Ivan ‘Steph’ Yushkevich, Alexander ‘dark_k3y’ Bolshev
Digital Security
SCADA AND MOBILE:SECURITY ASSESSMENTOF THE APPLICATIONS
THAT TURN YOUR SMARTPHONE INTO A FACTORY CONTROL ROOM
; cat /dev/user
• Ivan ‘Steph’ Yushkevich:
Security Auditor @ Digital Security
Role: Mobile security guy
• Alexander ‘dark_k3y’ Bolshev
Security Researcher @ Digital Security, Ph.D., Assistant Professor @ SPb ETU
Role: Fuzzing && SCADA security guy
-2-
Agenda
• Very Quick ICS 101
• Types of mobile ICS applications
• Testing approaches
• Example vulnerabilities and attacks
• Conclusion
-3-
What is ICS
• ICS stands for Industrial Control System
• Today, ICS infrastructures are commonly used in every factory and even in your house, too!
• ICS collects data from remote stations (also called field devices), processes them, and uses automated algorithms or operator-driven supervisory to create commands to be sent back
-4-
ICS
-5-http://sub0day.com/wp-content/uploads/2015/01/asdC2121.jpghttp://www.paceindustrial.com/uploads/images/Controls/Industrial_System_Page.gif
Typical ICS infrastructure
-6-
Corporate network
ERP
MES
PLC 2, 3…
PLC 1
PLC 7, 8…
Routers/Firewalls
OPC
SCADA/DCS
HMI
Industrial bus(es)
AMS
Transmitters
ICS 101 terms
• Transmitters/RTUs – works with real world objects and parameters
• PLC (Programmable Logic Controllers) -- digital system used for automation of typically industrial electromechanical processes.
• SCADA – systems operating with coded signals over communication channels so as to provide control of remote equipment
• OPC – Open Platform Communications
• HMI – Human-machine interfaces
• MES – Manufacturing executioning system
-7-
Mobile Apps place in the ICS
-8-
Internet Corporate Network
PLCs…HMI
SCADA servers
OPC, MES, Historians
(3) Remote SCADA client
(1) Mobile HMI panel
(2) Mobile OPC/MES client
Mobile ICS Apps classification
• PLC configuration/interaction app• SCADA client• Mobile HMI panel
Control room applications
MES/HMI/Historian clients
Remote SCADA clients
-9-
Control room applications• Direct configuring/monitoring/supervising industrial
process and/or its components
• Several types:
• PLC configuration/interaction app
• SCADA client
• Mobile HMI panel
-10-
source: http://www.centurioncontrols.com/sites/default/files/ControlRoom2.jpg
These applications reside inside the “safe” (at least firewalled and separated) network of control roomFull or partial “local” control of the industrial process
OPC/MES/Historian clients
• Allow the engineer and process owner to read and interpret some data from middle-high level components of ICS
• Data is read-only; you don’t have direct access to the PLCs, HMIs, or SCADA apps -- your only ability is to read some variables or aggregated values
-11-
SCADA remote control apps• Applications that allows remote (outside of safe perimeter or
even plant network) monitoring/controlling of the industrial process
• For ALL applications in this group, we found pictures/schemes/architecture sketches/documents from the vendor where the mobile app is shown as a remote control client outside of the plant network (high-low levels)
-12-
Typical attack vectors
• Smartphone/tablet loss
• MitM attack (public Wi-Fi, GSM/GPRS)
• “Unlocked phone on the table”
• SD card data compromise (another app/virus/USB connection to PC)
• Server compromise via remote bug (SQLinj/DoS)
-13-
Main threats• server DoS or compromise• lack of server-side data validation in terms of
industrial process • compromise of stored data that could lead to
interface/feature modification (HMI apps)• client-side DoS
Control room app
• process data leak through a protocol vulnerability• server DoS or compromise• client-side DoS or compromise• deceiving the operator for hiding alarms
MES/OPC/ Historian
client
• process compromise through a protocol or application vulnerability• lack of server-side data validation in terms of
the industrial process • process compromise through a server bug• client-side DoS or compromise
SCADA remote
control app-14-
Test steps
Analysis according to Test Checklist
Client and server fuzzing
Deep analysis with reverse-engineering
-15-
ChecklistApplication• Purpose of app: SCADA/HMI/PLC/OPC/etc.• Permissions• Password protection• Native code• Web-based components
Protocol• Authentication.• Tokens/cookies/sessions• SSL• XML• Server API
Storage• Connection strings/passwords• Data/projects/HMI interfaces etc.
-16-
Fuzzing
• Some applications used vendor-specific protocols for interactions between client and server
• Full reverse-engineering of such protocols could take infinite time
• To test them easier, we used fuzzing
-17-
UIautomator
• Fuzzing requires regular communications between mobile app and server
• Problem: mobile app is a GUI app. In most cases, it won’t interact with server without the user’s command
• Solution: use Android UIAutomator (GUI testing tool) to emulate the user‘s taps in the mobile app -18-
Native UIs• Problem: many mobile SCADA apps use native
code (C++ or Delphi, arm7eabi). GUIs of such applications also use native elements. UIautomator standard methods have no support for them
• Solution: simple custom extension of UIautomator
• Method:
• Do first round of fuzzing with no mutations (with correct data)
• Capture a series of screenshots during first round and put them in cache
• On the next round, where crashes/disconnects could occur, detect them by comparing the current state screen with the appropriate screen in cache-19-
Fuzzing architecture
-20-
Server (SCADA, demo application,
PLC, etc.)Fuzzed application
Fuzzing proxy (erlamsa)
GuiTesterLib
UDP, Erlang objects
GUI test scenario (Erlang)
UIautomatorapp
Test scenario exampleshow_status_window(S) ->
{ok} = nuitestclient:send_cmd(S, {click, 200, 600}, 3000),
{ok} = nuitestclient:send_cmd(S, {click, 200, 350}, 3000),
…
prepare(IP, Port) ->
S = nuitestclient:connect(IP, Port),
run_logoapp(S), timer:sleep(5000),
{ok} = nuitestclient:send_cmd(S, {putscreenoncache, "working"}, 5000), S.
…
fuzz(S, false, FailCnt) ->
io:format("Relauncing...~n"),
{ok} = nuitestclient:send_cmd(S, {click, 358, 463}, 3000),
timer:sleep(1000), show_status_window(S), timer:sleep(1000),
{ok, Res} =
nuitestclient:send_cmd(S, {comparescreenoncache, "working"}, 5000),
fuzz(S, Res, FailCnt + 1).
-21-
Fuzzing in progress
-22-
List of analyzed applications
-23-
Afcon Pulse Autobase SCADA
CyBroDroid Ellat SCADA
HMI MASTER
HMI OBA7 MiScout OPC XML DA client
OPC XML DA Explorer
PLC-5 HMI
Pro-face Remote
HMI
ProficySCADA
Prosys OPC UA client lite
S7 Android Movicon Progea Web
Client
ScadaTouch Siemens LOGO! App
Wagoid Watch*IT WHS Live Light
Legend: Control room app
OPC/MES/ Historian
client
Remote SCADA client
Test results summary
-24-
Control-room apps
OPC/Historian clients
SCADA remote clients
2.5 7.5 12.5 17.5 22.5 27.5 32.5
Control-room apps
OPC/Historian clients
SCADA remote clients
Vulnerabili-ties
2 2 9
Weak-nesses
4 12 21
Test results summary
-25-
Vulnerability/ weakness
Control room app OPC/MES client Remote SCADA client
No authentication n/a 3 3
Username-only auth 0 0 1
Plain text auth 0 0 2
Weak hashes 0 0 2
Insufficient check of input process values
n/a 0 1
Built-in crypto keys 0 1 3
Weak SSL 0 1 2
SQL injection 1 1 0
No password protection
4 5 4
Plain text protocol 0 3 4
DoS 1 0 3
SD card storage 2 0 3
But… responsible disclosure
-26-
Authentication problems
-27-
Plain text authentication
-28-
Username-only authentication
-29-
Built-in cryptokeys
-30-
Weak hashes
-31-
Let pi be password symbols, then:
225 is easily crackable on most modern computers
Server-side Denial of Service
-33-
Client-side Denial of Service
-34-
Double free(..)?
-35-
Attack 1
-36-
Insufficient validation of input parameters from mobile app
• The attacker should:
• Either be connected to the network with the target client/server (in case of control room application)
• Or knew remote control SCADA endpoint (server address) and have valid logon credentials
• E.g. potential victim uses his smartphone with public Wi-Fi AP (e.g. in restaraunt or trade center). If there is no encryption (or weak/vulnerable), the attacker could MitM into the connection with the server (using, for example, ARP spoofing). When a legimate request goes to the system, it can be modified
Attack 1: query
-37-
GET /scgi/?c8785.<removed>=26999& HTTP/1.1
Cookie: sessionid=98aec9bc19d2bed32d3cc9a1140920e2
Host: <removed>
Proxy-Connection: close
Connection: close
Attack 1: results
-38-
Attack 2
-39-
Compromising HMI storage
• Several applications store HMI databases (circuits, interfaces, connection parameters, and HMI projects) on SD card
• If HMI project data is somehow compromised (virus, another application vulnerability, direct access to SD card from PC, etc.), the attacker can slightly reconfigure or change its interface. They could replace component events and logic, or, for example, sensors data sources
• The unsuspecting operator is “compromised” now and could make a wrong decision
Original HMI interface
-40-
HMI project storage
-41-
HMI project file format
-42-
Changed HMI panel
-43-
Attack 2: …
-44-
original pic source: http://www.smartcityexpo.com/new_products/-/newness/955751/Afcon-s-Pulse-Mobile-2-0-for-cities?return=microsite
Conclusions• 20 Android applications for ICS reviewed
• Not even one was free of weaknesses and/or vulnerabilities
• The most dangerous consequence of these vulnerabilities is “compromising” the operator per se, i.e. give them a false understanding of the current industrial process state
• SCADA and ICS came to the mobile world recently, but brought old approaches and weaknesses. Hopefully, due to the rapidly developing nature of mobile software, all these problems will soon be gone
-45-
Used tools
• Fuzzing: erlamsa + Android UIAutomator + Android NativeUI automator extension
• Reverse-engineering: jd-gui, r2
• Misc: Wireshark
• Proxies: ProxyDroid, BurpSuite, Erlamsa built-in proxy
-46-
Links
• http://github.com/Darkkey/AndroidHMISecurity -- up-to-date whitepaper, sources & binaries of Android NativeUI (will be published by June 17)
• http://github.com/Darkkey/erlamsa -- erlamsa mutational-based fuzzer (fork of radamsa)
-47-
Thanksgiving service
• Dmitry ‘D1g1’ Evdokimov for “some binary magic” and great help in reverse-engineering ARM native code
• Marina Krotofil for some threat ideas
-48-