DTM Components: Shadow Keys to the ICS Kingdom

Presented at Black Hat Europe 2014, Oct. 16, 2014, 5 p.m. (60 minutes)

Today, industrial control system architectures are complex, multilayered networks, based on many popular (now and not so long ago) technologies, such as XML, COM, ActiveX, OLE32, JSON, .Net, and others. FDT/DTM is one of such architectural elements. In short, FDT/DTM standardizes the communication and configuration interface between all (industrial) field devices and host systems. This is archived with the help of DTM - COM, ActiveX or .Net components. Such components exist for many devices used in oil, gas, energy, nuclear, chemical, and other critical industries. Look at any factory, plant, or other industry object, and you'll find an RTU or PLC that is configured by a DTM component.

During our research, we've analyzed the components for hundreds of field devices based on the Modbus, HART, and Profibus DP low-level protocols. Many of them are exposed to insufficient filtration of user-supplied data, XSS, XXE, SSRF, DoS, and other vulnerabilities. We will provide detailed statistics on the security flaws of DTM components from various vendors.

Presenters:

• Gleb Cherbov - Digital Security
  Gleb is a Senior IS Auditor and Security Researcher at Digital Security. He is a hardware and wireless geek experienced in ERP, banking systems, web application penetration testing, and other wired stuff script kiddie. He is a co-organizer and speaker at ZeroNights conference. He also actively participates in the Russian DEF CON Group.
• Alexander Bolshev - Digital Security
  Alexander is an Information Security Researcher at Digital Security. He holds a PhD in computer security and also works as assistant professor at Saint-Petersburg State Electrotechnical University. He works on distributed systems, hardware and industrial protocols security. He is the author of several whitepapers in topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems, and industrial protocol security. He has spoken at the following conferences:Black Hat USA, ZeroNights, S4. Alexander actively participates in the life of the Russian Defcon Group.

Links:

• https://www.blackhat.com/eu-14/briefings.html#Bolshev
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/DTM Components - Shadow Keys to the ICS Kingdom.mp4
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/DTM Components - Shadow Keys to the ICS Kingdom.srt (subtitles)
• https://www.youtube.com/watch?v=VeMgbC0a-u8
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Bolshev-DTM-Components-Shadow-Keys-To-The-ICS-Kingdom.pdf
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Bolshev-DTM-Components-Shadow-Keys-To-The-ICS-Kingdom-wp.pdf

Similar Presentations:

• AppSec USA 2013 / Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development
• DEF CON 28 (2020) Virtual / Hacking the Supply Chain - The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical Devices
• Black Hat USA 2014 / ICSCorsair: How I Will PWN Your ERP Through 4-20 mA Current Loop