cyber security lecture at rah rah 7
TRANSCRIPT
Cyber Defense Group
Contemporary threats to critical and mobile infrastructures: Are we soon deaf, blind and muted?
ANSES Rah Rah 7, Singapore, January 2010
Filip Maertens, Avydian Cyber Defense
Agenda
➤ About the speaker
➤ Critical infrastructures: state of affairs
➤ Trending threats for critical infrastructures
➤ The imminent risk of our mobile networks
➤ What are we up against?
About the speaker
➤ CEO and Founder, Avydian Cyber Defense Group
➤ President Cyber-Security at the European Corporate Security Association
➤ Cybercrime investigator
➤ CISSP, CISM, CISA, CPO, CFE and CCSP (“certified common sense practitioner”)
➤ MSc. Information Risk and BSc. Information Operations
➤ Guest professor on capita selecta on Cyber Warfare
➤ Cyber Security Auditor & Advisor for <this_is_where_you_go_bleep>
Critical Infrastructures: state of affairs
(no, not another Stuxnet talk)
Critical infrastructures: state of affairs
➤ Where do we find IT components and other modern technologies within critical infrastructures:
➤ Nuclear, oil and gas industry
➤ Air traffic and railways
➤ Power generation, transmission and metering
➤ Water management
➤ Satellites
Critical infrastructures: state of affairs
➤ What do industrial systems do for you?
➤ Supply power to your home
➤ Provide drinkable water to your home
➤ Traffic lights
➤ Control commuter trains
➤ Regulate the air conditioning in the office
➤ Ensure you can make mobile and landline phone calls
➤ …
Critical infrastructures: state of affairs
➤ But, let’s not cry wolf:
➤ 2003 U.S. East Coast blackout
➤ 2008 Spanair crash
➤ Who benefits from FUD:
➤ IT Security: new business = profit (2016: 7 billion USD)
➤ Safety: loss of business = loss
➤ Reliable incident reports are what we need!
Critical infrastructures: state of affairs
➤ Basic SCADA architecture:
➤ Human-Machine Interface (HMI)
➤ Remote Terminal Unit (RTU)
➤ Programmable Logic Controller (PLC)
➤ Communication infrastructure
➤ Typical SCADA protocols:
➤ Raw data protocols: Modbus, DNP3, …
➤ High-level protocols: ICCP, OPC, …
Blaster
Critical infrastructures: state of affairs
➤ 0.01% of recorded incidents (that make you think):
➤ 2000, Russian hackers seized control of the gas pipeline network
➤ 2003, Ohio Davis-Besse nuclear plant safety monitoring system down for five hours
➤ 2007, a simple PING sweep activated a robotic arm (huh? a simple PING?)
➤ 2010, Stuxnet incident
➤ The main scenario is viruses degrading the system until it is useless:
➤ 2005, windmill incident, Belgium
Critical infrastructures: state of affairs
➤ Some basic tests you can use against your system:
➤ nmap -sV -A
➤ ping -f -s >56200
➤ Traffic > 10 Mb/s
➤ SQL injection through the HMI
➤ Use of simple passwords
➤ Using SHODAN (“Sentient Hyper-Optimized Data Access Network”) as a search engine for Internet-exposed systems
➤ As of 2008, the Metasploit Framework has SCADA testing modules built in
Critical infrastructures: state of affairs
➤ Some of the common SCADA challenges we experience:
➤ Security patching (a problem in IT, a nightmare in SCADA)?
➤ Authentication of machines? Logging?
➤ Encryption?
➤ Authorization for transactions / commands? Remote login?
➤ Code review and secure development?
➤ Protocol-specific firewalls?
➤ Many challenges!
Critical infrastructures: state of affairs
➤ It’s an emerging trend, so we are scared and we have poor risk management abilities.
➤ Estimate the risk:
➤ Q: How many people are killed by sharks in the U.S.? A: 40
➤ Q: How many people are killed by pigs in the U.S.? A: 23,589
➤ Estimate the impact (today) of:
➤ Q: Terrorists?
➤ Q: Cyber-terrorists?
“ There is no cause for panic nor cause to ignore the issue ”
We should be concerned. And so we are. That’s good.
Trending threats for critical infrastructures
Before: proprietary, isolated, obscure and robust
Trend: documented, standardized, connected and open
Trending threats for critical infrastructures
➤ Industry standards take security into consideration:
➤ BS7799 / ISO 27000 Information security management systems – Specification with guidance for use
➤ NISTIR 7628 Guidelines for Smart Grid Cyber Security v1.0
➤ ANSI/ISA-99.00.01 Security for Manufacturing and Control Systems
➤ ANSI/ISA SP99 TR2 Integrating Electronic Security into Manufacturing and Control Systems Environments
➤ ISO/IEC 15408 Common Criteria
➤ CIDX Chemical Industry Data Exchange – Vulnerability Assessment Methodology (VAM) Guidance
➤ ISPE/GAMP4 Good Automated Manufacturing Practices
➤ NIST System Protection Profile for Industrial Control Systems (SPP-ICS)
➤ PCSF Process Control System Forum; NERC standards; AGA standards; NISCC guidelines
Trending threats for critical infrastructures
➤ Root causes for SCADA vulnerabilities today (and tomorrow):
➤ ISO 27000 vs. ISA-99.00.01 have contradicting priorities: SCADA wants AIC (availability first, then integrity, then confidentiality), while INFOSEC wants CIA (confidentiality first)
➤ The human communication conflict: INFOSEC and SCADA people just don’t understand each other!
➤ The human element remains a largely ignored weakness:
➤ You get bored at night, right?
➤ You want to browse the Internet on your shift, right?
➤ You want to log on from your home to the HMI, right?
Trending threats for critical infrastructures
➤ Bad Trends Top 5: things that will probably stay around for a while
➤ Office automation and industrial networks become connected
➤ Cyber security remains an afterthought during the design of solutions
➤ Protocols are in clear text (for speed reasons)
➤ Inadequately developed firewalls that natively speak SCADA protocols
➤ Insecure coding practices
➤ Old protocols, old systems: basic hacking techniques will most likely work
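To make the “clear text, no authentication” point concrete, here is an added example (written for this page; it is not code from the talk or from any Modbus library). It builds and parses Modbus/TCP frames, the raw-data protocol named on the “Typical SCADA protocols” slide, and adds a toy protocol-aware filter of the kind the trends list says is lacking. All frames are constructed in memory and nothing is sent to a PLC; `filter_frame`, `WRITE_FUNCTIONS` and the host addresses are this example’s own names and assumptions.

```python
import struct

# Added example, not code from the talk. Frames are constructed in memory;
# nothing is sent to a real PLC. `filter_frame` is this example's own toy
# policy, not an API of any firewall product.

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Function codes that change process state. In a plant, only the HMI or
# engineering workstation should ever be allowed to send these.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def build_frame(tid, unit, function, payload):
    """Wrap a PDU (function code + payload) in a Modbus/TCP MBAP header.

    Notice what the header does NOT carry: no credential, no MAC, no nonce.
    Any host that can open TCP/502 to the PLC can issue a valid write.
    """
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid, unit, start, count):
    """FC 3: read `count` 16-bit registers beginning at `start`."""
    return build_frame(tid, unit, 3, struct.pack(">HH", start, count))


def write_single_register(tid, unit, address, value):
    """FC 6: write one 16-bit register. Same framing, no extra checks."""
    return build_frame(tid, unit, 6, struct.pack(">HH", address, value))


def parse_frame(frame):
    """Split an MBAP + PDU frame into its fields, validating the header."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function = frame[MBAP_LEN]
    return {
        "tid": tid,
        "unit": unit,
        "function": function & 0x7F,
        "exception": bool(function & 0x80),  # 0x80 bit marks an exception response
        "payload": frame[MBAP_LEN + 1:],
    }


def registers_from_response(frame):
    """Decode an FC 3 response into a list of 16-bit register values."""
    msg = parse_frame(frame)
    if msg["exception"]:
        raise ValueError("Modbus exception code %d" % msg["payload"][0])
    byte_count = msg["payload"][0]
    data = msg["payload"][1:1 + byte_count]
    return list(struct.unpack(">%dH" % (byte_count // 2), data))


def filter_frame(frame, src_ip, hmi_hosts):
    """Toy protocol-aware firewall rule for TCP/502.

    Reads are allowed from any host on the control LAN; writes only from
    the listed HMI/engineering hosts; malformed frames are dropped.
    Returns (decision, reason).
    """
    try:
        msg = parse_frame(frame)
    except ValueError as err:
        return "DROP", "malformed: %s" % err
    if msg["function"] in WRITE_FUNCTIONS and src_ip not in hmi_hosts:
        return "DROP", "write FC %d from non-HMI host %s" % (msg["function"], src_ip)
    return "ALLOW", "FC %d" % msg["function"]


if __name__ == "__main__":
    hmi = {"10.10.0.10"}  # assumed HMI address
    req = write_single_register(1, 1, 0x0010, 0x0100)
    print(req.hex())  # header + FC 6: nothing here identifies or authenticates the sender
    print(filter_frame(req, "10.10.0.10", hmi))
    print(filter_frame(req, "10.10.0.99", hmi))
```

Running the block prints the hex of a Write Single Register frame: seven header bytes and a five-byte PDU, with no field that identifies or authenticates the sender. That is why a firewall that merely opens TCP/502 cannot tell a read from the HMI apart from a write from a compromised office PC; it has to parse the function code, as `filter_frame` does.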
Trending threats for critical infrastructures
➤ Focus on the top 3 critical infrastructures:
➤ Oil and gas
➤ Smart grid
➤ Telecommunication
Trending threats for critical infrastructures
➤ Ongoing developments: smart grids / smart metering
➤ Metering and control of intelligent electricity delivery to the household
➤ “Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid” as a guideline on best practices (actually, pretty good)
➤ High priority on security: the U.S. National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism has stated that a cyber attack aimed at energy infrastructure “could disable trains all over the country and it could blow up pipelines. It could cause blackouts and damage electrical power grids… It could wipe out and confuse financial records… It could do things like disrupt traffic in urban areas by knocking out control computers. It could… wipe out medical records.”
Trending threats for critical infrastructures
(diagram of four stages)
➤ Replace existing SCADA systems with new solutions
➤ New SCADA-based solutions are deployed in society
➤ Improvement of SCADA security controls
➤ Controlled industrial environment
The imminent threat of our mobile networks
“If you have the ability to deliver a reasonably strong radio signal, then those around you are compromised. Any information that goes across a cell phone you can now intercept. Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers.”
The imminent threat of our mobile networks
➤ Security by obscurity:
➤ GSM is one of the oldest protocols (and most insecure; it’s like telnet)
➤ Extremely little scrutiny on 3G/GSM protocols
➤ Only 4 closed-source GSM stacks produced
➤ GSM chipset makers never release any hardware documentation
➤ Access to firmware source (3.5G baseband code) is limited to some lucky few
➤ Prices for BTSs, etc. are very steep
➤ Open source research is on its way (and advancing rapidly)!
The imminent threat of our mobile networks
➤ GSMA is not too worried, though:
“… intercept approach has underestimated its practical complexity. A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data.” GSMA, Aug 2009
✓ Underestimated complexity: ability to decrypt the A5 family in (near) real time (2009)
✓ Underestimated complexity: IMSI catching, bypassing A3/A8, … (2010)
✓ Radio receiver system: USRP / USRP2 + GNU Radio + OpenBTS (you know, the software)
The imminent threat of our mobile networks
➤ Become your own operator:
➤ Universal Software Radio Peripheral (USRP)
➤ GNU Radio project
➤ OpenBTS / OpenBSC / SMSqueue
➤ OsmocomBB
➤ Asterisk
➤ For under 1,500 USD you cover up to 300 m of GSM signal (indoor) + 2 channels (850/900/1800/1900).
➤ Bill of materials: USRP, 800 USD; 52 MHz clock, 37 USD; RFX900 daughterboard, 175 USD; Trixie, priceless
The imminent threat of our mobile networks
➤ Or become your own DIY mobile intelligence unit:
➤ 4 x USRP2 (Xilinx Spartan FPGAs)
➤ 4 x quad-core i7 CPUs
➤ 2 x NVIDIA Tesla C2070 (CUDA) cards
➤ Power generator + antennas
➤ 4 TB storage
➤ Costs about 20,000 USD. Cheap, eh?
The imminent threat of our mobile networks
➤ The mobile network threat vectors:
➤ Confidentiality: active intercept, passive intercept, IMSI catching, location monitoring
➤ Availability: power jamming, call blackholing
➤ Integrity: inserting audio streams, fuzzing GSM handsets
“Cell phones behave like ducks”
(you may quote me on this)
The imminent threat of our mobile networks (confidentiality)
If it looks like a duck, walks like a duck, talks like a duck = it’s a duck!
(diagram: a base station announcing MCC=525, MNC=010. Handset registers to who? This is where you say “Hello”.)
The imminent threat of our mobile networks (confidentiality)
➤ Listening in on phone calls + SMS (“unlawful intercept”):
➤ Using the Berlin A5 codebooks (2.3 TB)
➤ Decode A5/1 within seconds / minutes
➤ Active intercept:
➤ Active downgrade of A5/1, A5/2 or A5/3 to A5/0 (no encryption)
➤ OpenBTS + Asterisk
➤ Basically, a man-in-the-middle attack on GSM
➤ Passive intercept:
➤ Time-memory trade-off attack
➤ OpenBTS + Airprobe
➤ Decryption required
The imminent threat of our mobile networks (confidentiality)
➤ How handsets get connected to a rogue base station so an attacker can intercept:
➤ Receive gain override (“so, you are a 100 dB tower?”) (used for IMSI catchers by R&S)
➤ Changing the LAC (Location Area Code) to entice handsets to hand off to the new (your) BTS
➤ Short jam burst, so handsets are forced to execute the power-up (cell selection) process
➤ Continuous jamming of the 3G bands, so handsets fail over to GSM
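The duck rule and the list above, as an added example (written for this page; it is not code from the talk, OpenBTS or OsmocomBB): a toy model of GSM idle-mode cell selection showing why a rogue BTS that copies the operator’s MCC/MNC, transmits louder and advertises an unknown LAC gets the handset to register with it and reveal its IMSI/TMSI. The C1 criterion follows GSM 05.08 with the simplification noted in the code; the cell table, signal levels, the LAI byte strings and the 6 dB hysteresis value are constructed, and the cell names and function names are this example’s own.

```python
# Added example: a toy model of GSM idle-mode cell selection, written for this
# page; not code from the talk or from OpenBTS/OsmocomBB. The cell table and
# signal levels are constructed. C1 follows GSM 05.08 with one simplification
# (see c1); cell-reselection hysteresis is modelled, C2 penalties are not.


def decode_lai(lai):
    """Decode a 5-byte Location Area Identification (3GPP TS 24.008, 10.5.1.3):
    MCC and MNC as swapped BCD digits, then the 16-bit LAC."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 bytes")
    b0, b1, b2 = lai[0], lai[1], lai[2]
    mcc = "%d%d%d" % (b0 & 0xF, b0 >> 4, b1 & 0xF)
    mnc = "%d%d" % (b2 & 0xF, b2 >> 4)
    if (b1 >> 4) != 0xF:          # third MNC digit present (3-digit MNC)
        mnc += "%d" % (b1 >> 4)
    lac = int.from_bytes(lai[3:5], "big")
    return mcc, mnc, lac


def c1(cell):
    """Path-loss criterion C1 = RXLEV - RXLEV_ACCESS_MIN - max(MS_TXPWR_MAX_CCH - P, 0).
    Simplification: the handset's maximum power P is assumed equal to
    MS_TXPWR_MAX_CCH, so the last term vanishes."""
    return cell["rxlev"] - cell["access_min"]


def select_cell(cells, home_plmn):
    """Power-on selection: among cells broadcasting the home PLMN with C1 >= 0,
    take the one with the highest C1. A rogue BTS that copies MCC/MNC and
    transmits strongly is simply the best cell by this rule (the duck)."""
    ok = [c for c in cells if decode_lai(c["lai"])[:2] == home_plmn and c1(c) >= 0]
    return max(ok, key=c1) if ok else None


def reselect(cells, home_plmn, serving, hysteresis_db=6):
    """Idle-mode reselection (simplified): move only if a cell's C1 beats the
    serving cell's, and by an extra CELL_RESELECT_HYSTERESIS when that cell is
    in a different location area. A rogue BTS on a new LAC therefore has to
    overpower the legitimate cell by more than the hysteresis, which is why
    the receive-gain override on the slide matters."""
    serving_lac = decode_lai(serving["lai"])[2]
    best = serving
    for c in cells:
        if decode_lai(c["lai"])[:2] != home_plmn or c1(c) < 0:
            continue
        margin = hysteresis_db if decode_lai(c["lai"])[2] != serving_lac else 0
        if c1(c) > c1(best) + margin:
            best = c
    return best


def triggers_location_update(old_cell, new_cell):
    """The handset sends a Location Updating Request (carrying its IMSI or
    TMSI) only when the LAC changes; hence the rogue advertises a LAC the
    handset has never seen."""
    return decode_lai(old_cell["lai"])[2] != decode_lai(new_cell["lai"])[2]


# Constructed cells. MCC 525 / MNC 010 as on the slide; LAI bytes hand-encoded
# (0x25 0x05 0x10 = MCC 525, MNC 010; last two bytes = LAC).
LEGIT_A = {"name": "operator cell A", "lai": bytes.fromhex("2505100101"),
           "rxlev": -80, "access_min": -104}
LEGIT_B = {"name": "operator cell B", "lai": bytes.fromhex("2505100101"),
           "rxlev": -85, "access_min": -104}
ROGUE = {"name": "rogue OpenBTS", "lai": bytes.fromhex("250510ffff"),
         "rxlev": -55, "access_min": -104}   # same PLMN, new LAC, much louder


def demo(rogue_rxlev=-55):
    """Return the cell the handset ends up on and whether it reveals itself."""
    rogue = dict(ROGUE, rxlev=rogue_rxlev)
    new = reselect([LEGIT_A, LEGIT_B, rogue], ("525", "010"), serving=LEGIT_A)
    return new["name"], triggers_location_update(LEGIT_A, new)


if __name__ == "__main__":
    print(demo(-55))   # loud rogue: handset moves and sends a Location Update
    print(demo(-77))   # rogue only 3 dB louder: hysteresis keeps it on cell A
```

The edge case worth noticing is the second call: a rogue that is only a few dB stronger does not win against the location-area hysteresis, so the attack needs either raw power or one of the jamming tricks on the slide that force a fresh power-on selection, where no hysteresis applies and `select_cell` picks the loudest matching cell outright.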
The imminent threat of our mobile networks (confidentiality)
➤ Remote and local tracking of users, using a blend of RRLP, GPS, GSM, SMS, mobile applications and Google technologies:
➤ Google GSM geolocation API (not Latitude)
➤ Cell locations stored on local smartphones
➤ Using applications to covertly send out logs
The imminent threat of our mobile networks (availability)
➤ By accident: jammed my neighborhood in an 800 m radius using GNU Radio, 2 W and a noise generator => impossible to defend!
➤ Purposeful:
➤ Camping on GSM signals and sink-holing them
➤ Noise generators in the GSM spectrum
➤ Frequency-division duplexing flooding
➤ Sending IMSI DETACH messages
➤ Channel Request flooding of the RACH
The imminent threat of our mobile networks (availability)
➤ Channel Request flooding of the Random Access Channel (RACH) burst:
➤ Anonymous attack
➤ Successfully executed in under a few seconds
➤ The cell phone registers (Channel Request); when the channel is not established (time-out), the channel is released by the BSC
➤ Only affects one BTS at a time
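The RACH flood described above, as an added example (written for this page, not the talk’s tooling): a discrete-time model of one BTS with a small pool of SDCCHs, where every Channel Request is granted a channel that is only freed when the BSC’s assignment timer expires. Channel count, request rates, the 3 s timer and the flood window are constructed values; the timer stands in for T3101 of GSM 04.08, which the BSC starts at Immediate Assignment and on whose expiry it releases the channel.

```python
# Added example, not the talk's code: a discrete-time toy model of a RACH
# Channel Request flood against one BTS. All numbers are constructed; the
# timeout stands in for T3101 (GSM 04.08). Legitimate call setups are modelled
# as holding the SDCCH for the same few seconds they need for signalling.


def simulate_rach_flood(n_sdcch=8, timeout_s=3, flood_per_s=20,
                        legit_per_s=2, duration_s=30, flood_window=(5, 25)):
    """Step one second at a time. Each tick: release SDCCHs whose assignment
    timer expired, serve the attacker's Channel Requests (anonymous RACH
    bursts that never complete the link), then serve legitimate requests.
    Returns totals plus a per-tick (time, busy channels, rejected) trace."""
    release_at = []          # timer expiry time of each busy SDCCH
    accepted = rejected = 0
    per_tick = []
    for t in range(duration_s):
        release_at = [r for r in release_at if r > t]   # T3101 expiry frees the channel
        flooding = flood_window[0] <= t < flood_window[1]
        for _ in range(flood_per_s if flooding else 0):
            if len(release_at) < n_sdcch:
                release_at.append(t + timeout_s)         # held until the timer expires
        tick_ok = tick_fail = 0
        for _ in range(legit_per_s):
            if len(release_at) < n_sdcch:
                release_at.append(t + timeout_s)
                tick_ok += 1
            else:
                tick_fail += 1                            # Immediate Assignment Reject
        accepted += tick_ok
        rejected += tick_fail
        per_tick.append((t, len(release_at), tick_fail))
    return {"legit_accepted": accepted, "legit_rejected": rejected,
            "per_tick": per_tick}


def outage_seconds(result):
    """Ticks during which at least one legitimate request was rejected."""
    return [t for t, _busy, fail in result["per_tick"] if fail > 0]


if __name__ == "__main__":
    r = simulate_rach_flood()
    print("legit accepted:", r["legit_accepted"], "rejected:", r["legit_rejected"])
    print("outage seconds:", outage_seconds(r))
```

With the defaults, 20 anonymous requests per second against 8 channels held for 3 s means every tick of the flood leaves the two legitimate requests rejected, and service only returns once the flood stops and the timers run out; a second BTS with its own channel pool is untouched, which is the “only one BTS at a time” point on the slide. Shortening the timer does not help on its own when the flood refills the pool faster than it drains; only a pool large enough to absorb rate × hold time does.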
The imminent threat of our mobile networks (availability)
(diagram: DoS)
The imminent threat of our mobile networks (availability)
➤ Isolated noise output test: 892 mode test
➤ Results:
➤ Upset neighbors, but peace of mind
➤ Completely knocked out the 850/900 GSM signal in an 800 meter radius, using a short (45 s) burst
➤ Test (but I’m not doing it):
➤ 100 W amplifier (450 USD) (1,500 W HAM limit!!)
➤ Would knock out GSM/3G/CDMA over a large section of Singapore
The imminent threat of our mobile networks (integrity)
➤ Manipulating voice conversations
➤ Active interception required, as we do not modify the GSM signal but the u-law (G.711) audio packets:
➤ Should be easy to manipulate (given IMSI spoofing)
➤ No practical usage, unless you really want to annoy people :-)
➤ … manipulating SMS messages, however, is a threat (OTP over SMS, anyone?).
The imminent threat of our mobile networks (integrity)
(image: “Free McDonalds!”)
The imminent threat of our mobile networks (integrity)
➤ Fuzzing targets:
➤ GSM stack in the baseband processor
➤ GSM function libraries in the operating system
➤ Fuzzing results after one month (using Scapy):
➤ iPhone iOS 4.2, already 2 crashes
➤ Windows Mobile 7, already 5 crashes
➤ Android 2.2, already 3 crashes
➤ Not sure if they are exploitable yet.
What are we up against ?
What are we up against?
➤ Vital and critical infrastructures keep humans safe, alive and comfortable, but:
➤ Closed-source protocols are being layered over vulnerable transport media and protocols (think TCP/IP, RPC, …)
➤ Full-disclosure research increasingly brings exploits and vulnerabilities into the open
➤ They are a 100% target of terrorist attacks and asymmetric warfare tactics
➤ A lot of Fear, Uncertainty and Doubt (FUD)
What are we up against?
➤ Mobile telecommunications and wireless technologies are connecting everyone and everything, yet they are mostly based on insecure protocols:
➤ SCADA systems using GSM for large plant coverage
➤ SCADA systems using Bluetooth (e.g. smart meters)
➤ SCADA systems using Wi-Fi / ZigBee protocols
➤ Our day-to-day lives and safety inherently depend on IT systems and networks (*gulp*)
What are we up against?
➤ Hackers will continue to attack embedded and industrial systems (“Stuxnet is only the beginning”).
➤ Within five years, a large-scale electronic attack will disrupt a modern society to its inner fabric.
➤ The security industry will need to rapidly embrace industrial standards and collaborate on establishing secure and robust protocols.
“Unless cyber security controls can guarantee our safety, it is irresponsible to merge industrial protocols with vulnerable IT technologies (law of the weakest link)”
(you may quote me on this one too)
If not, one day we will wake up and find ourselves:
deafened
blinded
and muted
Contemporary threats to critical and mobile infrastructures: Are we soon deaf, blind and muted?
ANSES Rah Rah 7, Singapore, January 2010
Thank you