![Page 1: Open Sesame Bypassing Building Management Controls and Tradecraft - BSides … BMC Preso Part 1.pdf · 2016-04-19 · 19/04/2016 Building Management Systems Security Intrusion Alarms](https://reader036.vdocuments.net/reader036/viewer/2022080723/5f7bf06f1600cb09bc64abfa/html5/thumbnails/1.jpg)
Open Sesame – Bypassing Building Management Controls and Tradecraft
Dan Kennedy – Senior Consultant
19/04/2016
Page 2
Background Info
Why this talk?
Scope
Where did our Vigilance go?
</rant>
Page 3
Red? Blue?
Page 4
BMS environment
Building Management Systems
Security: Intrusion Alarms, CCTV, Patrols, PIDS, Intrusion Prevention
Access Control: CPTID, Man traps, Automation, Doors, HMI, Biometrics, RFID
Fire & Safety: Fire Safety Alarms, Duress, EWIS
Engineering: Hydro Pumps, Energy Management
Information Systems & Communications: Facility Manager Workstation, Telco Lines
Building Automation: Illumination, HVAC, Elevator
Facility: Plumbing, Cleaning
Page 5
Physical Security Controls
Page 6
Controller Systems Diagram
Page 7
Component Diagram
Page 8
Controller Enclosures
Page 9 (image-only slide)
Page 10
Enclosure Bypass
Page 11
Control Panels
SPI
UART
PSTN
RS232
Page 12
BACnet Native Controller
Page 13
Building Control Protocols
AS-Interface
BACnet
CANopen
CC-Link
ControlNet
DeviceNet
EtherNet/IP
EtherCAT
FIPIO
FL-net
Interbus
LonWorks
M-Bus
Modbus Plus
Modbus RTU & Modbus-TCP
POWERLINK
Profibus
Profinet-IO
Sercos
Page 14
Net Enumeration
Security Controller (BOSCH): TCP/UDP Port 7700
Modbus: Master/Slave – TCP Port 502
BACnet: Master/Slave – UDP Port 47808
LonWorks/LonTalk: Peer to Peer – Port 1679
DNP3: Master/Slave – TCP Port 20000
Niagara Fox: TCP Port 1911
Zigbee: TCP Port 17729-17756
Rockwell PLC: TCP/UDP Ports 2221 UDP, 29402, 1434
FactoryTalk: TCP/UDP Ports 1330-1332, 3060
Page 15
Tools
Lots of proprietary ones
BACnet Attack Framework
Modbus SMOD Exploitation Framework
Page 16
Exposures - Internet
Page 17
Exposure Stats - Current
Page 18
Building Automation Control Architecture
http://www.automatedlogic.com/specsheets/se_cs.pdf
Page 19
BACnet Attacks
Enumerate all the Devices
Announce yourself as a trusted BACnet Router
Flood and Takedown entire net
Arbitrary Command Execution
Pages 20 to 22 (image-only slides)
Page 23
Modbus Component Architecture
Page 24
Modbus Protocol Design
Page 25
Shells & More
Pages 26 to 34 (image-only slides)
Page 35
An approach to alternative analysis of Building Management Control Environments
Define the target environment doctrine
High-Impact, Low-probability analysis
Recon: OSINT, HUMINT, GEOINT, SIGINT
Vulnerability Probing
Measure degrees of Success
Course of Action
Exploitation & Control/Movement
Persistence
Increase attack density
Target Institution
Defined and Agreed Scope
Enumeration
Vulnerability Analysis and Exploitation
Escalation and Lateral Movement
Persistence
Checkpoint 1, Checkpoint 9
Page 36
Intel Gathering (OSINT, HUMINT, SIGINT, GEOINT)
Leverage public databases/records of building facility management
Use social networks to determine people, roles, skill sets and behavioural traits
Analyse building tenant documentation for any sensitive or useful info, such as names, phone numbers, roles
Obtain protocols and procedures for contractors/3rd party suppliers
Assess signals spectrum
Physical location co-ordinates, landscapes, geospatial info
Page 37
Recon
Layout
Protection
Timing
Personnel
Both ordinary and emergency exits, hallways, stairways, windows, rooftops and even sewers
Observe and map all Entry/Exit points for public and staff
Location of important offices and rooms
Observe Guards and Patrol routes
Observe the type and placement of Perimeter security devices
Identify access methods
Observe Busy times where “reception/door access” is heavily utilised
Map staff congregation and mustering areas
Observe type of Lanyard and Access Pass/Card technology used
Page 38
High Value Targets
MDF Room
Building Facilities Management Office
Security Controller
Plant Room
Electrical Communications
Pages 39 to 40 (image-only slides)
Page 41
Vulnerability Probing
i. Human: Employee Protocols, Procedures and Behaviours
ii. Human: Building Management Personnel Reachability
iii. Technology: Perimeter and Internal Intrusion Monitoring Controls and Countermeasures
iv. Technology: Gate/Door/Elevator Access Controls
v. Technology: Signals emanation & manipulation, BCS Exposures
vi. Technology: Door Controls
vii. Processes: Building Automation (Elevators), Security Gates, Service Entry Carpark
viii. Processes: Identity Validation
Page 42 (image-only slide)
Page 43
Identity Validation
Page 44
HMI RFID Cards & KeyPads
RFID Cloning
Circuit Jumper | Splicing
Ultraviolet Ink
Earth Magnets
Page 45
Circuit Jumping
Most alarms/sensors are protective circuits
The notion of “open” and “closed” circuit is important
Locate the wires to and from the circuit and jumper them to bypass the entire system
Door Proximity Controllers usually 12V
Watch for Anti-Tampering Measures (opened circuits) :-)
Page 46
Magnetic Contact Switch Doors
Magnetic switch most common of hardwired components
Two individual pieces, the switch and the companion magnet
Page 47
Service Elevators
Fire Emergency Services Elevator Key
Security Key override
Lift Surfing
Page 48
Lever Doors
Page 49
And some ftw moments
Page 50
Exposed Wiring
Page 51
Any Questions? [email protected]
Greetz bsides team, rich, context, gio, david, petr, kurt, andrew and chris :-)