SCADA - Gateway to (s)hell

Speech transcript
Thomas Roth is a security researcher, specialising in exploitation techniques, reverse engineering and industrial security, and his talk today will be about SCADA: the gateway to (s)hell. One notice: this talk will be in English and will be translated into German as well. Thank you.

Yeah, welcome to my talk, Gateway to (s)hell. He already introduced me, but still: my name is Thomas, I'm a security researcher, I do a lot of firmware security, reverse engineering and so on, and you can find me on Twitter, or if you want to write me an email, feel free to send me one.

Before we start, a short introduction to the background of this talk. This year I did a few SCADA penetration tests, and I found that while the PLCs are pretty well covered in the security research area, all the small devices that surround SCADA environments are not really well covered. Recently there were bugs in Siemens PLCs and so on, and there's a lot of research going on about them, but there are also a ton of rather small Ethernet devices involved in industrial networks that are not really researched very well. All the devices that we're going to talk about are running their latest respective firmware, so unfortunately there will be zero-days, and these are not theoretical attacks: if you go to Shodan or a similar search engine you can find tens of thousands of these devices, vulnerable and open.

So let me give you a quick introduction into the terminology. In the title I say SCADA, but actually it should be ICS, which stands for industrial control systems, because basically ICS describes the whole system, from the supervision, the big room with all the big screens, down to the sensors, the actuators and so on that you will find in an installation. The term SCADA just describes the supervision and control centers, the big screens that you might know from the movies, where when the bad guy comes suddenly all the lights turn red. Then there's something called a PLC, which is a programmable logic controller. It's basically like an Arduino, just for industrial applications; they're really easy to program and you can get them from Siemens or Schneider and so on and so forth. Then there is something called an RTU, a remote terminal unit, which is a small device that originally, back in the day, was only used for monitoring, but today you can actually program a lot of RTUs, so it's kind of a mix between a PLC and a monitoring device; it's basically a PLC in a remote location.

All right, on to the actual topic: industrial control gateways. When you look at an industrial control network you'll find that there are a lot of different sensors and actuators, and a lot of them speak different protocols. For example, some might be serial, some might be Modbus and so on, and so you can buy these small gateways that connect all these different protocols to an IP network, for example to Ethernet or even to Wi-Fi. I've seen them in almost any industrial installation that I've been in: for example they're used in power utilities, they're used in water control systems, they're used to control the power grid, and so on. And the security concept is basically: these devices are air-gapped, so it doesn't really matter whether they're vulnerable or not fully up to date and so on. But that's not really true, because a lot of these devices, while they might be air-gapped, also have antennas, and they are interconnected via different wireless protocols such as Wi-Fi, LoRa or GSM, or even proprietary radio links. Even the vendors' case studies show that: in this case you would have a monitoring network that is connected over cellular to control the water mains and check the pressure, or even worse, they even recommend that you connect actuators, like valves and so on, over GPRS, which we know is not a secure protocol, to do anything that could be critical. Or you have stuff like water storage tanks that are controlled via Wi-Fi and so on, which are even public. So yeah, but these devices are air-gapped, no?

Attacking in that field: as I mentioned, if you go to Shodan you will find a ton of different devices which are on the internet. You can do the same via GPRS. If you look close to, for example, a dam or something, it's kind of interesting to look at an SDR or a similar radio scanner to see what's going on on the airwaves, because you'll find a ton of interesting stuff. And sometimes you can very trivially get physical access to these devices, because they might just be in a white box somewhere, hidden, and if you break into it you can pull out the SIM card, and that will put you directly into the SCADA network, if you are lucky.

So let's hack. The equipment you will need: everything in this talk was done on this desk, just using these devices. You just need a laptop, you need an oscilloscope or similar measurement equipment, just to ensure that you don't destroy your logic analyser, a logic analyser, a soldering iron, a multimeter and a power supply, and that's basically it. You can hack almost any embedded device using these devices.

To find potential targets, I first try to understand: how can I get the firmware of the device, or do I have to somehow use JTAG to get it out of the device? Can I actually buy the devices at a sensible price? Because some of these devices cost like 600 euros or so, and if you buy ten of them that gets expensive very quickly, so I need to check eBay and see what devices I can actually buy. And they should be somewhat current, because if you look at old devices, like ten years old, they're completely broken, you don't even have to start looking at the security.

So yeah, the first device that I chose to really look at was the Moxa W2150A, which is the small device which is also mounted on the board right here. In this case I found the firmware was available, and it looked like an interesting device because it has Wi-Fi, and so if I manage to break into it, I can potentially jump into the network. The W2150A is just a simple device: you can connect any serial or RS-485 device to it, and it will be bridged onto Ethernet or even Wi-Fi. You can download the firmware publicly, and it's available on eBay relatively cheap, like 150 bucks or something. So I downloaded the firmware, and I looked at the entropy of the firmware, and I immediately saw that the entropy is very high, which means either it's very compressed or it's encrypted. Using a tool called binwalk, which is really useful for looking into firmware, I saw that there was no compression detected, and so it was very likely that this firmware image is encrypted.
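The two checks the speaker has just described, entropy followed by a compression-signature scan, and the ARM condition-nibble trick he uses a moment later on the unencrypted 1.11 image, as an added example in C. This is not code from the talk or from Moxa: the two sample blobs are constructed inline (a real image would be read from a file, region by region), and the thresholds of 7.5 bits and 80 per cent are assumptions.

```c
/* Added example: two quick firmware-image triage heuristics.
 * Not code from the talk; sample blobs below are constructed, thresholds are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* log2(x) for x > 0 without linking libm: normalise x into [1,2) for the
 * integer part, then extract fraction bits one at a time by squaring. */
static double log2_nolibm(double x) {
    double r = 0.0, bit = 0.5;
    while (x >= 2.0) { x *= 0.5; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 40; i++) {
        x *= x;                                 /* now in [1,4) */
        if (x >= 2.0) { x *= 0.5; r += bit; }   /* fraction bit set */
        bit *= 0.5;
    }
    return r;
}

/* Shannon entropy in bits per byte (0.0 .. 8.0). Close to 8 means compressed
 * or encrypted; if binwalk then finds no compression signature, encryption is
 * the likely explanation, which is the reasoning used in the talk. */
double byte_entropy(const uint8_t *buf, size_t len) {
    size_t hist[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (hist[b] == 0) continue;
        double p = (double)hist[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Fraction of aligned little-endian 32-bit words whose top nibble is 0xE.
 * In A32 encoding bits 31..28 are the condition field, and unconditional
 * instructions use 0xE (AL), so plain ARM code scores close to 1 while
 * ciphertext scores about 1/16. Thumb code is not covered by this check. */
double arm_al_ratio(const uint8_t *buf, size_t len) {
    size_t words = len / 4, hits = 0;
    if (words == 0) return 0.0;
    for (size_t i = 0; i < words; i++)
        if ((buf[4 * i + 3] & 0xF0) == 0xE0) hits++;
    return (double)hits / (double)words;
}

int looks_encrypted_or_compressed(const uint8_t *buf, size_t len) {
    return byte_entropy(buf, len) > 7.5;   /* assumed threshold */
}

int looks_like_arm_code(const uint8_t *buf, size_t len) {
    return arm_al_ratio(buf, len) > 0.8;   /* assumed threshold */
}

/* Constructed sample 1: a small strlen-style A32 loop, repeated, standing in
 * for an unencrypted code region. One of the ten instructions (beq) is
 * conditional, so the AL ratio of this blob is 0.9. */
size_t build_arm_sample(uint8_t *out, size_t cap) {
    static const uint32_t code[10] = {
        0xE92D4010, /* push {r4, lr}     */
        0xE1A04000, /* mov  r4, r0       */
        0xE3A00000, /* mov  r0, #0       */
        0xE5D43000, /* loop: ldrb r3,[r4]*/
        0xE3530000, /* cmp  r3, #0       */
        0x0A000002, /* beq  done         */
        0xE2800001, /* add  r0, r0, #1   */
        0xE2844001, /* add  r4, r4, #1   */
        0xEAFFFFF9, /* b    loop         */
        0xE8BD8010, /* done: pop {r4, pc}*/
    };
    size_t n = 0;
    for (int rep = 0; rep < 8; rep++)
        for (int i = 0; i < 10 && n + 4 <= cap; i++) {
            out[n++] = (uint8_t)(code[i]);
            out[n++] = (uint8_t)(code[i] >> 8);
            out[n++] = (uint8_t)(code[i] >> 16);
            out[n++] = (uint8_t)(code[i] >> 24);
        }
    return n;
}

/* Constructed sample 2: pseudo-random bytes from an LCG, standing in for an
 * encrypted region (real ciphertext would come from the image). */
size_t build_random_sample(uint8_t *out, size_t cap) {
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < cap; i++) {
        x = x * 1664525u + 1013904223u;
        out[i] = (uint8_t)(x >> 24);
    }
    return cap;
}

int main(void) {
    uint8_t arm[512], enc[4096];
    size_t a = build_arm_sample(arm, sizeof arm);
    size_t e = build_random_sample(enc, sizeof enc);
    printf("arm sample: entropy %.2f bits/byte, AL ratio %.2f\n", byte_entropy(arm, a), arm_al_ratio(arm, a));
    printf("enc sample: entropy %.2f bits/byte, AL ratio %.2f\n", byte_entropy(enc, e), arm_al_ratio(enc, e));
    return 0;
}
```

Run it per region rather than over the whole file: the 1.11 image in the talk shows exactly that split, a low-entropy bootloader followed by high-entropy compressed file systems, so a single whole-image number hides the structure. The AL-nibble ratio only says something about A32 code; a high-entropy region that binwalk cannot match to a compression signature is the encryption hint the talk relies on.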
Then I noticed on the page that before you upgrade to version 2.1 of the firmware, you must first upgrade to firmware version 1.11. And I thought, that's interesting, let's look at the release notes for version 1.11, and it turns out that 1.11 adds the support for the encrypted firmware. So I downloaded the 1.11 firmware, and sure enough it's unencrypted. If you've ever done anything with ARM before, if you just look at the firmware as text you can immediately recognize whether it's ARM or not: the first four bits of each instruction are the condition bits, and those almost always use 0xE, so roughly every fourth byte is an E-something. You know this is ARM firmware, and it's not encrypted by anything else. And sure enough, running binwalk on this image, this time we see this huge chunk of low entropy, which is the bootloader and so on, and then high entropy, which is basically all the compressed file systems and so on. And then binwalk was able to detect the SquashFS file system and extract it for me, very, very nicely.

So my goal was: extract the firmware, find the firmware upgrade code, and somehow try to decipher the new firmware. I was browsing through the file system and found a shared object helpfully named after the firmware upgrade, and if we look into the symbols, which they likely didn't remove for whatever reason, there's a beautiful thing called firmware decrypt. So we load the whole thing into a disassembler, and we see that there's some fancy arithmetic going on in the bottom left corner. I'm going to walk you through what exactly is happening in this code. Basically, first there's a variable called password loaded into a register, and then a second variable is set, and it starts looping, increasing always by four, and goes through this whole thing. It turns out that this is the obfuscation method for the key: in the password in memory we have an obfuscated key, and we can de-obfuscate it by just reimplementing the code we see here in C, and sure enough eventually this will be used as the key for the AES-128 decryption. So I implemented the whole thing in C; it was almost a copy-paste from the decompiler, you can basically just copy the C code, fix the memory offsets and so on, and you have the whole key obfuscation method reverse-engineered almost automatically. So I compiled a small Moxa key decryption tool, and that gives us the key, which enables a script to decrypt the 2.1 firmware. And this time binwalk finds all the files, and we can see the file system here. The tool is available on my GitHub; I'll push the actual stuff after the talk, this is the first time I've shown this system and software.

At this point I knew that I can look into the firmware, and it's not signed or anything; the only verification method is a CRC32. So at this point I thought, OK, I can buy the device and do something. So I went to eBay, bought one, got it, screwed it open, and sure enough there's an ARM processor, a Freescale i.MX25, which is just a regular ARM processor, like 400 MHz or something. I probed all the small pins inside of the device to try to find JTAG or serial. I actually hooked up my power supply to a foot pedal, so I can just press with my foot to reset the device. And sure enough I found that there's a full serial console available on these things, and if you boot the device it even tells you: please press Enter to enter this console. So you do that, and you're root on the device. That's kind of cool, but it means that you require physical access, so it's not really a vulnerability, but it's very nice to have when doing security research, because you can suddenly debug all the code on the device, and writing an exploit is just attaching to the binary, very, very simple.

So then I was trying to look at the real services on the device. There's for example a web interface, there's a proprietary configuration protocol, there's Modbus, SNMP, the serial driver protocol and so on. I started at the web interface, and there was cross-site scripting, there was cross-site request forgery, there was insecure authentication where they basically hash on the client, so they have some JavaScript that hashes your password. Then there's a command injection which lets you execute code, there are stack overflows, and just a week ago there was a zero-day released for the device. So let me pull up the Moxa web interface here. This one is authenticated, so I just enter the default password, which, by the way, in the field 90 per cent of the time these devices will be configured with default credentials. If we just start browsing through this, go to the basic settings, we can start with a simple cross-site scripting, just in the device name: we put in some JavaScript, submit the whole thing, and hello 34C3. You're thinking: cross-site scripting, come on, that's not a vulnerability, that's nothing. So let's look at the ping utility in this device; by the way, a different device from Moxa that runs an entirely different firmware had the same vulnerability in the past. If I just paste in my ping, so my IP address, a semicolon, and then for example cat /etc/passwd, and activate it, eventually you can see that the command gets executed.

But I know what you're thinking: this is all the authenticated part of the interface, so we need something unauthenticated, we want something that's like a cool, real exploit. So I decided to look at this custom TCP protocol which runs on port 4900. My goal was to reverse-engineer the whole protocol and build a fuzzer for it to find vulnerabilities. That turned out not to be necessary: while doing some testing I just sent a lot of bytes to this thing, with crash debugging via the serial console enabled, and sure enough it crashed and put my program counter right at 0x41414141. Wonderful. Thank you. I don't have much time, so let's just demo this. I built a small script called Moxa pwn; we run it, just supply the IP address, open a second shell to connect to the device, and as you see we have a root shell. So that was the Moxa W2150A.

The next device I decided to look at was the Advantech EKI 15, which you can find right here, and it's again just a simple serial device server, this time without Wi-Fi, but they are available with Wi-Fi. It comes with two Ethernet ports, two serial ports and so on. I basically followed the same steps again: I looked at the firmware, and using binwalk this time we see almost no entropy, so this guy is basically completely unencrypted. It's again 32-bit, it runs on Linux kernel 2.6.31, and the whole software was last updated in 2005 while the firmware was released in 2017, so these are kind of outdated. During the initial analysis of the firmware I found the main binary, which does the dispatching, so I loaded it into IDA Pro and looked at the different things that it calls: calls to functions like strcpy, system, sprintf and so on, which in general are kind of considered insecure. And sure enough, by doing static analysis I found that there's some code for sending an email, which is done for example when the system reboots, and the full command invocation is a mail command string, and we have control over some parts of the string: we can configure the address and so on. If we look at what's happening here, it basically just sets up this mail string, then it includes the subject, then it gets some arguments from the stack and basically calls into system(), and there's no filtering going on. So we have an unfiltered part of a system() invocation: code execution. And this was before I had a device in my hand.

This is kind of a funny story: I first bought one, it was just 40 bucks, the small device, which runs the same firmware but the main functionality was broken. So I said, to go to the very end, let's buy another one, one of the bigger ones, and the bigger one looks like this: it comes with a Cavium CNS CPU, it has JTAG exposed on the bottom there, and a serial console is available again, without any authentication. So, beautiful: just connect your Bus Pirate or your UART adapter to it and you have a full root console. So again we have to look at finding vulnerabilities for this device, and there's again a ton of different services: there's the web interface, there's a proprietary configuration protocol, there's Telnet, there's SNMP, the serial driver protocol and so on. So again I looked at the web interface, and again: cross-site scripting, cross-site request forgery, command injection, broken authentication, which basically means if you log in from one computer (it uses HTTP digest authentication), you can connect from a completely different computer and it does not ask for a password. I don't know why; at first I was thinking I was doing something wrong, but it turned out it was just broken. And there's again a stack overflow in another protocol. So I guess, again, demo time.
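The system() call described above, as an added example in C. This is not Advantech's code: the mail command template, the field names and the validation rules are assumptions. It puts the vulnerable string construction next to a hardened version that allow-lists the configured address and hands an argv vector to execvp, so no shell ever parses the value.

```c
/* Added example: configurable mail address formatted into a system() command,
 * and one way to fix it. Not the firmware's code; template and rules are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE pattern (as described in the talk): configuration fields are
 * formatted into a single command line that is later handed to system().
 * A configured value such as "ops@example.org; cat /etc/passwd" becomes part
 * of the shell command. This function only builds and returns the string;
 * it never executes it. Returns the length, or -1 if it did not fit. */
int build_mail_command(char *out, size_t cap, const char *addr, const char *subject) {
    int n = snprintf(out, cap, "mail -s \"%s\" %s", subject, addr);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Allow-list check for the address: exactly one '@', something on both sides,
 * only [A-Za-z0-9._+-]. Shell metacharacters (; | & ` $ ( ) quotes, spaces)
 * are rejected rather than escaped. Returns 1 if acceptable, 0 otherwise. */
int valid_mail_address(const char *addr) {
    size_t len = strlen(addr), at = 0, ats = 0;
    if (len == 0 || len > 254) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') { ats++; at = i; continue; }
        if (!isalnum(c) && strchr("._+-", c) == NULL) return 0;
    }
    return ats == 1 && at > 0 && at < len - 1;
}

/* HARDENED: build an argv vector instead of a command line. The address can
 * only ever be one argument of mail(1); there is no shell to split it.
 * Returns the argument count (argv[count] is NULL) or -1 if rejected. */
int build_mail_argv(const char *addr, const char *subject, const char *argv[], size_t cap) {
    if (cap < 5 || !valid_mail_address(addr)) return -1;
    argv[0] = "mail";
    argv[1] = "-s";
    argv[2] = subject;
    argv[3] = addr;
    argv[4] = NULL;
    return 4;
}

/* Spawn mail(1) directly via fork/execvp. Returns the child's exit status,
 * or -1 on rejected input or process failure. Not called by the demo main. */
int send_mail_safe(const char *addr, const char *subject) {
    const char *argv[5];
    if (build_mail_argv(addr, subject, argv, 5) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                   /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed input: what an attacker would type into the address field. */
    const char *evil = "ops@example.org; cat /etc/passwd";
    char cmd[256];
    const char *argv[5];
    if (build_mail_command(cmd, sizeof cmd, evil, "reboot") > 0)
        printf("system() would receive: %s\n", cmd);
    printf("allow-list accepts it: %d\n", valid_mail_address(evil));
    printf("argv build result: %d\n", build_mail_argv(evil, "reboot", argv, 5));
    return 0;
}
```

The vulnerable function deliberately stops at the string; in the firmware that string goes to system(), and the shell splits it at the semicolon. The hardened path validates with an allow-list instead of trying to escape, and the subject would need the same treatment, because anything that ends up in argv is still interpreted by mail(1).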
Let's first look at the device itself. This is just a basic interface, and we can again just copy some basic JavaScript into the device description; I hit the Save button, reload, and there we go, cross-site scripting. Again, that's not really interesting, right? So let's look at the second one. Again I have a small script, Advantech pwn, for the EKI, and we have a root shell on the Advantech as well. Thank you. So, three devices basically broken already.

Let's look at the next one. This one was the Lantronix EDS2100, and this one is kind of interesting because it's not Linux; normally I almost exclusively do Linux, so this one was kind of interesting. This device, which is mounted somewhere right here, has two serial ports and two Ethernet ports, and you can buy it in two variants: one comes with Linux, and one with Evolution OS, which is, I guess, a proprietary operating system from Lantronix, and I'm using the Evolution OS variant in this talk. Looking at the firmware: it's unencrypted, it's ColdFire architecture, which I've never really done anything with before, and there are no obvious external software components. If you go through the firmware you find there's an SSH implementation, there's an SSL implementation, but it's not OpenSSL and it's not anything well known, and the same is true for the web server and so on; it's not anything that's well known. And this time, while I was probing the device, I did not really find anything interesting in terms of a serial console, just a potential debugger port, which I haven't looked at yet. The CPU runs at 160 MHz or something.

This time we actually have a web interface, Telnet, SSH, and it even has file system access like FTP and TFTP, which allows you to download the configuration and so on. It's kind of hard to secure correctly because there are so many protocols and it's not really clear what's on by default. But I have to give them this: the web interface was surprisingly secure. There was no cross-site scripting, there was no command injection; it doesn't really have a way to execute commands anyway. But I still found some stuff: one is a configuration injection, which allows you to change the format of the configuration using a different field, and I found an authentication bypass. So I was able to write a small piece of code which takes a while and then completely removes the password from the device. So if we connect to the Lantronix device, it will currently ask for a password, which we really don't have. So let's run Lantronix pwn. That worked, and the password is gone. I didn't expect the demos to go so smoothly, so I put in an hour for the talk, and this went very well so far.

So before we finish, some other devices, which are even worse. For example, as I mentioned, there are some other devices: this Advantech device, this Moxa device and this Lantronix device, which are basically the predecessors of the other devices, and those guys are really interesting to look at, or sad, we could say. Some of those are running eCos, which is an embedded open-source platform which was last released in 2009, and some devices are running a Linux kernel with version 2.4, uClinux, without any memory protection whatsoever, so even a small stack overflow in one of the user-space applications gives you full root access to the device, because you can directly exploit the kernel. And they have publicly known vulnerabilities. In the first penetration test that I did, this device was actually included, a Moxa NPort, a small one, and I found that using SNMP it gives you back the administration password, if I remember correctly. So I went online, I tried to report it, and it turns out it's well known: there's a Metasploit module for this, and it's unfixed, and these devices are still supported, so I don't know why the vendor doesn't patch.

So, in summary: there are trivial vulnerabilities in most devices, at least all that I've looked at, and there are no security mitigations whatsoever; they don't even enable the compiler flags that you just set and then you have at least some kind of stack protection and whatnot. And some vendors are really bad at responding to vulnerability reports. Now, I'm not going to name the vendor, but I asked them to please give me a security contact, and they responded: use our contact form. I said, I've done that three times, I sent you emails, you're not responding to me, and then they stopped responding to that as well.

So how to mitigate? Well, the only way that I would see to mitigate against this, and I'm on the destructive side of the story, is defense in depth. Never directly link any of these devices to the internet, even if they say they support it, even if they say it's a secure device, whatever; just don't, get a real gateway. And make sure that you never rely on a single layer of, for example, encryption. WPA2 was broken by the KRACK attack, and they actually released a patch for it after two months, and that's still two months where you're exposed to a vulnerability on a potentially mission-critical system. And also never use GPRS for these devices if you can avoid it, because it will just go wrong. Thank you.

Thank you. We have time for a Q&A; please line up at the microphones. We have someone at microphone four already.

This touches on a lot of things. This is obviously a problem, and it's part of a bigger problem of security in IT, in anything related to any kind of technology, and this is only going to get worse with time, right, the Internet of Shit, and so on and so forth. So my question is: you gave some ideas to help mitigate this in this very specific area. The community is not very fond of regulation, right; when we see a government trying to do something with technology, that usually goes bad, and we have this idea in our heads that it can only go bad. But my question is: do you think that perhaps there is some space for regulation here?

There's definitely space for regulation, but I think regulation does not solve the underlying technical issues. These devices, in 2017, are written in C code, and that's just asking for trouble, basically. So we really need to see the shift, even in the embedded world, to memory-safe languages, for example Rust or something similar, and we need to stop using C in this kind of context. But yes, there's definitely space for regulation.

There was a question from the internet. The internet wants to know why you are not naming the vendor.

Because that looks like it's the only option, basically: because they don't respond to you. So ask them on Twitter; my handle is right there, and if you look on Twitter it will probably be obvious. I did not name them, just for the record.

We have a question from microphone number two.

You showed an exploit for the last device that disabled authentication. What did you use to achieve that?

This one is unpatched and not yet fixed, so I would rather not disclose the details.

Microphone number one.

I wonder if you've also been looking at building automation systems and control systems, or just industrial processes?

You can use these devices basically wherever you want, and I think some of the Moxa ones are used in home automation, but I haven't looked at that in a lot of detail; I'm more on the industrial sector at the moment.

Thank you. Microphone three.

Hi. Any field experience, or even just opinions, on using industrial-strength Raspberry Pi hardware with community-supported Linux distributions or something like that, or BSD, whatever, on them?

I guess the big trouble there is support, right. There are some German companies that provide support for industrial Raspberry Pis, and even casings and so on, but I'm not sure if the Raspberry Pi is really the way to go here; I think there are better boards. But the problem is not the underlying hardware platform, what matters is the software, and you will have the same issues on the Raspberry Pi. I guess you could buy these devices, which are industrial-grade, shock-proof and whatnot, and put something on them; some of them do it better, but I don't think that the hardware platform will change anything at the moment.

Another question from microphone number four.

A more social question: did you get in contact with the development teams of any of these companies? Might it be that there's just no one behind the emails?

I guess some of these companies are really so big that they don't reply to you if you don't have a support contract with them. But for example the support of all the ones that are not the one I mentioned is kind of decent when it comes to security reports. So my next step will be to go via the ICS-CERT to report them. So yes, there are development teams that you can get in contact with, just not at all vendors.

We have another question from the internet. The internet wants to know what to do about the legacy devices in the field: how do you propose a vendor should deal with legacy devices?

Keeping legacy devices supported is very expensive, because for example if you buy a Qualcomm chip, they will eventually drop support for the Linux kernel and so on, but if you buy, like, a Freescale automotive chip, they guarantee you a certain time of support, and then you actually have to invest the money to regularly provide the updates to ensure that your devices are secure. And the problem is that the lifetime of industrial installations currently is much longer than the lifetime of processor support and so on. So I guess we'll have to get used to upgrading our hardware regularly, or find a different way of securing them. But really, the underlying problem is that we are still using memory-unsafe languages, and I guess that just shows that there is no security awareness at those vendors whatsoever, at least at some of them.

Microphone number two.

I was wondering, you mentioned that some of these facilities use GPRS. Do you know if they have mostly their own closed infrastructure, or are they using general consumer telecom stuff?

They will use commercial networks mostly, and then they have custom-made SIMs which have an IP, something similar to a VPN to the premises. But there's also a company that sells industrial SIM cards which give you a public IP, and you don't want to search Shodan for that.

Thank you. Is there a question from microphone number three?

There's an economics angle. We're not talking about devices that cost 300 bucks, and you can hire someone who does security. Wouldn't the problem be solved if a large organization had a security audit done, went to the aforementioned vendors and said: deploy something that's not trivially hackable, otherwise we stop buying your rubbish?

I mean, it's the same in all of IT, right, so everything has vulnerabilities, and yes, there should be market pressure, but that's why I'm trying to raise awareness for the issues these devices have.

And there's another question from the internet. The internet wants to know how, and whether it's a good idea, to raise awareness in the public, because they think it's a good approach to make the public know that they have vulnerable infrastructure in their cities.

Can you repeat the first part of the question?

They want to know how to raise awareness for this in the public.

Good question. I guess we need some news articles or something about this in the regular papers, but I personally think it's just an accident waiting to happen, and so eventually someone will turn off the lights in a city or wherever, or will open the floodgates or something, and that's when it will start.

A similar question from microphone number four.

For what kind of industrial processes are these devices used?

I've seen them in a power utility, I know they're used in water control systems, they're used to connect a CNC machine to the network, they're used for collecting all kinds of stuff. If you have a big plant, you have a ton of different sensors; you might need a water level sensor, and for whatever reason you can only get it with a Modbus interface, and then you need to convert the Modbus to TCP with one of these gateways. I've seen twenty of them in one cabinet. So they're really all over the place.

There's another question from the internet. They want to know if you did any research on MQTT, for example.

I actually talked to someone who recommended that I look at MQTT, but I have not looked at it yet.

And there's another question from microphone three.

Could you show the Moxa pwn again? I would like to double-check the process.

OK, here you go. I think this browser isn't very secure.

Thank you. Any more questions? The internet wants to know how a memory-safe language would prevent the authentication bypass.

No, it would not, but it protects against a ton of other stuff. That's just one example of where the industry needs to change: we need to stop using memory-unsafe languages, we need to start really thinking about security by design from the start, and in 2017 there's no excuse for having cross-site scripting or anything like that on a page. Also, if you go to the Lantronix web interface and click log out, it tells you: logout is not supported in your browser. Probably because I'm not using Internet Explorer 5.

So there's another question from microphone number three.

About the part where you did the stack overflow: what I'm wondering is, isn't it very standard to have ASLR on these devices?

I know that it should be, but it isn't.

That's pretty much the questions. Is there another question from the internet? Doesn't seem like it. So this is the last one, which just came in.

Metadata

Formal metadata

Title: SCADA - Gateway to (s)hell
Subtitle: Hacking industrial control gateways
Series title: 34th Chaos Communication Congress
Author: Roth, Thomas
License: CC Attribution 4.0 International: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/34823
Publisher: Chaos Computer Club e.V.
Year of publication: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: Small gateways connect all kinds of fieldbusses to IP systems. This talk will look at the (in)security of those gateways, starting with simple vulnerabilities, and then deep diving into reverse-engineering the firmware and breaking the encryption of firmware upgrades. The found vulnerabilities will then be demonstrated live on a portable SCADA system.
Keywords: Security