Warcodes: Attacking ICS through industrial barcode scanners
Several days ago I came across an interesting entry in the curious ‘ICS Future News’ blog run by Patrick Coyle. Before anyone becomes alarmed, the description of this blog is crystal clear about its contents: “News about control system security incidents that you might see in the not too distant future. Any similarity to real people, places or things is purely imaginary.” IOActive provides research-fueled security services, so when we analyze cutting-edge technologies the goal is to stay one step ahead of malicious actors…
Hacking Wireless Ghosts Vulnerable For Years
Is the risk associated to a Remote Code Execution vulnerability in an industrial plant the same when it affects the human life? When calculating risk, certain variables and metrics are combined into equations that are rendered as static numbers, so that risk remediation efforts can be prioritized. But such calculations sometimes ignore the environmental metrics and rely exclusively on exploitability and impact. The practice of scoring vulnerabilities without auditing the potential for collateral damage could underestimate a cyber attack that affects human safety in an industrial plant and leads to…
The password is irrelevant
This story begins with a few merry and good hearted tweets from S4x13. These tweets in fact: Notice the shared conviviality, and the jolly manner in which this discussion of vulnerabilities occurs. It is with this same lightness in my heart that I thought I would explore the mysterious world of the. So I waxed my moustache, rolled up my sleeves, and began to use the arcane powers of Quality Assurance. Ok, how would an attacker who…
Industrial Device Firmware Can Reveal FTP Treasures!
Security professionals are becoming more aware of backdoors, security bugs, certificates, and similar bugs within ICS device firmware. I want to highlight another bug that is common in the firmware for critical industrial devices: the remote access provided by some vendors between their devices and ftp servers for troubleshooting or testing. In many cases this remote access could allow an attacker to compromise the device itself, the company the device belongs to, or even the entire vendor organization. I discovered this vulnerability while tracking connectivity test functions within the firmware…
Identify Backdoors in Firmware By Using Automatic String Analysis
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) this Friday published an advisory about some backdoors I found in two programmable gateways from TURCK, a leading German manufacturer of industrial automation products. http://ics-cert.us-cert.gov/advisories/ICSA-13-136-01 Using hard-coded account credentials in industrial devices is a bad idea. I can understand the temptation among manufacturers to include a backdoor “support” mechanism in the firmware for a product such as this. This backdoor allows them to troubleshoot problems remotely with minimal inconvenience to the customer. On the other hand, it is only a…
Energy Security 2013: Less Say, More Do
Due to recent attacks on many forms of energy management technology ranging from supervisory control and data acquisition (SCADA) networks and automation hardware devices to smart meters and grid network management systems, companies in the energy industry are increasing significantly the amount they spend on security. However, I believe these organizations are still spending money in the wrong areas of security. Why? The illusion of security, driven by over-engineered and over-funded policy and control frameworks and the mindset that security must be regulated before making a start is preventing, not…
S4x13 Conference
S4 is my favorite conference. This is mainly because it concentrates on industrial control systems security, which I am passionate about. I also enjoy the fact that the presentations cover mostly advanced topics and spend very little time covering novice topics. Over the past four years, S4 has become more of a bits and bytes conference with presentations that explain, for example, how to upload Trojan firmwares to industrial controllers and exposés that cover vulnerabilities (in the “insecure by design” and “ICS-CERT” sense of the word). This year’s…