>> So what we are going to talk about today is SCADA HMIs, and understanding the different kinds of vulnerabilities that exist in those kinds of interfaces that are used by SCADA devices -- so let's get it started. So a little bit of background on me. I'm actually part of Cloud Threat Labs, cloud security at Elastica in San Jose, and I just wrote a book on targeted cyber attacks; if you get a chance, take a look at it. So before going to discuss research on this topic, I just want to very quickly lay a disclaimer: the vulnerabilities or issues we're going to discuss are solely based on my research. It does not relate to my previous or present employers, and all the vulnerabilities we are going to take a look at have been reported, and in this scenario they are in the process of patching them. A couple of vulnerabilities have already been patched, and other vendors are actually working to address the issue. So let me get into the brief idea of why SCADA is becoming a problem, because of critical infrastructure, several things, because this is getting on the edge at this point in time. Hackers are targeting SCADA infrastructure, devices, and all along try to get control of infrastructure, and then from there on you can have a diversified impact on the target. So just pick up what the media is talking about here: SCADA systems face diverse software attacks, and that's in several other issues. But the end point is that this is a problem and we need to take a look into it as a community, hunt for vulnerabilities, report them, and make it secure. A little down the lane, during the course of this presentation, you will realize that SCADA design is completely broken, something -- so take a look into it. So before moving further, let's have an idea of, you know, the vulnerabilities of SCADA that existed in the last few years and how the trend is going on.
I took this snapshot from SCADA Hacker, a very good website, and they took the SCADA data from OSVDB and you get an idea that, moving forward, in 2015 you'll see 98 vulnerabilities have been released, and if you look at the last couple of years, the trend is increasing. It's exponential. It means that the more visibility you have here, the more attacks in this scenario, and that is what is happening in this SCADA infrastructure. Another brief look at the way the SCADA vulnerabilities are, from the advisories, this one released [indiscernible] just like a few weeks back. Different kinds of [indiscernible], like different kinds of vulnerabilities that exist in SCADA devices here, and so it goes from overflows, directory traversals, man in the middle, hijacking and different kinds of things, and even if you look at the scenario, vulnerabilities, file inclusion, local file inclusion, authentication bypasses, those scenarios, a wide variety of vulnerabilities out there. We'll take a look into it. Now, again, it's a big problem because if you look at it as a service, attackers in the underground market compromise SCADA infrastructure and sell control to other buyers for making money, and that is one interesting thing, because the SCADA is not up to that mark, SCADA becomes very easy for them to go ahead, just sell the access, manufacturing plant [indiscernible], you know, things like that. But this is a big problem these days, and as a community, as a nation, you know, find issues, have them patch things. So take a look at it, the simple SCADA model. Sometimes I have a couple of suspicions with the search engine, pretty good researchers, audience. Sometimes they think HMI is not actually a part of SCADA, but the whole model, if you look at it, so this is an etching, it's one component of it.
PLC programmer, to watch and control your drivers driving, and the SCADA devices, and in this picture I have basically taken a simple scenario: you have HMI, component, PLC, interface through drivers, and then it goes to the actual manufacturing point, devices. So if you look at this particular model, you see HMI is actually being used at the front end and from there onwards, a lot of statistics about different components of SCADA, and you can perform operations, you can look into statistics, execute commands that will be [indiscernible] through PLC to drivers and have the inclined motor. The target is looking into the HMI [indiscernible], so basically HMI, human machine interface to the web. It could be a web server, phone, further application, desktop applications, but in this particular talk [indiscernible]. An interesting point about HMI: it is a visual presentation of what is going on inside the complete SCADA environment, and how the data is, you know, taken from the panel and then how it's taken from the various devices that are running on the back end. So in a simple way, a centralized control center managed through the web. If you control the web, the front component of it, you can do much more with it. And we'll take a look at a scenario. So this is basically a Web HMI, an embedded web server in a phone, which is exposed on the internet, or maybe not properly secured, and things like that. But our motive in this particular talk is to go into the design and the security of the web HMI, how they have designed it, why they're not following secure design principles and what could be the impact. So in this particular talk, I mean, you can say most of these devices are not deployed with SSL, which is fine. They are basically configured in a wrong manner, because not securely configured. They have a default username and password, or even if they configured the password, the password is weak.
[Indiscernible] security, which actually means that if the web server tries to send some sort of header, the embedded web server has no capability at this point in time to send some sort of headers back to the browser, and from there on the browser can act accordingly. For example, X-Frame-Options can include, Strict Transport Security, so there's no concept of that at this point in time. But we are not going into these issues in this talk; what we are going to talk about is how the design has been done. So what we are going to have in -- so any embedded, primarily web servers, power lines slash -- web technology used by HMIs, anything exposed through the web is the target of this talk. So we are basically, in this particular talk, going to target the front end. Any web based software used to control HMI, any software that is used to spool HMI, any web component providing an interface to these SCADA devices, so that's the target here. So which vendors are we going to look into from the security vulnerability point of view? So there are many vendors out there, but I chose for this talk Automation [indiscernible] paired devices, Schneider Electric, Prisma, [indiscernible] and a whole lot of vulnerabilities out there, can't discuss them all in this because of the time constraint. What I will say now is that there are a lot of vulnerabilities out there. And we'll take a look and you might, you know, think of it as fun, but it is actually fun, when you look at the vulnerabilities, there are so many ridiculous vulnerabilities out there. Now we are going to target for the next couple of minutes the BMX family of devices, which is provided by Schneider Electric. Basically HMI active web services, as a part of the web server, embedded in the phone here. It requires real time communication with the internet, TCP/IP, used for that end device. It has the capacity to host dynamic user defined web pages to provide more updated information on what's going on.
One target, let's talk about some vulnerabilities. So while I was doing research on it, hard coded vulnerability, possibly actually [indiscernible] account, in the [indiscernible] file. We have multiple [indiscernible] vulnerabilities, a remote file inclusion, local file inclusion, authentication design. And in this particular device, I put the most stress on the RFI, which I will hopefully be demoing, hopefully the DEF CON network will work, otherwise we have a video. But let's just go into a better analysis. Let's say [indiscernible] and I have not masked the URL in this case. You find this device, and you open it in your browser, you will be presented with Java. You need to install Java for that. You will be asked to install it like this, you will install it, because in order to access all the HMI functionalities you have to access this Java applet, to install it accordingly. >> When you install it, you come up with, you know, when you download this, the applet, you try to look into the source code, you know where the Java applet has been placed, how you can access it and things like that. So this whole slide is going to tell you where the Java applet is placed for that particular web HMI and how you can access it, basically looking into the source code of it in that browser. When you do the source code analysis, just presenting a figure here, if you do the source code analysis of the Java file, there is a password in it and you can see Schneider, and then you have activity log and a sys log. So you're basically looking into the decompilation of the Java source for analysis and this is hard coded. You can use it to actually access the FTP [indiscernible] server. Moving forward, so a bit more of source code analysis, you get an idea all the config files are hard coded; pick them apart, put them in the URL, and if you are authenticated you can even access them, or in certain cases you can even bypass that too.
Moving forward, so vulnerabilities, specifically, so it is a complete URL, which is simply HTTP. You have parameters. Force the user to click on the link and you can change the password. You can control the editor password. Things like that. It's all open in that scenario, and this one is an interesting one, so they have a vulnerability in this scenario, unauthenticated file inclusion, one URL; when you search for URLs on that web HMI, a specific URL validates the input you are supplying, so basically framing the content. In this case I have shown that on this particular device you can include a remote file, and I will be demoing it in just a bit, in seconds. Similarly, all these vulnerabilities are also present in the FactoryCast; this is [indiscernible]. I think Schneider Electric and Telemecanique collaboratively release these devices. If you go ahead to the previous devices, some old school devices, or even devices that are being, you know, released these days, the same vulnerabilities apply to FactoryCast. So I'm going to demo here the remote file inclusion vulnerability, I hope. Connect with box. [No audio] This was working just five minutes back, so. It happens at DEF CON all the time, but I have a backup. [Laughter] Very interesting demo, actually: somehow you can even download malware, in encoded format, to the device. If you get a chance later on, I can show you where the network is working, so this was the demo. So let's take a look from the video point of view. So in this you will see that we are highlighting the file inclusion vulnerability in Schneider BMX CPUs, Web HMI. The video might not tell you exactly how you can download [indiscernible] in the encoded format, but it can give you an idea where the vulnerability is and what you can do with it.
We just try, you know, as a researcher, to look at what's going on in and out of a system, and you can see that even if you try to access some of the source, it is basically restricted, so you need to provide basic -- so actually basic authentication here. But we have -- this is the case we want to show. We want to actually look at it. So I closed it. So you see that the vulnerability is present in one of the index HTML files, not actually validating what kind of content is being passed through, so you can easily load any third party website directly into it, and in this case we uploaded the Black Hat one, so I can explain how this can be used in targeted attacks. A similar case: you can go and host some sort of malware on a third party domain. You know, it's used for any [indiscernible] effect. You basically encode the URL or you can use a URL shortener, you can simply pass it through, and force the user to click it, any SCADA administrator or other guy, and that way download the malware and use the system, and it's very interesting. You can also pass any code through it to an HTML file. Wherever it's framed, HTML in the browser, then you can get compromised. But basically, simply through RFI in this case. The next device I'm going to target here is the MicroLogix, from the authentication point of view. Just a simple [indiscernible]. So basically they don't provide any [indiscernible] for HTTPS in this. If you look at how the password is being hashed, this is basically MD5 and no salt is provided for it, so -- which makes it pretty difficult to replay attacks, and you can crack it within a span of time. So whatever the vulnerabilities I'm discussing in this, tested [indiscernible] along different devices, and these are basically tested on real devices on the internet.
So once you, this is basically, in software it's like a bad design, where you pass your credentials in the HTTP GET, because it gets cached [indiscernible] and then it becomes easy for the attackers to get access to that, any proxy device, or it may have been the web server, everything is going to get cached; that's bad security design. But in this case, we did our test on a real time device, so in this case, if you look, you will be presented with this web login prompt. You provide a password and that kind of HTTP request is issued. You can see that the [indiscernible] hash has been passed, and in this particular case -- so we actually moved forward and just, hoping, some normal website on the internet, and you can see here that when we passed that hash, it was easily crackable, and once you get access to the password, you can go ahead and access the complete [indiscernible]. So the problem is that no [indiscernible], an HTTP GET, no man in the middle and things like that. But this is a big problem with -- from the authentication point, several web HMIs, they are not up to the mark. On the next target, Siemens SIMATIC HMI, I personally like the vulnerability that exists in this web HMI. The reason: this HMI provides an explorer interface. So when you click the explorer interface you are presented with a directory listing of all hard drives that are connected to it and any directories connected on the server. In that scenario, if you move forward, just in case, I want to highlight a vulnerability, [indiscernible] file uploading. So it is possible to actually upload a file by sending a link to a target. Once it clicks the link, the file will be uploaded to the USB device that is connected to it, this web HMI or any explorer with an interface on it. But again, these are vulnerabilities out there. You can execute any command or force the user to perform any actions which they are not authorized to do.
Just a snapshot, you get an idea that when you are uploading a file, [indiscernible] specified, which is a very bad design practice, and -- but this exists. So this is actually a web HMI for Siemens. I have actually shown an explorer interface, so you can get an idea, we are into the directory of that web HMI for this particular one, and another small snapshot is present; once we uploaded the file, you can access the file directly from there. And if you look at this particular screenshot, you get an idea that we used a simple external HTTP request to trigger the cross origin, not actually the cross origin, just trigger the cross-site request, and from there on we can upload any file directly to it. And then actually once we access it, you get control of it, you can process files, a lot of data out of it. Maybe you can upload malware through the USB directly. If you remember, in 2009, Stuxnet, they simply put malware on the USB, but in this particular case you can -- through the web, and force the user to click on a link, the file will be uploaded directly to the USB. Once disconnected, it will be taken care of that. But once connected, you can also upload files on the web panel, and things like that. You have another cross [indiscernible] vulnerability, you can delete any files, by forcing the user to have no tokens. You can keep on deleting files, lock files and other interesting things. Let's take a look at this vulnerability. Actually -- if I remember correctly, Siemens is in the process of patching this vulnerability. It might have already been patched. But we can try. In this case, we go to the file browser. You can see that there's a www root, temp directory, storage card, storage card two, and -- so this is our target. We want to upload a file here. I just created a custom demo, so just for the sake of showing what exactly happens in the back, so we clicked the button.
But you can basically send a link; once it has been clicked by the user, cookies will be taken care of automatically, and then the request will be issued. So this is a cross-site file upload vulnerability. The next part is just uploading that test file. If you see, we don't have any test file at this point in time. There's no file uploaded right now. And let's figure the exploit code. Show how it has been issued through the HTTP box. And this all -- the URL can be sent out in an automated manner. So we clicked it. The request has been issued. So the request has been accepted by the web server. This is the file we uploaded, a simple text file in this case. If you go back and refresh the page, there you go. We got a text file there. So the idea is that you can upload any file, executable, as I mentioned earlier, and from there onwards you can access the file through the URL, like rooting or compromising the systems through the web, and all these vulnerabilities play a significant role in it, and all these vulnerabilities, as I mentioned, were tested against a real environment. So moving next, we are going to tackle a similar device in this scenario. I'm going to show you in just a few, but these are interesting vulnerabilities to understand what kind of design they are following. In the solar device, again a hard coded administrator password, and these devices are heavily used for visualization for solar plants; take a look into it. Once you open -- you know, this HMI interface to the web, you will have this Java applet. Just the name. You have to install Java or download a .jar file to it, and in another snapshot you can see that there are links to where the .jar file is placed, so follow the same tactics, and we perform the source code analysis, and then from there onwards we get an idea, just an old system for the vulnerability demonstration, so if you take a look at that, you get a username and password as [indiscernible] and then something, 2008, all of that.
This password will give you direct access to the web HMI. Now once we use this password, you can see we get access to that device, and if you see this HMI interface, placed in that mimic diagram, then you can get a complete idea that you are in control of that -- this solar panel, maybe solar devices, through inverters and all of that. The problem again here is that it's just the web; these problems persist, and from there on, the hacker can easily gain control of that. I always believe if I can do it, then I think any other person can easily do it, because the reason is that SCADA thinks from that perspective, and hackers are thinking from a much wider perspective because they have a lot of time, significant and illicit interest, and I think these vulnerabilities can be pwned pretty easily and control all these devices. So I just -- we can take a look into it. Demo here. Just a one minute demo. Just want to show that the vulnerability actually exists there, so the vulnerability has been avoided. I see they are working with the vendor now, so you see you get a Java [indiscernible] like this. You have to accept the risk in this case. We are trying to accept the Java application here. Try the admin password, but it's not going to work. You're not allowed, so we are going to follow our simple tactic, we are going to go into the source code and go to the .jar file, to try to see what is actually in there. They have this VM -- VMS.jar file, and we... I already downloaded it, and now we're going to look into the source code analysis, just a simple thing, five minutes of stuff. And once you look at the classes, once you do a lot of source code analysis, you get an idea where you have to look. For example, authentication login classes, you know, session identifier classes, things like that. So just skimming over things. So of course we're going to look into hard coded configuration and any other things. So now here you go.
When we look into this, hard coded information. It took just five to ten minutes in this case, and for an advanced attacker it might be a little less. Again, the thing is that your hard coded credentials are being presented in .jar files, Flash files, insecure authentication design and frameworks, and we are using SCADA a lot these days, and we are finding vulnerabilities at the protocol level, and you know [indiscernible] and all those kinds of things, but we also need to look into the web HMIs, just broken, and take a look a bit more into it. If you see, with access to the complete HMI I can look into it, I can change the configuration and I can screw up the device if I want, just for testing purposes. So again, you don't need to attack the infrastructure right away. You just need to access the device through the web, and then you have the idea of what's going on in and out of the system, and there you go. You got access. Now, in the next set of devices, I'm just going to show the wide variety of devices to show that the vulnerabilities we are discussing here are not actually present in one specific device but in a wide range of devices, and this time I cannot cover all of them, vulnerabilities, but still, whatever the best I can, I will take care of it. In this [indiscernible] automation, [indiscernible] there's a variety of... they have devices here, the 1766, 1769 family and things. A simple thing I want to highlight: information disclosure, basically through default files. A lot of information is being presented in them, and by default design, web applications and things, you need to get the credentials first to provide any kind of info, but in this case the design principle is not followed. Again, you have an RFI, you have a local file inclusion, and long live cross-site scripting. Good to find out, again it can be used as in Schneider's, but in the case of SCADA, I don't consider this that kind of pretty advanced vulnerability or basically a hardcore one. So if you look at this particular screenshot, information disclosure is happening.
We move forward, more file inclusion. Again we just uploaded the... Black Hat web page in it and it's all unauthenticated, so you don't need to wait for the person to do the authentication and process the link. You just place the link and it should be done. And I see if I get time later on and the network is working, I'll rapidly show you that demo, that you can download malware on the fly with this thing. So scripting as usual. Unauthenticated, simply send a link, get whatever you want. Now, we have gone through the Schneider Electric devices, drop [indiscernible] Prisma, and we're going to target Prisma Web. Interesting, one of the most, I think, easy vulnerabilities you can, or a funny vulnerability. Prisma Web is one of the vendors that are based out of [indiscernible], and they actually build different devices like metal detectors. They build devices like jack [indiscernible] and stuff like that. And they also build devices for X rays, like inspection machines. So the interesting thing with this device is, web HMI, the password disclosure in a JavaScript file. Who could ever imagine this? So let's say you are acting in some sort of airport or another place with a metal detector, or somewhere you find a Prisma Web metal detector, somewhere you get access to the IP. Boom, I mean, you can do a lot of bad things. It's all in JavaScript, the client side, and it was working, the... all the vulnerabilities have been reported. Again these are full of [indiscernible] vulnerabilities, which I don't want to go into right now, but this one is interesting, through a simple JavaScript file. Take a look. So we access this Prisma Web here, so you get this web panel, and from there on, try to look into the source code to just understand what kind of components are being used, what kind of files are being included with this web HMI. If you see, we access two specific JS files, one is the login .path JS, the other one is config.js. So the config.js has been configured in a simple manner.
But if you look in the login .js, it says prismaweb, and prisma. So this actually shows that it might be running, in this case, a default password could be possible, but they are storing it in a JavaScript file, so if any administrator is going to configure a new password for it, it's still going to be present in the JavaScript file because that's how... exactly how that device works. And -- so we have the credentials. So I got access to the Prisma Web by using the password, and from there on, you can see the particular device, you can set up the parameters, you can screw up the process it is going in. But this is -- this is one of the funniest vulnerabilities I've seen in this SCADA HMI research. A lot of impact. This vulnerability, if you were going to manipulate metal detectors, it's just crazy. But -- from there onwards you also have cross-site request forgery. It means the connector tokens are totally not followed with SCADA HMI, simply through an HTTP GET, and change the password on the fly and then you can gain access to it. Now, see if the internet is working, but I... [No audio] Looks like we're not lucky today. I can show you the demo if you're interested, just outside somewhere, I can show you in real time how this can be, just some live device somewhere. Moving forward, now we're going to take a look into the IDC controller devices, primarily that go in pumps, so if you look into these pumps, these are basically used for pumping water, some sort of further purposes. Again, you can look into the snapshot and you can get an idea of what it actually looks like as a -- you know, the controller 3000 designed for it, and you'll again have a web HMI for it. But they have some problems: again, you can upload the firmware in this case, uploading the files. You can go and upload the firmware, forgery.
From there onwards, you can go ahead and play with the device through this, in this case, but this is also... so there are a lot of other vulnerabilities also present in this [indiscernible] controller, which I might not cover, but it's just an open platform. You can go ahead, if you have some time, and are motivated enough to hunt for vulnerabilities. I think this is a very good platform, and work with the [indiscernible] to report them... those issues. And following that, this is one IDC controller request, actually the request and response mechanism, and from there, how the request has been issued and has been accepted, so you can upload files, firmware, things. With this vulnerability, once you control the firmware, you control [indiscernible] using... in addition to that, these are totally configured. You can find a lot of devices and the passwords and all of that. But this is just from the design perspective; all security has been lined according to, to the research. Basically these are people who develop these kinds of devices. Now, from there onwards, hunting continues, a little discussion, and -- this is just the tip of the iceberg. If you go around and search vendors out there that provide HMI web services and keep looking for them, research different devices, you will find a lot of vulnerabilities; it's just not rocket science, you need to look into the control point that you need to control. And from there onwards you can spy on input stuff and see the device is working according to the way you want it to be. There's a big playground out there. You just... broken, not enough vulnerabilities in web HMIs have been reported back to the IC, but more on the protocol level, [indiscernible] hijacking, but if you open the scan, there are a lot of vulnerabilities in there. And from the conclusion, I can only say, from this research and other vulnerabilities out there, the SCADA web HMI security is completely broken. Why is it so?
Because we all used to say all is good and all is gold, and you can see SCADA technology has been used for a long period of time, but in this case when it comes to security it's not that golden. But the problem here is that it's still being used in more strong critical functions on the internet, or our day to day routine purposes, like the metal detector and pumps discussed earlier, and a lot of further additional details out there; so easy to find vulnerabilities, so easy to attack them, so easy to control them, and you can see how a big market, crimeware as a service, can build a threat. But you go ahead, find it, distribute an account and start selling these devices in the underground community. This is a real problem, and for that, I think researchers, any motivated people, need to come up and hunt vulnerabilities, work with the teams, whatever the best we can. This is the actual state at this point in time. Moving forward, some of the related research done earlier, other people's portals, good resources to look into to understand what kind of vulnerabilities have already been disclosed, what new ones are there. I personally feel that vulnerabilities like cross-site file uploading, firmware uploading, remote file inclusion all have a potential impact considering the state of security in web HMIs. And thanks, and I'm open to questions. You're free to ask any questions. If you need some demos I can show you that. [ Applause ]
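As an added defender-side example (not part of the talk or any vendor's code), the point raised earlier about web HMIs passing credentials and unsalted MD5 hashes in HTTP GET requests, which then land in proxy and web-server logs: a small Python script that scans access-log lines for query parameters carrying credential material. The credential parameter names and the log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry credentials (assumption for this example).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "hash", "auth", "token"}
# A bare 32-hex value is the size of an MD5 digest, the unsalted hash the talk describes.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Apache/nginx "combined"-style access log: client, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def find_credentials_in_query(target):
    """Return (param, value, reason) tuples for query parameters that look like credentials."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            hits.append((name, value, "credential parameter name"))
        elif MD5_HEX.match(value):
            hits.append((name, value, "32-hex value (unsalted-MD5-sized digest)"))
    return hits


def scan_access_log(lines):
    """Return one finding per GET request whose query string carries credential material.

    POST bodies are not in the access log, so only GET targets are inspected; that is
    exactly why credentials in GET are the problem: they are recorded everywhere.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hits = find_credentials_in_query(m.group("target"))
        if hits:
            findings.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "hits": hits,
            })
    return findings


# Constructed sample log: two HMI logins leak a hash in the URL, one login uses POST.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2015:10:01:02 -0700] "GET /index.htm HTTP/1.1" 200 1422
10.0.0.5 - - [10/Aug/2015:10:01:09 -0700] "GET /login.htm?user=admin&pwd=5f4dcc3b5aa765d61d8327deb882cf99 HTTP/1.1" 302 0
10.0.0.7 - - [10/Aug/2015:10:02:33 -0700] "GET /status.htm?page=2 HTTP/1.1" 200 5310
10.0.0.9 - - [10/Aug/2015:10:03:41 -0700] "POST /login.htm HTTP/1.1" 302 0
10.0.0.9 - - [10/Aug/2015:10:04:00 -0700] "GET /auth.cgi?u=oper&h=e10adc3949ba59abbe56e057f20f883e HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["timestamp"], f["client"], f["path"])
        for name, value, reason in f["hits"]:
            print(f"   {name}={value}  <- {reason}")
```

Running the same scan over a proxy or web-server log from an HMI segment shows which devices are sending credential material in URLs, which is the cue to move those logins to POST over TLS and to rotate the exposed passwords.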