Compromising Industrial Facilities From 40 Miles Away
1 like1,572 views
The document outlines vulnerabilities related to industrial wireless automation systems, highlighting the increasing risk of cyberattacks targeting critical infrastructure. It discusses various industries affected, including oil and gas, energy, and wastewater management, as well as the challenges associated with wireless communication and cryptographic key distribution. Additionally, it addresses security flaws in devices from multiple vendors and stresses the importance of robust security measures in safeguarding industrial systems.
Compromising Industrial Facilities From 40 Miles Away
- 1. COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY Lucas Apa Carlos Mario Penagos
- 2. About Us Vulnerability Research Exploita<on Cryptography Reverse Engineering ICS/SCADA 2 Lucas Apa Carlos Penagos Argen<na Colombia Security Consultants and Researchers
- 3. Agenda § Mo<va<on § Industries and Applica<ons § Wireless Standards § Journey of Radio Encryp<on Keys § Vendor1 Wireless Devices § Vendor2 Wireless Devices § Vendor3 Wireless Devices 3
- 4. Mo<va<on 4 § Cri<cal Infrastructures becoming targets § Insider aLacks (Lately) § Devices connected to Internet § 0days to reach the PLC, RTU, HMI… § Stealth and precise aLacks § Incident response at hazardous sites § ALack families of devices (+ reliable)
- 5. Industrial Wireless Automa<on 5 § Copper wires are used to monitor and control § Corrosion, Duc<lity, Thermal Conduc<vity § Cost of wires, trenching, moun<ng and installa<on § Industrial Wireless Solu<ons § Eliminate cost of hardwiring, logis<cs, installa<on § Heavy machinery involved § Remote control and administra<on (Geography) § Minimize Safety Risk & Dangerous Boxes § Adds durability
- 6. Industries and Applica<ons 6 Oil & Gas Refined Petroleum Petrochemicals § Plunger li_/ar<ficial li_ op<miza<on § Well-‐head automa<on § RTU/EFM I/O extensions § Cathodic protec<on monitoring § Hydrogen sulfide (H2S) monitoring § Tank level monitoring § Pipeline cathodic protec<on § Rec<fier voltage monitoring § Gas/liquid flow measurement § Pipeline pressure and valve monitoring
- 7. Industries and Applica<ons (2) 7 Energy -‐ U<li<es Waste & Waste Water § Transformer temperature § Natural gas flow § Power outage repor<ng § Capacitor bank control § kV, Amp, MW, MVAR reading § Remote pumping sta<ons § Water treatment plants § Water distribu<on systems § Wastewater/sewer collec<on systems § Water irriga<on systems/agriculture
- 8. Industrial Wireless Challenges 8 § Defeat electromagne<c interference (EMI) § Handle signal aLenua<on and reflec<ons § Reliability is far more important than Speed § Higher transmiLer power levels § Site surveys to assess the consistency and reliability of the plant § Mainly using 2.4Ghz or 900Mhz (ISM Band) § No “business” protocols
- 9. Cryptographic Key Distribu<on (WSN) 9 § Distribute secrets on a large number of nodes § Base sta<ons with clusters surrounding § Limita<ons: § Deployment in public or hos<le loca<ons § Post-‐deployment knowledge § Limited bandwidth and transmission power § Methods for crypto key distribu<on: § Out-‐of-‐band § In-‐band § Factory pre-‐loaded
- 10. IEEE 802.15.4 Standard § Wireless Radios (Low Power/Speed) § Set the encryp<on algorithm and AES Key § Upper Layer Responsibility § Each node can have an ACL § MAC for upper layers: § ZigBee § WirelessHart § ISA SP100 § IETF IPv6 -‐ LoWPAN 10
- 11. ZigBee 2007 (Standard Security Mode) § Goal: Understand Key Schemes § Suite of high level communica<on protocols § Based on IEEE 802.15.4 (Low level layers) § ISM radio bands § Trust Center introduced in 2007 11 Two Key Distribu<on Mechanisms: 1. Pre-‐Installa<on 2. Over the air § Network Key (AES 128-‐bit) § Pre-‐installed (Factory Installed) § Individually Commissioned (Commissioning tool) § Managed by the Trust Center A Trust Center B
- 12. ZigBee Pro 2007 (High Security Mode) § Many enhancements § More memory requirements § New keys introduced 12 A B MasterKey_TA LinkKey TA NetworkKey MasterKey_AB LinkKey AB MasterKey_TB LinkKey TB NetworkKey MasterKey_AB LinkKey AB MasterKey_TA LinkKey TA NetworkKey MasterKey_TB LinkKey TB Trust Center ① Master Key § Unsecured Transport L § Out-‐of-‐band Technique J § Secure other keys ② Link Key § Unicast § Unique between nodes ③ Network Key • Regenerated at Intervals • Needed to join the NWK
- 13. E n d U s e r D e v i c e DeviceVendorID Key in Firmware Per-‐Client Encryp<on Key Change Encryp<on Key Per-‐Client Encryp<on Key Device Company Encryp<on Key Device Company Encryp<on Key Change Encryp<on Key No Encryp<on Key Set Encryp<on Key No Encryp<on key No Encryp<on Key The Journey of Radio Encryp<on Keys 13 R a d i o
- 14. Reusing Radio Keys § Device Company Key aLack 1. Buy same Device (Buy same Key) 2. Remove Radio Module 3. Connect to USB Interface 4. Interact: API & AT Command Mode 5. Send frames using the unknown key Warning: Not possible if exists a Per-‐Client Encryp<on Key 14 § End-‐User Node Key Storage § Shared Secret § Same Firmware or Same Radio Key
- 15. Exploi<ng Vendor1 Devices § Company Profile (+1990) § Frequency Hopping Wireless Devices § Great for long or short range wireless SCADA applica<ons § Secure proprietary FHSS with 128 bit AES encryp<on § Hazardous loca<on approvals, Perfect for outdoor Ethernet SCADA or indoor PLC messaging § 30+ miles point to point with high gain antennas 15
- 16. Vendor1 Key Distribu<on “<Vendor1 Tool> is easy to use and intuiBve. Default values built into the so0ware work well for ini4al installa4on and tesBng making it easy for first-‐Bme users. <Vendor1 Tool> manages all important se8ngs to ensure that the network performs correctly.” (User Guide) 16 § RF Encryp<on: A 128-‐bit encryp<on level key is suggested for the user. § Blank: No encrypted packets § 5-‐7 Chars: Field is translated into a 40-‐bit encryp<on level. § 15-‐24 Chars: Field is translated into a 128-‐bit encryp<on level.
- 17. Reversing Passphrase Genera<on Compiled C++ Binary: § srand seeds PRNG § <me returns epoch § srand(<me(NULL)) § Low Entropy Seed § Same algorithm § rand() § Bad ANSI C func<on 17
- 18. ALacking Weak PRNG 18 C:>passgen.exe 2013-‐04-‐04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0
- 19. The Oldest Passphrase Help File 19 C:>passgen.exe 2013-‐04-‐04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0 2013-‐04-‐04 21:39:07 => 1365136747 => nir3f1a0dm2sdt41q91c06nt … 2008-‐04-‐17 15:20:47 => 1208470847 => re84q92vssgd671pd2smj8ig
- 20. Comissioning Tool Audit § Easily breakable by an outsider § Further Research with the Devices § Comissioning Tools needs deep tes<ng 20 Bruteforce Passphrase 2570 Passphrases Mixed lower case alphabet plus numbers and common symbols Impossible to calculate all passphrases Need to derive AES 128-‐bit key on real<me Weak PRNG ALack ~156 Million Passphrases Every second passed, one more key Only a few seconds to calculate all passphrases Calculate once and create a database with all possible AES 128-‐bit key deriva<ons vs
- 21. Vendor2 Wireless Devices § Market leadership: Oil & Gas § Wireless and wired solu<ons for the digital oil field automa<on § Trusted by top companies in different industries § Family System (Point to Mul<point): § Wireless Gateways § Wireless TransmiLers § I/O Expansion Modules § Hardwire Sensors 21
- 22. 22
- 23. An Extended Family of Devices 23 § Applica<ons § Oil & Gas § Refining / Petro Chemicals § Water & Waste Water § U<li<es § Industrial Process Monitoring § TransmiLers § RTD Temperature TransmiLer § Analog/Discrete TransmiLer § Flow Totalizer TransmiLer § Pressure TransmiLer § Hydrosta<c Level TransmiLer § Many more..
- 24. 24 SCADA PLC RTU EFM HMI DCS RF Modem
- 25. Secure Communica<ons 25 § How the devices access the wireless informa<on? § “Enhanced Site Security Key” § Security Key == Encryp<on Key ??? § Legacy Devices Without Encryp<on??? The Enhanced Site Security feature designed to provide an addiBonal level of protec4on for RF packets sent and received between <Vendor2> devices and minimizes the possibility of interference from other devices in this area. This feature is not available on some older versions of legacy devices.
- 26. Key Genera<on and Distribu<on 26 § Comissioning Tool § Create a “Project File” and update all Nodes § From documenta<on: This Key MUST be somewhere on the Project File “If the project file name is changed, a new Site Security Key will be assigned” Possible Scheme: Per-‐Site Encryp4on
- 27. File Name Change => New Key 27
- 28. Project File Binary Diffing 28 ProjectA x17x58x4fx51 1364154391 Sun, 24 Mar 2013 19:46:31 GMT ProjectB x51x58x4fx51 1364154449 Sun, 24 Mar 2013 19:47:29 GMT
- 29. 29 § Support Center § Firmware Images & Documenta<on § Radio Modules, Architectures & Processors Component IdenSficaSon RISC
- 30. Understanding Firmware Image (RISC) CrossWorks for MSP430 § Industry Standard Format § @Address and content § Incomplete Image (Update) § Only compiler strings
- 31. Component IdenSficaSon (MSP430) 430F149
- 32. 32 YouTube (XT09 and 802.15.4)
- 33. No Per-‐Client Key Dear <<Reseller Sales Eng>>, We are going to borrow a used “Analog Transmider” from one of our partners, We are going to test it for a few weeks and let you know if we decide to buy a new one. Are there any specific concern we might take into account when deploying this device to connect it with our <Device>? Or just upgrade all project configuraBon files? Thank you 33 Lucas, You just need to upgrade the configuraBon files. Thanks.
- 34. Finding Embedded Keys 34 § Two kind of Firmwares (ARM and MSP430) § One possible hardcoded key in both firmwares § “Binary Equaling”
- 35. Acquiring the Devices 35 § Wireless Gateway § Gateways are responsible for receiving/ collec<ng data from wireless end nodes § The collected data can be communicated with third-‐party Modbus device such as a RTU, PLC, EFM, HMI, or DCS § RTD Temperature TransmiLer § Integrates Pla<num 100 ohm RTD Sensor § Ideal for use in various mission-‐cri<cal industrial applica<ons. § Ideal for Monitoring Air, Gas, Water, or Liquid Temperatures
- 36. § Steal and extract § Site Security Key § Project File Resilience and Node Capture 36 Stolen Node Gateway Tx Tx Tx S e r i a l C a p t u r e FF 41 06 00 0A 00 00 00 33 2E 1D CC FF 41 0A 00 0A 00 00 00 04 00 AB D0 9A 51 B0 ...
- 37. A crypto aLack disappointment § Protocol Reverse Engineering § Device has a debug interface § Developed a custom tool to receive and send 802.15.4 data § 2.4ghz Transceiver (Modified Firmware and Reflashed by JTAG) § PyUsb, IPython § Scapy Dissectors, etc. § Against the perfect scheme: Per-‐Site EncrypSon Key 37 § Key not really used for data encrypSon § Key only used to ”authenScate” devices (capture SiteSecurityKey) § No integrity and confidenSality § No protecSon for RF Packets L (vendor lied) § Predict IEEE 802.15.4 next seqnums to inject A crypto aLack
- 38. Temperature Injec<on Live Demo § Designed an HMI Project § Developed an OPC based driver for the HMI § Developed an exploita<on framework (Map/Inject) § Chemical Safety Board (US) background video § Cost of the aLack: $40 USD § Live Demo 38
- 40. Remote Memory Corrup<on § Iden<fy all the protocol fields § Memory corrup<on bug using unhandled values on a parsing func<on § Remotely exploitable over the air § Plant Killer => § We recorded a demo (no leak today) 40
- 41. 41 SCADA PLC RTU EFM HMI DCS RF Modem
- 42. Vendor3 Devices 42 § Company Profile § Self-‐proclaimed leader in process and industrial automa<on, “Undisputed leader in sensors” § Clients: Nearly all manufacturing companies from Fortune 500 § 22.000 different products across 40 industries § Wireless System (Family) § Wireless Gateway § Master device used to control network <ming and comm traffic § Nodes § Collect data -‐> TX Gateway
- 44. Research 44 § Wireless Family Technical Note: “Mul<-‐layer security protocol protects your data” § Network Security § Data Security § Data Integrity and Control Reliability “The wireless I/O systems provide a level of security, data integrity, and reliability far exceeding most wireless systems on the market today”
- 45. Quotes (Network Security) “This family is designed to completely eliminate all Internet Protocol (IP) based security threats. Wi-‐Fi access points have the poten<al to route any and all data packets, which is why these systems use encryp<on” 45 Route packets => Use encrypSon § One model => Ethernet Data Radio § Uses AES-‐256 key J § Other? No encryp<on
- 46. Quotes (Data Security) “The protocol only carries sensor data values. Only I/O data is transmiLed in the wireless layer.” “A hacker, if they managed to receive wireless data, would only see the actual sensor data, not what the sensor was reading or what role the sensor played within the wireless I/O network." 46 § Insecure I/O data § Sensor Readings § Binding codes
- 47. Quotes (Comm Protocols) “Widely used open protocols such as Wi-‐Fi have serious security issues. Even a high degree of encryp<on may not protect your data. It is common for new encryp<on schemes to be hacked within months of implementa<on. Proprietary systems are more difficult to hack than an open standard.” 47 § Encryp<on is useless § Open standards are easier to hack
- 48. Quotes (Comm Protocols) “Vendor achieves data security by using a proprietary protocol, pseudo-‐random frequency hopping, and generic data transfer. The protocol only carries I/O data, making it impossible for a malicious executable file to be transmiLed.” 48 § FHSS to avoid sniffing § The family is malware safe
- 49. Quotes (Integrity) “When the data is transmiLed, a CRC algorithm ensures that the data arrives intact. If the CRC algorithm fails, the corrupt data packet is discarded and the data is automa<cally retransmiLed using a new frequency during the next communica<on cycle.” 49 § Cyclic Redundancy Check § No integrity § No security § Only for network errors
- 50. Quotes (Comm Protocols) “This protocol does not operate like an open protocol such as Wi-‐Fi and is not subject to the risks of an open protocol.” 50
- 51. Disclosure and Coordina<on § 8 vulnerabili<es reported (today’s vendors) § 1 patched => PRNG Vulnerability (ICSA-‐13-‐248-‐01) § Are vendors responsible? § Did they no<fy their customers? § Is documenta<on truly aligned? § Is firmware upgrade easy?
- 52. Conclusions (Securing the scheme) 52 § Out of bands methods § Pre-‐share a strong secret for the ini<al link (eg: serial comm) § Also 802.15.4 AES Encryp<on at lower layers (MAC) § Secure the Node Physical Access (Mainly KDC) § Use hardware An<-‐tamper mechanisms § Audit Source Code // Audit Site regularly § ICS-‐CERT Hardening Guides § Don’t trust vendor’s documenta<on, go further.
- 53. Conclusions 53 § Problem space has always been an open topic § The journey of keys allows prac<cal aLacks § WSN’s standards maturity is growing § Vendors can fail when implemen<ng them § No evidence of previous security reviews § Tes<ng the field loca<on is possible with the proper Hardware and open source So_ware CC1111 RZUSB TelosB HackRF
- 54. Aknowledgements 54 § ICS/CERT – US/CERT § References: Piotr Szcezechowiak, Haowen Chan, A. Perrig, Seyit A. Camtepe, Bulent Yener, Rob Havelt, Travis Goodspeed, Joshua Wright… § All IOAc<ve, Inc.
- 55. THANK YOU ! Lucas Apa (lucas.apa@ioac<ve.com) Carlos Penagos (carlos.hollman@ioac<ve.com) @lucasapa @binaryman<s