Thursday, July 9, 2015

Hot Cyberwar. Hackers and Missile Launchers


The most spectacular contest at PHDays V was the one organized by Advantech. Participants had to gain control over an industrial control system that drove a missile launcher and hit a certain secret target.

General

A missile launcher on a turret rotating about two axes and a target were set up on a stand. Participants had to gain control over the industrial system, turn the launcher toward the target and hit it (breaking the equipment did not count).

According to the contest's scenario, a hacker had already bypassed the external perimeter and gained access to the office network segment. Those who connected to the network received the operator's login and password and could watch the system in operation. The IP addresses of all the stand's devices were listed in a table on the stand.

This year's format combined various competitions with capture the flag contests (for more information, see our blog). About 40 PHDays attendees and several CTF teams took part in the contest.

Technical details

The SCADA system was deployed on an Advantech TPC-1840WP panel PC running Windows 7 Ultimate without any additional protection software.

Operating system updates were installed and the Windows firewall was enabled. The SCADA system was implemented with Advantech WebAccess 8.0.

Since the software could contain unpatched vulnerabilities, the operator's access was limited to visualization of the processes running in the controller. The controller's tags were read-only, and overwriting them did not affect the equipment's operation. With administrator privileges, an attacker could access the page containing a description of the system's structure and internal addressing.


The SCADA system communicated with the PLC over Modbus TCP using pseudo-registers (values were read not from the I/O modules but from the controller's program memory).

In standard mode, client and administrator web access to the SCADA system is provided through Internet Explorer over HTML4 using IIS, which is part of the standard Windows distribution. By default, authentication is performed by the SCADA system itself.

The physical connection between the SCADA system and the PLC was provided by the Advantech EKI-7659C managed L2 switch over ordinary Fast Ethernet. Contestants connected through the same switch, either by wire through an EKI-4654R or via Wi-Fi through an EKI-6351. The switch was not used for VLANs or MAC address filtering, though it could have been. In addition, the laptop used for managing the stand was connected to the same subnetwork.


PLC functions were implemented with the Advantech APAX-5620KW PAC controller, an ARM-based device running Windows CE 5. The controller turned the missile launcher on a timer (for our purposes, it ran the technological program of the process). The softlogic kernel ProConOS (by KW Software) ran as a kernel-level task for this. The movement program was implemented by the developer in ladder logic using KW Multiprog. The cycle time was 50 ms.


The controller had three standard connection methods: via VGA and USB (unavailable to contestants); via remote desktop (password-protected); and via an IEC 61131 development system, which allowed controlling and debugging the softlogic subsystem.

The controller had two LAN ports, one connected to the SCADA system (the office subnetwork) and the other to the input/output modules (the field subnetwork). The network ports had addresses in different subnetworks. This solved the problems of load balancing and separation of access.

For input/output, ADAM-6050 modules (discrete input from the axes' end-position sensors) and ADAM-6260 modules (relay control) were used. These modules support distributed programming in GCL, which was used to provide emergency protection: when an axis ran into an end stop, the DI module reported it to the DO module, and the DO module reversed the corresponding motor for 3 s. A watchdog that disabled all outputs in case of communication interruption was also configured. The interlock on the missile actuator control unit could be bypassed by writing a logical 1 to a separate internal variable, which required performing a Modbus register write from within the internal subnet.

The modules were physically connected without an external switch, using the daisy-chain capability of the ADAM-6260.
The launcher's turret was powered by a separate 5 VDC supply and was equipped with three motors (rotation around the vertical and horizontal axes, and rocket launch). A relay circuit was used to reverse the rotary motors and as basic protection against a short circuit in the power unit. In addition, the rocket launcher was equipped with five ground-referenced end-position sensors (left, right, up, down, volley performed).
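The emergency protection described above (end sensor reported from the DI module to the DO module, motor reversed for 3 s, watchdog dropping all outputs on communication loss, and a separate internal bypass variable) can be modelled as a small scan-cycle simulation. The block below is an added example, not the contest's GCL or ladder program; the 50 ms cycle is from the article, while the travel range, the 1 s watchdog timeout and the heartbeat used to model "communication" are assumptions. It shows why the bypass variable is the critical write: with it set, the same command that would normally trigger a reversal keeps driving the motor into the stop.

```python
"""Added example (not the contest's GCL or ladder program): a discrete-time
model of the stand's emergency protection as the article describes it.
One scan is 50 ms. A turret motor drives toward an end stop; when the end
sensor closes, the DO module reverses the motor for 3 s. If the controller
stops talking to the module for longer than a watchdog timeout, all outputs
are dropped. The bypass flag models the separate internal variable the text
says disables the interlock. The travel range, the watchdog timeout and the
heartbeat mechanism are assumptions of this model."""
from dataclasses import dataclass, field

CYCLE_MS = 50                        # scan cycle stated in the article
REVERSE_CYCLES = 3000 // CYCLE_MS    # 3 s of reversal = 60 cycles
WATCHDOG_CYCLES = 1000 // CYCLE_MS   # assumed 1 s comm-loss timeout = 20 cycles
TRAVEL_MAX = 100                     # assumed positions from left stop to right stop


@dataclass
class Turret:
    position: int = 50               # start mid-travel
    cmd_direction: int = +1          # requested by the controller: +1 right, -1 left, 0 stop
    reverse_cycles_left: int = 0
    cycles_since_heartbeat: int = 0
    outputs_enabled: bool = True
    bypass_interlock: bool = False
    log: list = field(default_factory=list)

    def at_end_stop(self) -> bool:
        """True when the commanded direction would drive into an end sensor."""
        return (self.position <= 0 and self.cmd_direction < 0) or \
               (self.position >= TRAVEL_MAX and self.cmd_direction > 0)

    def scan(self, heartbeat: bool) -> int:
        """Run one 50 ms cycle; return the direction actually applied to the motor."""
        self.cycles_since_heartbeat = 0 if heartbeat else self.cycles_since_heartbeat + 1
        if self.cycles_since_heartbeat >= WATCHDOG_CYCLES:
            self.outputs_enabled = False       # watchdog: all outputs off
        if not self.outputs_enabled:
            return 0
        if self.at_end_stop() and self.reverse_cycles_left == 0 and not self.bypass_interlock:
            self.reverse_cycles_left = REVERSE_CYCLES
            self.log.append(f"end stop at position {self.position}: reversing for 3 s")
        if self.reverse_cycles_left > 0:
            applied = -self.cmd_direction
            self.reverse_cycles_left -= 1
        else:
            applied = self.cmd_direction       # with the bypass set this keeps driving into the stop
        self.position = max(0, min(TRAVEL_MAX, self.position + applied))  # mechanical limit
        return applied


def run(bypass: bool, cycles: int, heartbeat_every=1):
    """Simulate `cycles` scans; heartbeat_every=None models a lost link."""
    t = Turret(bypass_interlock=bypass)
    applied = []
    for i in range(cycles):
        hb = heartbeat_every is not None and i % heartbeat_every == 0
        applied.append(t.scan(hb))
    return t, applied


if __name__ == "__main__":
    for name, bypass, hb in (("protected", False, 1), ("bypassed", True, 1), ("link lost", False, None)):
        turret, moves = run(bypass, 120, hb)
        state = "on" if turret.outputs_enabled else "off"
        print(f"{name}: final position {turret.position}, outputs {state}, reversals {len(turret.log)}")
```

In the protected run the motor reaches the stop, backs off for 60 cycles and resumes; in the bypassed run it sits against the stop with the output still energized; with the link lost the watchdog de-energizes everything after 20 silent cycles. The model treats the DI-to-DO report as instantaneous, which is the optimistic case for the protection.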

Almost all components of the system used non-dictionary (generated) passwords of 8–10 characters including Latin uppercase and lowercase letters, digits and punctuation marks.

The battle

The contest lasted for two days during Positive Hack Days.

Day 1

During the first day, contestants mostly examined the structure of the external subnet and tried to attack the system via SCADA. The hackers disabled operating system services, including the firewall, managed to create a new user (without administrator privileges, though), and restarted the PC twice.


Several participants obtained administrator access to WebAccess using Windows and SCADA exploits, looked through the tag descriptions and had the opportunity to stop the system's kernel. However, the system did not react to attempts to overwrite tags, and the kernel restarted automatically via Windows Scheduler. At the end of the day the exhausted hackers left an autograph on a page of the system and postponed further efforts until the next morning.

Day 2

During the first half of the second day, participants searched for the source of the control signals. One participant found an exploit for WinCE 5 but was not able to use it.

At 2 p.m. a hint was given: the controller's external segment is read-only, and you could try to "go through" the controller.


At this point RDot (a CTF team) joined in. Within an hour and a half the team managed to access the remote desktop of the APAX-5620 and gained the ability to kill and launch the softlogic task and manipulate the network adapters.

One contestant claimed to have achieved unidirectional forwarding from LAN1 to LAN2 without receiving return packets. However, Modbus did not allow this to be used for destructive purposes.

At 3 p.m. some mechanical problems occurred on the stand. The contestants gained the opportunity to intercept packets between KW Multiprog and the controller (stop and restart of the controller, enabling debug mode, use of the force function on controller memory cells). However, the contestants did not use this information.

At 4 p.m. participants were given the program source code of the APAX and ADAM modules, which could help in discovering ways of exploiting the regular programs. RDot was noted for successfully reading the program back from the controller (this function in KW Software was not password-protected), turning on debug mode, and monitoring the controller's registers.

At 5 p.m. participants were admitted to the internal network; they launched a DDoS attack against the emergency protection system and tried to disable it.


The contest ended at 6 p.m. No one managed to stop the GCL program or gain control over the outputs, although there were signs of impact on the modules' firmware.

Prize-winning participants were determined by the points they gained:
  • 1st place: Artur G. from the team Rdot (for hacking the APAX remote desktop, successful work with the source code in IEC61131),
  • 2nd place: Pavel I. (the first one to gain administrator access to the SCADA system's interface),
  • 3rd place: Alexander Y. (for sending packages between the APAX controller's ports and for applied efforts).
Consolation prize: Alexey P. (for using social engineering methods: detecting SCADA project backup from the administrator's laptop and obtaining the administrator password).

The contest's organizers concluded that:
  • Most intruders do not know much about ICS specifics. Participants mainly performed attacks against ports or used methods that did not match the system's features (monitoring Modbus traffic via Wireshark). However, it is possible to study the system's structure and its standard operation.
  • The most vulnerable components are those closest to the operator interface: SCADA client input and remote desktops. For systems based on Windows, additional software is required to protect both computers (firewalls) and communication channels (encryption).
  • An enterprise bus and a fieldbus must be physically isolated from each other, at least by a device with two network cards. Using VLANs is not always effective because of vulnerabilities in the web interfaces of switches.
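Two points above come together in a concrete check: Modbus TCP carries no authentication, so the only thing that stopped a write to the interlock bypass register from the office segment was that the controller's external port was read-only, and the organizers' last conclusion is that the enterprise bus and fieldbus must stay separated. The block below is an added example, not the organizers' code: it parses Modbus/TCP requests, separates read from write function codes, and raises an alert when a write arrives from anywhere but an allow-listed engineering host. The subnets, host addresses and sample frames are constructed for illustration; the function codes are the public ones from the Modbus application protocol.

```python
"""Added example (not the contest organizers' code): classify Modbus/TCP
requests by function code and flag writes that do not come from an
allow-listed engineering host. Subnets, addresses and frames below are
constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification)
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed policy for a stand like this one: the office (enterprise) subnet is
# read-only; only one engineering host on the field subnet may write.
OFFICE_SUBNET = ipaddress.ip_network("10.10.1.0/24")          # constructed
FIELD_SUBNET = ipaddress.ip_network("10.10.2.0/24")           # constructed
WRITE_ALLOWED_HOSTS = {ipaddress.ip_address("10.10.2.50")}    # constructed


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    quantity_or_value: int


def parse_adu(data: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(data) - 6:   # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = data[7]
    # Codes 1-6, 15 and 16 all start with a 16-bit address followed by a
    # 16-bit quantity (reads, 15, 16) or value (5, 6).
    if fc in READ_CODES or fc in WRITE_CODES:
        if len(data) < 12:
            raise ValueError("PDU too short for address and quantity/value")
        addr, qv = struct.unpack(">HH", data[8:12])
    else:
        addr, qv = 0, 0            # other codes are not decoded in this example
    return ModbusRequest(tid, unit, fc, addr, qv)


def classify(src_ip: str, data: bytes):
    """Return (verdict, description) for one request from src_ip."""
    req = parse_adu(data)
    src = ipaddress.ip_address(src_ip)
    if req.function_code in READ_CODES:
        return "ok", f"{READ_CODES[req.function_code]} @ {req.address} from {src}"
    if req.function_code in WRITE_CODES:
        desc = f"{WRITE_CODES[req.function_code]} @ {req.address} (value/qty {req.quantity_or_value})"
        if src in WRITE_ALLOWED_HOSTS:
            return "ok", f"{desc} from engineering host {src}"
        if src in OFFICE_SUBNET:
            return "alert", f"write from office segment {src}: {desc}"
        if src in FIELD_SUBNET:
            return "alert", f"write from field host not on allow-list {src}: {desc}"
        return "alert", f"write from foreign address {src}: {desc}"
    return "alert", f"unclassified function code {req.function_code} from {src}"


def build_request(tid: int, unit: int, fc: int, addr: int, qv: int) -> bytes:
    """Construct a sample single-address request (codes 1-6); length = unit + PDU."""
    pdu = struct.pack(">BHH", fc, addr, qv)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: an operator read, a write attempt from the same
# office host against an internal variable, and a write from the engineering host.
SAMPLE = [
    ("10.10.1.20", build_request(1, 1, 3, 0, 10)),
    ("10.10.1.20", build_request(2, 1, 6, 40, 1)),
    ("10.10.2.50", build_request(3, 1, 5, 7, 0xFF00)),
]


def scan(samples=SAMPLE):
    """Classify every (source, frame) pair and return the verdicts."""
    return [classify(ip, frame) for ip, frame in samples]


if __name__ == "__main__":
    for verdict, desc in scan():
        print(f"{verdict:5} {desc}")
```

The same logic can be dropped into a passive tap on the switch between the two segments; because Modbus has no sender authentication, a source-based allow-list plus physical separation is what turns a read-only segment from a configuration choice into something that can be enforced and audited.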

31 comments:

  1. Hi, I log on to your weblogs daily. Your humorist design is witty, keep it up!

  2. That was a very interesting article, thank you for posting it! As for me, a rather curious architecture was used.
    Thank you again and lots of luck.

  3. You just need to read this highster mobile review, to not get in trouble with hackers attacking your phone.

  4. buy assignment help
    Thanks for sharing such a useful post, keep it up.

  5. MBA Report Writing
    Things are very open and the explanation of issues is intensely clear. It was truly informative. Your website is very beneficial.

  6. Biology Assignment Help Service
    I'm really impressed with your article, such great and useful knowledge you mentioned here.

  7. Pretty helpful material, much thanks for this article.
    C Programming Project Help

  8. Content Creation Service
    By visiting this site I found cool stuff here, keep it up.

  9. Finance Project Assignment Help
    Only professional writers can make this kind of material, cheers.

  10. java programming help
    The leading assignment help UK firm offers state-of-the-art services to its clients with a promise of delivering all the required work well within the deadline.

  11. Do My Law Projects
    This is really great work. Thank you for sharing such good and useful information here in the blog for students.

  12. Help With Psychology Projects
    I am so happy to read this. This is the kind of manual that needs to be given and not the random misinformation that's at the other blogs.

  13. It is a well-maintained site where people can learn about various topics. I am looking forward to reading more blogs from here. Students finding it tough to write an assignment can try our online assignment help and can get their coursework written by assignment experts. Assignment Help

  14. Thanks a lot for sharing it; that has truly added a lot to our knowledge about this topic. Have a more successful day.
    Online service of Assignment Help Melbourne

  15. Very informative post, would love to read more, keep writing.
    I would like to share some links useful to students:
    Assignment Help
    Essay Help
    Homework Help

  16. This really helps me to find the answers to my question. Hoping that you will continue posting articles with useful information. Thanks a lot! This is a useful article, I like it.
    Canada Assignment Help

  17. After reading the great post I want to say that you have shared top quality stuff in the content of the post. Keep doing the great job.
    home tuition singapore

  18. It is a nice post. I always read this kind of information. I also want to share some helpful information regarding essay help and assignment help.
    homework help
    write my paper
    best paper writing service
    writing service

  19. Loved this post, the point of discussion needs to be more effective.
    I am an Academic Writer in UK at MyAssignmethelp.co.uk providing
    Law Assignment Help UK,
    Mathematics Assignment Help UK,
    Science Assignment Help UK to all students in UK

  20. This is a very well written post, my compliments. I'm glad to find your post. Keep sharing this type of stuff.
    Online Assignment Help Melbourne

  21. The idea of some spotty kid having access to the big button is utterly horrible.

  22. Good idea about cyberwar hackers and missiles, and I have read in a research paper published by a dissertation writing service that Russia is expanding its cyber hackers group and making it a part of its army.

  23. Nice post. Thanks for sharing!
    Are you looking for Physics homework help? Myassignmenthelp provides the best Physics homework help to students at the cheapest cost.

  24. Your website is really cool and this is a great inspiring article. Thank you so much.
    essay writing service singapore

  25. The presentation and details of the mobile launcher features are interesting. The article is helpful for research students to understand that technology.

  26. This is an unrealistically cool presentation. Now everything is clear on how dangerous hacker interference in security is.

  27. Nice knowledge-gaining article. This post is really the best on this valuable topic. dissertation help ireland

  28. Many thanks for the exciting blog posting! I simply put your blog post on my favorite blog list and will look forward to additional updates.
    Assignment Help SG