Hacking PLCs and Causing Havoc on Critical Infrastructures
Formal Metadata
Number of Parts | 322
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/39750 (DOI)
Transcript: English (auto-generated)
00:00
Alright, it's about that time to get the show on the road, so everyone please give a very warm welcome to Thiago, who will be talking about hacking PLCs.
00:21
I have a little experiment, sorry I have a little experiment here, and it took a little longer to set up than I was expecting. But I am very very happy to be here at DEFCON today, and I was honestly expecting like 50 maybe 100 people.
00:42
So thank you guys for taking the time to be here on Saturday morning and listen to me. I am Thiago Alves, and a little bit about me. I am a PhD student at UAH, and I also work at the Center for Cybersecurity Research and
01:02
Education, it's called CCRE, at the university. And yes, this is what I do. I love to hack stuff, and I try to break as many things as I can. And I'm also the creator of the Open PLC project, if you guys haven't heard of it,
01:21
you'll hear about it a little bit today. Hands up if somebody has heard about Open PLC before. Wow, thank you, that's great, that's great, thank you. Also today, it's a very important day for me, because this trip to Vegas marks our 9th
01:42
year anniversary, me and my wife are together for 9 years, and yeah, I used to have more hair back then, but she's still pretty, the same way, right, so I'm a lucky guy. And she always complained about being like, slowing me down because now we have kids
02:04
and I have other things to focus on, but I keep telling her that if you want to go fast, you go alone. Life is not about speed, but if you want to go further, if you want to go far, you go together. That's why I'm here, that's because of you, right?
02:22
And I'm very happy I invited her to be here at my talk, thank you. And she has a very important job actually, because I have really bad jokes, and she laughs at all of them, so if you hear her laughing, just please laugh as well. So we have a nice presentation, okay?
02:43
So a little outline about today, I'm going to start with a background info, you know a little bit about PLCs, if you guys know about PLCs, I'll try to go fast, if you don't know about PLCs, please pay attention because I will go fast. Then we'll go and talk a little about attack vectors, some stuff we can do to break those
03:03
things, and finally we'll demo, if the demo demons haven't gotten me, because I didn't have enough time to set up, so hopefully things will go out fine. So what is a PLC, after all? It is, that's what it looks like, right? It's a brick, and it stands for Programmable Logic Controller, and basically it's a digital
03:26
computer, right? It's been used in automation since 1970, so it's a long time ago, and basically it is an embedded system with a CPU, some RAM, some ROM, some flash nowadays, and you put your program in there, you run your program, and your program decides what to do with the input
03:45
data it senses from the input modules the PLC has. So PLC has a bunch of inputs, a bunch of outputs, I have three PLCs set up here, trying to heat water, and they're doing a poor job doing that.
04:02
But then you program those devices to any logic you want, and it has output modules to control real life stuff, right? So for example, in this setup, it's controlling the heater based on the temperature sensor that is attached to the input module. And you will see PLCs in many different places.
04:21
So here I have like a dam, a substation, a gas distribution system, and a petrochemical facility, PLCs are there. And you imagine what happens if you hack into those PLCs and make them crash, right? Or change a setting. So for all those situations, a disaster will follow if you break into a PLC.
04:44
Because they are controlling large, huge stuff that can cause even physical damage and life loss, right? So what is the problem with the current PLCs we have? First of all, they are freaking expensive. You know, if you're building an embedded system, it shouldn't cost that much.
05:04
Nowadays there are some companies selling what they call cheapo PLCs, you can buy one for like $100 or $200, but then they get you on software. There are companies selling software, programming software, for PLCs that are up to $5,000 per station.
05:21
And that is ridiculous, right? That is ridiculous. And also they rely on very legacy technology. PLCs were built like 40 years ago. And that's also a major problem because this legacy technology was created at a time that internet didn't exist. So they use insecure protocols to communicate.
05:42
Most companies would rather patch their devices than redesign them. We are in a situation where we need redesign and they're closed source. So this is a problem if you're a researcher and trying to figure out how they work. So I came up with a solution. If you guys know about it, open PLC, that's my thing, right?
06:03
Open PLC is the world's first and only PLC available with the full source code. There are other approaches where people try to develop their own PLCs, but it is not close to what a PLC should look like. PLC, there are many standards that define what a PLC should do and how it should behave.
06:24
And I try to follow those standards close so that it will look like a real PLC and behave as much as possible to a real PLC. And I make the source code available. Anyone can go take a look at the code and use it. It is free, right? And basically, open PLC has three main components.
06:42
The runtime, that is the big thing that I'm creating, is the thing that goes into the embedded system, embedded device. And initially, I started creating my own hardware, but then I gave up and started using Raspberry Pis, Arduinos, and stuff that everybody has. So you can load the runtime on your embedded system
07:01
and have it read your PLC programs. You create your PLC programs on the editor. That's supposed to run on your computer, on your Windows, Linux machine. Some folks have ported it to Mac OS as well. And the third portion of it is KWR, which is a GUI builder that allows you to create nice animated graphical screens for your PLC programs.
07:29
So for the open PLC runtime, it runs on many different platforms. These are the platforms that are currently supported, officially supported. Like I said, Raspberry Pi, Arduinos. But also, there are some industrial devices that people created
07:44
that also run open PLC, like UniPi and PiExtend. This is really cool. You can go and buy those devices and install open PLC today, if you want. There are other devices that are not here. They're not officially supported. They were created by the community. So I have a forum with lots of people in there,
08:01
and they ask all sorts of questions. And they also contribute to the project, and they created unofficial patches that make open PLC run on, like, Orange Pi and other platforms that basically run Linux. This is the editor, what it looks like. It supports five programming languages. These are all the five languages defined on the standard.
08:23
And this is KWR. This is a real nice graphical screen created on KWR. So it can create many things. This is the water temperature control you're going to see today. So let's go to talk about PLC protocols for a bit.
08:40
I don't know if you touched on SCADA protocols before, but what it looks like. There are problems with those protocols. Basically, most protocols today are derived from legacy serial networks. So if you're old enough, you might remember those RS-485 networks
09:02
where you hook up a bunch of devices on a serial cable, and all the devices receive the same message, and they decide if they want to accept it or not. This is great for hacking, right? You just listen to the bus, and you get everything. There is no authentication, of course. There is no integrity.
09:20
And when I mean integrity, I'm not talking about error correction. I'm talking about if somebody tampers with the message, is that going to be figured out at the other end or not? So they don't have any integrity mechanisms, and there is no confidentiality. So the message goes on the field with no confidentiality,
09:45
which means it goes in plain text, right? So the most popular SCADA protocol is Modbus. It's about 90% of the PLCs support that. Actually, I haven't found any PLC that does not support Modbus. They usually support their own protocol,
10:01
plus something else, plus Modbus, right? Everybody talks Modbus. And in essence, Modbus is very simple. There's nothing very complicated with that. It is, of course, based on serial networks. And the commands, basically how it works is that the commands for the protocol are encoded into function codes.
10:22
So you have different function codes for different things you want to do. And it's open. That's probably why everybody supports Modbus, because it doesn't require any licensing. You can go and pay Modbus Foundation to have your device certified so that they make sure that your device is actually following the full standard, but you don't have to do that to support the protocol.
10:43
There's no licensing, right? Licensing fee. And this is the Modbus frame. That's what it looks like. Basically, the first byte is a slave ID. And the slave ID is a unique address, because it was based on serial networks. So you have to have a way to address a device.
11:02
The function code is what I was talking about. It tells the slave device what to do. It's like the command it should obey, right? And the function code varies from reading or writing to memory areas. Data, well, data is data, right? It depends on the function code you're using.
11:21
And finally, CRC, it's just error correction verification. Again, this is not checking integrity of the message itself. It's just checking if there are any physical errors that happened on the transmission, right? If somebody can tamper this frame, change the data, recalculate CRC and send it through, it will go, right?
11:40
It will be accepted by the PLC. So those are the most used function codes. There are function codes to read digital outputs, to read digital inputs, and also to read and write registers. Basically, all it is is working with memory. So Modbus gives you free access to the PLC memory.
12:03
You can read whatever you want. You can write whatever you want with no authentication. Who loves that, right? So they updated Modbus to make it compatible with TCP IP networks. What it means is that they added a frame on top of the Modbus frame.
12:23
So basically, it has a transaction ID to keep track of all the transactions you're making. So if the host makes a transaction, it makes a random number on that transaction ID. So when it receives a response, it might receive a bunch of responses from the same slave device. And it will match the transaction ID to make sure that that response
12:41
is related to that query it was making. Protocol ID, it seems that originally, Modbus on TCP was meant to work with other protocols as well. So they created this field so that different values on that field will mean different protocols. I've never seen anybody using anything different than 00.
13:00
And 00 stands for Modbus, so I think they failed on this. Length is length, right? How many bytes there are after it. And after that, it's just plain serial Modbus frame as it was before. They kept the slave ID byte on that frame because some people will just convert between TCP IP networks and serial networks.
13:24
So you have old devices talking serial and new devices talking TCP. So keeping that byte over there means that serial devices will also be able to receive that message, right, even though they are addressed on TCP. For TCP only PLCs usually that byte means nothing, they will accept anything.
13:44
Attack scenarios, what can we do with this? So you can create a few different attacks on that. Because the message is so simple, you can just interrupt the communication and cause a denial of service. There are many ways to do that. You can intercept the message and
14:02
read the contents because there's no encryption, no confidentiality at all. You can also modify the message. You get the message, you get a bump in the wire or some sort of Ettercap or a poisoning hack. And you get the message since it's plain text, you modify the contents,
14:21
send it back, yeah, that is pretty disastrous. And my favorite, injection. You can only just send a freaking frame. The PLC will accept you, right? It accepts everybody. So let's demo it. Hopefully it will work.
14:43
So I have here SCADA-BR, and let me start the last PLC. I didn't have the time to do it. Hopefully I will now. Let me get back to SCADA-BR.
15:02
So this is SCADA-BR, for you to get familiar with it. It's an old tool, but it works very well. And I incorporated it into the open PLC project so that we can update it and renovate it over time. So here I have all my data sources.
15:20
These are all my PLCs. So here on the table I have three different PLCs. The first one here is open PLC running on a UniPi platform. This is an industrial platform. The second one is an Allen-Bradley MicroLogix 1400 series. And the third one is a Schneider Modicon M221.
15:43
So let me go ahead and try to turn them all on. Hopefully they're good. OK. So let me start this PLC as well. In the meantime, while this thing is starting, let me show you the graphical screen and see how it looks like.
16:01
So this screen shows my system, my setup here. So what I have, as I said before, I have a cup filled with water, and a water heater element inside it, and a temperature sensor. The temperature sensor is connected to the PLC.
16:22
So I have three identical setups. And since PLC solves ladder logic, I just created the same ladder logic for all the three PLCs. So they are running identical logic programs. Of course, each architecture will just interpret that logic differently internally. Some will compile that to binary code.
16:41
That's the case for open PLC. Some will just convert that to a virtual machine that will just run interpreted instructions. So it varies by vendor. But they are all, in essence, doing the same logic. I just copy paste the same ladder diagram to make sure they are all running the same thing. And on that configuration, I have a flexibility here
17:02
that I can set the PLC for manual mode, turn on the heater if I want manually. So you can see the heater going up here. Just a little break to turn on the PLC, sorry. And I can turn the heater off. I can put in auto mode. So the auto mode will try to keep the temperature around 40
17:23
degrees Celsius. And temperature is a slow thing. So it might go up slowly and go down slowly. But in essence, all the PLCs are trying to keep that around 40, except this third little one, because it's not on yet. Sorry about that. Let me just log in here.
17:40
And in one second, I will turn it on. So my job here is try to attack these PLCs. Once I am in the network, I will show you how easy it is to create a Modbus frame and attack it. Last click. Not yet.
18:01
OK, should be good to go. Let me start it. Yes, I want. By the way, this is so machine basic. This is the software used to program the Schneider Modicon M221. We'll have a lot of fun with that software today. OK, so let me start my terminal here.
18:24
So I have an injection attack ready. What this injection attack does, it tries to send Modbus packets that will switch the PLCs into manual mode and keep the heater on. And this message will be sent over and over and over again
18:41
so that the operator will lose control of the PLC and will not be able to turn it off. So I'll start the attack. And now this little attack has two parameters. I created this software. By the way, everything is available on my GitHub. So if you want to get those tools, go ahead.
19:01
You have it. So it has two parameters. The first one is the host. So the host is 100, 100, 100, 100. Because I'm really bad with numbers, I had to choose a good one. And the other parameter is frequency. I won't use it. The default frequency is 1,000 messages per second. So let's try that on Open PLC.
19:22
All right, cool. Heater is on. Let's turn it off. Well, it doesn't work. So let's put it in auto mode. It doesn't work either. I'm screwed.
19:41
So that's probably what the operator will be thinking. You see the temperature going up, and you can't do anything about it. And all it takes is sending freaking Modbus frames. That's all it takes. What I'm doing here is writing to a portion of the memory of the PLC that I know it's storing the setting for manual or auto mode
20:03
and the other area that is storing the setting for the heater if it's on or off. That's all it takes. And I can guarantee you that this kind of attack works with 100% of the PLCs that I know of. So OK, let's stop this because I have boiling water already.
20:24
Let me put back on auto mode. We'll shut off the heater. Now let's try the same thing with our friend, Allen-Bradley. It is at the same IP except 101. I know. I'm bad with numbers. So let's try that again. Boom.
20:40
Oh, gosh, no. It's on. Doesn't work. Auto mode also does not work. Temperature will go up, and yeah, it works the same way. You see different brand of PLC, freaking same Modbus protocol. That's the culprit.
21:02
Let me stop this. Auto mode again. Last attack. Let's try that on the Schneider Modicon. Please misbehave. OK, it's on. Even though the temperature is also over the set point, it does not work either.
21:23
So that's how simple it is. You can today start creating your own PLC attacks. OK, let me stop this. Now this was pretty fun.
21:42
And I had a lot of fun creating this, but I have one more thing. For those of you who are a fan of Steve Jobs, this is where the best part happens, right? So let's talk about MicroLogix. MicroLogix is a PLC from Allen-Bradley and Rockwell Automation.
22:02
I don't know the history of who bought who, but they keep both names in, so I just say both names. But what are the fun facts about Micrologix 1400 series? You should be buying one today to hack. It's a pretty fun device. So first of all, it runs VxWorks. VxWorks is one of the most popular real-time operating
22:22
systems in the industry. It's on everything, including PLCs. And there are a bunch of vulnerabilities reported for that device. Guess what? I bet most of those work with Allen-Bradley as well. Right? It is one of the most popular Allen-Bradley PLCs.
22:40
You see that everywhere. And it supports Modbus TCP. That's why the injection attack worked. This is my favorite feature. It can be killed remotely by sending a bad Modbus packet. This is great. So let me talk about this, what I call Micrologix Deadly Packets.
23:01
Basically, all it takes, it's to trick the memory allocation algorithm of the Micrologix PLC. So what I do is I start a new transaction ID. Protocol, of course, is Modbus 00.
23:21
And on the length field, I say I will need 20, 256 bytes. But I only have six. So it might try to allocate that much memory, but it's only receiving less than that. And right immediately after, I start a new transaction ID
23:41
where the length is the length of the previous packet. And it's incomplete. It stops at the unit ID. So it makes the PLC confused with this memory management system. And I cause a buffer overflow writing that message on a different area of the device, crashing the device, and making it unrecoverable.
24:02
So let's try to do that. All right. So just to check here, I should have everybody running. Wow, I left that PLC on for too long. All right.
24:20
So we're targeting Allen Bradley now. It should be working fine. So I'll just put in manual mode to prove the heater is on, heater is off. Everything should work beautifully. Auto mode should keep the heater off. Let me just keep that on heater on, so that will be more fun. Let me go.
24:40
It's hard to type when your hands are shaking. It should be Allen-Bradley exploit. This is also available on my GitHub. So the only argument it takes is the IP address of the PLC. So all it does is send those two deadly packets,
25:02
and let's see what happens when I do it. Dead. So you'll see right now that the PLC is not communicating anymore. You see there's an exclamation point all around? Ha, dead. How cool is that, right?
25:26
You can even try to press the buttons over there. It's completely dead. And you know the fun fact of it is if you power cycle, it's still dead. I'll prove it.
25:44
I just power cycled it, and it will boot again. It managed to boot again, but default LED keeps on for some reason. So yeah, it is booting up, and you still see the exclamation points here. You will see it till the end of the presentation.
26:02
So the problem is that the application got corrupted, so the PLC cannot launch it again. The fault mode is always on. The only way to make it work again is to reprogram it with the ladder logic. This is creepy, right? So if you lost the ladder logic, you're screwed.
26:23
Please don't send it on the wild. There are too many MicroLogix PLCs out there. All right. Let's behave. OK, let me see if I have something else. This is a problem that affects all MicroLogix 1400 series.
26:45
I don't know about others, because I'm not rich enough to buy all the PLCs, but I bet it also affects some other related series like 1100 or so. I talked to Allen-Bradley through ICS-CERT. We published this vulnerability, and they
27:00
are really nice. They responded back and tried to work with me to create a patch. So they released recently, about a few months ago, a firmware update. This firmware update fixes this vulnerability, although it's a pain to update it. I spent like half an hour trying to do that, and I'm supposed to be a security expert.
27:22
Imagine people all in the field, what they will do to try to update this thing, they won't. They won't stop their factory to update their PLC firmwares. Hopefully the new PLCs that will be sold now will have this new update already built in.
27:40
There are other mitigations where, please disable Modbus TCP. This is not a fix. Dude, if you're disabling the protocol, you're not fixing it. You're just disabling it. So this mentality is common for all the PLC vendors that I usually talk to. Minimize network exposure.
28:02
Put PLCs behind a firewall. So basically what they're telling you is, the security is on you. We don't provide security. You're freaking alone. So try to do your best. These are good practices, but I honestly believe that a PLC, the device itself, should provide some sort of security.
28:21
And one last thing. All right. Schneider. There is a special reason why I brought the Schneider PLC with me. The Schneider has a protocol that is common to all the Modicon family. I think other families also use this.
28:40
It's called Unity Protocol. At least me and some other researchers that are working with this call it Unity, or UMAS. You might hear both names. And this protocol is obscure. It is undocumented. It runs on top of Modbus TCP, so you have a normal Modbus transaction. But when you have a function code 0x58,
29:02
this is hexadecimal 58, this triggers the sub-protocol that runs on the data field of the Modbus frame. In the Modbus documentation, 58 is a reserved function code for vendor-specific functions.
29:21
And this is the nice part. This protocol is used to configure and monitor the PLC down to the operating system level. You can do a total memory dump using this protocol. You can get the freaking operating system image using that.
29:41
So this is crazy. It's proprietary and undocumented, so they try to make it secure by obscurity, but that won't prevent us from figuring out how it works. So basically, Unity has a bunch of function codes. So it's a function code inside a function code.
30:02
You have the Modbus frame, and then you have the Unity frame. And these are the function codes you can play with. And I have to thank Luis Lidas. He is a researcher on the same field. We started talking and communicating one year ago because I figured out he was working on the Unity devices as well, and we started contributing to each other.
30:21
And he has a very nice blog, LidasEnlared.xyz. If you want, you can go and check it out. He has a step-by-step of how he managed to get those function codes and reverse-engineer the DLLs for SoMachine Basic and get that information. So this is pretty cool.
30:41
And basically, you can take a look at some messages here. They are pretty cool, like read memory block. This is my favorite. Okay, so, but today, given the time constraint, we'll only play with a few of those. So basically, we'll start a communication,
31:03
init communication. We'll read a project info to read some data about the project. This is also cool, take PLC reservation. It means that the PLC needs to be connected to someone. Someone needs to reserve the PLC. If you take the PLC reservation, you're taking the other party down.
31:21
This is DoS built into the protocol, dudes. This is what, right? So you just keep sending this take PLC reservation and I think nobody else can connect. So release PLC reservation and you're releasing it because you just don't want to communicate anymore.
31:43
And start PLC and stop PLC are the basic main functions to start and stop the PLC. All right, so let's play with it. I'll just keep this slide open so we can play a little bit with how it works.
32:07
Is that up? Okay. So I also created a little piece of software, Modicon tester. I don't remember the name of the executable.
32:22
Okay. So this software was created in C# in a hurry. Please don't look at the code. It's messy, but the good thing is it works. And all I did was to create this thing to help me reverse-engineer the protocol. So it basically encapsulates my messages in the Modbus frame with the function code 0x58.
32:43
So I can send anything and it will be accepted as Unity messages, right? So all you do, you connect to the PLC. It's already set up with an M221 IP address. I connect, and then it gives me the hexadecimal output and the ASCII related to that.
33:01
So let's start by starting our communication. So every function code has two bytes, 00 01, and I'll end it with 00. So it just gave me back a "Hi, I'm here." That's fine. Hello. So let's go ahead and release PLC reservation.
33:22
If somebody was talking to it, sorry. And then I'll take the reservation, 10 00. And now the take reservation is an interesting thing. I don't know if you can see it. Sorry, I should have made it bigger. But I promise I'll read it right.
33:42
The message that comes back from take PLC reservation ends with a magic byte. In this case, it's 8E, right? It's even smaller for me. So 8E, I mean, it's this magic byte that I need to send before any message
34:00
that I want to send from now on. Now that I have a session, I have a reservation, I have reserved the PLC for me, I'll have to use this magic byte. That means that before, people were trying to do replay attacks. So the replay attacks would be successful just because they didn't have any session management.
34:21
So you could just get messages that the main station was sending and just replay that and it would work. Now you need the session number, but that won't prevent us from sending stuff, right? So now let's play with this. I have 8E as my session number. You can see here, oh, urgent.
34:41
Allen-Bradley is not talking still, sorry. Sorry, dude. You can see that the Modicon is still working fine. Temperature is 40 degrees Celsius. I can turn the heater on manually and off, right? It works. So what I'll do here, I will send a stop PLC command.
35:02
So I need to start with my 8E, and then the stop message is 41. It ends with FF 00, and let's see. Stopped. Now the PLC can still communicate, but the heater is off.
35:20
I cannot turn it on. I cannot turn it off. I cannot put it in auto or manual mode. It's off. How cool is that? So just by sending a few messages, I can have full control of the PLC, but here comes my favorite feature of this protocol. This is really interesting.
35:40
So I'm gonna use SoMachine Basic here for a second. Let me just create something new. So I'm just using their application to talk to this PLC over here, right? And when I click here, it already identified my PLC. I try to log in, and it's trying to log in,
36:00
but this application is password protected. How come? So I cannot access my PLC without the password. If I try to type anything, it won't give me access, right? All right, what can we do about it? Okay, let me get back to my Unity tester here.
36:24
So remember that message, read project info? For some reason, that thing doesn't even require a session. So I'll go ahead and send this, 00, no session. 03 is the function code for that, and 00. 00 will just get the header.
36:42
So let's see what comes out of it. My header for the project that is stored on the PLC. And this is the name of the project. What is this? Yes, the freaking password, right?
37:04
So if I were Steve Jobs and I was working at Schneider, I would say, this is not a bug, this is a feature. What if you forgot the password? The device needs to tell you that, right? So let's try it.
37:20
Defcon is my password. So when I type defcon, boom. I mean, super hard, right? Now I have full control of the PLC again, using their own software, just because I stole the password. And it works. I've tried with different, slightly different types
37:41
of Modicon, M-something series, and the same thing works. So yeah, you can play with that. I can start the controller because I stopped it before, and I can see the programming on it. Yeah, I have full access. So this is pretty hilarious.
38:04
Now, that's to show you how secure your PLC is. And imagine that those things are controlling your nuclear power plants and your water filtration systems. I'll just go live in a jungle. So, Schneider also, they were really nice.
38:23
I submitted this through ICS-CERT, and they talked with me, and we tried to come up with some mitigations. And they recommended the following things. Disable Unity Protocol. This is the best mitigation ever. So again, you see a different vendor
38:41
with the same mentality. Just turn that freaking thing off. It doesn't work, right? They also recommended, because of that password vulnerability and all of that, they recommended to store your project files in secure, access-restricted locations, and encrypt your project files
39:01
with reputable third-party file encryption tools. Again, they're giving you the responsibility to fix stuff, to secure your settings. And this is pretty, it gets me worried, right? And a little bit about what I plan to do in the future.
39:21
By the way, I haven't shown you this. This is what OpenPLC looks like. This is a web interface that is running on the device. So once you install the runtime, you have that interface up, and you can see your programs. You can see your hardware. You can even mess with the code live, right?
39:41
So it's pretty cool. And this thing is also vulnerable and insecure. I created it to be like that, because I'm trying to mimic what other vendors are doing. So we can kind of research about it. But my PhD thesis is about creating a secure version of Open PLC that will try to prevent
40:01
those types of attacks from happening, okay? So it was really fun to be here at DEF CON today. It was really an honor for me to be here. And thank you very much for coming and staying with me this Saturday morning. If anybody has any questions.
40:20
Thanks.
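Editor's added example, after the talk: a small Python frame builder, parser and capture audit for the Unity/UMAS sub-protocol as the speaker describes it. It is not the speaker's Modicon tester and not vendor code. Everything about the wire format is taken from the demo and treated as an assumption: the sub-protocol sits in the data field of a Modbus/TCP frame carrying a vendor function code (the talk gives 0x58; other public write-ups give 0x5A, so it is a parameter); a request body is a session byte, a UMAS function code and arguments; a take-reservation reply ends with the session byte that later requests must carry; the start-PLC code 0x40 is assumed, since the demo only shows 0x41 for stop. The sample capture is constructed, reply bodies included, and nothing contacts a device. The audit is the defensive half the talk leaves open: it flags reservation takes, start/stop commands, session-less project reads, and requests whose session byte does not match the one the PLC granted, which is what a replayed capture looks like once sessions exist.

```python
import struct

# Modbus function code the talk gives for the Unity/UMAS sub-protocol
# (assumption: other public write-ups give 0x5A, so it stays a parameter).
VENDOR_FC = 0x58

# UMAS sub-function codes shown in the talk's demo; START_PLC is an assumption.
INIT_COMM, READ_PROJECT_INFO = 0x01, 0x03
TAKE_RESERVATION, RELEASE_RESERVATION = 0x10, 0x11
START_PLC, STOP_PLC = 0x40, 0x41
NAMES = {INIT_COMM: "init communication", READ_PROJECT_INFO: "read project info",
         TAKE_RESERVATION: "take PLC reservation", RELEASE_RESERVATION: "release PLC reservation",
         START_PLC: "start PLC", STOP_PLC: "stop PLC"}
STATE_CHANGING = {TAKE_RESERVATION, START_PLC, STOP_PLC}  # change owner or run state


def build_request(session, umas_fc, args=b"", unit=1, tid=1, vendor_fc=VENDOR_FC):
    """MBAP header (tid, protocol 0, remaining length, unit) + vendor function
    code + UMAS body (session byte, UMAS function code, arguments)."""
    body = bytes([vendor_fc, session, umas_fc]) + bytes(args)
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body


def build_reply(tid, body, unit=1, vendor_fc=VENDOR_FC):
    """Frame a PLC reply; only used here to construct the sample capture."""
    return struct.pack(">HHHB", tid, 0, len(body) + 2, unit) + bytes([vendor_fc]) + body


def parse_frame(frame, vendor_fc=VENDOR_FC):
    """Validate the MBAP header; return None unless the frame carries the vendor
    function code, else tid, unit and the raw UMAS body after that code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("inconsistent MBAP header")
    if frame[7] != vendor_fc:
        return None
    return {"tid": tid, "unit": unit, "body": frame[8:]}


def audit(capture, vendor_fc=VENDOR_FC):
    """Walk ("req"|"rsp", frame) pairs and return alert strings: state-changing
    commands, the session byte granted by a reservation reply, session-less
    project reads, and requests whose session byte does not match the granted
    one (what a replayed capture looks like once sessions exist)."""
    alerts, session, last_req_fc = [], None, None
    for direction, frame in capture:
        msg = parse_frame(frame, vendor_fc)
        if msg is None:
            continue
        if direction == "rsp":
            if last_req_fc == TAKE_RESERVATION and msg["body"]:
                session = msg["body"][-1]  # demo: reply ends with the session byte
                alerts.append(f"tid={msg['tid']} reservation granted, session=0x{session:02x}")
            continue
        if len(msg["body"]) < 2:
            raise ValueError("UMAS request needs a session byte and a function code")
        sess, fc = msg["body"][0], msg["body"][1]
        last_req_fc = fc
        name = NAMES.get(fc, f"umas 0x{fc:02x}")
        if fc in STATE_CHANGING:
            alerts.append(f"tid={msg['tid']} {name} (session=0x{sess:02x})")
            if session is not None and sess != session:
                alerts.append(f"tid={msg['tid']} session mismatch: expected 0x{session:02x}, got 0x{sess:02x}")
        elif fc == READ_PROJECT_INFO and sess == 0:
            alerts.append(f"tid={msg['tid']} {name} without a session")
    return alerts


def demo_capture():
    """Constructed capture following the demo's sequence (not a real PCAP);
    reply bodies are made up, only the trailing session byte matters."""
    return [
        ("req", build_request(0x00, INIT_COMM, b"\x00", tid=1)),
        ("rsp", build_reply(1, b"\x00\xfe")),
        ("req", build_request(0x00, RELEASE_RESERVATION, b"\x00", tid=2)),
        ("rsp", build_reply(2, b"\x00\xfe")),
        ("req", build_request(0x00, TAKE_RESERVATION, b"\x00", tid=3)),
        ("rsp", build_reply(3, b"\x00\xfe\x8e")),            # grants session 0x8E
        ("req", build_request(0x8e, STOP_PLC, b"\xff\x00", tid=4)),
        ("rsp", build_reply(4, b"\x00\xfe")),
        ("req", build_request(0x00, READ_PROJECT_INFO, b"\x00", tid=5)),
        ("rsp", build_reply(5, b"\x00\xfe" + b"DEMO-PROJECT")),
        ("req", build_request(0x00, STOP_PLC, b"\xff\x00", tid=6)),  # replayed, dead session
    ]


if __name__ == "__main__":
    for line in audit(demo_capture()):
        print(line)
```

Running the script prints six alerts for the constructed capture: the reservation take and the session it was granted, the stop command sent with that session, the project-info read sent with no session at all, and the final stop command flagged twice, once as a state change and once because its session byte is stale. The same `audit` can be fed frames reassembled from a real Modbus/TCP capture; the only thing to change when a device uses a different vendor function code is the `vendor_fc` argument.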