00:00:00.133,00:00:06.907 > OKay everybody let's get this show rolling. Whoo! So please give a warm round of applause to 00:00:06.907,00:00:09.743 our two speakers James and Bertin, who will be adding one more thing on my list of 00:00:09.743,00:00:14.748 worrying about: which is hacking Seismological Networks. So please. [Clapping] >> Okay. Umm. 00:00:19.686,00:00:24.691 Can you hear me? Awesome. Okays guys welcome to my talk. This is called Exploiting and Attacking 00:00:32.766,00:00:38.672 Seismological Networks Remotely. Ummm my name is Bertin, this is my colleague James Jara, we are 00:00:38.672,00:00:43.677 from Costa Rica. And we are here to shed..to share, there is also our last research. So okay this 00:00:48.448,00:00:55.289 is our disclaimer first of all. This is not a typical talk, of course it's a technical talk. 00:00:55.289,00:01:01.261 Probably it's the first research of this kind, all the vulnerabilities we found has 00:01:01.261,00:01:06.266 been correctly reported to the US Cert and they contact the vendor affected. We are not 00:01:08.902,00:01:13.907 responsible for the actions someone could take after attending this talk. Okay. >> So 00:01:17.911,00:01:22.916 Hello guys. Hello. This is, ready. Who we are. The agenda for the day is this one. Who we 00:01:25.752,00:01:31.325 are you already know. Um the motivation behind this research, umm how we get into these 00:01:31.325,00:01:36.330 device, how we find it. We will talk also about the risks, and the impact. Who is getting 00:01:39.232,00:01:45.238 affected by attacking these devices, also we will talk a little bit about the 00:01:45.238,00:01:51.645 seismological instrumentations, in order to understand better umm umm this research. Also 00:01:51.645,00:01:58.318 about the internal, the deployment, ummm deployments on the earth and on the oceans as 00:01:58.318,00:02:04.658 well. About network topology, also how we get into the vulnerability space. 
Also about 00:02:04.658,00:02:09.663 the firmware analysis. Attack vectors, post exploitation. And finally we get to answer 00:02:11.965,00:02:18.605 conclusions. >>And also recommendations. Okay so my name is Bertin as I mentioned at the 00:02:18.605,00:02:25.145 beginning, and my colleague James are from Costa Rica, San Jose. We are the co-founders of 00:02:25.145,00:02:30.150 the NETDB project, the Net Database project, which is a search engine for IOT devices. 00:02:32.853,00:02:37.858 Umm its a project I started 5 years ago, and then umm James joined into my idea. And we 00:02:41.028,00:02:46.033 started working very hard from 2 years ago, on the framework and the tool. Ummm as I mentioned 00:02:49.903,00:02:55.275 I'm from San Jose, probably many of you know our country [Clapping]. >>Thanks [Clapping] 00:02:55.275,00:03:00.213 >>Yeah thanks. Because it's a nice place to live and visit. You are welcome anytime to if 00:03:02.816,00:03:07.821 you want to visit us, we have a lot of beaches not bitches. [Laughter]. So you are welcome, 00:03:10.824,00:03:15.829 it's a very very nice place to live. We don't have armies, everything is pretty much cool 00:03:17.898,00:03:22.903 and relaxed. Okay. The motivation for this talk. Why are we interested in 00:03:25.105,00:03:30.110 seismological networks? Well uhhh a malicious attacker is not interested for this, for attack 00:03:32.245,00:03:37.250 these devices, because we haven't seen research previously in this field. Umm it's pretty 00:03:39.319,00:03:44.324 weird actually, if you take a look in the snowden docs, if you look for the ummm string 00:03:46.460,00:03:51.631 seismological [inaudible], snowden does not mention anything about it. That was 00:03:51.631,00:03:56.636 pretty much very interesting to me. Ummm who could be interested on, I think that governments to 00:04:01.308,00:04:08.215 sabotage other country's seismological networks. 
This is a new and cool attack scenario, 00:04:08.215,00:04:13.220 because these devices are placed in a extreme environments like the middle of the ocean or umm 00:04:16.089,00:04:21.094 in the..underground. Around volcanoes and specific areas. You are playing with devices 00:04:24.131,00:04:29.136 that measure, ummm natural disasters. Sooo it's it's very risky. This could lead to a 00:04:32.205,00:04:38.845 financial...a financial sabotage, to a specific company or country. The vendors of these 00:04:38.845,00:04:44.618 instruments does not have any sense of computer security at all, i'm going to show you. 00:04:44.618,00:04:50.891 Remote access, remote exploitation. So all the things that I mentioned, ummm 00:04:50.891,00:04:55.896 power...power up this res..this research to continue until today. So how did we discover 00:05:00.700,00:05:05.705 these devices? We have as, as we told you before, a IOT search engine, so let's see a demo 00:05:10.577,00:05:17.350 about how we getting to this device. >> Okay let me show you guys very quickly, because it's 00:05:17.350,00:05:22.355 not the main focus of the talk. This is the, the NETDB web GUI, or the Web application. Ummm you 00:05:26.293,00:05:31.298 can um perform queries, regarding our query builder, on tool you can search on HTML, IP, 00:05:34.334,00:05:39.339 ports, URL, http headers, countries, SSL certificates as well, fingerprints and so on. So 00:05:42.976,00:05:47.981 there are a lot of options. So in this particular, uhhh what happened here. Sorry, okay 00:05:51.885,00:05:56.890 sorry. Okay. In this particular example we are asking NETDB for a particular IP address. Umm we 00:06:01.294,00:06:07.400 are indexing...uhh come on. Aaaaah. We are indexing from this IP, 3 ports, and this 00:06:07.400,00:06:10.136 example LDAP SSL with the respective certificate, and the http server, and http and the 00:06:10.136,00:06:15.141 port 80. 
If you take a look, and this is a IP address, and other search engine, and very well 00:06:23.016,00:06:28.021 known for you as snowden, doesn't have any resource. So uhh. I'm not saying we are doing 00:06:30.991,00:06:35.996 a very good job scanning the internet, but you are doing something, something that they 00:06:39.399,00:06:44.971 are not doing. >> We are using another strategy to use the resource. We are trying to get 00:06:44.971,00:06:49.976 as many as there are possible. >>Well basically that is NETDB and this is basically how we 00:06:52.312,00:06:58.318 were able to get into the seismograph. umm just looking into the http headers 00:06:58.318,00:07:03.256 labels.Okay. So umm as you can see we have a lot of fingerprints, of many devices. 00:07:08.194,00:07:10.196 So one day, we have been doing a lot of research and things to the search engine, we see a 00:07:10.196,00:07:12.198 keyword, a very curious keyword. We have another demo where we will see how we get into this 00:07:12.198,00:07:17.037 ummm particular device. Okay. So. So let's see the demo. So this is NETDB in action. As you 00:07:17.037,00:07:21.675 can see i'm asking NETDB for a particular string, which is Taurus, that string is available 00:07:21.675,00:07:23.677 in the server label and the http header of these two IP addresses. So you can see the 00:07:23.677,00:07:28.682 fingerprint, JD5.1X Linux 2.4.24, NMX Taurus. Uhh that was very, pretty much ummm new for 00:07:44.497,00:07:49.502 us. And I noticed when you connect directly to the, the web server running on the port 80, 00:07:57.010,00:07:59.879 you will get into this dashboard. And you are seeing something very unusual. I have 00:07:59.879,00:08:03.650 seen many researches about VNC, often on the internet, and many other server, but I haven't seen 00:08:03.650,00:08:06.820 this before in my life. 
Uhhmm I have seen, many many servers, but this one was pretty much 00:08:06.820,00:08:09.189 very different, because it is giving you readings, it's giving you voltage on readings, forward 00:08:09.189,00:08:11.858 and waveforms. You can see how the waveforms ummm, and there is a option called waveforms, and 00:08:11.858,00:08:14.527 you can refresh these waveforms every 5 seconds. In the beginning I was not sure, I was 00:08:14.527,00:08:16.896 exactly what was this thing. So Bervis and I started this research. Okay. [Clicking] For 00:08:16.896,00:08:19.399 some strange reason you find a unique fingerprint and millions of fingerprints we have and are 00:08:19.399,00:08:21.935 currently collecting with NETDB on the public internet. So what is Taurus? That is the question 00:08:21.935,00:08:26.940 now. So we have the web server, we have the readings, we have everything, we have access and 00:08:52.966,00:08:57.971 we can track them. So we now know already the fingerprints so we can now start tracking them 00:09:44.184,00:09:50.590 on the internet. But what it is? Okay ummm. What is Taurus? It is a portable, digital seismograph 00:09:50.590,00:09:55.361 developed by Nanometrics. It is a company based in Canada. Ummm when you take a look in the 00:09:55.361,00:09:58.832 official documentation, you will notice that, it's pretty much connected directly to the 00:09:58.832,00:10:01.601 broadband, broadband seismometer, which is called trillion 240. And then all the 00:10:01.601,00:10:04.137 data coming from the broadband seismometer is routed to the portable digital seismograph and 00:10:04.137,00:10:06.639 then that decision centre. Also it could be connected to a Geophone, ummm this Geophones 00:10:06.639,00:10:09.275 are devices, uhhh they are placed in the middle of the oceans to understand better the 00:10:09.275,00:10:12.078 sounds of the seismic waves in the middle of the ocean. >>So what is a seismometer. 
A 00:10:12.078,00:10:14.380 seismometer are instrument that measure the motion of the ground. They are reading the 00:10:14.380,00:10:16.549 wave movement from earthquakes, volcanic eruptions, or different source. From wikipedia we read 00:10:16.549,00:10:18.551 there are different ummm common application like: earthquake detection, umm fracking 00:10:18.551,00:10:20.653 [inaudible], mine safety uhh and also structural analysis. >>So ummm continue with the research. 00:10:20.653,00:10:24.424 So, uhhh we asked..we asked...for example which is the, uhh organization to keep 00:10:24.424,00:10:29.429 the standards, protocols and all the rules; to get these devices working properly, ummm globally 00:11:57.216,00:12:02.155 in the world. So I found the the International federation of digital seismograph networks. 00:12:06.192,00:12:09.429 This organization keeps,keeps up to date the sea reference [inaudible], which is the uhhh 00:12:09.429,00:12:11.431 standard protocol for earthquake information exchange and all the digital seismograph worldwide 00:12:11.431,00:12:13.433 network. >> So umm, these devices provide the real location, just connecting 00:12:13.433,00:12:18.438 directly to the web server. So you can see you can go to the timing option and, and you will 00:12:41.327,00:12:46.332 notice that the location area is provided to you in the latitude and the longitude, and altitude. 00:12:49.135,00:12:56.109 According to their exact location somewhere in the world. So there is uhhh, uhhh demo, 00:12:56.109,00:13:01.781 showing you how we can...how we were able to find a seismograph in the middle of the ocean. So 00:13:01.781,00:13:06.786 let's take this, this data from the this ummm real production seismograph, and lets ask to 00:13:13.192,00:13:18.197 google for this location. And you will notice that its place in uh a very cool area. So just 00:13:28.608,00:13:33.613 go to google, put in the exact location and uhh, take it. And there you go. 
Its placed in the 00:13:43.189,00:13:48.194 middle of the ocean, in Europe, between UK and Norway and Denmark. >>So we said well this 00:13:54.767,00:14:01.340 is cool, these devices is running in an autonomous way in the middle of the ocean, so 00:14:01.340,00:14:06.345 let's attack this thing. Its pretty cool. Because I haven't seen someone exploiting in the 00:14:08.481,00:14:13.486 middle of the ocean, no? Okay umm NETDB is not giving their exact location because we are 00:14:15.855,00:14:20.860 using the MaxMind databases to query uhh the exact location of all IP address we find every 00:14:24.163,00:14:29.869 second, but it's pretty much accurate. Because it does know as well that your device is 00:14:29.869,00:14:34.874 located in some ISP in the UK. So this is an example of how you can use ummm google street view 00:14:46.819,00:14:52.525 in order to query the same information, and we found this seismograph located in Marlow 00:14:52.525,00:14:57.530 Oklahoma, it is the same one here, this is the co-ordinate. And asking to google, so it's 00:15:02.835,00:15:05.238 [inaudible], it's inside that property, but google streetview does not have access to that 00:15:05.238,00:15:08.775 property, but it's in there. So it's pretty cool. >> So which is the impact? So I was looking at 00:15:08.775,00:15:11.778 what was the real impact in the real world. ummm so uhh first..all...no one else has 00:15:11.778,00:15:16.783 ever done as we told before, research and security about this field. So we know that...we know 00:15:34.400,00:15:39.405 this that we can perform a denial of service, also we can take advantage of the web server 00:15:41.707,00:15:48.614 applications. And when we get to the web application vulnerabilities we see that 00:15:48.614,00:15:53.619 there are several bugs, ummm information disclosure, in the web application, that is using 00:15:56.322,00:16:01.260 as we said a web server. 
Also there is complete economic impact for oil and gas research 00:16:04.163,00:16:09.168 of a specific company. There are other fields like military industry and other areas. >> 00:16:14.540,00:16:19.545 Yeah. Okay ummm. In our company which is called PGS, umm they sell these components or these 00:16:22.381,00:16:27.386 networks, in order to perform uh guy...uh gas and oil recovery. Umm so this, this catched my 00:16:31.390,00:16:36.395 attention because you can see there is [inaudible] applications for this 00:16:39.966,00:16:44.971 technology. Uhhh just now, for earthquake detection or earth understanding. So vendors found 00:16:49.308,00:16:54.313 in this research, good old systems, G-well instruments, [inaudible], also uhhh, there 00:16:58.718,00:17:03.656 were more other vendors. The most effective is Nanometric, which claims they are the world 00:17:06.325,00:17:11.330 leaders on seismological instrumental networks. Uhhh also you can take a look in google 00:17:13.699,00:17:18.971 for white papers regarding instrumentation and earthquake seismology and to understand 00:17:18.971,00:17:23.976 better how these devices works, because it's pretty much a science field. So no one, it's 00:17:26.812,00:17:29.982 not very familiar to us as security researchers, its was pretty difficult to me to 00:17:29.982,00:17:31.984 understand exactly how these devices work, so I had to request some help from the 00:17:39.325,00:17:44.330 organization in my country which is called OBSCURE some information on how it works. And 00:17:46.732,00:17:53.072 I explained to them exactly well I got a [inaudible] in this thing, and they told me hey bro 00:17:53.072,00:17:58.077 we are screwed basically. Uhhhh. A lot of mathematics, a lof of physics, so if you are 00:18:01.414,00:18:06.419 interested you can take a look. 
This is an example of other sys....umm...seismological 00:18:09.355,00:18:14.360 instrumentation, ummm this is an example of how to use geophones, and ummm and hydrophones to 00:18:19.532,00:18:24.537 catch up the sounds from the ocean. And to catch up the movements from the earth. And in 00:18:28.674,00:18:33.679 the first example, they are producing a fake movement in order to get into the gas and 00:18:37.583,00:18:42.588 oil. So uhhh I found a demo, from a company doing this, and let's take a look how they are 00:18:48.094,00:18:54.133 being deployed and how they are producing the fake movement in the earth, in order to get into 00:18:54.133,00:18:59.138 the gas and oil, ummm sources. So as you can see, each point represents a little uhh sensor, 00:19:08.714,00:19:13.719 but you notice that they have a big trucks and they, in some way stimulate the earth in order to 00:19:18.057,00:19:23.062 get the response and check, well uhhh there is gas and oil so let's dig into it. This uhh 00:19:27.867,00:19:34.407 truck is collecting all the data from the network and then, ummm it sent to the acquisition main 00:19:34.407,00:19:38.110 centre. So this is what we are attacking. Each of these uhhhh little uhhh devices. [Clicking] 00:19:38.110,00:19:40.112 >> So uhhh let's take a look how the looks a typical configurations. As we can see, 00:19:40.112,00:19:42.114 we have the sensor, and we have a key...a portable digital seismograph. So basically the 00:19:42.114,00:19:48.320 portable is the small piece on the top of the image and we have the broadband, the small 00:19:48.320,00:19:53.325 [inaudible] at the bottom, which is called the Taurus, which is the internal of this devices. 00:19:57.663,00:20:02.668 ummm they are linux basis, uhh based system. they have a remote management system. 
they have a 00:20:07.306,00:20:12.311 several service like ssh, telnet, ftp, [inaudible], they have really accurate GPS that 00:20:24.190,00:20:29.195 can be used to get you know exact location of the device. They also basically are made for 00:20:34.767,00:20:39.605 ocean borne deployment, in this case the trillion. They have a battery that make the device be 00:20:39.605,00:20:44.610 long time, I mean years in the ocean. In this case we have sophisticated image, with which 00:21:15.141,00:21:22.081 we can see horizontal sensor, vertical sensors, we have a cellular...uhh >>Accelerators. 00:21:22.081,00:21:27.086 >> Oh yeah sorry. Ummm other layer for seismological and electronic stuff. Umm in this 00:21:30.256,00:21:35.261 image, this is a pretty expensive device, so we are not available to get one. So this is 00:21:37.897,00:21:42.902 a HD photography, in which we can see several components of this device. So uhh what about 00:21:46.138,00:21:51.844 the deploying options? We have two cases. The first ones is for the earth deployment and the 00:21:51.844,00:21:56.849 second one is for the ocean water deployment. The first one is standalone ummm deployment, 00:21:59.485,00:22:04.423 it is typically running in buffer mode, it does not require a network connection. For the 00:22:07.626,00:22:12.631 second one we will access some network elements, so in this case the user must configure the 00:22:15.267,00:22:22.208 Taurus with the required acquisition server IP. So the taurus will be streaming the 00:22:22.208,00:22:28.881 data to the acquisition server using the NP protocol. That means the Nanometric protocol. 00:22:28.881,00:22:35.387 >> Okay umm the offices depend on seismometers to monitor earthquakes generated by the 00:22:35.387,00:22:40.392 motion of tectonic plates, umm that turns it to crust. In order to function, the instruments 00:22:42.861,00:22:47.866 need to be umm level prior to operation. 
And that's easy enough for a device deploy on 00:22:50.102,00:22:55.341 dry land, but when it comes to seismometer placement on the ocean floor, thousands of feet 00:22:55.341,00:23:01.947 below to the survive, the pressures get to be more challenging. >> As you can see 00:23:01.947,00:23:08.621 the earth deployment is pretty simple. Umm you know its a small device, its simple steps to 00:23:08.621,00:23:13.626 deployment. So let's see the topology of the seismological network. Ummm before jumping 00:23:16.328,00:23:22.635 into the ocean deployment, ummm this is how it looks the seismological network. In this 00:23:22.635,00:23:27.640 scenario we have 3 different communications type. Ummm the first one is a BSAT, the second 00:23:30.342,00:23:35.347 one is a ADSL, and the third one is a GPRS modem. So basically the data comes to the sensor, 00:23:38.717,00:23:43.722 it's sent by the Taurus to the acquisition server. >> Well ummm, this is typical ocean born 00:23:48.661,00:23:53.666 deployment. They are using autonomous underwater vehicles, ummm as know as AUAVS. This is a 00:23:57.770,00:24:02.708 pretty much a expensive deployment as you need uhhh several ships and several UAVS. 00:24:07.479,00:24:12.484 And each of these sensors and digital seismographs cost around uhhh $30 000 dollar each. So 00:24:16.855,00:24:21.860 it's pretty much very expensive infrastructure. >> Uh this is an example how it looks like, the 00:24:26.398,00:24:33.172 uh the dashboard that receives all the data coming from all the remote stations. Uhh this 00:24:33.172,00:24:38.177 software which is provided also by Nanometric, which is called antenna. And it can provides to 00:24:41.613,00:24:47.920 you the, uhhh exact location and the nice web GUI. But that's not the focus of the talk today. 00:24:47.920,00:24:52.925 There is also an open source ummmm uhhh web server that can also collects the data coming 00:24:56.061,00:25:00.866 from this station, which is called uhh Syscom Tree. 
If you are interested to take a look in 00:25:00.866,00:25:06.972 the open source ummm seismological technology. Okay the challenge as I mentioned, is 00:25:06.972,00:25:11.977 pretty much ummm uhhh high. IN order to functions, ummmm this instruments need to be level 00:25:15.013,00:25:20.019 prior to operation. It's not easy when its thousands of feets on the ocean floor. So umm I 00:25:28.961,00:25:33.966 would like to sha...share, share with you, a video about how this, how this is works. 00:25:44.309,00:25:49.314 Actually we had sound. [Clicking] Uh okay. No sound, well. Well this is an quick 00:25:55.921,00:26:00.859 demo, uhh not a demo, it's just in order to take a look how these engineers work in the 00:26:06.899,00:26:11.904 ocean, deploying these devices. You can see this is the UAV, and that antenna that you can see, 00:26:14.039,00:26:19.044 is the GPS antenna, and inside that glass ball, is the cylinder with the sensor....... So this 00:26:49.975,00:26:54.980 device is..has an autonomy of 8 months, also they can be powered by a solar cell. Also in some 00:26:59.318,00:27:04.256 cases, they can be provided with a long term battery, because these devices consume pretty 00:27:07.559,00:27:12.564 much, a few power for their operation. So there you go. This is going straight to the, to 00:27:25.711,00:27:30.716 the, to the ocean.... Okay. >>Um okay. Seismometers capture uhh transient umm transient 00:27:39.024,00:27:45.664 phenomena. If an instrument malfunctions, whether it's at the bottom of the ocean, or at 00:27:45.664,00:27:50.669 the top of a polar ice cap, the data is lost forever. So if somebody know you can denial of 00:27:52.738,00:27:59.111 service this thing, you will lose a lot of data. And what happen if you do the same with a 00:27:59.111,00:28:05.117 uhhh with 1000 or 2000 of these devices at the same time, So this could impact a lot the 00:28:05.117,00:28:07.119 research these engineers are doing. 
You need to be absolutely sure that the sensor will 00:28:07.119,00:28:12.124 perform perfectly every time. That was exactly the direction of the marketing of Nanometrix. 00:28:19.498,00:28:24.503 >> Um soo what about the vulnerability research. Umm we start looking for get a shell 00:28:27.372,00:28:32.377 off the device, so we start looking first for the firmware, ummm in google..[inaudible[. But 00:28:34.713,00:28:39.718 it's pretty difficult to get it so what I did was uhhh look with my fiend for the firmware using 00:28:43.155,00:28:48.160 audit techniques. So let's play another video. >> So okay the firmware was not very easy to 00:28:51.063,00:28:56.935 find in the internet, when I started looking at it. So I decided to send an email 00:28:56.935,00:29:01.873 directly to the support, Nanometric support. And they replied me back, ummm 10 minutes 00:29:04.543,00:29:06.545 later. They told me uhh welcome, welcome to team [inaudible], so I am going to give you a 00:29:06.545,00:29:09.214 username and a password in order to get all the documentation, and all the firmware and all the 00:29:09.214,00:29:14.219 software. Okay. So I said oh pretty cool. So the same day I started downloading, everything, 00:29:17.856,00:29:20.525 the firmware and all the stuff available. They gave me access, i haven't done anything illegal 00:29:20.525,00:29:22.594 here, or something weird. Was a simple email requesting access to the firmware and, and they 00:29:22.594,00:29:27.666 were very gentle to give me access to that database. Okay so. There is the firmware 00:29:27.666,00:29:32.671 finally. It is uhh that tcg file, which contain a lot of scripts in bash. So basically 00:29:58.463,00:30:04.369 you don't need to use a bingwa..bing walk tool or firmware mod kit to take a look 00:30:04.369,00:30:09.374 into the firmware, like only...like other firmware available in IOT devices. 
So I 00:30:11.710,00:30:16.715 thought well you are probably kidding me because uhhh there is uhh a script Taurus install.sh, 00:30:22.587,00:30:27.592 which is pretty much a lot of uhhhh bash commands, so imagine you could inject bash commands 00:30:31.730,00:30:38.603 in that script, then upload it to the sensor, to the Taurus and you will probably get a backdoor 00:30:38.603,00:30:43.608 running always, sooo. Nothing complicated for us. Okay. Umm....after 3 days they sent to 00:30:51.116,00:30:56.121 me a email, uhhh Bertin Nanometric software and firmware can be provided to registered 00:30:58.190,00:31:04.629 customers and I don't see your organization registered in our customer database, so what is 00:31:04.629,00:31:10.602 the serial number of the Taurus you wish to upgrade? So they got me off all the access to the 00:31:10.602,00:31:15.240 database, but it was too late for them, because I already have all of the documentations and 00:31:15.240,00:31:20.245 all the firmwares. So I started digging into the firmware, I was able to get all the passwords, 00:31:23.115,00:31:29.321 the root passwords of the ssh daemon, the password of the web server, uhh the password of the 00:31:29.321,00:31:34.326 telnet, ftp and everything. And also I found several backdoors that are not, well documented in 00:31:37.095,00:31:42.100 the official documentation. So too much talk I know is, pretty hard for you, all this 00:31:45.470,00:31:50.475 information I know is pretty heavy. So let's take a look in the demo. [Clicking] So this is 00:32:01.887,00:32:06.892 the shell, umm with the default password and the ssh daemon. So who am I? I'm root of course, 00:32:10.028,00:32:15.033 Let's ask to the system the uname. You know it's a MMM...uhh NMX Taurus. And after that what 00:32:20.405,00:32:25.110 happened in the middle of the ocean, is the following............hahaha. 00:32:25.110,00:32:30.115 Come on. Yeah. [Laugher]. Hahaha yeah exploit. Ummm. Uhhh. Let's take a look here. 
Again. So 00:32:54.940,00:33:01.079 basically we now have our root shell, we have the uhh the highest privilege on the system. 00:33:01.079,00:33:06.084 We can do whatever you...we want. We have a busybox shell also, we have access to uhh all 00:33:09.387,00:33:14.392 the system components, all the threads. Everything is completely compromised after you 00:33:18.263,00:33:24.903 get the root password for the ssh system. So you can see there are a lot of profiles, so you 00:33:24.903,00:33:29.908 can go straight to user's text template, which are all the users in plaintext, and you will 00:33:32.744,00:33:37.148 notice that there is something called factory, and then central, tech and user. The 00:33:37.148,00:33:39.150 password is the same for all the users, uhh central central, tech tech, and the factory backdoor 00:33:39.150,00:33:44.155 which is not in the official documentation. Ummm this, this users are from the web 00:33:56.234,00:34:01.172 application, specifically. >> So let's continue taking a look at the system file, we look at the 00:34:11.983,00:34:16.988 [inaudible] passwd file, so let's do a cute, more users. You notice that, the ssh password, 00:34:21.559,00:34:26.565 is not, is not in here. It was in another file, but it was only available on, unpacking the 00:34:36.007,00:34:41.012 firmware. So,....so the password was dolphinating for the ssh server, I don't know why they 00:34:54.092,00:34:59.097 choose that uhh ummm pretty much, innocent password. Nothing related to the system, or the 00:35:03.501,00:35:08.506 field. dolhinating. So uhhh now we have access, a user, a backdoor user, a lot of 00:35:12.944,00:35:17.949 vulnerabilities, ummm lets test some vulnerabilities. Ummm and I wouldn't call this 0day, but no 00:35:20.085,00:35:25.090 one else previously found this, umm bug in the system until, I reported it to the US CERT. 
And 00:35:29.828,00:35:34.833 actually Nanometric confirms the issue, but they told me, well um yeah the bug is in there, and 00:35:37.502,00:35:42.507 you win, but I think there is no way to exploit it remotely, but it is in there. So well, I think 00:35:45.844,00:35:50.849 an attacker with a lot of creativity can exploit this umm remotely. So let's take a look 00:35:54.319,00:35:59.324 at the preview, to show you how the bug works perfectly. Oh yesss. So let me rewind 00:36:09.734,00:36:14.739 this.........okay, there you go. Also you notice we have access to all of the interfaces, so we 00:36:22.180,00:36:27.185 can turn off or turn..turn..turn on the interfaces. SO this is the bug, the shellshock bug. 00:36:29.587,00:36:34.592 This is completely vulnerable. And that's it. Sooo uhh more bugs and errors. You can see 00:36:46.237,00:36:52.844 traces. >> So uhh here is an example of a umm where when we was trying to put it down the 00:36:52.844,00:36:57.849 server getty, umm we noticed that it was pretty easy to crash, crash it out with a 00:37:01.319,00:37:07.826 fuzzing technique. Just sending it random data, over this getty server, because they have...uh 00:37:07.826,00:37:12.831 because they don't have no memory. >> Yeah you can actually send crafted URLS in order to 00:37:17.202,00:37:22.207 get these traces, so... >> So you will get a lot of these disclosure information messages. 00:37:24.209,00:37:29.214 >> Okay. So another vendor affected, that we notice is Dual systems. Specifically in the SSL 00:37:33.118,00:37:38.123 protocol. Uhhh these devices are run in https server, with uhhh full, [inaudible] block enabled, 00:37:41.326,00:37:46.331 uh [inaudible] bug enabled. And also using our platform NETDB, you can query the SSL 00:37:49.834,00:37:54.839 certificate for the string Dual systems and you will get directly into the Dual 00:37:57.075,00:38:03.915 seismometers. 
>> So ummm let's talk about a little, let's talk about protocol and communication 00:38:03.915,00:38:08.920 stuff. Umm this devices are using SEED, SEED is their protocol, their data format, 00:38:11.856,00:38:16.861 internally primarily, for a change in seismological times series data and related data. So 00:38:19.731,00:38:24.736 the format, the nomenclature for the SEED format, use for components. The first one is 00:38:26.938,00:38:33.378 network call, it's one to two characters to identify the owner of the data. The second one is 00:38:33.378,00:38:39.617 the station code, one two 5 character for the station recording the data, because it 00:38:39.617,00:38:46.090 could be several stations. Location ID, identify the different data streams for a 00:38:46.090,00:38:51.095 single station. And channel call, this is most important, which contains the band symbol 00:38:53.731,00:38:58.736 rate, type, and orientation of the sensor. So if you want to know more about the SEED 00:39:01.673,00:39:06.678 protocol , you can get into the reference manual which you can see on the webpage. >> Well this 00:39:08.846,00:39:11.316 is an example of about [inaudible] systems deploys the networking using the screen 00:39:11.316,00:39:13.384 server or something like that. So our attack now, we have a root shell but we need to do 00:39:13.384,00:39:15.420 something more. We are not just happy with a root shell in a seismograph in the middle of the 00:39:15.420,00:39:19.557 ocean, so we need to do something else. So I felt well, I have access to their protocol, 00:39:19.557,00:39:25.463 I have access to the device, so let's do a man in the middle attack. Umm from all the data 00:39:25.463,00:39:27.465 coming from there, being streamed directly to that decision centre. 
So my position 00:39:27.465,00:39:32.470 would now be in the middle of the station and the decision centre, because these 00:39:40.812,00:39:45.817 packets are being sent without using any type of encryption, there is no SSL, there is no ppt 00:39:54.626,00:40:00.732 channel, there is nothing. These packets are being routed to the public internet without any 00:40:00.732,00:40:05.737 protection. This is an example of how the packet header looks, excuse me, the packet. This 00:40:09.007,00:40:14.012 is pretty much representative, it's not the exact packet. I did it just for you to 00:40:16.381,00:40:21.386 understand better how the packet looks. Basically it's an XML file which contains all the 00:40:23.621,00:40:28.426 information regarding the latitude and longitude, and this is the main focus of the man in 00:40:28.426,00:40:35.266 the middle attack. Because we can modify in our proxy the latitude and the longitude, and 00:40:35.266,00:40:40.338 this is going to be injected directly into the management and decision centre as false data, 00:40:40.338,00:40:45.343 or a false positive. So we can flood their decision centre with false data. Let me show you 00:40:48.980,00:40:53.985 the demo of the man in the middle attack POC. Demo 6. [Mumbling]. So the same thing, 00:41:07.565,00:41:12.570 the same seismograph in the middle of the ocean, but this time... these devices have an 00:41:16.140,00:41:21.145 option called communications, so they can stream packets in an autonomous way to any specific IP 00:41:24.082,00:41:29.087 address that you provide to them. So let's take a look. Let's create a new 00:41:31.689,00:41:36.694 profile in order to route all the traffic to my proxy. You need to go to data streaming. 00:41:40.598,00:41:44.869 You will notice there are some profiles in this seismograph, these streaming profiles, 00:41:44.869,00:41:51.042 but we are not going to touch anything. 
We are going to create a new one just for the proof of 00:41:51.042,00:41:56.047 concept. Okay. So let's provide our IP address. And after pressing the apply button this 00:42:05.556,00:42:10.395 seismograph is going to start sending me all the information coming from the 00:42:10.395,00:42:15.400 earth. And you will see on your right the tcpdump running. This is our proxy in 00:42:18.302,00:42:23.307 this case, and you will see all the data coming in straight to our proxy, and what I'm going to 00:42:27.044,00:42:32.049 do is modify the latitude and longitude and then replace our IP address with the original 00:42:35.953,00:42:40.958 main acquisition centre IP address, because it's using UDP, and as you know UDP packets 00:42:45.196,00:42:50.201 don't use any sequence mechanism like TCP, so you can spoof the IP address. And that's 00:42:55.072,00:43:00.011 it. So our conclusions. We are able to locate these devices anywhere in the world. We are in 00:43:04.916,00:43:09.187 control of the device, the network and the software running on it. There is no SSL in 00:43:09.187,00:43:15.593 communications. These devices help engineers to better understand the earth. And 00:43:15.593,00:43:22.366 vendors, please code better and put security in devices that help us protect our people 00:43:22.366,00:43:28.739 around the world. >> Yup. >> So recommendations. Basically think of security when you code 00:43:28.739,00:43:41.219 this equipment, and that's it. In case you have any questions just let us know. >> 00:43:41.219,00:00:00.000 Thanks [Clapping]
