SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor

Presented at DEF CON 20 (2012), July 29, 2012, 11 a.m. (50 minutes)

SCADA HMI software provides a "control panel" interface to SCADA/ICS systems, allowing system operators and engineers the capability to visually monitor and make changes to parameters in the system. Many HMI packages provide the ability to authenticate users, to allow access to dangerous or sensitive controls and data to specific users, while restricting other users to observation or less sensitive areas of the system. Microsoft Bob was a failed Microsoft project from 1995: an attempt to make computers easy for end-users by providing a non-technical captive interface of "rooms" that users could move around, use the launch programs, and store files. Cartoon guides helped users with every step of the way. Thanks to an overly-helpful cartoon dog that would offer to change your password for you if you forgot it, it's frequently used as an example of bad security design choices. In this presentation, Wesley will point out the similarities and differences between Microsoft Bob and SCADA HMI software, and demonstrate previously unpublished vulnerabilities in the HMI systems that are very reminiscent of the problems with Microsoft Bob (which will also be demonstrated!). For penetration testers, the techniques used to quickly identify these vulnerabilities will be discussed, as well as mitigations for those who have to defend such systems.


  • Wesley McGrew - Research Associate and Lecturer Critical Infrastructure Protection Center, National Forensics Training Center, Mississippi State University
    Robert McGrew is currently a lecturer and researcher at Mississippi State University's National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community. He is currently expanding and exposing the rest of the security community to the SCADA HMI research he began with the release of user authentication vulnerabilities in the iFIX HMI product. Twitter: @McGrewSecurity


Similar Presentations: