Internet-Facing PLCs - A New Back Orifice

Presented at Black Hat USA 2015, Aug. 6, 2015, 12:10 p.m. (50 minutes).

Pretty much everyone should have realized by now that our modern societies critically depend on industrial control systems (ICS) and that these systems are beginning to move into the focus of hacking attacks. A recent example that received comparatively little attention is a 2014 attack on a German steel production facility. The attack led to an uncontrolled shutdown of a blast furnace and caused damages in the millions. Reportedly, the attackers compromised the business IT first and worked their way from there to the actual control systems. Much simpler attack vectors frequently exist for those knowledgeable enough to use them. SHODAN is a case in point: it shows that a plethora of industrial control systems can be reached, and attacked, directly from the Internet.

In our talk, we will showcase novel tools and techniques that leverage a single Internet-facing PLC in order to explore and gain control over entire production networks. We use Siemens PLCs as our example. Our tools differ from what has been made public before in that we implement and run them directly on the PLCs, in their native STL language. Specifically, we explain and demonstrate in detail the following attack process. We automatically locate PLCs and automatically instrument the STL code of a running PLC so that it provides additional functions in parallel to its original ones. One function we implemented is a UDP/SNMP scanner; another is a SOCKS5 proxy. Using these functions, adversaries can easily map, instrument and control any remaining PLCs on the network with existing tools. We demonstrate attacks on Siemens PLCs through our proxy connection using an existing Metasploit S7-300 Stop module and an exploit for CVE-2015-2177 that we disclosed to Siemens. As part of our demonstration, we explain why implementing a TCP scanner is impractical on Siemens PLCs.
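From a monitoring point of view, the pivot described in the abstract has a recognizable footprint: a field device that normally only answers requests suddenly initiates UDP/SNMP traffic to many hosts, or opens S7comm (TCP/102) sessions to its peer PLCs. The following script, added here as an illustration and not part of the talk or the SCADACS tooling, runs two such rules over a handful of constructed flow records. The PLC inventory, host addresses and thresholds are all assumed sample values.

```python
"""Flag PLCs that behave like scanners or pivots in network flow records.

Added example, not from the talk: the abstract describes a compromised PLC
running a UDP/SNMP scanner and a SOCKS5 proxy. On the wire that shows up as
the PLC *initiating* traffic to many hosts, or to other PLCs' S7comm port,
which a field device normally never does. All hosts and flows below are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

S7COMM_PORT = 102   # ISO-TSAP, carries S7 engineering/HMI traffic
SNMP_PORT = 161


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


def detect_plc_pivot(flows, plc_hosts, fanout_threshold=5, window=60.0):
    """Return a list of (plc, reason) alerts.

    Both rules key on a PLC being the *initiator* of a flow:
      1. lateral S7: a PLC opens TCP to port 102 on another PLC. PLCs are
         S7comm servers, so PLC-to-PLC S7 sessions deserve a look.
      2. fan-out: a PLC contacts >= fanout_threshold distinct hosts within
         `window` seconds (scanner behaviour; a UDP/SNMP sweep looks like this).
    """
    alerts = []
    per_plc = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src not in plc_hosts:
            continue                      # only PLC-originated flows matter here
        per_plc[f.src].append(f)
        if f.proto == "tcp" and f.dport == S7COMM_PORT and f.dst in plc_hosts:
            alerts.append((f.src, f"s7comm to peer PLC {f.dst}"))

    for plc, fl in per_plc.items():
        # sliding window over this PLC's flows, sorted by time
        start, max_distinct = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            distinct = {x.dst for x in fl[start:end + 1]}
            max_distinct = max(max_distinct, len(distinct))
        if max_distinct >= fanout_threshold:
            alerts.append((plc, f"fan-out to {max_distinct} hosts in {window:.0f}s"))
    return alerts


# Constructed inventory: three PLCs on one cell network (sample addresses).
PLC_HOSTS = {"10.0.5.10", "10.0.5.11", "10.0.5.12"}

# Constructed flows: PLC .10 sweeps six hosts with SNMP, then talks S7 to
# PLC .11; PLC .12 sends one NTP request; an engineering PC (.100) scans too
# but is not a PLC, so it is out of scope for these rules.
SAMPLE_FLOWS = (
    [Flow(float(i), "10.0.5.10", f"10.0.5.{20 + i}", "udp", SNMP_PORT) for i in range(6)]
    + [Flow(6.0, "10.0.5.10", "10.0.5.11", "tcp", S7COMM_PORT)]
    + [Flow(7.0, "10.0.5.12", "10.0.5.1", "udp", 123)]
    + [Flow(float(10 + i), "10.0.5.100", f"10.0.5.{30 + i}", "tcp", 22) for i in range(8)]
)


def run_example():
    """Apply both rules to the constructed capture and return the alerts."""
    return detect_plc_pivot(SAMPLE_FLOWS, PLC_HOSTS)


if __name__ == "__main__":
    for plc, reason in run_example():
        print(f"ALERT {plc}: {reason}")
```

In a real deployment the inventory would come from the asset list and the flows from a span port or flow exporter on the cell network; the point of the rules is that they need no protocol parsing at all, only the knowledge of which addresses are PLCs and the expectation that PLCs act as servers, not clients.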

Presenters:

  • Jan-Ole Malchow - SCADACS (Freie Universität Berlin)
    Jan-Ole Malchow is co-founder and technical advisor of SCADACS. He currently pursues a PhD in information security at Freie Universität Berlin. His research focuses on secure communication systems. He holds an MSc in Computer Science from Freie Universität Berlin and is a state-certified German Computer Science Professional for software development. Before turning to academia he served as a software developer and as a CTO.
  • Daniel Marzin - SCADACS (Freie Universität Berlin)
    Daniel Marzin is co-founder of SCADACS and currently pursues a PhD in information security at Freie Universität Berlin. His research interests are code analysis and network security. Daniel holds an MSc in Computer Science from Freie Universität Berlin. He has worked as a security consultant and penetration tester with a focus on industrial control systems.
  • Johannes Klick - SCADACS (Freie Universität Berlin)
    Johannes Klick is co-founder and program manager of SCADACS. He currently pursues a PhD in information security at Freie Universität Berlin, where he obtained his MSc in Computer Science. His research interests focus on ICS security. He has given presentations at PHDays and several industrial conferences in Germany. Previously, he worked as a security consultant and penetration tester for industrial control systems.
  • Stephan Lau - SCADACS (Freie Universität Berlin)
    Stephan Lau is a recent MSc graduate of Freie Universität Berlin and a member of SCADACS. His research interests are reverse engineering and PLC virtualization.
  • Volker Roth - SCADACS (Freie Universität Berlin)
    Volker Roth has been a full professor at Freie Universität Berlin (Germany) since 2009 and is co-founder of SCADACS. Before that, he was Senior Researcher at FX Palo Alto Laboratory (California, USA), Chief Technology Officer of a company in Omaha (Nebraska, USA), and Senior Researcher and Deputy Head of Department at the Fraunhofer Gesellschaft Institut für Graphische Datenverarbeitung (Darmstadt, Germany). He received his Dr.-Ing. in Informatik from Technische Universität Darmstadt. And all that only because he got hooked on coding assembler on a C64 some time around 1984.
