DEF CON 23 – Aditya K Sood – Dissecting the Design of SCADA Web HMIs: Hunting Vulns

>>So what we are going to talk about today is SCADA HMIs, and to understand the different kinds of vulnerabilities that exist in those kinds of app interfaces that are used by SCADA devices — so let's get it started. So a little bit of background on me. I'm actually part of the Cloud Threat Labs, cloud security, at Elastica in San Jose, and just wrote a book on targeted cyber attacks; if you get a chance, take a look at it. So before going to discuss research on this topic, I just want to very quickly lay out a disclaimer: the vulnerabilities or issues we're going to discuss are solely based on my research. It does not relate to my previous or present employers, and all the vulnerabilities we are going to take a look at have been reported, in the scenario, and they are in the process of patching it. A couple of vulnerabilities have already been patched, and other vendors are actually working to address the issue.

So let me get into the brief idea of why SCADA is becoming a problem, because of critical infrastructure, several things, because this is getting on the edge at this point of time. Hackers are targeting SCADA infrastructure, devices, and all along try to get control of infrastructure, and then from there on you can have a diversified impact on the target, so just pick up what the media is talking about in here: SCADA systems face diverse software attacks, and that's in several other issues. But the end point is, this is a problem and we need to take a look into it as a community, hunt for vulnerabilities, report them, and make it secure. A little down the lane, during the course of this presentation, you will realize that SCADA design is completely broken, something — so take a look into it.

So before moving further, let's have an idea of, you know, the vulnerabilities of SCADA that existed in the last few years, how the trend is going on. I took this snapshot from SCADA Hacker, a very good website, and so they took the SCADA vulnerabilities from OSVDB and you get an idea that, moving forward, in 2015 you'll see 98 vulnerabilities have been released, and if you look at it from the last couple of years, the trend is increasing. It's exponential. It means that the more visibility you have here, the more attacks in this scenario, and that is what is happening in this SCADA infrastructure. Another brief look at the way the SCADA vulnerabilities are, from the advisories; this one was released [indiscernible] just like a few weeks back. Different kinds of [indiscernible], like different kinds of vulnerabilities that exist in SCADA devices here, and so it goes from overflows, directory traversals, man in the middle, hijacking and different kinds of things, and even if you look at the scenario, vulnerabilities, file inclusion, local file inclusion, authentication bypasses, those scenarios, a wide variety of vulnerabilities out there. We'll take a look into it. Now, again, it's a big problem because if you look at it as a service, attackers in the underground market compromise SCADA infrastructure and sell control to other buyers for making money, and that is one interesting thing, because the SCADA is not up to that mark, SCADA becomes very easy for them to go ahead, just sell the access, manufacturing plant [indiscernible], you know, things like that. But this is a big problem these days, and as a community, as a nation, you know, find issues, have them patch things.

So take a look at it, the simple SCADA model. Sometimes I have a couple of discussions with researchers, pretty good researchers, the audience. Sometimes they think HMI is not actually a part of SCADA, but if you look at the whole model, so this is an etching, it's the one component of it. PLC programmer, to watch and control your drivers driving, and the SCADA devices, and in this picture I have basically taken a simple scenario: you have the HMI component, PLC, interface through drivers, and then it goes to the actual manufacturing point, devices. So if you look in this particular model, you see HMI is actually being used at the front end, and from there onwards, a lot of statistics about different components of SCADA, and you can perform operations, you can look into statistics, execute commands that will be [indiscernible] through PLC to drivers and have the inclined motor. The target is looking into the HMI [indiscernible], so basically, HMI, human machine interface to a web. Could be a web server, firmware, further application, desktop applications, but in this particular talk [indiscernible]. An interesting point: HMI, a visual presentation of what is going on inside the complete SCADA environment, and how the data is, you know, taken from the panel and then how it's taken from the various devices that are running at the back end. So, in a simple way, a centralized control center managed through the web. If you control the web, the front component of it, you can do much more with it. And we'll take a look with a scenario. So this is basically a web HMI, an embedded web server in the firmware, which is exposed on the internet, or maybe not properly secured, and things like that. But our motive in this particular talk is to go into the design and the security of the web HMI: how they have been designed, why they're not following secure design principles, and what could be the impact.

So in this particular talk, I mean, you can say most of these devices are not deployed with SSL, which is fine. They are basically configured in the wrong manner, because not securely configured. They are having a default username and password, or even if they configured the password, the password is weak. [Indiscernible] security, which actually means that if the web server tries to send some sort of headers, the embedded web server has no capability at this point in time to send some sort of headers back to the browser, and from there on the browser can act accordingly. For example, X-Frame-Options, Strict Transport Security, so there's no concept of that at this point in time. But we are not going into these issues in this talk; what we are going to talk about is how the design has been done. So what we are going to have in — so any embedded, primarily web servers, firmware slash — web technology used by HMIs, anything exposed through the web is the target of this talk. So we are basically, in this particular talk, going to target the front end. Any web based software used to control HMI, any software that is used to spool HMI, any web component providing an interface to these SCADA devices, so that's the target here.

So what vendors are we going to look into from the security vulnerability point of view? So there are many vendors out there, but I chose for this talk: Automation [indiscernible], paired devices, Schneider Electric, Prisma, [indiscernible], and a whole lot of vulnerabilities out there that I can't discuss in this because of the time constraint. What I will say now is that there are a lot of vulnerabilities out there. And we'll take a look and you might, you know, think of it as fun, but it is actually fun when you look at the vulnerabilities; there are so many ridiculous vulnerabilities out there. Now we are going to target, for the next couple of minutes, the BMX family of devices, which has been provided by Schneider Electric. Basically HMI active web services, as a part of the web server, embedded in the firmware here. It requires real time communication with internet TCP/IP, used for that end device. It has the capacity to host dynamic user defined web pages to provide more updated information on what's going on.

One target, let's talk about some vulnerabilities. So while I was doing research on it, hard-coded vulnerability, possibly actually [indiscernible] account, in the [indiscernible] file. We have multiple [indiscernible] vulnerabilities, a remote file inclusion, local file inclusion, authentication design. And in this particular device, I put the most stress on the RFI, which I will hopefully be demoing, hopefully the DEF CON network will work, otherwise we have a video. But let's just go into a better analysis. Let's say [indiscernible], and I have not masked the URL in this case. You find this device, and you open it in your browser, you will be presented with Java. You need to install Java for that. You will install it like this, you will install it, because in order to access all the HMI functionalities you have to access this Java applet, to install it accordingly.

When you install it, you come up with, you know, when you download this, the applet, you try to look into the source code, you know where the Java applet has been placed, how you can access it and things like that. So this whole slide is just going to tell you where the Java applet is placed for that particular web HMI and how you can access it, basically looking into the source code of it in the browser. When you do the source code analysis, just presenting a figure here, if you do the source code analysis of the Java file, there's a password in it and you can see Schneider, and then you have an activity log and a sys log. So you're basically looking into the decompilation of the Java source for analysis, and this is hard-coded. You can use it to actually access the FTP [indiscernible] server. Moving forward, so a bit more source code analysis, you get an idea all the config files are hard-coded, pick a path, put it in the URL, and if you are authenticated you can even access it, or in certain cases you can even bypass that too. Moving forward, so vulnerabilities, specifically, so it is a complete URL, which is simply HTTP. You have parameters. Force the user to click on the link and you can change the password. You can control the editor password. Things like that. It's all open in that scenario, and this one is an interesting one: so they have a vulnerability in the scenario, unauthenticated file inclusion, one URL, when you search for URLs on that web HMI, a specific URL, validates the input you are supplying, so basically framing the content. In this case I have shown that, on this particular device, you can include a remote file, and I will be demoing it in just a bit, in seconds. Similarly, all these vulnerabilities are also present in the FactoryCast; this is [indiscernible]. I think Schneider Electric and Telemecanique collaboratively release these devices. If you go ahead to, like, the previous devices, some old school devices, or even devices that are being, you know, released these days, the same vulnerabilities apply, affect the FactoryCast.

So I'm going to demo here, remote file inclusion vulnerability, I hope. Connect with the box. [No audio] This was working just five minutes back, so. It happens at DEF CON all the time, but I have a backup. [Laughter] Very interesting demo, actually; somehow you can even download malware, in encoded format, to the device. If you get a chance later on, I can show you where the network is working, so this was the demo. So let's take a look from the video point of view. So in this you will see that we are highlighting the file inclusion vulnerability in Schneider BMX CPUs web HMI. The video might not tell you exactly how you can download [indiscernible] in the encoded format, but it can give you an idea of where the vulnerability is and what you can do with it. We just try, you know, as a researcher, to look at what's going on in and out of a system, and you can see that even if you try to access some of the source, basically restricted, so you need to provide a basic — so actually basic authentication here. But we have — this is a case we want to show. We want to actually look at it. So I closed it. So you see that the vulnerability is present in one of the index HTML files, not actually validating what kind of content is being passed through, so you can easily load any third party website directly into it, and in this case we uploaded the Black Hat one so I can explain how this can be used in targeted attacks. A similar case: you can go find a host, or some sort of malware on a third party domain, you know, it's used for any [indiscernible] effect. You basically encode the URL, or you can use a URL shortener; you can simply pass it through and force the user to click it, any SCADA administrator or other guy, and that way download the malware and use the system, and it's very interesting. You can also pass XSS code through an HTML file. Wherever it's framed, HTML in the browser, but then you can get compromised. But basically, simply through RFI in this case.

The next device I'm going to target here is the Moxa ioLogik. From the authentication point of view. Just a simple [indiscernible]. So basically they don't provide any [indiscernible] for HTTPS in this. If you look at how the password is being hashed, this is basically MD5 and no salt is provided for it, so — which makes it pretty difficult to replay attacks, and you can crack it within a span of time. So whatever vulnerabilities I'm discussing in this, tested [indiscernible] along different devices, and these are basically tested on the real devices on the internet. So once you, this is basically, in software, like a bad design, where you pass your credentials in the HTTP GET, because it gets cached [indiscernible] and then it becomes easy for the attackers to get access to that, any proxy device or it may have been the web server, everything is going to get cached; that's bad security design. But in this case, we did our test for a real time device, so in this case, if you look, you will be presented with this web login prompt. You provide a password and that kind of HTTP request is issued. You can see that the [indiscernible] hash has passed, and in this particular case — so we actually moved forward and just hoping some normal website on the internet, and you can see here that when we passed that hash, it was easily crackable, and once you get access to the password, you can go ahead and access the complete [indiscernible]. So the problem is that no [indiscernible] in an HTTP GET, no man in the middle and things like that. But this is a big problem with — from the authentication point, several web HMIs, they are not up to the mark.

On to the next target, the Siemens SIMATIC HMI. I personally like the vulnerability that exists in this web HMI. The reason: this HMI provides an explorer interface. So when you click the explorer interface you are presented with a directory listing of all hard drives that are connected to it and any directories connected on the server. In that scenario, if you move forward, just in case, I want to highlight a vulnerability, [indiscernible] file uploading. So it is possible to actually upload a file by sending a link to a target. Once it clicks the link, the file will be uploaded to the USB device that is connected to it, this web HMI or any explorer with an interface on it. But again, these are vulnerabilities out there. You can execute any command or force the user to perform any actions which they are not authorized to do. Just a snapshot, you get an idea that when you are uploading a file, [indiscernible] specified, which is a very bad design practice, and — but this exists. So this is actually a web HMI for Siemens. I have actually shown the explorer interface, so you can get an idea, we are into the directory of that web HMI for this particular one, and another small snapshot is present: once we uploaded the file, you can access the file directly from there. And if you look at this particular screenshot, you get an idea that we used a simple external HTTP request to trigger the cross origin, not actually the cross origin, just trigger the cross-site request, and from there on, with which we can upload any file directly to it. And then actually, once we access it, you get control of it, you can process files. A lot of data out of it. Maybe you can upload malware through the USB directly. If you remember in 2009, Stuxnet, they simply put malware on the USB, but in this particular case, you can — through the web, and force the user to click on a link, the file will be uploaded directly to the USB. Once disconnected, it will be taken care of that. But once connected, you can also upload files on the web panel, and things like that. You have another cross-[indiscernible] vulnerability, you can delete any files, by forcing the user, with no tokens. You can keep on deleting files, lock files and other interesting things.

Let's take a look at this vulnerability. Actually — if I remember correctly, Siemens is in the process of patching this vulnerability. It might have already been patched. But we can try. In this case, we go to the file browser. You can see that there's a www root, temp directory, storage card, storage card two, and — so this is our target. We want to upload a file here. I just created a custom demo, just for the sake of showing what exactly happens in the back, so we clicked the button. But you can basically send a link; once it has been clicked by the user, basically the cookies will be taken care of automatically, and then the request will be issued. So this is a cross-site file upload vulnerability. The next part is just uploading that test file. If you see, we don't have any test file at this point of time. There's no file uploaded right now. And let's figure the exploit code. Show how it has been issued through the HTTP box. And this all — the URL can be sent out in an automated manner. So we clicked it. The request has been issued. So the request has been accepted by the web server. This is a file we uploaded, a simple text file in this case. If you go back and refresh the page, and there you go. We got a text file there. So the idea is that you can upload any file, executable, as I mentioned earlier, and from there onwards you can access the file through the URL. Like rooting or compromising the systems through the web, and all these vulnerabilities play a significant role in it, and all these vulnerabilities, as I mentioned, were tested against a real environment.

So moving next, we are going to tackle a similar device in this scenario. I'm going to show you in just a few, but these are interesting vulnerabilities to understand what kind of design they are following. In the solar device, again a hard-coded administrator password, and these devices are heavily used for visualization for solar plants; take a look into it. Once you open — you know, this HMI interface to a web — you will have this Java applet. Just the name. You have to install Java or download a .jar file to it, and in another snapshot you can see that there are links to where the .jar file is placed, so follow the same tactics, and we perform this source code analysis, and then from there onwards we get an idea; just an old system for the vulnerability demonstration, so if you take a look in that. So you get a username and password as [indiscernible] and then something, 2008, all of that. This password will give you direct access to the web HMI. Now once we use this password, then you can see we get access to that device, and if you see, this HMI interface, placed in that mimic diagram, then you can get a complete idea that you are in control of that — this solar panel, maybe solar devices, through inverters and all of that. The problem again here is that it's just a web, these problems persist, and from there on, the hacker can easily gain control of that. I always believe if I can do it, then I think any other person can easily do it, because the reason is that SCADA, things from that perspective, and hackers are thinking from a much wider perspective because they have a lot of time, significant and solicited interest, and I think these vulnerabilities can be pwned pretty easily and control all these devices. So I just — we can take a look into it. Demo here. Just a one minute demo. Just want to show that the vulnerability actually exists there, so the vulnerability has been avoided. I see they are working with the vendor now, so see, you get a Java [indiscernible] like this. You have to accept the risk in this case. We are trying to accept the Java application here. Try the admin password, but it's not going to work. You're not allowed, so we are going to follow our simple tactic: we are going to go into the source code and go to the .jar file, to try to see what is actually in there. The file they have, this VM — VMS.jar file, and I already downloaded it, and now we're going to look into the source code analysis, just a simple thing, five minutes of stuff. And once you look at the classes, once you do a lot of source code analysis, you get an idea where you have to look into. For example, authentication login classes, you know, session identifier classes, things like that. So just skimming over things. So of course we're going to look into hard-coded configuration and any other things. So now here you go. When we look into this, hard-coded information. It's just five to ten minutes in this case, and for an advanced tech it might be a little less. Again, the thing is that your hard-coded credentials are being presented in .jar files, Flash files, insecure authentication design and frameworks, and we are using SCADA a lot these days, and we are finding vulnerabilities at protocol levels, and you know [indiscernible] and all those kinds of things, but we also need to look into the web HMIs, just broken, and take a look a bit more into it. If you see, with access to the complete HMI I can look into it, I can change configuration and I can screw the device if I want. Just for testing purposes. So again, you don't need to attack the infrastructure right away. You just need to access the device through the web, and then you have the idea of what's going on in and out of the system, and there you go. You got access.

Now, in the next set of devices, I'm just going to show the wide variety of devices, to show that the vulnerabilities we are discussing in here are not actually present in one specific device but a wide range of devices, and this time I cannot cover all of them, vulnerabilities, but still whatever the best I can, I will take care of it. In this [indiscernible] Automation, [indiscernible], there's a variety of devices they have here. 1766, 1769 family and things. A simple thing I want to highlight: information disclosure basically through default files. A lot of information is being presented in it, and by default design, web applications and things. You need to get the credentials first to provide any kind of info, but in this case the design principle is not followed. Again, you have an RFI, you have a local file inclusion, and cross-site scripting. Good to find out; again it can be used as in Schneider's, but in the case of SCADA, I don't consider this that kind of pretty advanced vulnerability or basically a hard core one. So if you look at this particular screenshot, information disclosure is happening. We move forward, more file inclusion. Again we just uploaded the data, Black Hat web page in it, and it's all unauthenticated, so you don't need to wait for the person to do the authentication and process the link. You just place the link and it should be done. And I see, if I get time later on and the network is working, I'll rapidly show you that demo, that you can download malware on the fly with this thing. So scripting as usual. Unauthenticated, simply send a link, get whatever you want.

Now, we have gone through the Schneider Electric devices, [indiscernible], Prisma, and we're going to target Prisma Web. Interesting, one of the most, I think, easy vulnerabilities you can, or funny vulnerabilities. Prisma Web is one of the vendors that are based out of [indiscernible] and they actually build different devices like metal detectors, build devices like [indiscernible] and stuff like that. And they also build devices for X-rays, like inspection machines. So the interesting thing with this device is the web HMI, the password disclosure in a JavaScript file. Who could ever imagine this? So you are, let's say you are acting in some sort of airport or another place with a metal detector, or somewhere you find a Prisma Web metal detector, somewhere you get access to the IP. Boom, I mean you can do a lot of bad things. It's all in JavaScript, the client side, and it was working; all the vulnerabilities have been reported. Again these are full of [indiscernible] vulnerabilities, which I don't want to go into right now, but this one is interesting, through a simple JavaScript file. Take a look. So we access this Prisma Web here, so you get this web panel, and from there on, try to look into the source code to just understand what kinds of components are being used, what kinds of files are being included with this web HMI. If you see, we access two specific JS files: one is login.path.js, the other one is config.js. So the config.js has been configured in a simple manner. But if you look in login.js, it says Prisma Web, and prisma. So this actually shows that it might be running, in this case, a default password could be possible, but they are storing it in a JavaScript file, so if you are going to configure, any administrator is going to configure a new password for it, it's still going to be present in the JavaScript file, because that's exactly how that device works. And — so we have the credentials. So I got access to the Prisma Web by using the password, and from there on, you can see the particular device, you can set up the parameters, can screw up the process it is going in. But this is — this is one of the funniest vulnerabilities I've seen in this SCADA HMI research. A lot of impact. This vulnerability, if you were going to manipulate metal detectors, it's just crazy. But — from there onwards you also have a cross-site request forgery. It means the tokens are totally not followed with SCADA HMI; simply through an HTTP GET, change the password on the fly and then you can gain access to it. Now, let's see if the internet is working, but I [No audio] Looks like we're not lucky today. I can show you the demo, if you're interested. Just outside somewhere I can show you in real time how this can be. Just some live device somewhere.

Moving forward, now we're going to take a look into the ITC controller devices, primarily that go in pumps, so if you look into these pumps, these are basically used for pumping water, some sort of further purposes. Again, you can look into the snapshot and you can get an idea of what it actually looks like as a — you know, the controller 3000 designed for it, and you'll again have a web HMI for it. But they have, like, some problem; again you can upload the firmware in this case, uploading the files. You can go and upload the firmware, forgery. From there onwards, you can go ahead and play with the device through this, in this case, but this is also — so there's a lot of other vulnerabilities also present in this [indiscernible] controller, which I might not cover, but it's just an open platform. You can go ahead, if you have some time, motivated enough to hunt for vulnerabilities; I think this is a very good platform, and work with the [indiscernible] to report them those issues. And following that, this is one IDC controller request, actually the request and response mechanism, and from there, how the request has been issued and has been accepted, so you can upload files, firmware, things. With this vulnerability, once you control the firmware, so you control [indiscernible]. In addition to that, these are totally configured. You can find a lot of devices and the passwords and all of that. But this is just from the design perspective; all security has been lined according to, to the research. Basically these are people who dwell on this kind of devices.

Now, from there onwards, hunting continues, a little discussion, and — this is just the tip of the iceberg. If you go around and search, vendors out there that provide HMI web services, and keep looking for them, research different devices, you will find a lot of vulnerabilities; it's just not rocket science, you need to look into the control point that you need to control. And from there onwards you can spy on input stuff and see the device is working according to the way you want it to be. There's a big playground out there. It's just broken; not enough vulnerabilities in web HMIs have been reported back to ICS-CERT, but more on the protocol level, [indiscernible] hijacking, but if you open the scan, a lot of vulnerabilities are in there. And from the conclusion, I can only say, from this research, and other vulnerabilities out there, the SCADA web HMI security is completely broken. Why so? Because we all used to say all is good and all is gold, and you can see SCADA technology has been used for a long period of time, but in this case when it comes to security it's not that golden. But the problem here is that it's still being used in more stronger critical functions on the internet, or our day to day routine purposes, like we discussed earlier, metal detectors, pumps, and a lot of further additional details out there, so easy to find vulnerabilities, so easy to attack them, so easy to control them, and you can see how a big market, crimeware as a service, can build a threat. But you go ahead, find it, distribute an account and start selling these devices in the underground community. This is a real problem, and for that, I think for researchers, any motivated people, they need to come up and hunt vulnerabilities, work with the teams, whatever the best we can. This is actually the state at this point of time. Moving forward, some of the related research done earlier, other people's portals, good resources to look into to understand what kinds of vulnerabilities have already been disclosed, what new ones are there. I personally feel that vulnerabilities like cross-site file uploading, firmware uploading, remote file inclusion all have a potential impact considering the state of security in web HMIs. And thanks, and I'm open to questions. You're free to have any questions. If you need some demos I can show you that. [ Applause ]
