I didn't come here to fuck spiders. Let's get started. This is Switches Get Stitches, this is the third episode. And is -- then I took it to Kyos communication and I wanted these guys to join me to bring some different elements to a talk, and a talk focused on ether -- MultiLink and over there the open so that's what this is band that's the previous episodes. So who are we? I'll.

>> So I'm Colin Cassidy. I have been a senior engineer for 15 years and I gave that up --

>> Rob Lee, I was one of the guys you probably hate, I was in the government recently. So I'm alive and civilian. And I'm a re --

>> I used to be a senior risk researcher until I started telling jokes at DEFCON.

>> So we expect you to be a DEFCON audience, to have a lot of fun. One is private keys. When you see them on the screen, when we talk about them, and the other one is when you hear a vendor patch time story that you like. I expect you to make some noise. Switches get stitches. So the -- X-200 switches. Basically this is the one I worked on. They have session IDs in their web interface and we know session IDs are a good place to get started. Management plane, so when you go to the website of this switch to manage it you get these session IDs. Is anybody here reverse engineering? I'm glad there are a few people -- these should be pretty obvious. You see the C0, A8 and you think that looks like a local IP address. But you notice they're increasing. They're increasing only. Can you see the rights on the left-hand side? It will give you in -- uptime in hex. And then I got confused because I checked the IP address and it was not the IP address of the switch. Right? So I kind of thought about it for a little while and then surely lay didn't and of course it was my machine that was connected. Client uptime. Based on time was one of the first -- weak session ID and you can sort of see in the mind of the developer here.
I know, I'll create all of the IP space and all of time and that would be impossible to estimate, but barely weak session ID. I'll say one other thing. The better the talk is how the passwords were wired. So obviously the user, password is the cleartext of the password -- now the hash is passed back and forth and the ID, you cannot replay a hash from previously. So there it is in the end, but you'll realize -- is not a very large space so you can snatch one of these IDs. I think 16 characters, maybe 15 minutes. Something like -- here.

>> Also has a weak session ID. 8 characters long. We didn't really look into it much further but there was a nice configuration item if -- these highlight some of the problems with these switches but they're not always deployed the most default. If there is one less thing they can test and do a quick swap that makes life so much easier. All right. So.

>> After finding these issues with the session ID, can you do some side hacking? If you work regularly to do pen testing, you realize from an operation -- how often, so I have to wait for that to occur. As best. So we didn't like those -- in terms -- and particularly on firmware. If you go over to GitHub you can pull down this script and basically this is a CSRF. It makes it possible for you to download a configuration file or download the file, or if you do a PUT, you can put the software. I find this amazing because you can change the log file before you break into it and this creates an authentication bypass: I can have a known good configuration and the password is hashed in those files and I take that known good one, well before I use the known good one so I have the passwords that used to be there. I log in with my password which might be -- -- reload and no one -- authentication and it is also brilliant that you can POST a firmware image to the device.
So they fixed this in the newer version, but if you do pen tests in this environment or have access to these -- prove to yourself that those --

>> So I got involved in this project about a month after joining my firm. I have been breaking these switches if you want to take a look. Fair enough. Download, so the tool of choice more often is binwalk -- basically looks like -- for sort of headers of a particular type, in this case we can see there is a large compressed file. So taking the last compressed file we can see that the first items there -- better?

>> Yeah.

>> So we can see the first 4 items there relate to -- Siemens -- and there it is. So report this to the vendor as you do and the vendor came back and you can change it in the web interface. That's fine. Where in the documentation do you have this key that needs changing? Otherwise that's like undocumented. Okay, we'll change it. So self-signed, it can be changed in the web interface. So guess what? Bowl in a -- in the same style, same pattern. Default key, and important because we like to do it bigger and better. Trying to build parts signatures and stuff. We wanted this talk to say if you do web application pen testing, every embedded device has an embedded web server and they are enough to get you control over the device, so we can use your help. But that's really good for you, they tell some of the best -- I carved out a firmware of -- someone sent me a pcap. One of them sent me a pcap of this device and said, here's this HTTP traffic but once we do the firmware upgrade and use the same -- I carved up all the files. It was over TFTP so now I have a copy of the firmware image from the pcap and I look through it and binwalk didn't recognize a lot of it. And other stuff, and then I wrote a little script and managed to decompress it and found a raw image and inside there are these private keys and I know you guys like these private key collections. Yeah.
So these private keys, the first one is for the H -- seen the -- firmware upgrade and in Wireshark so you get those as well. But I think this is a real key issue in the sense that once if you only have -- I wanted interface in device and someone breaks out, you know, you don't have a secure channel in which to upload keys. The second key belongs to SSH and another researcher has brute forced the key, so the password on that is magnum6k. We'll talk about it in a minute. I guess we're talking about it now. So it turns out this switch is sold by GE but is manufactured by GarrettCom -- Magnum 6K so you basically take a different firmware. The key has changed but it is the same unless you clarify that these particular keys affect 7 out of 9. This stuff doesn't apply. So you know, just with an hour or two of binwalk you pull these keys and you get a bypass for a thousand -- switches of the switch family.

>> Just continuing. We found these keys in GE switches. And so when you see the report, it's -- that is affected and how does that get out of the way of the public? That makes it hard to do incident response and control. So pulling keys off Siemens switches we moved onto GE. We don't actually have this switch, this investigation highlights not having the switch; what we found was not really a problem, we went to GE about it and because interesting if nothing else. So binwalk being our friend, pull it down, it is a -- it happens to be a -- and indeed it contains the passwords and hashes. So you know it has an off code which is used if you forget the password you need the reset. It has a factory password so if anyone has a faster password cracking rig than me, take a note of it and -- we did report this to GE and the guys rang me back. I think I had one of their head product people and their entire development team, we don't believe it was a thing. Now I don't have this device to test that, so if anybody has one and I can borrow it that would be ideal.
But the other slightly thing is this is an industrial network -- why is there a games user and they got private keys too. So yeah, key management and network -- you are going to find keys -- if they're unchangeable that is bad. We have not found unchangeable keys. Self-signed -- keys, if you are an isolated network that's fine because you should not be connecting your -- right certificate a -- no. These switches tend to lack sort of processing power and any sort of -- but if you are going to set these things up you'll plug them into a laptop and it has sort of capability, so the vendors out there maybe need to consider a sort of initial setup process that helps lock these things down from the start, while they have one thing that will -- every switch that's not helpful. Essentially the problem with key management: you have to manage your keys, don't leave it to the vendors or whatever. All right so you know let's get back to web bugs instead of ripping keys out. There is a good story. Bad ass -- I spent a little bit of time with him and he does code review. How do you find so many -- I just grep for them. And I thought, you know what, he's right. If I'm going to write one script that -- would be like grep for private keys and hashes and it works. So this switch also, I'm using the Flash interface if anybody is really into Flash. I didn't explore that, I just went looking for cross-site scripting and I'm -- I was listening to DJ Kuber and that was a sample at the moment. So it just seemed appropriate. So there are 8 types of cross-site scripting. You don't have to put them in a specific parameter because you can make for the web server.

>> Hello gentlemen. How are you? So we have a thing we do for people who have never spoken ever at DEFCON before. It is called shoot the noob. Don't worry. -- Don't -- how many of you are not familiar? So I'm talking directly to you. [ APPLAUSE ]

>> Sir, were you born yesterday? Have you been to DEFCON before? Okay.

>> Yes it is.
Wait, what's your name?

>> Ryan.

>> Is that your real name?

>> Yes it is.

>> We don't use real names at DEFCON. [LAUGHTER]

>> All right. So we're going to explain to -- that was fun. To get onto this stage you really have to be really smart or really stupid.

>> He was not talking about uh-uh are the smart guy.

>> Anyway, just a quick toast for our new speakers, are they doing a good job? And Ryan is up there representing the new attendees, so thank you.

>> Thank you.

>> So then we'll have to make that pretty quick. So we promised -- I came here to drink and dance. And this is an excuse to do that, so let's go to the next slide. Remember earlier I did not want to brute force that password. Because I can patch in my key and run a CRC -- and try to reverse it at the bottom, so basically 2 checks. And if you patch your own key with your own password it turns out that just works, so top tip there. So this is one of my favorite -- why do you hack switches? That's where the packets are. Paraphrasing. A little bit of crypto but for the most part they don't. Can you tell it to do something? Oh -- and you can even perform like recording traffic and replaying it. So once you have control over the switch. Now that will work in many environments. Let's say electrical. Have you like -- in tax so if you route your traffic halfway around the world to another country, are you going to fail to reach your timing in that system? So you need to be able to alter the firmware. In the style of Jason or something. So I'm playing around with this switch and before authentication I found this -- there is a config file before you log in that you fetch and I created -- no catch -- rebooted it, just initial fuzzing. And I thought that's a DoS, they don't matter. So this is the fix, the current fix from GE they are to go -- now they've changed their mind and are patching it, but I want you to read that very carefully. Their mitigation -- is turn off the server. I don't like that, I think we can do better.
Where we skid -- amazing stuff, they did really deep into the -- but basically they showed in this paper that having a DoS in certain types of chemical process control is enough to give you almost complete process control. All right so I'll do the first one, there is an old day, SSH username if any of you remember. I found it -- is worth saying. It gave me this switch. You research switches, like we'll give you one. We'll get free testing and you'll get -- but still GE took 8 months -- Siemens took 3 months to fix the CSRF, so one week I think deserves a round of applause.

>> Yes, I spent most of my time looking at the switches; out of the 3 it is probably the most secure tested. You had to be logged onto the switch to do anything. So it makes a lot of the post impact maybe my for some of these issues. So the impact is much, much lower and in our conversation they were up front and told us when these switches were planned they did help. But we'll carry on. So that is Open switch. Looks like that on the website. You can download. They also have an open development kit so you -- so that's pretty cool. First issue they have on their web page, this nice support, is probably really tiny. But they have a link at the top. It allows you to download the support details for offline viewing. But this page is normally accessible only by the root -- user. However you can directly navigate to the page as any user and pull down all the information. Like the crontab, log, support text file, and that contains the iptables configuration. The location of all SSH keys. Things all the usernames but no passwords, so enumeration, so pull -- everybody else. Next issue they have we found was get file and this allows you to get any of the files on the device. Useful if you don't have SSH or -- but you can still pull them -- you got them so you can pull the password file. GE password file and it doesn't have passwords, however you can also download their private key. Yeah.
Again, it's a default key, you can change it, it is documented. And then try the traditional. No validation denied. I'm as shocked as you are. However we decided what about output validation. So you can log on and change the and basically just input your own, looks like HTML -- executes. But again you know, cross-site scripting on these devices, but you have to have sort of permission to do this thing. Yes it is nice and quirky -- but is not the most brilliant of attacks. Of the sort of creating a new user, so this got parameter, so we -- small web page that contains those codes. We deliver -- logged in device and -- you too can create your own login. Onto the -- and we can probably demo that. Can you make that look easy? We'll find out. So at this point in the presentation you're probably wondering what the hell is this guy on stage for. So why don't we give him a little time to explain that while Colin sets up the demo.

>> Thank you. -- and at that point if you are an industrial person. I'm the kumbaya. Talk about how attackers can take advantage. So the -- are you ready for the demo? Do that first.

>> You see at the bottom the root is the default one, the test one I just created so test script. Which is exactly what we had in the first place and so we're logged in and in another tab we can navigate to our evil page. The things -- anybody? And we can go back to our user group and there is a new user. Yay. But again the ability to get that sort of timing attack is probably really low. You can get them to navigate. You can have low control or network or configure their own device that probably wrong. So reasonably high impact but likelihood down there. So summarizing. The issues have been thought about. The session ID is just something you can -- input validation. It is all post authentication. None of this was -- these people have fixed these issues and what I like, developed sprint time. 2 to 3 weeks, and I think that deserves a round of applause because these guys are on.

>> Back to defensible.
As I was working with these gentlemen. And what can we do? There is an interesting -- made into the presentation because that's how many -- so if we see GE or Siemens, that's not the only ones that are bad, it is across the industry. We want vendor -- where adversaries -- so we as a community -- that's what I want to talk about a little bit. So one interesting aspect of industrial control system networks is that they're fairly static. If you think of your enterprise -- ICS network that shouldn't exist. You should have multiple places that capture data on the environment, so the screen up here, ideal network, as you have your processes separated out with multiple locations that capture data. But they're static. OPC, whatever ICS protocol calls. They should be relatively static, now we usually don't do a good job. When you walk into -- it is all flat network and nobody has any idea what's going on. So the downside with that is adversaries -- without ever being noticed because on the network it is really to spot. We're talking about industrial networks. Adversaries -- use those things. That doesn't matter, if you're just on the network you can do anything you want. All the protocols give you the firmware. Do whatever you want just by having access to the network. So the idea set -- anybody in government that would want to get to these facilities is to get the network, but we as defenders can see that. How amazing adversaries are, and funny because those are usually government kind of positions, and as a former government guy I think it is interesting folks think -- realistically we can do a good job, so when you look at the -- I want no excuses about legacy equipment and who knows infrastructure, but they have to do a good job. So the first one I want to talk -- on stage I feel like we have earned the right to talk about. So when you look at an ICS network it is really easy to map it up, so second piece of malware, when you look at what it does on a -- should know your network traffic.
Aspect my ICS -- and go safely capture. One of the things that I dislike is one of the most fears in the culture: if it is not broke please don't touch the network. Can you safely go acquire information and see if things that are going on? Like I mentioned -- there is high confidence, but there is -- tuning in, we want you to make this is not about shaming vendors, this is about saying we have a problem in the community and we can fix it. So there are some tools, YouTube, DEFCON and everybody -- -- help. As an example pre -- position it doesn't look that simple in terms of malware on the network. Yes that little heartbeat, but in a static environment it is really easy to see. It is a giant spike in network data. You do not have to be a trained security professional to do this. The interesting part is the process and thought and mindset is very similar to a control system architect guy. When Éireann and Colin made this comment before. The same skill set they have like that inside environment is the skill set that it takes to look for abnormalities, so today your ICS engineers and architects can look for threats without relying on the vendor. Right. So.

>> The point here being we're talking about doing change control. Using Wireshark. But you should know if anyone tried to change it. Not just -- not change the firmware unless they go and speak to Ted or whoever it is. But actually check the wire to see if these upgrades are happening at times and I think there is something to be said at merging the idea of security monitoring.

>> So we are not going to go through and here is how to defend every aspect, so there is going to be continuing interest. How to go through and mitigate an abnormality. Kind of as a joke. We were looking at security inside of ICS, it takes a whole lot of resources for -- think of that power plant, they're all -- a lot of resources to go and do anything interesting. So if we just do our job inside those networks. Defensible networks that we have.
Yes, IT and OT, operational technology. We need to have ownership and break down those barriers that are required to bring those things. We want to bring that legacy and I think that's where we want to focus. I'm ashamed really when we look at this infrastructure that we are not doing a better job of securing. Human life, trains, power plants, etc. That needs to be a priority.

>> We are ashamed. We know how much money to invest on banking security. We don't think about the long term cost of when we need them to be some time, so we are ashamed and we would like you to be ashamed as well. We can help contribute to this. Whether you're coming from the web -- stronger engineer, this is spyware, all the rest of it. We can contribute to help the -- good things we are enjoying.

>> We don't mean like DEFCON, like you should be ashamed. We mean think about the infrastructure that was left to you. That enabled all of us to come into this room and talk about hacking and security. When we talk about legacy we say it is legacy. Meaning it is -- and we're screaming. Reclaim the word legacy: treat industrial as infrastructure. Leave your children a legacy of secure, functional infrastructure.