conclude our talk with a live demo of multiple PLCs all being pwned simultaneously by a single broadcast packet.