Hacking PLCs and Causing Havoc on Critical Infrastructures

Video thumbnail (Frame 0) Video thumbnail (Frame 6430) Video thumbnail (Frame 7278) Video thumbnail (Frame 12333) Video thumbnail (Frame 14701) Video thumbnail (Frame 16111) Video thumbnail (Frame 17542) Video thumbnail (Frame 20581) Video thumbnail (Frame 21892) Video thumbnail (Frame 23757) Video thumbnail (Frame 25747) Video thumbnail (Frame 26551) Video thumbnail (Frame 27409) Video thumbnail (Frame 29082) Video thumbnail (Frame 30472) Video thumbnail (Frame 31582) Video thumbnail (Frame 32358) Video thumbnail (Frame 34417) Video thumbnail (Frame 36120) Video thumbnail (Frame 36932) Video thumbnail (Frame 39830) Video thumbnail (Frame 42487) Video thumbnail (Frame 48023) Video thumbnail (Frame 51945) Video thumbnail (Frame 53511) Video thumbnail (Frame 54502) Video thumbnail (Frame 56037) Video thumbnail (Frame 56839) Video thumbnail (Frame 59015) Video thumbnail (Frame 60092)
Video in TIB AV-Portal: Hacking PLCs and Causing Havoc on Critical Infrastructures

Formal Metadata

Hacking PLCs and Causing Havoc on Critical Infrastructures
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Programmable Logic Controllers (PLCs) are devices used on a variety of industrial plants, from small factories to critical infrastructures like nuclear power plants, dams and wastewater systems. Although PLCs were made robust to sustain tough environments, little care was taken to raise defenses against potential cyber threats. As a consequence, threats started pouring in and causing havoc. During this presentation I will talk about the architecture of a PLC and how it can be p0wned. There will be some live demonstration attacks against 3 different brands of PLCs (if the demo demons allow it, if not I will just show a video). Additionally, I will demonstrate two vulnerabilities I recently discovered, affecting the Rockwell MicroLogix 1400 series and the Schneider Modicon M221 controllers.
Game controller Logarithm Multiplication sign Real number Flash memory Water vapor Function (mathematics) Open set Student's t-test Computer font Computer programming Information security Physical system Cybersex Module (mathematics) Computer font Demo (music) Information Projective plane Computer program Bit Digital signal Control flow Computer Causality Befehlsprozessor Process (computing) Vector space Logic output Video game Right angle
Freeware Run time (program lifecycle phase) Line (geometry) Patch (Unix) Multiplication sign Connectivity (graph theory) Source code Workstation <Musikinstrument> Virtual machine Insertion loss Open set Computer programming Neuroinformatik Wave Pi Graphical user interface Internet forum Internetworking Logic Text editor Computing platform Physical system Graphics tablet Game controller Source code Standard deviation Touchscreen Run time (program lifecycle phase) Projective plane Computer program Physicalism Formal language Component-based software engineering Graphical user interface Software Computing platform Video game Right angle Text editor Quicksort Communications protocol Window Electric current
Serial port INTEGRAL Graph (mathematics) Water vapor Field (computer science) Formal language Mechanism design Hooking Bus (computing) Text editor Communications protocol Authentication Programming language Standard deviation Touchscreen Bit Fehlererkennung Side channel attack Message passing Software Right angle Text editor Figurate number Simulation Communications protocol Electric current
Area Frame problem Functional (mathematics) Standard deviation Serial port INTEGRAL Code Code Fehlererkennung Code Data transmission Frame problem Message passing Software Different (Kate Ryan album) Semiconductor memory Function (mathematics) Formal verification Right angle Codec Communications protocol Communications protocol Error message Address space
Frame problem Trail Functional (mathematics) Random number generation Serial port Length Codierung <Programmierung> Function (mathematics) Code Field (computer science) Subset Semiconductor memory Different (Kate Ryan album) Authentication Dependent and independent variables Database transaction Digital signal Frame problem Message passing Software Query language Function (mathematics) output Right angle Communications protocol
Injektivität Injektivität Demo (music) Demo (music) Content (media) Denial-of-service attack Frame problem Message passing Causality Spherical cap Telecommunication Encryption Quicksort
Causality Multiplication sign Projective plane Source code Open set Table (information) Computing platform
Asynchronous Transfer Mode Wechselseitige Information Touchscreen Binary code Virtual machine Water vapor Menu (computing) Water vapor Control flow Element (mathematics) Logic Personal digital assistant Logic programming Configuration space Codec Diagram Sinc function Electric current Computer architecture Identity management Physical system Asynchronous Transfer Mode
Degree (graph theory) Process (computing) Water vapor Control flow Menu (computing) Codec Control flow Asynchronous Transfer Mode
Software Virtual machine Water vapor Menu (computing) Control flow Frame problem
Injektivität Default (computer science) Continuum hypothesis Asynchronous Transfer Mode Game controller Water vapor Menu (computing) Parameter (computer programming) Control flow 2 (number) Number Frequency Radical (chemistry) Message passing Software Operator (mathematics) Right angle Asynchronous Transfer Mode
Area Semiconductor memory Right angle Water vapor Frame problem Asynchronous Transfer Mode
Asynchronous Transfer Mode Multiplication sign Boom (sailing) Water vapor Menu (computing) Control flow Number Inclusion map Different (Kate Ryan album) Case modding Right angle Communications protocol Asynchronous Transfer Mode
Asynchronous Transfer Mode Water vapor Menu (computing) Musical ensemble Control flow
Injektivität Inclusion map Injektivität Process (computing) Logic Demo (music) Right angle Real-time operating system Mereology Vulnerability (computing) Hand fan Series (mathematics)
Area Execution unit Algorithm Length Demo (music) Execution unit Length Memory management Database transaction Field (computer science) Pointer (computer programming) Message passing Semiconductor memory Logic Right angle Communications protocol Buffer overflow Physical system Address space
Type theory Demo (music) Case modding Water vapor Menu (computing) Convex hull Control flow Asynchronous Transfer Mode
Point (geometry) Asynchronous Transfer Mode Presentation of a group Cone penetration test Kreisprozess Demo (music) Water vapor Menu (computing) Parameter (computer programming) Control flow Cartesian coordinate system IP address Power (physics) Logic Case modding Right angle Booting Asynchronous Transfer Mode
Firewall (computing) Patch (Unix) Demo (music) Expert system Field (computer science) Inclusion map Software Factory (trading post) Quicksort Series (mathematics) Information security Communications protocol Vulnerability (computing)
Functional (mathematics) Code Ferry Corsten Codierung <Programmierung> Multiplication sign 1 (number) Open set Mereology Code Field (computer science) Medical imaging Latent heat Semiconductor memory Core dump Operating system Energy level Communications protocol Constraint (mathematics) Information Block (periodic table) Projective plane Total S.A. Database transaction Bit System call 1 (number) Frame problem Message passing Blog Telecommunication Normal (geometry) Convex hull Right angle Musical ensemble Communications protocol Family Asynchronous Transfer Mode Reverse engineering
Functional (mathematics) Code Workstation <Musikinstrument> 1 (number) Function (mathematics) IP address Frame problem Number Data management Message passing Software Insertion loss Personal digital assistant Telecommunication Right angle Software testing Communications protocol Reverse engineering
Degree (graph theory) Message passing Game controller Virtual machine Water vapor Control flow Communications protocol Asynchronous Transfer Mode
Type theory Password Cartesian coordinate system
Functional (mathematics) Email Game controller Information Code Projective plane 1 (number) Boom (sailing) Type theory Message passing Process (computing) Software Different (Kate Ryan album) Password Software testing Right angle
Dependent and independent variables Computer file Codierung <Programmierung> Projective plane 1 (number) Code Maxima and minima Set (mathematics) Coma Berenices Water vapor Bit Computer programming Function (mathematics) Password Encryption Source code Right angle Communications protocol Information security Physical system Vulnerability (computing)
User interface Execution unit Run time (program lifecycle phase) Code Run time (program lifecycle phase) Interface (computing) Computer program Water vapor Maxima and minima Open set Control flow Computer programming Hypothesis Revision control Type theory Blog Computer hardware Computer hardware IRIS-T Simulation Information security
Physical law
all right it's about that time to get the show on the road so everyone please give a very warm welcome to Tiago he'll be talking about hacking PLC's sorry I have a little experience here and it took a little longer to set up than I was expecting but I am very very happy to be here at DEFCON today and I was honestly expecting like fifty maybe hundred people so thank you guys for taking the time to be here on Saturday morning and listen to me I am chaga Elvis and a little bit about my about me I am a PhD student at UAH and I also work at the Center for cyber security research and education it's called sea CRE at the University and yes this is what I do I love to hack stuff and I try to break as many things as I can and I'm also the creator of the open PLC project if you guys haven't heard of it you'll hear about it a little bit today heads up if somebody have heard about open PLC before Wow thank you that's great that's great thank you also today it's a very important date for me because this trip to Vegas marks our 9th year anniversary me and my wife were together for 90 years and yeah I used to have more hair back then but she is still pretty the same way right so I'm a lucky guy and she always complain about being like slowing me down because now we have kids and I have other things to focus on but I keep telling her that if you want to go fast you go alone well I fizz not about speed but if you want to go further if you want to go far you go together that's why I'm here that's because of you right and I'm very happy I invited her to be here at my talk thank you and she has a very important job actually because I have really bad jokes and she laughs of all of them so if you hear her laughing just please laugh as well so we have a nice presentation okay okay so a little outline about today I'll I'm gonna start with a with a background info you know a little bit about PLC's if you guys know about PLC's I'll try to go fast if you don't know about PLC's please pay attention because I will go fast okay then we'll go and talk about a little attack vectors some some stuff we can do to break those things and finally we'll demo if the demo daemons haven't gotten me because I didn't have enough time to set up so hopefully things will go out fine so what is a PLC after all it is that's what it looks like right it's a brick and it stands for a programmable logic controller and basically it's a digital computer right it's used on automation since 1970 so it's a long time ago and basically it is an embedded system with a CPU some RAM some ROM right some flash nowadays and you put your program in there you run your program and your program decides what to do with the input data it senses from the input input modules the PLC has so PLC has a bunch of inputs a bunch of outputs I have three plcs set it up here trying to heat water and they're doing a poor job doing that but then you program those devices to any logic you want and it has output modules to control real life stuff right so for example in this setup its controlling the heater based on the temperature sensor that is attached to the input module and you will see PLC's
in many different places so here I have like a dam a substation a gas distribution system in our petrochemical facility PLC's are there and you imagine what happens if you hack into those PLC's and make it crash right or change a setting so for all those situations a disaster will follow if you break into a PLC because they are controlling large huge stuff that can cause even physical damage and life loss right so what is
the problem with the current PLC's we have first of all they are freaking expensive you know if you're building an embedded system it shouldn't cost that much nowadays there are some companies selling what they call cheapo PLC's they can you can buy one for like a hundred or two hundred dollars but then they get you on software there are companies selling software programming software for PLC's or up to five thousand dollars per station and that is ridiculous right that is ridiculous and also they rely on very legacy technology PLC's were built like 40 years ago and that's also a major problem because this legacy technology it was created at a time that internet didn't exist so they use unsecure protocols to communicate most companies rather patch their devices instead of redesign we are in a situation where we need redesign and they're closed source so this is a problem if your researcher and trying to figure out how they work so I came up with a solution if you guys know about it Oh plc that's my thing right hoping PLC is the world's first and only one PLC available with the full source code there are other approaches that people try to develop their own PLC's but it is not close to what a PLC should look like PLC that there are many standards that define what a PLC should do and how it should behave and I tried to follow those standards close so that it will look like a real PLC and behave as much as possible to a real PLC and I make the source code available anyone can go take a look at the code and use it it is free right and basically open PLC has three main components the runtime that is the big thing that I'm creating is the thing that goes into the embedded system embedded device and initially I started creating my own harder but then I gave up and started using raspberry PI's or doing your nose and stuff that everybody have so you can load the runtime on your embedded system and have it read your PLC programs you create your PLC programs on the editor that's supposed to run on your computer right on your Windows Linux machine some folks have ported it to Mac OS as well and the third portion of it is kwr which is a GUI builder that allows you to create nice animated graphical screens for your PLC programs right so for the open PLC runtime it runs on many different platforms these are the platforms that are currently supported officially supported like I said Raspberry Pi Arduinos but also there are some industrial devices that people created that also runs open PLC like unify and PI extend this is really cool you can go and buy those devices and and install up in PLC today if you want there are other devices that are not here they're not officially supported they were created by the community so I have a forum with lots of people in there and they you know make all sorts of questions and they also contribute to the project and created unofficial pad patches that make open PLC run on like orange pie and other platforms that basically run
this is the editor what it looks like it supports five programming languages this is these are all the five languages defined on the standard and this is kwr right this is a real nice graphical screen created on skate of VR so it can create many things this is the water temperature cultural you're going to see today so let's go to talk about PLC
protocols for a bit I don't know if you touch on on SCADA protocols before but
what it looks like there are problems with those protocols basically most protocols today are derived from legacy serial networks so if you are old enough you might remember those are as 485 networks when you hook up a bunch of devices on a serial cable and all the devices receive the same message and they decide if they want to accept it or not this is great for hacking right you just listen to the bus and you get everything there is no authentication of course there is no integrity and when I mean integrity I'm not talking about error correction I'm talking about if somebody tempers the message is that gonna be figure it out at the other end or not so they don't have any integrity mechanisms and there's no confidentiality so the message goes on on the field with no no confidentiality which means it's go it goes in plaintext right so the most
popular SCADA protocol is Modbus it's about 90% of the PLC's support that actually I haven't found any PLC that does not support Modbus they usually support their own protocol but something else plus Modbus right everybody talks Modbus and in essence Modbus is very simple there's nothing very complicated with that it is of course based on serial networks and the commands basically how it works is that the commands for the the protocol are encoded into function codes so you have different function codes for different things you want to do and it's open that's probably why everybody supports Modbus because it doesn't require any licensing you can go and pay Modbus foundation to have your device certified so that they make sure that your device is actually following the full standard but you don't have to do that to support the protocol there's there's no licensing right licensing fee
and this is the Modbus frame that's how what it looks like basically it has the first byte is a slave ID and the slave ID is a unique address because it was based on serial network so you have to have a way to address a device the function code is what I've what I was talking about it tells the slave device what to do it's it's like the command it should obey right and the function code varies from reading or writing to more memory areas data while data is data right it depends on the function code you're using and finally CRC it's just error correction verification again this is not checking integrity of the message itself it's just checking if there are any physical errors that happen on the transmission right if somebody can tamper the strain change the data recalculate CRC and send it through it will go right it will be accepted by the PLC so those are the most used function
codes there is of function codes to read digital outputs to reach digital inputs and also to read and write registers basically all it is is working with memory so Modbus gives you free access to the plc memory you can read whatever you want you can write whatever you want with no authentication who loves that right they updated Modbus to make it
compatible with tcp/ip networks what it means is that they added a frame on top of the Modbus frame so basically it has a transaction ID to keep track of all the transactions you're making so if the host makes a transaction it makes a random number on that transaction ID so when it receives a response it might receive a bunch of response from the same slave device and it will match the transaction ID to make sure that that response is related to that query it was making protocol ID it seems that originally Modbus on TCP was meant to work with other protocols as well so they created this field so that different values on that field will mean different protocols I've never seen anybody using anything different than zero zero and zero zero stands for Modbus so I think they failed on this length is length right how many bytes there are after it and after that is just plain serial Modbus frame as it was before they kept the slave ID byte on that frame because some people will just convert between tcp/ip networks and serial networks so you have all devices talking serial and new devices talking TCP so keeping that that byte over there means that CEO devices will also be able to receive that message right even though if they are addressed on TCP for for TCP only PLC's usually that that byte means nothing they will accept anything attack scenarios what can we do
with this so you can create a few a few different attacks on that because the message is so simple you can just interrupt the communication cause a denial of service there are many ways to do that you can intercept the message and read the contents because there is no encryption no in confidentiality at all you can also modify the message you get the message you get a bump in the wire or some sort of either cap or poisoning hack and you you get the message since its plaintext you modify the contents send it back yeah that is pretty disastrous and my favorite injection you can only just send a freaking frame the PLC will accept you right it accepts everybody so let's demo
it hopefully it will work
so I have here SCADA BR and let me start
the last PLC I didn't have the time to do it hopefully I will now let me get
back to SCADA BR so this is a SCADA BR for you to get familiar with it it's it's an old tool but it works very well and I incorporated it into the open PLC project so so that we can update it and renovate it over time so here I have all my data sources these are all my plcs so here on the table I have three different PLC's the first one here is open PLC running on a unified platform this is an industrial platform the second one is an allen bradley micro logics 1400 series and the third one is a schneider Modica on em two to one so let me go ahead and try to turn them all on hopefully they they're good okay so let me start this
PLC as well in the meantime like this
thing is starting let me show you the graphical screen and see how it looks
like so
these this screen shows my my system I set up here so what I have as I said before I have a cup filled with water and a water heater element inside it and a temperature sensor right the temperature sensor is connected to the PLC so I have three identical setups and since PLC talks ladder logic I just created the same ladder logic for all the three PLC's so they re running identical logic programs of course each architecture will just interpret that logic differently internally right some will compile that to binary code that's in case for open PLC some will just convert that to virtual machine that will just run interpreted instructions so it varies by vendor but they all in essence doing the same logic I just copy-paste the same ladder diagram to make sure they are all running the same thing okay and on that configuration I have a flexibility here that I can set the PLC for manual mode turn on the heater if I want manually so you can see the heater going up here just a little
break to turn on the PLC sorry and I can
turn the heater off I can put in my auto mode so the outer mode will try to keep the temperature around 40 degrees Celsius and you know temperature is a slow thing so you might go up slowly and go down slowly but in essence all the PLC's are trying to keep that around 40 except this third little one because it's not on yet sorry about that let me just log in here and in one second I will turn it on so my job here
is try to attack these PLC's once I am in in the in the network I will show you how easy it is to create a Modbus frame and attack it right last click not yet okay it should be good to go let me start it
yes I want by the way this is so machine basic this is the software used to program the Schneider maricon em two to one will have a lot of fun with that with that software today okay
so let me start my terminal here so I have a injection attack ready what does inject injection attack does it it tries to send Modbus packets that will switch the PLC's in manual mode and keep the heater on right in this will this message will be sent over and over and over again so that the operator will lose control of the PLC and will not be able to turn it off right so I'll start the attack and now this literal attack I hate sound this little attack has two parameters I created this software by the way everything is available on my github so if you want to get those tools go ahead you have it so it has two parameters the first one is the host so the host is 100 100 100 100 because I'm really bad with numbers I had to choose a good one and the other parameter is frequency I won't use it the default frequency is a thousand messages per second so let's try that on open PLC go all right cool heater is on
let's turn it off well it doesn't work so let's budding out a mode it doesn't work either I'm screwed right so that's probably what the operator will be thinking you see the temperature going up and you can do anything about it and all it takes is
sending freaking Modbus frames right that's all it takes what I'm doing here is writing to a portion of the memory of the PLC that I know it's it's storing the setting for manual or auto mode and the other area that is storing the setting for the heater if it's on or off that's all it takes right and I can guarantee you that this kind of attack works with a hundred percent of the PLC that I know of right so okay let's stop this because I have Baldy
boiling water alrighty
let me put back on auto mode it will shut off the heater now let's start try the same thing with our friend allen bradley it is at the same IP except 101 I know I'm bad with numbers so let's try that again boom oh gosh no it's on doesn't work
right auto mode also does not work temperature will go up and yeah it it works the same way you see different brand of PLC freaking same Modbus protocol that's the culprit okay let me stop this Auto mode again last time less
attack let's try that on the Schneider
maricon please misbehave ok it's on even
though the temperature is also over the setpoint it does not work either right so that's how simple it is you can today start creating your own PLC attacks ok let me stop this now [Music]
this was this was pretty fun and I had a
lot of fun creating this but I have one
more thing but those of you are fan of Steve Jobs this is where the best part happens right so let's talk about micro logics micro logics is a PLC from Alan Bradley and Rocco automation I don't know the history who ball who but they keep both names and so I just say both names but what are the fun facts about micro logics 1,400 serious you should be buying one today to hack it's pretty fun device right so first of all Iran's VxWorks VxWorks is one of the most popular real-time operating systems on the industry on it's on everything right including PLC's and there are a bunch of vulnerabilities reported for that device guess what I bet most of those works with Allen Bradley as well right it is one of the most popular Allen Bradley PLC you see that everywhere and it supports Modbus TCP that's why the injection attack worked this is my favorite feature it can be killed remotely by sending a bad Modbus packet this is great so let me talk about this
what I call micro logics deadly packets basically all it takes it's a trick the memory memory allocation algorithm of the micro logics PLC so what I do is I start a new transaction ID protocol of course is Modbus 0 0 and on the length field I say I'm I will need 20 256 bytes right but I only have 6 all right so it might try to allocate that much memory but it's only receiving less than that and right immediately after I start a new transaction ID where the length is the length of the previous packet and it's incomplete it stops at the unit ID so it makes the PLC confused with this memory management system and I caused a buffer overflow writing that that message on a different area of the device crashing the device and making it unrecoverable so let's try to do that
okay all right so just to check here
I should have everybody running Wow
I laughed at PLC on for too long all right so we're targeting Allen Bradley now it should be working fine so I'll just but in manual mode to prove like the heater is on heater is off everything should work beautifully Auto mode should keep the heater off let me just keep that on heater on so that will be more fun let me go it's hard to type
when your your hands are shaking it should be Allen Bradley exploit this is also available on my github so all the only argument it takes is the IP address of the PLC so all it does is send those two deadly packets and let's see what happens when I do it dead so you'll see right now that the PLC is not communicating anymore you see there's an exclamation point all around dead how cool is that right you can even try to press the buttons over there it's completely dead and you know the fun fact of it is if you if you power cycle it's still dead I just power cycled it and you will boot again it manages to boot again but the fault led keeps on for some reason so yeah it is booting up and you still see the exclamation points here you will see it till the end of the presentation so the point the problem is that that application got corrupted so the plc cannot launch it again the fault mode is always on the only way to make it work again is to reprogram it with the latter logic this is creepy right so if you lost the ladder logic you screwed please don't send it on on the wild there are too many micro logics PLC's out there all right let's behave okay let me see if I have
something else this is a problem that
affects all micro logics 1,400 serious I don't know about others because I'm not rich to buy all the PLC's but I bet it also affects some other related series like 1100 and so I talked to Alan Bradley through ics-cert we published this vulnerability and they are really nice they responded back and tried to work with me to create a patch so they they released recently about a few months ago a firmer update this firmware update fixes this vulnerability although it's a pain to update it I spent like half an hour trying to do that and I'm supposed to be a security expert imagine people all in the field what they will do to try to update this thing they want right they won't stop their factory to update them their PLC firmers hopefully the new PLC's that will be sell sold now will have this new update already built in they are other mitigations were please disable modbus/tcp this is not a fix dude if you're disabled to protocol you're not fixing it you're just disabling it right so this mentality is common for all the PLC vendors that I usually talk to minimize network exposure but PLC's behind a firewall so basically what what they're telling you is the security is on you right we don't provide security you're freakin alone so try to do your best these are good practices but I honestly believe that a PLC the device itself should provide any sort of security and
one last thing all right
Schneider that's there is a special reason why I brought the Schneider PLC with me the Schneider has a protocol that is common to all the maric?n family I think other families also use this it's called unity protocol at least me and some other researchers are working with this call it unity or yuma's you might hear both names and this protocol is obscure it is undocumented it runs on top of Modbus TCP so you have a normal mode by transaction but one you have a function code zero x5a this is X exit decimal four five eight this triggers the sub protocol that runs on the data field of the Modbus frame and the for the Modbus documentation 5a is a reserved function code for specific vendor specific functions right and this is nice part this protocol is used to configure and monitor the PLC down to the operating system level you can do a total memory dump using this protocol right you can get the freaking operating system image using that so this is this is crazy right it's proprietary and undocumented so they try to make secure by obscurity but that won't prevent us from figuring that out how it works so basically you need to have a bunch of function code so it's a function code inside a function code right you have the Modbus frame and then you have the unity frame and these are the function codes you can play with and I have to thank Louie's leaders he is a researcher on the same field we started talking and communicating like one year ago because I figured out he was working on the unity devices as well and we started contributing to each other and he has a very nice blog lettuce and allotted dot XYZ you go if you want you can go and check it out he has a step-by-step how he managed to get those function codes and reverse-engineer the DLLs for the so machine basic and and get that information so this is pretty cool and basically you can take a look at some messages here they are pretty cool like read memory block this is my favorite okay so but today given the time constraint will only play with a few of those so basically we'll start a communication init communication will read a project info to read some data about the project this is also cool take PLC reservation it means that the PLC needs to be connected to someone someone needs to reserve the PLC if you take the PLC reservation you're taking the other party down this is do s built in the protocol dudes this is what right so you just keep sending the steak PLC reservation and I think nobody else can connect so release PLC reservation you're releasing it because you just don't want to communicate anymore and start PLC and stop PLC will basic main functions to start and stop the PLC all right so [Music] let's play with it I'll just keep this slide open so we can play a little bit
with how it works is that up okay
so I created also a little software maricon tester I don't remember the name of the executable okay so this software was created in c-sharp inna hurry please don't look at the code it's messy but the good thing is it works and all I did was to create this thing to help me reverse engineer the protocol so it basically encapsulates my messages on the Modbus frame with the function code 5a so I can send anything and will be accepted as unity messages right so all you do you connect to the plc it's already set up with the m2 to one IP address and I connect and then it gives me the hexadecimal output and the ASCII related to that so let's start by starting our communication so every functional code has two bytes zero zero zero one and I'll end it with zero zero so it just gave me back a hi I'm here that's fine hello so let's go ahead and release PLC reservation if somebody was talking to it sorry and then I'll take the reservation 1000 and now the take reservation is an interesting thing I don't know if you can see it sorry I should have make it bigger but I'll promise I will read it right the message is is sending me back with the take PLC reservation it ends with a magic byte in this case it's 8e right it's even smaller for me so 8e I mean it's this magic byte that I need to send before any message that I want to send now on now that I have a session I have a reservation I have reserved the plc for me I will have to use this magic byte that means that before people were trying to do replay attacks so the replay attacks would be successful just because they didn't have any session management so you could just get messages that the main station was sending and just replay that and it would work now you need the session number but that won't prevent us from sending stuff right so now let's let's play with this I have 80 as my session number you can see here oh argent
allen-bradley is not talking still sorry sorry dude you can see that modicon is still working fine temperatures 40 degrees Celsius I can turn the heater on manually and off right it works so what I'll do here I will send stop PLC command so I need
to start with my 8 E and then the stop message is 41 it ends with FF 0 0 and let's see stopped now the PLC can still communicate but the heater is off I cannot turn it on I cannot turn it off I cannot put an auto or manual mode it's off how cool is that so just by sending a few messages I can have full control of the PLC but here comes my favorite feature of this protocol this is really interesting so I'm gonna use so machine basic here for
a second let me just create something
new so I'm just using their application to talk that this PLC over here right and when I click here it already identified my PLC I try to log in and it's trying to log in but this application is password-protected how come so I cannot access my PLC without the password if I try to type anything it won't give me access right all right what can we do about it ok let me get back to
my unity tester here so remember that message read project info for some reason that thing doesn't even require a session so I'll go ahead and send this zero zero no session zero three is the function code for that and zero zero zero zero will just get the header so let's see what comes out of it my header for the project that is stored on the PLC and this is the name of the project what is this yes the freaking password right so if I were Steve Jobs and I was working at Schneider I would say this is not a buck this is a feature what if you forgot the password the device needs to tell you that right so let's try it DEFCON is my password so when I type Def
Con boom I mean super hard right now I have full control of the PLC again using their own software just because I stole the password and it works I've tried with different slightly different types of maricon mm something serious and the same thing works so yeah you can play with that I can start the controller because I stopped it before and I can
see the programming on it yeah I have full access so this is pretty Alerus now
that's to show you how secure your PLC is and imagine that those things are controlling your nuclear power plants and your water filtration systems I'll just go live in a jungle so Schneider
also they were really nice I submitted this through ics-cert and they talked with me and we tried to come up with some mitigations and they they recommended the following things disable unity protocol this is the best mitigation ever so again you see a different vendor with the same mentality just turn that freaking thing off it doesn't work right they also recommended because of that password vulnerability and all of that they recommended to store your project files in secure access restricted restricted locations and encrypt your project files reputable third-party file encryption tools again they're giving you the responsibility to fix stuff to to secure your settings and this is pretty it gets me worried right and a little bit about what I plan to do in the future by the way I haven't
showed you this this is what open PLC
looks like this is a web interface that is running on the device so once installed a runtime you have that interface up and you can see your programs you can see your hardware you can even mess up with the code live
right so it's pretty cool and this thing
is also vulnerable and unsecure I created it to be like that because I'm trying to mimic what other vendors are doing so we can kind of research about it but my PhD thesis is about creating a secure version of open PLC that will try to prevent those types of attacks from happening okay so it was really fun to
be here at DEFCON today it was really an honor to me to be here and thank you very much for coming and staying with me
the Saturday morning if anybody have any questions [Applause]