Power Corrupts; Corrupt It Back! Hacking Power Management in Data Centers

Presented at DEF CON 31 (2023), Aug. 12, 2023, 2 p.m. (45 minutes)

Our current administration lists "Defend Critical Infrastructure" as the #1 item in the 2023 National Cybersecurity Strategy. At the intersection of governmental and corporate concerns is data center security, a trend that is bound to continue as more and more operations move to the cloud. This talk details our findings in the domain of power management, the first category in a broader effort to investigate the security of critical data center components. We will reveal nine vulnerabilities in two integral data center appliances: a Power Distribution Unit (PDU) and a Data Center Infrastructure Management (DCIM) system. Continuing, we will delve into the technical details of the most impactful vulnerabilities and highlight the potential impact on their respective operations. The talk will challenge the misconception that data centers are inherently more secure than on-prem by exposing how attackers could leverage these vulnerabilities. This presentation will be valuable to data center professionals, security researchers, and anyone interested in understanding the characteristic vulnerabilities associated with modern data centers.

REFERENCES:

  • Contributing Researcher - Philippe Laulheret
  • Claroty Research - https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices
  • National Cybersecurity Strategy - https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/

Presenters:

  • Sam Quinn - Sr. Security Researcher at Trellix Advanced Research Center
    Sam Quinn is a Senior Security Researcher on the Advanced Research Center Vulnerability team, focused on finding new vulnerabilities in both software and hardware. Sam has a focus on embedded devices with knowledge in the fields of reverse engineering and exploitation. He has had numerous vulnerability findings, published CVEs in IOT and enterprise software, and has spoken at multiple industry conferences such as Def Con, BlackHat, North Sec, and Hardwear.io.
  • Jesse Chick - Security Researcher at Trellix Advanced Research Center
    Jesse Chick is a Security Researcher with the Advanced Research Center's vulnerability team. Jesse focusses on vulnerability discovery and exploit development for all things connected to the internet and is credited with numerous CVEs affecting popular embedded devices. He is passionate about reverse engineering, full system emulation, and educating others in offensive security techniques.
