Reverse-Engineering Wireless SCADA Systems

Presented at ShmooCon XII (2016), Jan. 17, 2016, noon (60 minutes)

Over the past few years, interest in ICS/SCADA systems security has grown immensely. However, most of this interest has been focused on IP-connected SCADA networks, largely ignoring numerous deployments relying on other technologies such as wireless serial links. In this talk, I'll introduce a new GNU Radio module which lets you sniff SCADA networks that use a popular RF modem for their communications. I'll also describe the process of reverse-engineering the proprietary RF protocol used. Finally, I'll talk about the higher-layer protocols used in SCADA networks, including ModBus and DNP3, demonstrate how we are able to monitor the (unencrypted and unauthenticated) sensing and control systems used by a large electricity distribution network, and discuss some of its implications.

Presenters:

• Karl Koscher / supersat   as Karl Koscher
  Karl is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems. Since earning his ham license in 2014 (and later upgrading to Amateur Extra), he has become interested in many aspects of wireless communications.

Links:

• https://infocon.org/cons/ShmooCon/ShmooCon 2016/Reverse Engineering Wireless Scada Systems.mp4
• https://infocon.org/cons/ShmooCon/ShmooCon 2016/Reverse Engineering Wireless Scada Systems.srt (subtitles)

Similar Presentations:

• ToorCon San Diego 12 (2010) / Exploiting SCADA Systems
• HushCon Seattle 2015 / Reverse-engineering RF SCADA Networks
• AppSec USA 2013 / Why is SCADA Security an Uphill Battle?