CONFidence 2015: SCADA and mobile: security assessment of the applications that turns your smartphone into a factory control room - Alexander Bolshev, Ivan Iushkevich

Jul 28, 2015

PROIDEA
Page 1: CONFidence 2015: SCADA and mobile: security assessment of the applications that turns your smartphone into a factory control room - Alexander Bolshev, Ivan Iushkevich

Ivan ‘Steph’ Yushkevich, Alexander ‘dark_k3y’ Bolshev

Digital Security

SCADA AND MOBILE: SECURITY ASSESSMENT OF THE APPLICATIONS

THAT TURN YOUR SMARTPHONE INTO A FACTORY CONTROL ROOM

Page 2

; cat /dev/user

• Ivan ‘Steph’ Yushkevich:

Security Auditor @ Digital Security

Role: Mobile security guy

• Alexander ‘dark_k3y’ Bolshev

Security Researcher @ Digital Security, Ph.D., Assistant Professor @ SPb ETU

Role: Fuzzing && SCADA security guy

Page 3

Agenda

• Very Quick ICS 101

• Types of mobile ICS applications

• Testing approaches

• Example vulnerabilities and attacks

• Conclusion

Page 4

What is ICS

• ICS stands for Industrial Control System

• Today, ICS infrastructures are commonly used in every factory and even in your house, too!

• ICS collects data from remote stations (also called field devices), processes it, and uses automated algorithms or operator-driven supervisory control to create commands to be sent back

Page 5

ICS

Image sources: http://sub0day.com/wp-content/uploads/2015/01/asdC2121.jpg, http://www.paceindustrial.com/uploads/images/Controls/Industrial_System_Page.gif

Page 6

Typical ICS infrastructure

Diagram components (top to bottom): Corporate network (ERP, MES); Routers/Firewalls; OPC, SCADA/DCS, HMI, AMS; Industrial bus(es); PLC 1, PLC 2, 3…, PLC 7, 8…; Transmitters

Page 7

ICS 101 terms

• Transmitters/RTUs – work with real-world objects and parameters

• PLC (Programmable Logic Controller) -- digital system used for automation of typically industrial electromechanical processes

• SCADA – systems operating with coded signals over communication channels so as to provide control of remote equipment

• OPC – Open Platform Communications

• HMI – Human-machine interface

• MES – Manufacturing execution system

Page 8

Mobile Apps place in the ICS

Diagram zones: Internet; Corporate Network; SCADA servers; OPC, MES, Historians; PLCs…HMI. Mobile app positions marked on the diagram: (1) Mobile HMI panel, (2) Mobile OPC/MES client, (3) Remote SCADA client

Page 9

Mobile ICS Apps classification

• Control room applications: PLC configuration/interaction app, SCADA client, Mobile HMI panel

• MES/HMI/Historian clients

• Remote SCADA clients

Page 10

Control room applications

• Direct configuring/monitoring/supervising of the industrial process and/or its components

• Several types:

    • PLC configuration/interaction app

    • SCADA client

    • Mobile HMI panel

• These applications reside inside the “safe” (at least firewalled and separated) network of the control room

• Full or partial “local” control of the industrial process

source: http://www.centurioncontrols.com/sites/default/files/ControlRoom2.jpg

Page 11

OPC/MES/Historian clients

• Allow the engineer and process owner to read and interpret some data from middle-high level components of ICS

• Data is read-only; you don’t have direct access to the PLCs, HMIs, or SCADA apps -- your only ability is to read some variables or aggregated values

Page 12

SCADA remote control apps

• Applications that allow remote (outside of the safe perimeter or even the plant network) monitoring/controlling of the industrial process

• For ALL applications in this group, we found pictures/schemes/architecture sketches/documents from the vendor where the mobile app is shown as a remote control client outside of the plant network (high-low levels)

Page 13

Typical attack vectors

• Smartphone/tablet loss

• MitM attack (public Wi-Fi, GSM/GPRS)

• “Unlocked phone on the table”

• SD card data compromise (another app/virus/USB connection to PC)

• Server compromise via remote bug (SQLinj/DoS)

Page 14

Main threats

Control room app:

    • server DoS or compromise

    • lack of server-side data validation in terms of the industrial process

    • compromise of stored data that could lead to interface/feature modification (HMI apps)

    • client-side DoS

MES/OPC/Historian client:

    • process data leak through a protocol vulnerability

    • server DoS or compromise

    • client-side DoS or compromise

    • deceiving the operator for hiding alarms

SCADA remote control app:

    • process compromise through a protocol or application vulnerability

    • lack of server-side data validation in terms of the industrial process

    • process compromise through a server bug

    • client-side DoS or compromise

Page 15

Test steps

Analysis according to Test Checklist

Client and server fuzzing

Deep analysis with reverse-engineering

Page 16

Checklist

Application:

    • Purpose of app: SCADA/HMI/PLC/OPC/etc.

    • Permissions

    • Password protection

    • Native code

    • Web-based components

Protocol:

    • Authentication

    • Tokens/cookies/sessions

    • SSL

    • XML

    • Server API

Storage:

    • Connection strings/passwords

    • Data/projects/HMI interfaces etc.

Page 17

Fuzzing

• Some applications used vendor-specific protocols for interactions between client and server

• Full reverse-engineering of such protocols could take infinite time

• To make testing them easier, we used fuzzing

Page 18

UIautomator

• Fuzzing requires regular communications between mobile app and server

• Problem: mobile app is a GUI app. In most cases, it won’t interact with server without the user’s command

• Solution: use Android UIAutomator (GUI testing tool) to emulate the user‘s taps in the mobile app

Page 19

Native UIs

• Problem: many mobile SCADA apps use native code (C++ or Delphi, arm7eabi). GUIs of such applications also use native elements. UIautomator standard methods have no support for them

• Solution: simple custom extension of UIautomator

• Method:

    • Do a first round of fuzzing with no mutations (with correct data)

    • Capture a series of screenshots during the first round and put them in a cache

    • On the next round, where crashes/disconnects could occur, detect them by comparing the current screen with the appropriate screen in the cache

Page 20

Fuzzing architecture

Diagram components: Server (SCADA, demo application, PLC, etc.); Fuzzed application; Fuzzing proxy (erlamsa); GuiTesterLib; UDP, Erlang objects; GUI test scenario (Erlang); UIautomator app

Page 21

Test scenario example

    %% Erlang GUI test scenario driving the app through the UIautomator
    %% extension (nuitestclient). run_logoapp/1 and the fuzz/3 clause for a
    %% matching screen are not shown on the slide.
    show_status_window(S) ->
        {ok} = nuitestclient:send_cmd(S, {click, 200, 600}, 3000),
        {ok} = nuitestclient:send_cmd(S, {click, 200, 350}, 3000).

    prepare(IP, Port) ->
        S = nuitestclient:connect(IP, Port),
        run_logoapp(S), timer:sleep(5000),
        %% first round: store the known-good screen in the cache
        {ok} = nuitestclient:send_cmd(S, {putscreenoncache, "working"}, 5000),
        S.

    %% the last comparison failed: relaunch the app and re-check the screen
    fuzz(S, false, FailCnt) ->
        io:format("Relaunching...~n"),
        {ok} = nuitestclient:send_cmd(S, {click, 358, 463}, 3000),
        timer:sleep(1000), show_status_window(S), timer:sleep(1000),
        {ok, Res} =
            nuitestclient:send_cmd(S, {comparescreenoncache, "working"}, 5000),
        fuzz(S, Res, FailCnt + 1).
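A Python model of the screenshot-cache check used by the scenario above and described on the Native UIs slide; this is an added example, not the authors' Android NativeUI extension. Screens are constructed grayscale grids, and put_screen_on_cache, compare_screen_on_cache and fuzz_round are assumed names mirroring the putscreenoncache/comparescreenoncache commands.

```python
"""Screenshot-cache crash detection, modelled on the talk's UIautomator
extension: round 1 runs the GUI scenario with correct data and caches the
expected screens; later rounds flag a screen that no longer matches."""
from typing import Dict, List, Tuple

Screen = List[List[int]]  # constructed: rows of grayscale pixels, 0..255

def put_screen_on_cache(cache: Dict[str, Screen], name: str, screen: Screen) -> None:
    """Counterpart of the {putscreenoncache, Name} command (assumed name)."""
    cache[name] = [row[:] for row in screen]

def screen_diff_ratio(a: Screen, b: Screen, threshold: int = 32) -> float:
    """Fraction of pixels whose intensity differs by more than `threshold`.
    A size mismatch (orientation change, missing window) is fully different."""
    if len(a) != len(b) or any(len(r) != len(s) for r, s in zip(a, b)):
        return 1.0
    total = sum(len(r) for r in a)
    changed = sum(1 for r, s in zip(a, b)
                  for x, y in zip(r, s) if abs(x - y) > threshold)
    return changed / total if total else 1.0

def compare_screen_on_cache(cache: Dict[str, Screen], name: str,
                            screen: Screen, max_diff: float = 0.05) -> bool:
    """Counterpart of {comparescreenoncache, Name}: True while the app still
    shows the cached screen; the tolerance absorbs small dynamic areas."""
    return screen_diff_ratio(cache[name], screen) <= max_diff

def fuzz_round(cache: Dict[str, Screen], name: str,
               screens: List[Screen]) -> Tuple[int, List[int]]:
    """Mirror of the fuzz/3 loop: after each mutated message the scenario
    re-opens the status window and compares it with the cache.
    Returns (failure count, indexes of the cases that broke the UI)."""
    failures = [i for i, scr in enumerate(screens)
                if not compare_screen_on_cache(cache, name, scr)]
    return len(failures), failures

def make_screen(w: int, h: int, fill: int, patch=None) -> Screen:
    """Constructed sample screen: uniform fill plus an optional rectangle
    given as (x0, y0, x1, y1, value)."""
    scr = [[fill] * w for _ in range(h)]
    if patch:
        x0, y0, x1, y1, val = patch
        for y in range(y0, y1):
            scr[y][x0:x1] = [val] * (x1 - x0)
    return scr

def demo() -> Tuple[int, List[int]]:
    cache: Dict[str, Screen] = {}
    put_screen_on_cache(cache, "working", make_screen(40, 20, 200, (30, 0, 40, 2, 50)))
    cases = [
        make_screen(40, 20, 200, (30, 0, 40, 2, 60)),   # only the clock digits changed
        make_screen(40, 20, 0),                          # app crashed: black screen
        make_screen(40, 20, 200, (0, 5, 40, 15, 255)),   # "connection lost" dialog
        make_screen(40, 20, 200, (30, 0, 40, 2, 50)),    # normal again after relaunch
    ]
    return fuzz_round(cache, "working", cases)  # -> (2, [1, 2])
```

The test case whose index is reported is the one worth saving and replaying outside the fuzzing loop; a real harness would also keep the screenshot that triggered the mismatch.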

Page 22

Fuzzing in progress

Page 23

List of analyzed applications

• Afcon Pulse

• Autobase SCADA

• CyBroDroid

• Ellat SCADA

• HMI MASTER

• HMI OBA7

• MiScout

• OPC XML DA client

• OPC XML DA Explorer

• PLC-5 HMI

• Pro-face Remote HMI

• ProficySCADA

• Prosys OPC UA client lite

• S7 Android

• Movicon Progea Web Client

• ScadaTouch

• Siemens LOGO! App

• Wagoid

• Watch*IT

• WHS Live Light

Legend (categories are colour-coded on the slide): Control room app; OPC/MES/Historian client; Remote SCADA client

Page 24

Test results summary

Chart data:

    Category               Vulnerabilities  Weaknesses
    Control-room apps      2                4
    OPC/Historian clients  2                12
    SCADA remote clients   9                21

Page 25

Test results summary

    Vulnerability/weakness                      Control room app  OPC/MES client  Remote SCADA client
    No authentication                           n/a               3               3
    Username-only auth                          0                 0               1
    Plain text auth                             0                 0               2
    Weak hashes                                 0                 0               2
    Insufficient check of input process values  n/a               0               1
    Built-in crypto keys                        0                 1               3
    Weak SSL                                    0                 1               2
    SQL injection                               1                 1               0
    No password protection                      4                 5               4
    Plain text protocol                         0                 3               4
    DoS                                         1                 0               3
    SD card storage                             2                 0               3

Page 26

But… responsible disclosure

Page 27

Authentication problems

Page 28

Plain text authentication

Page 29

Username-only authentication

Page 30

Built-in cryptokeys

Page 31

Weak hashes

Let p_i be the password symbols, then:

2^25 is easily crackable on most modern computers

Page 32

Server-side Denial of Service

Page 33

Client-side Denial of Service

Page 34

Double free(..)?

Page 35

Attack 1

Insufficient validation of input parameters from mobile app

• The attacker should:

• Either be connected to the network with the target client/server (in case of control room application)

• Or know the remote control SCADA endpoint (server address) and have valid logon credentials

• E.g. a potential victim uses his smartphone with a public Wi-Fi AP (e.g. in a restaurant or trade center). If there is no encryption (or it is weak/vulnerable), the attacker could MitM into the connection with the server (using, for example, ARP spoofing). When a legitimate request goes to the system, it can be modified
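The server-side check that the "insufficient validation of input parameters" finding calls for, as an added example; it is not code from the talk or from any of the tested products. The tag names under the c8785. prefix, their limits and the current process values are constructed, and validate_write/validate_query are assumed names.

```python
"""Server-side validation of tag writes from a mobile SCADA client.
Added example: each value in a request query string is checked against the
tag's engineering limits and a maximum step before the server applies it."""
from dataclasses import dataclass
from math import isfinite
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

@dataclass(frozen=True)
class TagLimits:
    lo: float        # engineering range of the tag
    hi: float
    max_step: float  # largest change a single request may apply

# Constructed tag table; the real parameter names are removed from the talk's
# request, only the "c8785." prefix is visible there.
TAGS: Dict[str, TagLimits] = {
    "c8785.setpoint": TagLimits(0.0, 1000.0, 100.0),
    "c8785.valve_pct": TagLimits(0.0, 100.0, 25.0),
}
# Constructed current process values the server knows for each tag.
CURRENT: Dict[str, float] = {"c8785.setpoint": 450.0, "c8785.valve_pct": 40.0}

def validate_write(tag: str, raw: str, tags: Dict[str, TagLimits] = TAGS,
                   current: Dict[str, float] = CURRENT) -> Tuple[bool, str]:
    """Return (accepted, reason) for one tag=value pair."""
    if tag not in tags:
        return False, "unknown tag"
    try:
        value = float(raw)
    except ValueError:
        return False, "not a number"
    if not isfinite(value):          # float() accepts "nan" and "inf"
        return False, "not finite"
    lim = tags[tag]
    if not lim.lo <= value <= lim.hi:
        return False, f"out of range [{lim.lo}, {lim.hi}]"
    if abs(value - current[tag]) > lim.max_step:
        return False, f"step larger than {lim.max_step}"
    return True, "ok"

def validate_query(query: str) -> List[Tuple[str, bool, str]]:
    """Check every pair of a query string shaped like the talk's
    GET /scgi/?<tag>=<value>& request; the server should apply only the
    writes flagged True and log the rest."""
    return [(tag, *validate_write(tag, raw))
            for tag, raw in parse_qsl(query, keep_blank_values=True)]

if __name__ == "__main__":
    for line in validate_query("c8785.setpoint=26999&c8785.valve_pct=55&"):
        print(line)
```

Rejected writes are where an operator-facing alarm and a server-side log entry belong, since a modified request of this kind is otherwise indistinguishable from a legitimate one.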

Page 36

Attack 1: query

    GET /scgi/?c8785.<removed>=26999& HTTP/1.1
    Cookie: sessionid=98aec9bc19d2bed32d3cc9a1140920e2
    Host: <removed>
    Proxy-Connection: close
    Connection: close

Page 37

Attack 1: results

Page 38

Attack 2

Compromising HMI storage

• Several applications store HMI databases (circuits, interfaces, connection parameters, and HMI projects) on SD card

• If HMI project data is somehow compromised (virus, another application vulnerability, direct access to the SD card from a PC, etc.), the attacker can slightly reconfigure or change its interface. They could replace component events and logic, or, for example, sensor data sources

• The unsuspecting operator is “compromised” now and could make a wrong decision

Page 39

Original HMI interface

Page 40

HMI project storage

Page 41

HMI project file format

Page 42

Changed HMI panel

Page 43

Attack 2: …

original pic source: http://www.smartcityexpo.com/new_products/-/newness/955751/Afcon-s-Pulse-Mobile-2-0-for-cities?return=microsite

Page 44

Conclusions

• 20 Android applications for ICS reviewed

• Not even one was free of weaknesses and/or vulnerabilities

• The most dangerous consequence of these vulnerabilities is “compromising” the operator per se, i.e. giving them a false understanding of the current industrial process state

• SCADA and ICS came to the mobile world recently, but brought old approaches and weaknesses. Hopefully, due to the rapidly developing nature of mobile software, all these problems will soon be gone

Page 45

Used tools

• Fuzzing: erlamsa + Android UIAutomator + Android NativeUI automator extension

• Reverse-engineering: jd-gui, r2

• Misc: Wireshark

• Proxies: ProxyDroid, BurpSuite, Erlamsa built-in proxy

Page 46

Links

• http://github.com/Darkkey/AndroidHMISecurity -- up-to-date whitepaper, sources & binaries of Android NativeUI (will be published by June 17)

• http://github.com/Darkkey/erlamsa -- erlamsa mutational-based fuzzer (fork of radamsa)

Page 47

Thanksgiving service

• Dmitry ‘D1g1’ Evdokimov for “some binary magic” and great help in reverse-engineering ARM native code

• Marina Krotofil for some threat ideas

Page 48

Q&A

http://dsec.ru

@dsecru

@dark_k3y