Security researchers at Black Hat discussed various weaknesses still found in industrial-control systems while reminding attendees of Stuxnet.
Security researchers pointed
out the vulnerability of industrial-control systems, such as programmable logic
controllers and other units, during the recent Black Hat security conference in
SCADA (Supervisory Control
and Data Acquisition) systems are used to run power plants, manufacturing
processing, petrochemical production and other critical infrastructure. At the
Black Hat conference in Las Vegas, SCADA
systems kept popping up in various panels as researchers discussed various
ways they were vulnerable.
Dillon Beresford, a
researcher with NSS Labs, revealed a backdoor in Siemens S7-300, S7-400 and
S7-1200 devices that allowed him to hack inside and capture passwords. In a
live demonstration, he showed how he could reprogram and control the
programmable logic controllers. These Siemens devices are used in power and
manufacturing plants around the world, and were vulnerable to this hack, which
could cause them to shut down or crash attached systems.
Beresford claimed it took
him only two-and-a-half hours to write the exploit code after he found a
hard-coded password that allowed him to open a command shell. He was able to do
"other things," such as perform a memory dump and capture passwords.
The backdoor was likely put in place for diagnostic purposes, Beresford said.
There are plenty of PLCs
connected to the Internet, and "an attack on PLCs for 24 hours could cause
it to blow up a plant," Bereseford said, adding that he wasn't trying to
"freak" anyone out. Hacking SCADA systems is no longer in the hands
of nation-states, but in those of independent researchers as well, and it was
just a "matter of time," according to Beresford.
"It's not just the
spooks who have these capabilities. Average guys sitting in their basements can
pull this off," said Beresford.
Thomas Brandstetter, acting
head of Siemens' product computer emergency response team, was on stage with
Beresford and confirmed the company was working on fixes for its devices.
"Siemens created a
product CERT eight months ago to handle vulnerabilities in its products and to
work with the security community," Brandstetter said.
In a more light-hearted
finding, Beresford also found an "Easter egg" of animated dancing monkeys
in the Siemens firmware.
In a different session Aug.
4, Tom Parker, CTO of FusionX, typed in some search terms associated with a
programmable logic controller, in Google. A page referencing the Remote
Terminal Unit's pump status, like those used in water-treatment plants and
pipelines that connect to the Internet, appeared in the search results page.
The search also yielded up the RTU's default password, "1234."
Attackers are increasingly
using search engines to discover vulnerable systems, default passwords and sensitive
files, Noa Bar Yosef told eWEEK. With
Google and Microsoft compiling and maintaining very thorough search indexes,
attackers have access to valuable vulnerability information when planning and
executing attacks, Yosef said. Attackers use automated tools to generate more
than 80,000 daily queries to probe the Web for vulnerable Web applications,
according to Yosef.
Most SCADA protocols have no
security built in, so when a PLC receives a command, it assumes it's from a
legitimate source and executes it without performing any checks or
authentication, according to Jonathan Pollet, founder of Red Tiger Security,
who co-presented with Parker. Anyone who discovers the PLC's IP address can
send commands to the device, Pollet said.
In the case of Parker's
presentation, if that RTU had any motors attached to it, remote attackers could
use the information available online to turn it off or create an outage. Parker
and Pollet discovered through a series of Google searches that an electricity
substation in the United Kingdom was running a transformer with no password
required. They were able to see circuit breaker statuses, when it was last
worked on and the unit's status, Pollet said.
Interest in SCADA security
has increased since last year when Stuxnet,
a worm that targets Siemens SCADA systems, emerged. Exploiting the auto-run
vulnerability in Windows systems and other security flaws in Siemens systems,
the worm damaged centrifuges in Iran's nuclear enrichment facility.
During a panel on how GSM
networks can be used to hack into cars, Don Bailey, a researcher with security consulting company iSec Partners, also mentioned how SCADA
systems were vulnerable as they could be controlled via text messages.