COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY
Lucas Apa Carlos Mario Penagos
About Us
Vulnerability Research Exploita<on Cryptography
Reverse Engineering ICS/SCADA
2
Lucas Apa Carlos Penagos
Argen<na Colombia
Security Consultants and Researchers
Agenda § Mo<va<on § Industries and Applica<ons § Wireless Standards § Journey of Radio Encryp<on Keys § Vendor1 Wireless Devices § Vendor2 Wireless Devices § Vendor3 Wireless Devices
3
Mo<va<on
4
§ Cri<cal Infrastructures becoming targets § Insider aLacks (Lately) § Devices connected to Internet § 0days to reach the PLC, RTU, HMI…
§ Stealth and precise aLacks § Incident response at hazardous sites § ALack families of devices (+ reliable)
Industrial Wireless Automa<on
5
§ Copper wires are used to monitor and control § Corrosion, Duc<lity, Thermal Conduc<vity § Cost of wires, trenching, moun<ng and installa<on § Industrial Wireless Solu<ons § Eliminate cost of hardwiring, logis<cs, installa<on § Heavy machinery involved § Remote control and administra<on (Geography) § Minimize Safety Risk & Dangerous Boxes § Adds durability
Industries and Applica<ons
6
Oil & Gas
Refined Petroleum Petrochemicals
§ Plunger li_/ar<ficial li_ op<miza<on § Well-‐head automa<on § RTU/EFM I/O extensions § Cathodic protec<on monitoring § Hydrogen sulfide (H2S) monitoring
§ Tank level monitoring § Pipeline cathodic protec<on § Rec<fier voltage monitoring § Gas/liquid flow measurement § Pipeline pressure and valve
monitoring
Industries and Applica<ons (2)
7
Energy -‐ U<li<es
Waste & Waste Water
§ Transformer temperature § Natural gas flow § Power outage repor<ng § Capacitor bank control § kV, Amp, MW, MVAR reading
§ Remote pumping sta<ons § Water treatment plants § Water distribu<on systems § Wastewater/sewer collec<on systems § Water irriga<on systems/agriculture
Industrial Wireless Challenges
8
§ Defeat electromagne<c interference (EMI) § Handle signal aLenua<on and reflec<ons § Reliability is far more important than Speed § Higher transmiLer power levels § Site surveys to assess the consistency and
reliability of the plant § Mainly using 2.4Ghz or 900Mhz (ISM Band) § No “business” protocols
Cryptographic Key Distribu<on (WSN)
9
§ Distribute secrets on a large number of nodes § Base sta<ons with clusters surrounding § Limita<ons: § Deployment in public or hos<le loca<ons § Post-‐deployment knowledge § Limited bandwidth and transmission power
§ Methods for crypto key distribu<on: § Out-‐of-‐band § In-‐band § Factory pre-‐loaded
IEEE 802.15.4 Standard
§ Wireless Radios (Low Power/Speed) § Set the encryp<on algorithm and AES Key § Upper Layer Responsibility § Each node can have an ACL § MAC for upper layers:
§ ZigBee § WirelessHart § ISA SP100 § IETF IPv6 -‐ LoWPAN
10
ZigBee 2007 (Standard Security Mode) § Goal: Understand Key Schemes § Suite of high level communica<on protocols § Based on IEEE 802.15.4 (Low level layers) § ISM radio bands § Trust Center introduced in 2007
11
Two Key Distribu<on Mechanisms:
1. Pre-‐Installa<on 2. Over the air
§ Network Key (AES 128-‐bit) § Pre-‐installed (Factory Installed) § Individually Commissioned
(Commissioning tool) § Managed by the Trust Center
A
Trust Center
B
ZigBee Pro 2007 (High Security Mode) § Many enhancements § More memory requirements § New keys introduced
12
A B MasterKey_TA LinkKey TA NetworkKey MasterKey_AB LinkKey AB
MasterKey_TB LinkKey TB NetworkKey MasterKey_AB LinkKey AB
MasterKey_TA LinkKey TA NetworkKey MasterKey_TB LinkKey TB
Trust Center
① Master Key § Unsecured Transport L § Out-‐of-‐band Technique J § Secure other keys
② Link Key § Unicast § Unique between nodes
③ Network Key • Regenerated at Intervals • Needed to join the NWK
End User
Device
DeviceVendorID Key in Firmware
Per-‐Client Encryp<on Key
Change Encryp<on
Key
Per-‐Client Encryp<on
Key
Device Company Encryp<on Key
Device Company Encryp<on
Key
Change Encryp<on
Key
No Encryp<on Key
Set Encryp<on
Key
No Encryp<on
key
No Encryp<on Key
The Journey of Radio Encryp<on Keys
13
Radio
Reusing Radio Keys
§ Device Company Key aLack 1. Buy same Device (Buy same Key) 2. Remove Radio Module 3. Connect to USB Interface 4. Interact: API & AT Command Mode 5. Send frames using the unknown key
Warning: Not possible if exists a Per-‐Client Encryp<on Key
14
§ End-‐User Node Key Storage § Shared Secret § Same Firmware or Same Radio Key
Exploi<ng Vendor1 Devices § Company Profile (+1990) § Frequency Hopping Wireless Devices § Great for long or short range wireless
SCADA applica<ons § Secure proprietary FHSS with 128 bit AES
encryp<on § Hazardous loca<on approvals, Perfect for
outdoor Ethernet SCADA or indoor PLC messaging
§ 30+ miles point to point with high gain antennas
15
Vendor1 Key Distribu<on “<Vendor1 Tool> is easy to use and intuiBve. Default values built into the so0ware work well for ini4al installa4on and tesBng making it easy for first-‐Bme users. <Vendor1 Tool> manages all important
se8ngs to ensure that the network performs correctly.” (User Guide)
16
§ RF Encryp<on: A 128-‐bit encryp<on level key is suggested for the user.
§ Blank: No encrypted packets
§ 5-‐7 Chars: Field is translated into a 40-‐bit encryp<on level.
§ 15-‐24 Chars: Field is translated into a 128-‐bit encryp<on level.
Reversing Passphrase Genera<on
Compiled C++ Binary: § srand seeds PRNG § <me returns epoch § srand(<me(NULL)) § Low Entropy Seed § Same algorithm § rand() § Bad ANSI C func<on
17
ALacking Weak PRNG
18
C:\>passgen.exe 2013-‐04-‐04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0
The Oldest Passphrase Help File
19
C:\>passgen.exe 2013-‐04-‐04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0 2013-‐04-‐04 21:39:07 => 1365136747 => nir3f1a0dm2sdt41q91c06nt … 2008-‐04-‐17 15:20:47 => 1208470847 => re84q92vssgd671pd2smj8ig
Comissioning Tool Audit
§ Easily breakable by an outsider § Further Research with the Devices § Comissioning Tools needs deep tes<ng
20
Bruteforce Passphrase 2570 Passphrases
Mixed lower case alphabet plus numbers and common symbols
Impossible to calculate all passphrases
Need to derive AES 128-‐bit key on real<me
Weak PRNG ALack ~156 Million Passphrases
Every second passed, one more key
Only a few seconds to calculate all passphrases
Calculate once and create a database with all possible AES 128-‐bit key deriva<ons
vs
Vendor2 Wireless Devices § Market leadership: Oil & Gas § Wireless and wired solu<ons for the digital oil field
automa<on § Trusted by top companies in different industries § Family System (Point to Mul<point):
§ Wireless Gateways § Wireless TransmiLers § I/O Expansion Modules § Hardwire Sensors
21
22
An Extended Family of Devices
23
§ Applica<ons § Oil & Gas
§ Refining / Petro Chemicals
§ Water & Waste Water
§ U<li<es
§ Industrial Process Monitoring
§ TransmiLers § RTD Temperature TransmiLer
§ Analog/Discrete TransmiLer
§ Flow Totalizer TransmiLer
§ Pressure TransmiLer
§ Hydrosta<c Level TransmiLer
§ Many more..
24
SCADA
PLC
RTU
EFM
HMI
DCS
RF Modem
Secure Communica<ons
25
§ How the devices access the wireless informa<on? § “Enhanced Site Security Key”
§ Security Key == Encryp<on Key ??? § Legacy Devices Without Encryp<on???
The Enhanced Site Security feature designed to provide an addiBonal level of protec4on for RF packets sent and received between <Vendor2> devices and minimizes the possibility of interference from other devices in this area. This feature is not available on some older versions of legacy devices.
Key Genera<on and Distribu<on
26
§ Comissioning Tool § Create a “Project File” and update all Nodes § From documenta<on:
This Key MUST be somewhere on the Project File
“If the project file name is changed, a new Site Security Key will be assigned”
Possible Scheme: Per-‐Site Encryp4on
File Name Change => New Key
27
Project File Binary Diffing
28
ProjectA
\x17\x58\x4f\x51
1364154391
Sun, 24 Mar 2013 19:46:31 GMT
ProjectB
\x51\x58\x4f\x51
1364154449
Sun, 24 Mar 2013 19:47:29 GMT
29
§ Support Center § Firmware Images & Documenta<on § Radio Modules, Architectures & Processors
Component IdenSficaSon
RISC
Understanding Firmware Image (RISC)
CrossWorks for MSP430
§ Industry Standard Format § @Address and content § Incomplete Image (Update)
§ Only compiler strings
Component IdenSficaSon (MSP430)
430F149
32
YouTube (XT09 and 802.15.4)
No Per-‐Client Key Dear <<Reseller Sales Eng>>,
We are going to borrow a used “Analog Transmider” from one of our partners,
We are going to test it for a few weeks and let you know if we decide to buy a new one.
Are there any specific concern we might take into account when deploying this device to connect it with our <Device>? Or just upgrade all project configuraBon files?
Thank you
33
Lucas,
You just need to upgrade the configuraBon files.
Thanks.
Finding Embedded Keys
34
§ Two kind of Firmwares (ARM and MSP430) § One possible hardcoded key in both firmwares § “Binary Equaling”
Acquiring the Devices
35
§ Wireless Gateway § Gateways are responsible for receiving/
collec<ng data from wireless end nodes § The collected data can be communicated
with third-‐party Modbus device such as a RTU, PLC, EFM, HMI, or DCS
§ RTD Temperature TransmiLer § Integrates Pla<num 100 ohm RTD Sensor § Ideal for use in various mission-‐cri<cal
industrial applica<ons.
§ Ideal for Monitoring Air, Gas, Water, or Liquid Temperatures
§ Steal and extract § Site Security Key § Project File
Resilience and Node Capture
36
Stolen Node
Gateway
Tx
Tx Tx Serial
Capture
FF 41 06 00 0A 00 00 00 33 2E 1D CC
FF 41 0A 00 0A 00 00 00 04 00 AB D0 9A 51 B0 ...
A crypto aLack disappointment § Protocol Reverse Engineering § Device has a debug interface § Developed a custom tool to receive and send 802.15.4 data
§ 2.4ghz Transceiver (Modified Firmware and Reflashed by JTAG) § PyUsb, IPython § Scapy Dissectors, etc.
§ Against the perfect scheme: Per-‐Site EncrypSon Key
37
§ Key not really used for data encrypSon § Key only used to ”authenScate” devices (capture SiteSecurityKey) § No integrity and confidenSality § No protecSon for RF Packets L (vendor lied) § Predict IEEE 802.15.4 next seqnums to inject
A crypto aLack
Temperature Injec<on Live Demo
§ Designed an HMI Project § Developed an OPC based
driver for the HMI § Developed an exploita<on
framework (Map/Inject) § Chemical Safety Board (US)
background video § Cost of the aLack: $40 USD § Live Demo
38
KEEP CALM AND
GET TO THE CHOPPA!
Remote Memory Corrup<on § Iden<fy all the protocol fields § Memory corrup<on bug using unhandled values on
a parsing func<on § Remotely exploitable over the air
§ Plant Killer =>
§ We recorded a demo (no leak today)
40
41
SCADA
PLC
RTU
EFM
HMI
DCS
RF Modem
Vendor3 Devices
42
§ Company Profile § Self-‐proclaimed leader in process and industrial
automa<on, “Undisputed leader in sensors” § Clients: Nearly all manufacturing companies from
Fortune 500
§ 22.000 different products across 40 industries
§ Wireless System (Family) § Wireless Gateway
§ Master device used to control network <ming and comm traffic
§ Nodes § Collect data -‐> TX Gateway
Research
44
§ Wireless Family Technical Note:
“Mul<-‐layer security protocol protects your data”
§ Network Security § Data Security § Data Integrity and Control Reliability “The wireless I/O systems provide a level of security, data integrity, and reliability far exceeding most wireless systems on the market today”
Quotes (Network Security)
“This family is designed to completely eliminate all
Internet Protocol (IP) based security threats. Wi-‐Fi access points have the
poten<al to route any and all data packets, which is why these systems use
encryp<on”
45
Route packets => Use encrypSon
§ One model => Ethernet Data Radio
§ Uses AES-‐256 key J
§ Other? No encryp<on
Quotes (Data Security)
“The protocol only carries sensor data values. Only I/O data is transmiLed in
the wireless layer.” “A hacker, if they managed to receive wireless data, would only see the actual sensor data, not what the
sensor was reading or what role the sensor played within the wireless I/O
network."
46
§ Insecure I/O data § Sensor Readings § Binding codes
Quotes (Comm Protocols) “Widely used open protocols such as Wi-‐Fi have serious security issues. Even a high degree of
encryp<on may not protect your data. It is common for new
encryp<on schemes to be hacked within months of
implementa<on. Proprietary systems are more difficult to hack
than an open standard.”
47
§ Encryp<on is useless
§ Open standards are easier to hack
Quotes (Comm Protocols)
“Vendor achieves data security by using a proprietary
protocol, pseudo-‐random frequency hopping, and generic data transfer. The
protocol only carries I/O data, making it impossible for a
malicious executable file to be transmiLed.”
48
§ FHSS to avoid sniffing
§ The family is malware safe
Quotes (Integrity)
“When the data is transmiLed, a CRC algorithm ensures that the data arrives intact. If the CRC
algorithm fails, the corrupt data packet is discarded and the data is automa<cally retransmiLed using a new frequency during the next
communica<on cycle.”
49
§ Cyclic Redundancy Check
§ No integrity § No security § Only for network
errors
Quotes (Comm Protocols)
“This protocol does not operate like an open
protocol such as Wi-‐Fi and is not subject to the risks of an open protocol.”
50
Disclosure and Coordina<on
§ 8 vulnerabili<es reported (today’s vendors) § 1 patched => PRNG Vulnerability (ICSA-‐13-‐248-‐01) § Are vendors responsible? § Did they no<fy their customers? § Is documenta<on truly aligned? § Is firmware upgrade easy?
Conclusions (Securing the scheme)
52
§ Out of bands methods § Pre-‐share a strong secret for the ini<al link (eg: serial comm) § Also 802.15.4 AES Encryp<on at lower layers (MAC)
§ Secure the Node Physical Access (Mainly KDC) § Use hardware An<-‐tamper mechanisms § Audit Source Code // Audit Site regularly § ICS-‐CERT Hardening Guides § Don’t trust vendor’s documenta<on, go further.
Conclusions
53
§ Problem space has always been an open topic § The journey of keys allows prac<cal aLacks § WSN’s standards maturity is growing § Vendors can fail when implemen<ng them § No evidence of previous security reviews § Tes<ng the field loca<on is possible with the proper
Hardware and open source So_ware
CC1111 RZUSB TelosB HackRF
Aknowledgements
54
§ ICS/CERT – US/CERT § References: Piotr Szcezechowiak, Haowen Chan, A.
Perrig, Seyit A. Camtepe, Bulent Yener, Rob Havelt, Travis Goodspeed, Joshua Wright…
§ All IOAc<ve, Inc.
THANK YOU ! Lucas Apa (lucas.apa@ioac<ve.com)
Carlos Penagos (carlos.hollman@ioac<ve.com)
@lucasapa @binaryman<s