cyber security lecture at rah rah 7

Cyber Defense Group. Contemporary threats to critical and mobile infrastructures: Are we soon deaf, blind and muted? ANSES Rah Rah 7, Singapore, January 2010. Filip Maertens, Avydian Cyber Defense

Upload: filip-maertens

Post on 20-Aug-2015


TRANSCRIPT

Page 1: Cyber Security Lecture at Rah Rah 7

Cyber Defense Group

Contemporary threats to critical and mobile infrastructures. Are we soon deaf, blind and muted? ANSES Rah Rah 7, Singapore, January 2010. Filip Maertens, Avydian Cyber Defense

Page 2: Cyber Security Lecture at Rah Rah 7

Agenda

➤ About the speaker
➤ Critical Infrastructures: state of affairs
➤ Trending threats for critical infrastructures
➤ The imminent risk of our mobile networks
➤ What are we up against?

Page 3: Cyber Security Lecture at Rah Rah 7

About the speaker

➤ CEO and Founder, Avydian Cyber Defense Group
➤ President Cyber-Security at European Corporate Security Association
➤ Cybercrime investigator
➤ CISSP, CISM, CISA, CPO, CFE and CCSP ("certified common sense practitioner")
➤ MSc. Information Risk and BSc. Information Operations
➤ Guest professor on capita selecta on Cyber Warfare
➤ Cyber Security Auditor & Advisor for <this_is_where_you_go_bleep>

Page 4: Cyber Security Lecture at Rah Rah 7

Critical Infrastructures: state of affairs

(no, not another stuxnet talk)

Page 5: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ Where do we find IT components and other modern technologies within critical infrastructures:
  ➤ Nuclear, oil and gas industry
  ➤ Air traffic and railways
  ➤ Power generation, transmission and metering
  ➤ Water management
  ➤ Satellites

Page 6: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ What do industrial systems do for you?
  ➤ Supply power to your home
  ➤ Provide drinkable water to your home
  ➤ Traffic lights
  ➤ Control commuter trains
  ➤ Regulate the air conditioning in the office
  ➤ Ensure you can make mobile and landline phone calls
  ➤ …

Page 7: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ But, let's not cry wolf:
  ➤ 2003 U.S. East Coast blackout
  ➤ 2008 Spanair crash
➤ Who benefits from FUD:
  ➤ IT Security: New Business = Profit (2016: 7 billion USD)
  ➤ Safety: Loss of Business = Loss
➤ Reliable incident reports are what we need!

Page 8: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

Page 9: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ Basic SCADA architecture:
  ➤ Human Management Interface (HMI)
  ➤ Remote Terminal Unit (RTU)
  ➤ Programmable Logic Controller (PLC)
  ➤ Communication Infrastructure
➤ Typical SCADA protocols:
  ➤ Raw data protocols: modbus, DNP3, …
  ➤ High level protocols: ICCP, OPC, …

Blaster

Page 10: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ 0.01% of recorded incidents (that make you think):
  ➤ 2000, Russian hackers seized control of the gas pipeline network
  ➤ 2003, Ohio Davis-Besse nuclear plant safety monitoring system down for five hours
  ➤ 2007, simple PING sweep activated robotic arm (huh? Simple PING?)
  ➤ 2010, Stuxnet incident
➤ Main scenario is where viruses degrade the system to make it useless:
  ➤ 2005, Windmill incident, Belgium

Page 11: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ Some basic tests you can use against your system:
  ➤ nmap -sV -A
  ➤ ping -f -s >56200
  ➤ Traffic > 10 Mb/s
  ➤ SQL injection through the HMI
  ➤ Usage of simple passwords
  ➤ Using Sentient Hyper-Optimized Data Access Network (SHODAN) as search engine
➤ As of 2008, Metasploit Framework has SCADA testing modules built-in

Page 12: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ Some of the common SCADA challenges we experience:
  ➤ Security patching (problem in IT, nightmare in SCADA)?
  ➤ Authentication of machines? Logging?
  ➤ Encryption?
  ➤ Authorization for transactions / commands? Remote login?
  ➤ Code review and secure development?
  ➤ Protocol specific firewalls?
➤ Many challenges!
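An added example, not from the talk: a minimal Modbus/TCP command-authorization filter in Python, of the kind a protocol-specific firewall in front of a PLC would apply to the "authorization for commands" and "logging" challenges listed above. It parses the clear-text MBAP header, lets read function codes through from any host, permits write function codes only from an assumed HMI address to an assumed unit id, and returns a loggable reason for every drop; the addresses, unit id and policy are constructed assumptions, not from the talk.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes, split into read-only and state-changing.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumed site policy (constructed): only the HMI host may write, and only to unit id 1.
POLICY = {"write_allowed_from": {"10.0.0.10"}, "write_allowed_units": {1}}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def decide(src_ip: str, frame: bytes) -> tuple:
    """Return (verdict, reason) for one request frame seen from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    if req.function in READ_FUNCTIONS:
        return "ALLOW", READ_FUNCTIONS[req.function]
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if src_ip not in POLICY["write_allowed_from"]:
            return "DROP", f"{name} from unauthorised host {src_ip}"
        if req.unit_id not in POLICY["write_allowed_units"]:
            return "DROP", f"{name} to unauthorised unit {req.unit_id}"
        return "ALLOW", f"{name} from {src_ip}"
    # Diagnostics, vendor-specific and unknown codes are denied by default.
    return "DROP", f"function code {req.function} not in allow-list"

def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    poll = build_frame(1, 1, 3, b"\x00\x00\x00\x0a")  # constructed read of 10 registers
    print(decide("10.0.0.55", poll))
```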

Page 13: Cyber Security Lecture at Rah Rah 7

Critical infrastructures: state of affairs

➤ It's an emerging trend, so we are scared and we have poor risk management abilities.
➤ Estimate the risk:
  ➤ Q: How many people are killed by sharks in the U.S.? A: 40
  ➤ Q: How many people are killed by pigs in the U.S.? A: 23.589
➤ Estimate the impact (today) of:
  ➤ Q: Terrorists?
  ➤ Q: Cyber-terrorists?

Page 14: Cyber Security Lecture at Rah Rah 7

"There is no cause for panic nor cause to ignore the issue"

We should be concerned. And so we are. That's good.

Page 15: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

Page 16: Cyber Security Lecture at Rah Rah 7

Before: proprietary, isolated, obscure and robust

Trend: documented, standardized, connected and open

Page 17: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

➤ Industry standards take security into consideration:
  ➤ BS7799 / ISO 27000: Information security management systems; specification with guidance for use
  ➤ NISTIR 7628: Guidelines for Smart Grid Cyber Security v1.0
  ➤ ANSI/ISA S.99.1: Security for Manufacturing and Control Systems
  ➤ ANSI/ISA SP99 TR2: Integrating Electronic Security into the Manufacturing and Control Systems Environment
  ➤ ISO/IEC 15408: Common Criteria
  ➤ CIDX: Chemical Industry Data Exchange, Vulnerability Assessment Methodology (VAM) Guidance
  ➤ ISPE/GAMP4: Good Automated Manufacturing Practices
  ➤ NIST System Protection Profile for Industrial Control Systems (SPP-ICS)
  ➤ PCSF Process Control System Forum; NERC standards; AGA standards; NISCC Guidelines

Page 18: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

➤ Root causes for SCADA vulnerabilities today (and tomorrow):
  ➤ ISO 27000 vs. ISA-99.00.01 have contradicting priorities; SCADA wants AIC, while INFOSEC wants CIA
  ➤ The human communication conflict: INFOSEC and SCADA people just don't understand each other!
➤ The human element remains a largely ignored weakness:
  ➤ You get bored at night, right?
  ➤ You want to browse the Internet on your shift, right?
  ➤ You want to logon from your home to the HMI, right?

Page 19: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

➤ Bad Trends Top 5: things that probably will stay around for a while
  ➤ Office Automation and Industrial Networks become connected
  ➤ Cyber Security remains an afterthought during design of solutions
  ➤ Protocols are in clear-text (speed reasons)
  ➤ Inadequately developed firewalls that natively speak SCADA protocols
  ➤ Insecure coding practices
➤ Old protocols, old systems:
  ➤ Basic hacking techniques most likely will work

Page 20: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

➤ Focus on Top 3 Critical Infrastructures: Oil and Gas; Smart Grid; Telecommunication

Page 21: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

➤ Ongoing developments: Smart Grids / Smart Metering
  ➤ Metering and control of intelligent electricity delivery to the household
  ➤ Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid, as a guideline on best practices (actually, pretty good)
➤ High priority on security: the U.S. National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism has stated that a cyber attack aimed at energy infrastructure "could disable trains all over the country and it could blow up pipelines. It could cause blackouts and damage electrical power grids… It could wipe out and confuse financial records… It could do things like disrupt traffic in urban areas by knocking out control computers. It could… wipe out medical records."

Page 22: Cyber Security Lecture at Rah Rah 7

Trending threats for critical infrastructures

[Cycle diagram, box labels only:]
  Replace existing SCADA systems with new solutions
  New SCADA based solutions are deployed in society
  Improvement of SCADA security controls
  Controlled Industrial Environment

Page 23: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks

Page 24: Cyber Security Lecture at Rah Rah 7

"If you have the ability to deliver a reasonably strong radio signal, then those around you are compromised. Any information that goes across a cell phone you can now intercept. Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."

Page 25: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks

➤ Security by obscurity:
  ➤ GSM is one of the oldest protocols (and most insecure; it's like telnet)
  ➤ Extremely little scrutiny on 3G/GSM protocols
  ➤ Only 4 closed-source GSM stacks produced
  ➤ GSM chipset makers never release any hardware documentation
  ➤ Access to firmware source (3.5G baseband codes) is only… some lucky few
  ➤ Prices for BTSs, etc. are very steep
➤ Open source research is on its way (and advancing rapidly)!

Page 26: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks

➤ GSMA is not too worried, though:

"… intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data." GSMA, Aug 2009

✓ Underestimated complexity: ability to decrypt A5 family in (near) real time (2009)
✓ Underestimated complexity: IMSI catching, bypass A3/A8, … (2010)
✓ Radio receiver system: USRP / USRP2 + GNUradio + OpenBTS (you know, the software)

Page 27: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks

➤ Become your own operator:
  ➤ Universal Software Radio Peripheral
  ➤ GNUradio Project
  ➤ OpenBTS / OpenBSC / SMSqueue
  ➤ OsmocomBB
  ➤ Asterisk
➤ Under 1.500 USD you cover up to 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900).

[Figure labels: USRP, 800 USD; 52 MHz, 37 USD; Trixie, Priceless; R/TFX900, 175 USD]

Page 28: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks

➤ Or become your own DIY mobile intelligence unit:
  ➤ 4 x USRP2 (Xilinx Spartan FPGAs)
  ➤ 4 x quad core i7 CPUs
  ➤ 2 x nvidia Tesla CUDA C2070 cores
  ➤ Power generator + antennas
  ➤ 4 TB storage
➤ Costs about 20.000 USD. Cheap, eh?

Page 29: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks

➤ The mobile network threat vectors:
  ➤ Confidentiality: Active Intercept; Passive Intercept; IMSI Catching; Location Monitoring
  ➤ Availability: Power Jamming; Call Blackholing
  ➤ Integrity: Inserting audio streams; Fuzzing GSM handsets

Page 30: Cyber Security Lecture at Rah Rah 7

"Cell phones behave like ducks"

(you may quote me on this)

Page 31: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (confidentiality)

If it looks like a duck, walks like a duck, talks like a duck = it's a duck!

[Figure labels: MCC=525, MNC=010; Handset registers to who?; This is where you do "Hello"; ?]

Page 32: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (confidentiality)

➤ Listening in on phone calls + SMS ("unlawful intercept"):
  ➤ Using the Berlin A5 Codebooks (2.3 TB)
  ➤ Decode A5.1 within seconds / minutes
➤ Active intercept:
  ➤ Active downgrade of A5.1/.2/.3 to A5.0
  ➤ OpenBTS + Asterisk
  ➤ Basically, man-in-the-middle attack on GSM
➤ Passive intercept:
  ➤ Time-Memory Tradeoff Attack
  ➤ OpenBTS + Airprobe
  ➤ Decryption required

Page 33: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (confidentiality)

➤ How handsets get connected to a rogue base station so an attacker can intercept:
  ➤ Receive gain override ("so, you are a 100 dB tower?") (used for IMSI catchers by R&S)
  ➤ Changing LAC (Location Area Code) to entice handsets to handoff to new (your) BTS
  ➤ Short jam burst, so handsets are forced to execute handset power-up process
  ➤ Continuous jam of 3G bands, so fail-over to GSM

Page 34: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (confidentiality)

➤ Remote and local tracking of users, using a blend of RRLP, GPS, GSM, SMS, mobile applications and Google technologies:
  ➤ Google GSM Geolocation API (not Latitude)
  ➤ Cell-locations stored on local smartphones
  ➤ Using applications to covertly send out logs

Page 35: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (availability)

➤ By accident: jammed my neighborhood in an 800 m radius using GNUradio, 2 W and a noise generator => Impossible to defend!
➤ Purposeful:
  ➤ Camping GSM signals and sink-holing them
  ➤ Noise generators in the GSM spectrum
  ➤ Frequency division duplexing flooding
  ➤ Sending IMSI DETACH messages
  ➤ Channel Request Flooding of the RACH

Page 36: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (availability)

➤ Channel Request Flooding of the Random Access Channel (RACH) burst:
  ➤ Anonymous attack
  ➤ Successfully executed under a few seconds
  ➤ Cell-phone registers (Channel Request); when the channel is not established (time-out), the channel is released by the BSC
  ➤ Only affects one BTS at a time

Page 37: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (availability)

DoS

Page 38: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (availability)

➤ Isolated noise output test: 892 mode test
➤ Results:
  ➤ Upset neighbors, but peace of mind
  ➤ Completely knocked out the 850/900 GSM signal in 800 meter radius, using a short (45 sec) burst
➤ Test (but I'm not doing it):
  ➤ 100 W amplifier (450 USD) (1.500 W HAM limit!!)
  ➤ Will knock out GSM/3G/CDMA over a large section of Singapore

Page 39: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (integrity)

➤ Manipulating voice conversations
➤ Active interception required, as we do not modify the GSM signal, but ulaw data packets:
  ➤ Should be easy to manipulate (given IMSI spoofing)
  ➤ No practical usage, unless you really want to annoy people :-)
➤ … manipulating SMS messages, however, is a threat (OTP over SMS, anyone?).

Page 40: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (integrity)

Free McDonalds!

Page 41: Cyber Security Lecture at Rah Rah 7

The imminent threat of our mobile networks (integrity)

➤ Fuzzing target:
  ➤ GSM stack in baseband processor
  ➤ GSM function libraries in operating system
➤ Fuzzing results after one month (using scapy):
  ➤ iPhone iOS 4.2, already 2 crashes
  ➤ Windows Mobile 7, already 5 crashes
  ➤ Android 2.2, already 3 crashes
➤ Not sure if they are exploitable yet.

Page 42: Cyber Security Lecture at Rah Rah 7

What are we up against?

Page 43: Cyber Security Lecture at Rah Rah 7

What are we up against?

➤ Vital and critical infrastructures keep humans safe, alive and comfortable, but:
  ➤ Closed source protocols are being leveraged over vulnerable transportation media and protocols (think TCP/IP, RPC, …)
  ➤ Full disclosure research increasingly brings exploits and vulnerabilities into the open
  ➤ It is 100% a target of terrorist attacks and asymmetric warfare tactics
  ➤ A lot of Fear, Uncertainty and Doubt (FUD)

Page 44: Cyber Security Lecture at Rah Rah 7

What are we up against?

➤ Mobile telecommunications and wireless technologies are connecting everyone and everything, yet they are mostly based on insecure protocols:
  ➤ SCADA systems using GSM for large plant coverage
  ➤ SCADA systems using Bluetooth (e.g. smart meters)
  ➤ SCADA systems using Wi-Fi / ZigBee protocols
➤ Our day-to-day lives and safety inherently depend on IT systems and networks (*gulp*)

Page 45: Cyber Security Lecture at Rah Rah 7

What are we up against?

➤ Hackers will continue to attack embedded and industrial systems ("stuxnet is only the beginning").
➤ Within five years, a large scale electronic attack will disrupt a modern society to its inner fabric.
➤ Security industry will need to rapidly embrace industrial standards and collaborate on establishing secure and robust protocols.

Page 46: Cyber Security Lecture at Rah Rah 7

"Unless cyber security controls can guarantee our safety, it is irresponsible to merge industrial protocols with vulnerable IT technologies (law of weakest link)"

(you may quote me on this one too)

Page 47: Cyber Security Lecture at Rah Rah 7

If not, one day we will wake up and find ourselves:

deafened

blinded

and muted

Page 48: Cyber Security Lecture at Rah Rah 7

Contemporary threats to critical and mobile infrastructures. Are we soon deaf, blind and muted? ANSES Rah Rah 7, Singapore, January 2010. Thank you.