
Thursday, July 9, 2015

Hot Cyberwar. Hackers and Missile Launchers

The most spectacular contest during PHDays V was the one organized by Advantech. Participants had to gain control over an industrial system that controlled a missile launcher and hit a certain secret object.


A missile launcher on a turret rotating about two axes and a target were presented on a stand. Participants had to gain control over the industrial system, turn the missile toward the target and hit it (breaking the equipment wouldn't count).

According to the contest's scenario, a hacker had bypassed the external perimeter and had access to the office's network segment. Those who connected to the network received the operator's login and password and could watch the system in operation. The IP addresses of all the devices in the setup were listed in a table on the stand.

This year's format combined various competitions and capture the flag contests (for more information see our blog). About 40 PHDays attendees and several CTF teams took part in the contest.

Technical details

The SCADA system was deployed on the panel PC Advantech TPC-1840WP and was running on Windows 7 Ultimate without any additional protection systems.

The operating system's updates were installed, Windows firewall was up. The SCADA system was implemented on Advantech WebAccess 8.0.

Since the software could contain unpatched vulnerabilities, the operator's access was limited to visualization of the processes running in the controller. The controller's tags were read-only, and rewriting them didn't affect the equipment's operation. With administrator privileges, the attacker could access the page containing a description of the system's structure and internal addressing.

The SCADA system communicated with the PLC via Modbus TCP using pseudoregisters (reading not from I/O modules, but from the controller's program memory).

In standard mode, client and administrator web access to the SCADA system is available via Internet Explorer through HTML4 using IIS, which is part of a standard Windows distribution kit. By default, authentication is performed by the SCADA system itself.

The physical connection between the SCADA system and the PLC was provided by the L2 managed switch Advantech EKI-7659C over ordinary Fast Ethernet. Contestants connected through the same switch, either by wire through an EKI-4654R or by Wi-Fi through an EKI-6351. The switch was not used for VLANs or MAC address filtering, though it could have been. In addition, the laptop used for managing the stand was connected to the subnetwork.

PLC functions were implemented on the PAC controller Advantech APAX-5620KW, a device based on an ARM processor running WinCE 5. The controller turned the missile launcher on a timer (for our purposes, it ran the technological program of the process). For this, the softlogic kernel ProConOS (written by KW Software) ran as a kernel-level task. The movement program was implemented by the developer in ladder logic using KW Multiprog. The cycle time was 50 msec.

The controller had three standard connection methods: via VGA and USB (unavailable to contestants); via remote desktop (password-protected); and via an IEC 61131 development system, which allowed controlling and debugging the softlogic subsystem.

The controller supported two LAN ports, one of which was connected to the SCADA system (the office subnetwork); and the other one, to the input/output modules (the field subnetwork). Network ports had addresses in different subnetworks. This solved the problem of load balancing and separation of access.

For input/output, ADAM-6050 modules (discrete input from the axes' final position sensors) and ADAM-6260 modules (relay control) were used. These modules support distributed programming in GCL, which was used to provide emergency protection. In particular, when the turret ran into a final position sensor, the DI module reported it to the DO module, and the DO module reversed the appropriate motor for 3 sec. A watchdog that disabled all outputs in case of a communication interruption was also installed. The block on the missile actuator control unit could be bypassed by writing a logical 1 to a separate internal variable (which required performing a write to a Modbus register from within the internal subnet).
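The read-only office segment and the internal-subnet-only register write described above can be monitored passively. The following is an added example, not code from the contest or from Advantech: it parses Modbus/TCP requests and flags any state-changing function code that originates outside the field subnet. The subnet `192.168.20.0/24`, the host addresses and the sample frames are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# State-changing function codes from the public Modbus application protocol spec.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumed addressing for the illustration; the article gives no IP ranges.
FIELD_SUBNET = ipaddress.ip_network("192.168.20.0/24")


def parse_adu(payload: bytes) -> dict:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}


def write_address(func: int, data: bytes):
    """Return the first address a write request touches, or None if absent."""
    offset = 4 if func == 0x17 else 0  # 0x17 carries the read range first
    if len(data) < offset + 2:
        return None
    return struct.unpack(">H", data[offset:offset + 2])[0]


def inspect(src_ip: str, payload: bytes) -> str:
    """Verdict for one request (one ADU per payload is assumed)."""
    try:
        adu = parse_adu(payload)
    except ValueError as exc:
        return f"malformed: {exc}"
    name = WRITE_FUNCTIONS.get(adu["func"])
    if name is None:
        return "allow: not a write function"
    if ipaddress.ip_address(src_ip) in FIELD_SUBNET:
        return "allow: write from field subnet"
    addr = write_address(adu["func"], adu["data"])
    return f"alert: {name} to address {addr} from {src_ip}"


# Constructed sample traffic (hex of the TCP payload), not captured at the contest.
SAMPLES = [
    ("192.168.10.50", "000100000006010300000002"),  # read holding registers
    ("192.168.10.50", "000200000006010600100001"),  # write register 16 = 1
    ("192.168.20.5",  "000300000006010600100001"),  # same write, field side
    ("192.168.10.50", "0004000000060106"),          # truncated frame
]

if __name__ == "__main__":
    for src, hexdata in SAMPLES:
        print(src, "->", inspect(src, bytes.fromhex(hexdata)))
```
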

The modules were physically connected without an external switch, using the daisy chain technology in ADAM-6260.

The launcher's turret was powered by a separate 5 VDC unit and was equipped with three motors (rotation around the vertical and horizontal axes, and rocket launch). A relay circuit was used to reverse the rotation motors and as zero-level protection against short circuits in the power unit. In addition, the rocket launcher was equipped with five ground-pressure final position sensors (left, right, up, down, volley performed).

Almost all the components of the system had non-dictionary (generated) passwords of 8 to 10 characters that included Latin uppercase and lowercase letters, numbers, and punctuation marks.

The battle

The contest lasted for two days during Positive Hack Days.

Day 1

During the first day, contestants mostly examined the external subnet's structure and tried to attack the system via SCADA. The hackers disabled operating system services, including the firewall, managed to add a new user (without administrator privileges, though), and restarted the PC twice.

Several participants managed to obtain administrator access to WebAccess by using Windows and SCADA exploits, looked through tag descriptions and had the opportunity to stop the system's kernel. However, the system didn't react to attempts to rewrite tags, and the kernel restarted automatically via Windows Scheduler. At the end of the day the exhausted hackers left an autograph on a page of the system and postponed further efforts till the next morning.

Day 2

During the first half of the second day, the contest's participants searched for the source of control signals. One of the participants found an exploit for WinCE 5, but wasn't able to use it.

At 2 p.m. a hint was given: the controller's external segment is read-only and you could try to "pass" the controller.

At this point RDot (a CTF team) joined. In an hour and a half the team managed to access the APAX-5620 remote desktop and gained the ability to "kill" and launch the softlogic task and to manipulate network adapters.

One of the contestants claimed to have achieved unidirectional forwarding from LAN1 to LAN2 without receiving return packets. However, Modbus did not allow using this for destructive purposes.

At 3 p.m. some mechanical problems occurred on the stand. The contestants gained the opportunity to intercept packets between KW Multiprog and the controller (stopping and restarting the controller, enabling the debug mode, using the force function on controller memory cells). However, the contestants didn't use this information.

At 4 p.m. participants were provided with the program source code of the APAX and ADAM modules, which could help in discovering ways to exploit the regular programs. RDot was noted for successfully reading the program back from the controller (this function in KW Software was not password-protected), turning on the debug mode, and monitoring the controller's registers.

At 5 p.m. users were admitted to the internal network; they launched a DDoS attack against the emergency protection system and tried to disable it.

The contest ended at 6 p.m. No one managed to stop the GCL program or to gain control over the outputs, although there were signs of impact on the modules' firmware.

Prize-winning participants were determined by the points they gained:
  • 1st place: Artur G. from the team RDot (for hacking the APAX remote desktop and successful work with the source code in IEC 61131),
  • 2nd place: Pavel I. (the first one to gain administrator access to the SCADA system's interface),
  • 3rd place: Alexander Y. (for sending packets between the APAX controller's ports and for applied efforts).
Consolation prize: Alexey P. (for using social engineering methods: detecting a SCADA project backup on the administrator's laptop and obtaining the administrator password).

The contest's organizers concluded that:
  • Most intruders do not know much about ICS specifics. Participants mainly performed attacks (against ports) or used methods that did not comply with the system's features (monitoring Modbus traffic via Wireshark). However, it is possible to study the system's structure and its standard operation.
  • The most vulnerable are those components that are the closest to the operator interface: SCADA client input, remote desktops. For systems based on Windows, additional software is required to protect both computers (firewalls) and communication channels (encryption).
  • An enterprise bus and fieldbus must be physically isolated from each other at least by a device with two network cards. Using VLANs is not always effective because of vulnerabilities in the web interfaces of switches.

