Thursday, July 9, 2015

Hot Cyberwar. Hackers and Missile Launchers


The most spectacular contest during PHDays V was the one organized by Advantech. Participants had to gain control over an industrial system that controlled a missile launcher and hit a certain secret object.

General

A missile launcher on a turret rotating about two axes and a target were set up on a stand. Participants had to gain control over the industrial system, turn the missile toward the target and hit it (breaking the equipment wouldn't count).

According to the contest's scenario, a hacker had bypassed the external perimeter and had access to the office network segment. Those who connected to the network received the operator's login and password and could watch the system in operation. The IP addresses of all the devices in the setup were listed in a table on the stand.

This year's format combined various competitions and capture the flag contests (for more information see our blog). About 40 PHDays attendees and several CTF teams took part in the contest.

Technical details

The SCADA system was deployed on an Advantech TPC-1840WP panel PC running Windows 7 Ultimate without any additional protection systems.

Operating system updates were installed and Windows Firewall was enabled. The SCADA system was implemented on Advantech WebAccess 8.0.

Since the software could contain unpatched vulnerabilities, the operator's access was limited to visualization of the processes running in the controller. The controller's tags were read-only, and rewriting them didn't affect the equipment's operation. With administrator privileges, the attacker could access the page containing a description of the system's structure and internal addressing.


Communication between the SCADA system and the PLC ran over Modbus TCP using pseudoregisters (reading not from the I/O modules, but from the controller's program memory).

In standard mode, client and administrator web access to the SCADA system is available via Internet Explorer over HTML4, served by IIS, which is part of the standard Windows distribution. By default, authentication is performed by the SCADA system itself.

The physical connection between the SCADA system and the PLC was provided by the Advantech EKI-7659C L2 managed switch over ordinary Fast Ethernet. Contestants connected through the same switch, either by wire through an EKI-4654R or via Wi-Fi through an EKI-6351. The switch was not used for VLANs or as a MAC address filter, though it could be used in that way. In addition, the laptop used for managing the stand was connected to the same subnetwork.


PLC functions were implemented on the Advantech APAX-5620KW PAC controller, an ARM-based device running WinCE 5. The controller turned the missile launcher on a timer (for our purposes, it ran the technological program of the process). For this, the ProConOS softlogic kernel (written by KW Software) ran as a kernel-level task. The movement program was written by the developer in ladder logic using KW Multiprog. The cycle time was 50 msec.


The controller had three standard connection methods:
  • via VGA and USB (unavailable to contestants);
  • via remote desktop (password-protected);
  • via an IEC 61131 development system, which allowed controlling and debugging the softlogic subsystem.

The controller had two LAN ports: one was connected to the SCADA system (the office subnetwork) and the other to the input/output modules (the field subnetwork). The network ports had addresses in different subnetworks. This solved the problem of load balancing and separation of access.

For input/output, ADAM-6050 modules (for discrete input from the axes' final position sensors) and ADAM-6260 modules (for relay control) were used. These modules support distributed programming in GCL, which was used to implement emergency protection. In particular, when an axis ran into a final position, the DI module reported it to the DO module, and the DO module reversed the appropriate motor for 3 sec. A watchdog disabled all outputs if communication was interrupted. The interlock on the missile launch actuator could be bypassed by writing a logical 1 to a separate internal variable (which required a write to a Modbus register from within the internal subnet).
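On the wire, the interlock bypass described above is a Modbus write request, which a monitor on the field subnet can distinguish from the reads the SCADA side performs. The following is an added example, not code from the original post or the contest stand: it parses Modbus TCP request frames and flags write function codes from hosts outside an allowlist. The IP addresses, the register number and the sample frames are constructed, and the single allowed writer is an assumption.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change state in the device.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumption: only the controller's field-side port is expected to write.
ALLOWED_WRITERS = [ip_network("192.0.2.10/32")]  # constructed address


def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus TCP request ADU; return a dict, or None if malformed."""
    if len(payload) < 8:  # 7-byte MBAP header plus function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id and the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    func, data = payload[7], payload[8:]
    frame = {"tid": tid, "unit": unit, "func": func,
             "address": None, "value": None}
    if func in (0x05, 0x06):
        if len(data) != 4:
            return None
        frame["address"], frame["value"] = struct.unpack(">HH", data)
    elif func in (0x0F, 0x10, 0x16) and len(data) >= 2:
        frame["address"] = struct.unpack(">H", data[:2])[0]
    return frame


def check_frame(src_ip: str, payload: bytes):
    """Return an alert string for a suspicious request, else None."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return f"{src_ip}: malformed Modbus TCP frame"
    name = WRITE_FUNCTIONS.get(frame["func"])
    if name is None:
        return None  # read or diagnostic request
    if any(ip_address(src_ip) in net for net in ALLOWED_WRITERS):
        return None  # write from the expected controller port
    return (f"{src_ip}: {name} addr={frame['address']} "
            f"value={frame['value']} from non-allowlisted host")


def scan(capture):
    """Run check_frame over (source IP, TCP payload) pairs; collect alerts."""
    return [a for a in (check_frame(s, p) for s, p in capture) if a]


# Constructed sample requests to TCP port 502 (not captured on the stand).
READ_REQ = bytes.fromhex("000100000006010300000002")    # read 2 registers
WRITE_REQ = bytes.fromhex("000200000006010600100001")   # register 16 := 1
TRUNCATED = bytes.fromhex("0003000000060106")           # length field lies
SAMPLE_CAPTURE = [
    ("192.0.2.20", READ_REQ),
    ("192.0.2.10", WRITE_REQ),
    ("192.0.2.77", WRITE_REQ),
    ("192.0.2.77", TRUNCATED),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print(alert)
```
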

The modules were physically connected without an external switch, using the daisy-chain capability of the ADAM-6260.

The launcher's turret was powered by a separate 5 VDC unit and was equipped with three motors (rotation around the vertical and horizontal axes, and rocket launch). A relay circuit was used to reverse the rotation motors and as zero-level protection against a short circuit in the power unit. In addition, the rocket launcher was equipped with five pressure-type final position sensors (left, right, up, down, volley performed).

Almost all the components of the system used non-dictionary (generated) passwords of 8 to 10 characters that included Latin uppercase and lowercase letters, numbers and punctuation marks.

The battle

The contest lasted for two days during Positive Hack Days.

Day 1

During the first day, contestants mostly examined the external subnet's structure and tried to attack the system via SCADA. The hackers disabled operating system services, including the firewall, managed to add a new user (though without administrator privileges), and restarted the PC twice.


Several participants managed to obtain administrator access to WebAccess by using Windows and SCADA exploits, looked through the tag descriptions and had the opportunity to stop the system's kernel. However, the system didn't react to attempts to rewrite tags, and the kernel was restarted automatically by the Windows scheduler. At the end of the day the exhausted hackers left an autograph on one of the system's pages and postponed further efforts till the next morning.

Day 2

During the first half of the second day, the contest's participants searched for the source of the control signals. One of the participants found an exploit for WinCE 5, but wasn't able to use it.

At 2 p.m. a hint was given: the controller's external segment is read-only and you could try to "pass" the controller.


At this point RDot (a CTF team) joined. In an hour and a half the team managed to access the APAX-5620 remote desktop and gained the ability to "kill" and launch the softlogic task and to manipulate the network adapters.

One of the contestants claimed to have achieved unidirectional forwarding from LAN1 to LAN2, without receiving return packets. However, Modbus did not allow this to be used for destructive purposes.

At 3 p.m. some mechanical problems occurred on the stand. The contestants gained the opportunity to intercept packets between KW Multiprog and the controller (stopping and restarting the controller, enabling debug mode, using the force function on controller memory cells). However, the contestants didn't use this information.

At 4 p.m. participants were given the program source code for the APAX and ADAM modules, which could help them find ways to exploit the standard programs. RDot stood out for successfully reading the program back from the controller (this function in KW Software was not password-protected), turning on debug mode, and monitoring the controller's registers.

At 5 p.m. users were admitted to the internal network; they launched a DDoS attack against the emergency protection system and tried to disable it.


The contest ended at 6 p.m. No one managed to stop the GCL program or to gain control over the outputs, although there were signs of impact on the modules' firmware.

Prize winners were determined by the points they earned:
  • 1st place: Artur G. from the team RDot (for hacking the APAX remote desktop and successful work with the IEC 61131 source code),
  • 2nd place: Pavel I. (the first one to gain administrator access to the SCADA system's interface),
  • 3rd place: Alexander Y. (for sending packets between the APAX controller's ports and for the effort applied).
Consolation prize: Alexey P. (for using social engineering methods: finding a SCADA project backup on the administrator's laptop and obtaining the administrator password).

The contest's organizers concluded that:
  • Most intruders do not know much about ICS specifics. Participants mainly performed attacks against ports or used methods that did not fit the system's features (monitoring Modbus traffic via Wireshark). However, it is possible to study the system's structure and its standard operation.
  • The most vulnerable components are those closest to the operator interface: SCADA client input, remote desktops. For Windows-based systems, additional software is required to protect both the computers (firewalls) and the communication channels (encryption).
  • An enterprise bus and a fieldbus must be physically isolated from each other, at least by a device with two network cards. Using VLANs is not always effective because of vulnerabilities in the web interfaces of switches.
