Exploiting seismological networks... Remotely
Formal metadata
Title | Exploiting seismological networks... Remotely
Series title | DEF CON 24
Number of parts | 93
License | CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you name the author/rights holder in the way they specify.
Identifiers | 10.5446/36220 (DOI)
DEF CON 24, part 85 / 93
Transcript: English (automatically generated)
00:00
Let's get this show rolling! Woo! Woo! So please give a warm round of applause to our two speakers, James and Bertin, who will be adding one more thing to my list of things to worry about, which is hacking seismological networks. So please. Now, can you hear me? Oh,
00:27
awesome. Okay guys, welcome to our talk. This is called Exploiting and Attacking Seismological Networks Remotely. My name is Bertin, this is my colleague James Jara, we are from Costa Rica and we are here to share the results of
00:45
our last research. So okay, this is our disclaimer. First of all, this is not a typical talk; of course, this is a technical talk. Probably it is the first research of this kind. All vulnerabilities that we found have been correctly reported to the US-CERT and they
01:05
contacted the vendor affected. We are not responsible for the actions that someone can take after attending this talk. Okay. So hello guys. Hello. This is okay, ready. So who we
01:23
are. The agenda for today is this one: so who we are, we don't really know. The motivation behind this research, how we got into these devices, how we found them. We will also talk about the risks and the impact, who is getting affected by
01:41
attacking these devices. Also we will talk a little bit about the seismological instrumentation in order to understand this research better. Also about the internals, deployments on the earth and in the ocean as well, about network topology, also how we got into the vulnerabilities phase, also about the
02:05
firmware analysis, attack vectors, post-exploitation, and finally we get into some conclusions and recommendations. Okay, so my name is Bertin, as I mentioned at the beginning; my colleague James; we are from Costa Rica, San José. We are the co-founders of the
02:25
NetDB project, the network database project, which is a search engine for IoT devices. It's a project that I started 5 years ago, and then James joined into my idea
02:40
and we started working very hard from 2 years ago on the framework and the tool. As I mentioned before, from San José; probably many of you know our country. Because... Thanks. Because it's a nice place to live and visit. You are
03:02
welcome anytime you want to visit us. We have a lot of beaches. Not bitches. So you're welcome. It's a very, very nice place to live. We don't have armies, so everything is pretty much cool and relaxed. Okay, the motivation for this talk: why are we interested in
03:25
seismological networks? Well, an attacker is not interested in attacking these devices, because we haven't seen any research previously in this field. It's pretty weird. Actually, if you take a look in the Snowden docs, if you look for the
03:45
string seismological, seismic, Snowden doesn't mention anything about it. And that was pretty much interesting for me. Who could be interested? I think governments, you know, in order to sabotage other countries' seismological networks. This
04:06
is a new and cool attack scenario, because these devices are placed in strange environments, like in the middle of the ocean or underground around volcanoes and specific areas. You're playing with devices that measure natural
04:26
disasters. So it's very risky. This could lead to financial sabotage of a specific company or country. The vendor of these instruments doesn't have
04:40
any sense of computer security at all. I'm going to show you: remote access, remote exploitation. So all the things that I mentioned gave this research the power to continue until today. Okay, how we discovered these devices.
05:03
So, how we discovered these devices. We have, as we told you before, an IoT search engine. So let's see a demo about how we got into this device. Okay, let me show you guys very quickly, because it's not the main focus of the talk. This is the NetDB web
05:23
application. You can perform queries using our query builder and tools. You can search in HTML, IP, ports, URL, HTTP headers, countries, SSL certificates as well,
05:41
fingerprints, and so on. There are a lot of options. So in this particular... what happened here? Sorry. Sorry. Okay, sorry. Okay, in this particular example we are asking NetDB for a specific IP address. We are indexing, come on, we
06:05
are indexing from this IP 3 ports in this example: LDAP over SSL with the respective certificate, and an HTTP server on port 80. If you take a
06:20
look at the same IP address in another search engine very well known to you, Shodan, it doesn't have any results. So I'm not saying that we are doing a better job scanning the internet, but we are doing something that they are not doing. We are using another strategy to get the results, so we are focusing on
06:45
getting as much data as possible. Yeah, well, basically that is NetDB, and this is how we were able to get into the seismograph: just looking into the HTTP header labels.
07:00
Okay. So as you can see we have a lot of fingerprints of many devices, so one day, after we had done a lot of research, and thanks to this search engine, we saw a keyword, a very curious keyword. So we have another demo in which we will see how we got
07:23
into this particular device. Okay. So let's see the demo. So this is NetDB in
07:42
action. As you can see, I'm asking NetDB for a particular string, which is Taurus. That string is available in the server label in the HTTP header of these two IP addresses. So
08:02
you can see the fingerprint: Jetty 5.1.x, Linux 2.4.24, NMX Taurus. That was pretty much new for us, and I noticed when you connect directly to the web server
08:24
running on port 80 you will get into this dashboard, and you are seeing something very unusual. I have seen many researches about VNCs open on the internet and many other servers, but I hadn't seen this before in my life. I have seen many,
08:44
many servers, but this one was pretty much different, because it's giving you readings, it's giving you voltage readings, power and waveforms. You can see the waveforms; there is an option called waveforms, and you can refresh these
09:06
waveforms every few seconds. So at the beginning I was not sure about exactly what this thing was. So for that reason I started the research. Okay. For some strange
09:37
reason you find a unique fingerprint among the millions of fingerprints that we
09:42
have and are currently collecting with NetDB on the public internet. So what is Taurus? That's the question now. So we have the web server, we have the readings, we have everything, we have access and we can track them. We know the fingerprints already, so we can start tracking them on the internet. But what
10:04
is it? Okay. What is Taurus? It's a portable digital seismograph. It's developed by Nanometrics, a company based in Canada. And when you take a look
10:23
at the official documentation you will know that it's pretty much connected directly to the broadband seismometer, which is called Trillium 240. And then all the data coming from the broadband seismometer is routed to the portable
10:41
digital seismograph and then to the acquisition center. Also, it could be connected to a geophone. These geophones are devices that are placed in the middle of the oceans in order to understand better the sounds of the seismic waves in the middle of the ocean. So what is a seismometer? Seismometers are instruments that
11:08
measure the motion of the ground. They are reading the wave movements from earthquakes, volcanic eruptions, or different sources. From Wikipedia we read
11:22
there are different common applications like earthquake detection, fracking, drilling, also mine safety, structural analysis. So, continuing with the reading of the research. So we asked, for example, which is the organization that keeps the
11:47
standards, protocols and all the rules to get these devices properly working globally in the world. So I found the International Federation of Digital
12:03
Seismograph Networks. This organization keeps up to date the SEED reference manual, which is the standard protocol for earthquake information exchange and all the digital seismograph worldwide networks. So these devices provide the
12:31
real location just by connecting directly to the web server. As you can see, you can go to the timing option and you will notice that the location area is
12:44
providing you the latitude, the longitude and the altitude, according to their exact location somewhere in the world. So there is a demo showing you
13:01
how we were able to find a seismograph in the middle of the ocean. So let's take this data from this real production seismograph and let's ask Google for this location, and you will notice that it's placed in a very
13:26
cool area. So let's go to Google, to the exact location, and there you go. This place is
13:43
in the middle of the ocean in Europe, between the UK and Norway and Denmark. So we said, well, this is cool, because this device is running in an autonomous way in the
14:00
middle of the ocean, so let's attack this thing. So it's pretty cool, because I haven't seen someone exploiting something in the middle of the ocean, so let's do it. No? Okay. NetDB is giving us not their exact location, because we are using the MaxMind databases in order to query the location of all the IP addresses that we find
14:24
every second. But it's pretty much accurate, because it's telling us, well, your device is located in some ISP in the UK. So this is another example of how you can use Google
14:46
Street View in order to query the same information, and we found this seismograph located in Marlow, Oklahoma. Is this the same one here? This is the coordinate, and asking Google, it's telling us, well, it's inside that property, but Google Street
15:07
View doesn't have access to the property, so you're not able to get more inside the property, but it's in there. So it's pretty cool. So which is the impact? I was looking for the real impact in the real world. So first of all, no one else has ever
15:26
done, as we told before, security research about this field. So we know that we can perform a denial of service. Also we can take advantage of the web server
15:42
applications, and then we get into the web application vulnerabilities. We see that there are several bugs, information disclosure in the web application, which is using, as we said, a Jetty server. Also this can lead to economic impact for the oil and
16:03
gas research of a specific company. There are other fields like the military industry and unknown areas. Yeah. Okay, another company, which is called PGS, sells these
16:21
components or these networks in order to perform gas and oil recovery. So this caught my attention, because you can see that there are more applications for this technology, not just for earthquake detection or
16:44
earth understanding. So, vendors found in this research: Güralp Systems, g-well instruments, Zara; also there are other vendors, but the most affected is
17:02
Nanometrics, which claims that they are the world leader in seismological instruments and networks. Also you can take a look and google for white papers regarding instrumentation and earthquakes in order to understand better how these devices work. Because it's pretty much a science field. So it's not
17:27
very familiar for us as security researchers. So it was pretty difficult for me to understand exactly how these devices work. So I had to request some help from an organization in my country which is called OVSICORI. And they provided me some
17:44
information regarding how they work, and I explained to them exactly, well, I got a shell here in this thing, so they told me, well bro, we are screwed, basically. A lot of mathematics, a lot of physics, so if you're interested you can take a look.
18:05
This is an example of other seismological instrumentation. This is an example about how to use geophones and hydrophones
18:20
in order to catch the sounds from the ocean and to catch the movements from the earth. But in the first example they are producing a fake movement in order to get into the gas and oil. So I found a demo from a company
18:45
doing this. And let's take a look at how they are being deployed and how they are producing the fake movement in the earth in order to get into the gas and oil sources. So as you can see, each point represents a little sensor that is
19:08
a sensor. But you notice that they have big trucks and they in some way stimulate the earth in order to get the response and check, well, there is gas and oil, so let's dig
19:24
into it. This truck is collecting all the data from the network, and then it is sent to the acquisition main center. So this is where we are attacking: each of these
19:40
little devices. So let's take a look at how they look in typical configurations.
20:06
As we can see, we have the sensor and we have the portable digital seismograph. So basically the portable one is the small piece on the top left of the image. We have the broadband seismometer at the bottom, which is called
20:24
Taurus. Which are the internals of these devices? They are Linux-based operating systems. They have a remote management system. They have several services like SSH, telnet, HTTP; the web server is Jetty. They have a really
20:45
accurate GPS that can be used to get, you know, the exact location of the device. Also they basically are made for ocean bottom deployment, in this case the Trillium. They have a battery that can make the device last a long time, I mean
21:07
years, in the ocean. In this case we have a sophisticated image in which we can see a horizontal sensor, a vertical sensor. We have a... thermometers. Yeah, sorry.
21:23
And another layer for seismological and electronic stuff. In this image, this is a pretty expensive device, so we are not able to get one. So this is an HD photograph in which we can see the several components of this
21:43
device. So what about the deployment options? We have two cases. The first one is for the earth deployment and the second one is for the ocean bottom deployment. For the first one, as a stand-alone deployment, it is typically running in
22:03
that mode and does not require a network connection. For the second one it will work as a network element. So in this case the user must configure the Taurus with the acquisition server IP. So the Taurus will be streaming the data to the acquisition
22:24
server using the NP protocol. That means Nanometrics Protocol. Okay, geophysicists depend on seismometers to monitor earthquakes generated by the motion of the tectonic plates that form the earth's crust. In order to function, the instrument needs to
22:43
be leveled prior to operation. That's easy enough for a device deployed on dry land, but when it comes to a seismometer placed on the ocean floor thousands of feet below the surface, the process gets a bit more challenging. As you can
23:02
see, the earth deployment is pretty simple. You know, it's a small device and it's simple to deploy. But now let's see a topology of this seismological network. Before jumping into the ocean deployment, this is how it looks as a
23:20
seismological network. In this scenario we have three different communication types. The first one is VSAT, the second one is ADSL and the third one is a GPRS modem. So basically the data comes from the sensor and is sent by the Taurus to the acquisition server. Well, this is a typical ocean bottom deployment.
23:50
They're using autonomous underwater vehicles, also known as AUVs. This is a pretty expensive deployment, because you need several ships and several
24:06
AUVs. And each of these sensors and digital seismographs has a cost of around $30,000 each. So it's a pretty expensive infrastructure. This is an example about
24:25
how the dashboard looks which receives all the data coming from the remote stations, in this case the seismograph. This is software provided also by Nanometrics which is called antenna. And it can provide you the exact location
24:43
and a nice web GUI. But it's not the focus of the talk today. There is also an open source web server that can also collect the data coming from these stations, which is called SeisComP3. If you are interested, take a look at the open source
25:02
seismological technology. Okay, the challenge, as I mentioned, is pretty high. In order to function, these instruments need to be leveled prior to operation. It's not easy when it's a thousand feet down on the ocean floor. So I
25:24
would like to share with you a video about how this works. Actually we have sound, no sound. Well, this is a quick demo. Well, not a demo,
25:59
it's just in order to take a look at how these engineers work in the ocean
26:07
deploying these devices. You can see this is the AUV, and that antenna that you can see is the GPS antenna. Inside that glass bowl is the cylinder with the sensor. So
26:50
this device has an autonomy of 8 months. Also they can be powered by a solar cell. Also in some cases they can be provided with a long-term battery, because they need
27:09
power for their operation. So there you go. This is going straight to
27:21
the ocean. Okay. Seismometers capture a transient phenomenon. If an
27:41
instrument malfunctions, whether it is at the bottom of the ocean or at the top of an ice cap, the data is lost forever. So it's telling us, okay, if you can deny the service of this thing, you will lose a lot of data. And what happens if you do the same with one thousand or two thousand of these devices at the same time? So this could impact a
28:05
lot the research that these engineers are doing. "You need to be absolutely sure," that is what the director of marketing of Nanometrics says. So what about the vulnerability research?
28:25
We started looking at how to get a shell on the device. So we started looking first for the firmware on Google and other services. But it was pretty difficult to get it. So what I did was look, with my friend, for the firmware using other techniques. So
28:44
let's explain that. Okay, so the firmware was not very easy to find on the internet when I started looking for it. So I decided to send an email directly to the support, Nanometrics support. And they replied to me 10 minutes later. And
29:07
they told me: welcome, you're welcome, voilà. So I'm going to give you a username and a password in order to get all the documentation and all the firmware and all the software in front of us. Okay, so I said, well, pretty cool. And the
29:24
same day I started downloading everything, the firmware and all the stuff available. Because they gave me access, I haven't done anything illegal here or something weird. It was just a simple email requesting access to the firmware, and they
29:41
were very gentle to provide me access to that database. Okay, so there's the firmware, finally. It is a tgz file which contains a lot of scripts and bash. So basically you don't need to use a binwalk tool or a binwalk mod in order to
30:04
take a look into the firmware, like with other firmwares available in IoT devices. So I thought, well, you're probably kidding me, because there is a script called Taurus install, a .sh file, which is pretty much a bunch of bash
30:25
commands. So imagine that you could inject a bash command inside that script and then upload it to the sensor, to the Taurus, and you will probably get a backdoor running always, so nothing complicated for us. Okay, after 3 days they sent
30:51
me an email. It said: Nanometrics software and firmware can only be provided to registered customers, and I do not see your organization registered in
31:03
our customer database. So what is the serial number of the Taurus you wish to upgrade? So they cut off all my access to the database, but it was too late for them, because I already had all the documentation and all the firmware. So, starting to dig into the firmware, I was able to get all the passwords: the root password of the SSH daemon, the
31:26
password of the web server, the password of the telnet, FTP and everything. And also I found several backdoors that are not well documented in the official documentation. So,
31:41
too much talk, I know; it's pretty hard for you, all this information, I know it's pretty heavy. So let's take a look at the demo. So this is the shell
32:04
with the default password and the SSH daemon. So who am I? I'm root, of course. Let's ask the system for its name, and you know, it's NMX Taurus. And after that,
32:22
what happened in the middle of the ocean is the following. That's it. Well exploit. Um
32:50
let's take a look here again. So basically uh now we have a root shell, we have the highest privilege on the system. We can do whatever we want. Uh we have uh busy box shells
33:06
also. Uh we have access uh to all the system components, to all the uh threads, everything. Everything is completely compromised after after you get the the default password for the SSH server. So you can see there are a lot of profiles. So you can
33:25
go straight to users txt template and which are all the users and plain text. And you will notice uh that there is something called factory which is not documented and then central tech and user. And the password is the same for for all the users. Uh central
33:46
central tech tech and user user. And the factory back door which is not in the official documentation. Um these these users are from the web application specifically. So
34:03
let's continue taking a look into the system file. You get the PSW file. So let's do a cut. Um more users. You notice that uh the SSH password is not um is not in here.
34:26
Was uh in in other file. But was only available um unpacking the the the finger. So
34:49
so the password uh was uh dolphin 18 for the SSH server. I don't know why they choose uh that um uh pretty much uh innocent password. I don't know. Nothing
35:01
related to the system or the or the field. Dolphin 18. So now we have access to uh user um a back door user. A lot of vulnerabilities. Um let's test some vulnerabilities. And I wouldn't call this uh zero day. Uh but no one else uh
35:22
previously uh found this uh bug before in the system until I reported to the US cert. And actually nanometrics um confirms the issue. But they told me well um yeah the bug is in there. Um you win. But uh I think that there is no way to exploit this um
35:43
remotely. But it's in there. So well, I think that an attacker with a lot of creativity can exploit this remotely. So let's take a look at the video, in order to show you how the bug works perfectly. Let me rewind this. Okay. There you go.
36:16
Also you notice that we have access to all the interfaces. So we can turn off or turn
36:24
on the interfaces. So this is the bug, the Shellshock bug. It's completely vulnerable. And that's it. So more bugs and errors. You can see traces.
36:47
So here is an example of when we were trying to put down the Jetty server. We noticed that it's pretty easy to crash it, with just a pushing technique,
37:03
sending random data over this Jetty server, because they don't have enough memory. Yeah, you can actually send crafted URLs in order to get these traces. So you will get a lot of information disclosure and messages. Okay. So
37:25
another vendor affected that we noticed is Güralp Systems, specifically in the SSL protocol. These devices are running an HTTPS server, with the full Heartbleed
37:42
bug enabled. And also, using our platform NetDB, you can query the SSL certificate for the string Güralp Systems, and you will get directly into the Güralp seismometers. So let's talk a little about protocol and
38:03
communication stuff. These devices are using SEED. SEED is the protocol, the data format used internally, primarily for the exchange of seismological time series data and related metadata. So the nomenclature of the SEED format has four components. The
38:26
first one is the network code: one to two characters to identify the owner of the data. The second one is the station code: one to five characters for the station recording the data, because there could be several stations. The location ID identifies the
38:44
different data streams for a single station. And the last one, the channel code, which is the most important, contains the band, sample rate, type and orientation of the sensor. So if you want to know more about the SEED protocol you can get into the reference manual
39:04
that you can see on the web page. Well, this is an example of Güralp Systems employees and the networking, using a screen server or something like that. Well, our attack now: we have a root shell, but we need to do something more. We are not just
39:23
happy having a root shell on a seismograph in the middle of the ocean, so we need to do something else. So I thought, well, I have access to the protocol, I have access to the device, so let's do a man-in-the-middle attack on all the data coming from there and being streamed directly to the acquisition center. So my position now would be
39:43
in the middle, between the station and the acquisition center. Because these packets are not being sent using any type of encryption. There is no SSL, there is no PP tunnel, there is nothing. These packets are being routed to the public internet without any
40:01
protection. This is an example of how the packet header and the packet look. This is pretty much representative; it's not the exact packet, I did it just for you, in order to understand better how the packet looks. Basically it's an XML file which contains all the information regarding the latitude
40:25
and longitude, and this is the main focus of the man-in-the-middle attack, because we can modify in our proxy the latitude and longitude and this is going to be injected directly into the main acquisition center as false data or a false positive. So we can
40:43
plug the acquisition center with false data. Let me show you the demo of the man-in-the-middle attack. Demo 6. So there's the same thing, the same seismograph in
41:09
the middle of the ocean, but this time these devices have an option called communications. So they can stream packets in an autonomous way to any specific IP address
41:24
that you provide to them. So let's take a look. Let's create a new profile in order to route all the traffic to my proxy. You need to go to data streaming. You
41:41
will notice that there are some profiles in this seismograph, these three main profiles, but we are not going to touch anything. We are going to create a new one just for the proof of concept. Okay. So let's provide our IP address. And after pressing the
42:04
apply button this seismograph is going to start sending me all the information coming from the earth. And you will see, on the right, tcpdump running. This is our proxy in this case. And you will see all the data coming straight to our proxy. And
42:27
what I'm going to do is modify the latitude and longitude and then replace our IP address with the original main acquisition center IP address, because it's using UDP. As you know, UDP packets don't use any sequence mechanism like TCP,
42:48
so you can spoof the IP address, and that's it. So, conclusions: we are able to locate
43:03
these devices anywhere in the world. We are in control of the device, the network and the software running on it. There is no SSL in communications. These devices help engineers to save people who don't understand the earth. And vendors, please do better and think about security for devices that help us to protect our people and the
43:22
world. Yup. So recommendations: basically, think about security when you code this equipment, and that's it. In case you have any questions, just let us know. Thanks. Thanks.