1
Pwning the Industrial IoT: RCEs and backdoors are around!
Sergey Temnikov, Senior Security Researcher, Critical Infrastructure Defense TeamKaspersky Lab ICS CERTVladimir Dashchenko, Senior Security Researcher, Critical Infrastructure Defense TeamKaspersky Lab ICS CERT
2
3
Penetration testersMalware analysts
Security auditors
Industrial engineers
Security analysts
Security architects
Who are we?
4
What’s the IIoT?
5
What’s the IIoT?Simple words
Fancy concept/solution
Old security problems
IIoT
6
Vulnerabilities
18
50
410
10
10
20
30
40
50
60
RCE DOS Injections File manipulations
Account manipulations
Vulnerabilities
7
Vulnerability research approach
• Custom protocols
• DCOM
• OPC UA
8
Vuln1. XML :(
Custom XML parser allows easy trace
9
Vuln1. XML :(
Custom XML parser allows easy trace
10
Vuln2. OPC UA :(
DOS and possible RCE
11
Vuln3. Custom protocol
Not only ICS. It’s huge
12
Vuln3. Custom protocolReported in Dec 2016 (2 RCE; 11 DOS)Reminded in the end of Dec 2016Sent report again in Jan 20176 months of nothingSilently pushes the driver updateNot installed with MS updatesWaited for CVEs (spoiler: no luck)Notified US ICS CERT about potential threat“Hey! We gonna talk about this at DEFCON” email ->private alert sent->confcall with VP/CTOPublishing public advisory with CVEs assigned (CVE-2017-11496, CVE-2017-11497, CVE-2017-11498)BUT THERE’S MORE
13
Strange thing same vendor
14
Strange thing same vendor
Looks like BEAR
Smells like BEAR
Acts like BEAR
Taste like BEAR
What’s that?
NOT-A-BEAR
15
Strange thing same vendorRemotely enable and disable admin panel (undocumented). Panel available on 127.0.0.1
Remotely change proxy-server for the updates
Got the NTLM hash of user who runs the process
Still under research (got new RCEs; logical RCE?)
16
Conclusion and advice
Share the knowledge
Stand corrected
If you want to do Industry 4.0, IIoT and blah-blah-blah – do it right and secure
3dr party software should be tested properly
