Everybody, let's get this show rolling. Woo. So please give a warm round of applause to our two speakers, James and Bertin. He'll be adding one more thing to my list of things to worry about, which is hacking seismological networks. So please.

Okay, can you hear me now? Yeah. Awesome. Okay guys, welcome to our talk. This is called Exploiting and Attacking Seismological Networks Remotely. My name is Bertin. This is my colleague James Jara. We are from Costa Rica, and we're here to share the results of our last research. So, this is our disclaimer first of all. This is not a typical talk. Of course it's a technical talk. Probably it is the first research of this kind. All will never happen. We are not responsible for the action that someone can take after attending this talk. Okay.

So hello guys. Hello. Okay, ready. So, who we are. The agenda for today is this one: who we are, we already know; the motivation behind this research; how we got into these devices; how we found them. We will also talk about the risks and the impact, and who is affected by attacking these devices. We will also talk a little bit about seismological instrumentation in order to understand this research better, about the internals, and about deployments, deployments on earth and in the ocean as well. Then about how we got into the vulnerability space, the firmware analysis and attack vectors, and finally we get into our own conclusions and recommendations.

Okay, so my name is Bertin, as I mentioned at the beginning, and my colleague is James. We are from Costa Rica, San Jose. We are the co-founders of the NETDB project, the Network Database Project, which is a search engine for IoT devices. It's a project that I started 5 years ago, and then James joined my idea and we started working very hard from 2 years ago on the framework and the tool.
As I mentioned, we're from San Jose. Probably many of you know our country, because it's a nice place to live and visit. You're welcome anytime you want to visit us. We have a lot of beaches. Not beaches. So you're welcome. It's a very nice place to live. We don't have an army, so everything is pretty much cool and relaxed.

Okay, the motivation for this talk. I think it's very interesting. Why are we interested in these networks? Well, attackers are not interested in attacking these devices, because we haven't seen research previously in this field. It's pretty weird actually: if you take a look in the Snowden docs and look for the string "seismological" or "seismic", Snowden doesn't mention anything about it, and that was pretty much interesting for me. Who could be interested? I think governments, you know, in order to sabotage other countries' seismological networks. This is a new, cool attack scenario, because these devices are placed in extreme environments like the middle of the ocean or underground around volcanoes and specific areas. You're playing with devices that measure natural disasters, so it's very risky. This could lead to financial sabotage of a specific company or country. The vendor of these instruments doesn't have any sense of computer security at all; I'm going to show you. Remote access, remote exploitation: all the things that I mentioned powered this research to continue until today.

Okay, how did we discover these devices? We have, as we told you before, an IoT search engine. So let's see a demo about how we got into this device. Let me show you very quickly, because it's not the main focus of the talk. This is NETDB, the web application.
You can perform queries using our query builder tool. You can search in HTML, IP, ports, URL, HTTP headers, countries, SSL certificates as well, fingerprints, and so on. There are a lot of options. So in this particular... what happened here? Sorry. Okay. In this particular example, we are asking NETDB for a specific IP address. We are indexing, from this IP, three ports: in this example LDAP SSL with the respective certificate, an HTTP server, and HTTP on port 80. If you take a look at the same IP address in other search engines, you can see that the engine that is very well known to you, Shodan, doesn't have any results, no? So I'm not saying that we are doing a better job scanning the internet, but we are doing something that they are not doing. We are using another strategy to get these results. So we are focusing on getting as much data as possible.

Well, basically that is NETDB, and this is how we were behaving. We are using this method to get into the seismograph, just looking into the HTTP header labels. So, as you can see, we have a lot of fingerprints of many devices, so one day, after we had done a lot of research, and thanks to this search engine, we saw a keyword, a very curious keyword. So we have another demo in which we will see how we got into this particular device. So let's see the demo. This is NetDB in action. As you can see, I'm asking NetDB for a particular string, which is Taurus. That string is available in the Server label of the HTTP header of these two IP addresses. So you can see the fingerprint: Jetty 5.1.x, Linux 2.4.24, NMX Taurus. That was pretty much new for us.
And I noticed that when you connect directly to the web server running on port 80 you get into this dashboard. And you are seeing something very unusual. I have seen much research about VNCs open on the internet and many other servers, but I haven't seen this before in my life. I have seen many, many servers, but this one was pretty much different, because it's giving you readings: it's giving you voltage readings, power and waveforms. There is an option called waveforms, and you can refresh these waveforms every 5 seconds. So at the beginning I was not sure exactly what this thing was. For that reason I started the research.

Okay. For some strange reason you find a unique fingerprint among the millions of fingerprints that we have and are currently collecting with NetDB on port 80. So I'm going to talk about what Taurus is, and I will show you how to do that. So what is Taurus, that's the question now. We have the web server, we have the readings, we have everything, we have access. And we can track them: we already know the fingerprint, so we can start tracking them on the internet. But what is it? What is Taurus? It's a portable digital seismograph developed by Nanometrics, a company based in Canada, and when you take a look at the official documentation you will notice that it's pretty much connected directly to the broadband seismometer, which is called Trillium 240, and then all the data coming from the broadband seismometer is routed to the portable digital seismograph and then to the acquisition center.
It can also be connected to a geophone. These geophones are devices placed in the middle of the ocean in order to understand better the sounds of the seismic waves in the middle of the ocean. So what is a seismometer? Seismometers are instruments that measure the motion of the ground. They are reading the wave movements from earthquakes, volcanic eruptions, or different sources. From Wikipedia we read that there are different common applications like earthquake detection, mine safety, structural analysis.

So, continuing with the research, we asked, for example, which is the organization that keeps the standards, protocols and all the rules to get these devices properly working globally in the world. So I found the International Federation of Digital Seismograph Networks. This organization keeps up to date the SEED reference manual, which is the standard protocol for earthquake information exchange and all the digital seismograph networks worldwide. So these devices provide the real location just by connecting directly to the web server. As you can see, you can go to the Timing option, and you will notice that the location area is providing you the latitude, longitude and altitude according to their exact location somewhere in the world. So there is a demo showing you how we were able to find a seismograph in the middle of the ocean. So let's take this data from this real production seismograph and ask Google for this location, and you will notice that it's placed in a very cool area. So let's go to Google, put in our exact location. Here it is. And there you go: it's placed in the middle of the ocean in Europe, between the UK, Norway and Denmark.
So we said, well, this is cool, because this device is running in an autonomous way in the middle of the ocean, so let's attack this thing. It's pretty cool because I haven't seen someone exploiting something in the middle of the ocean, so let's do it, no? Okay, NETDB is not giving us their exact location, because we are using the MaxMind databases in order to query the location of every IP address that we find every second. But it's pretty much accurate, because it's telling us, well, your device is located in some ISP in the UK. So let's go to Google.

This is another example of how you can use Google Street View to query the same information, and we found this seismograph located in Marlow, Oklahoma. This is the same one here; these are the coordinates. And asking Google, it's telling us, well, it's inside the property, but Google Street View doesn't have access to private property, so you won't be able to get further inside the property, but it's in there, so it's pretty cool.

So what is the impact? I was looking for a real impact in the real world. First of all, no one else has ever done, as we told before, security research in this field. We know that we can perform a denial of service; also we can take advantage of the web server applications. Then we get into the web application vulnerabilities, and we see that there are several bugs, information disclosure in the web application that is using, as we said, a Jetty server. Also there can be economic impact for the oil and gas research of a specific company. There are other fields like the military industry and unknown areas. Yeah.
Okay, another company, which is called PGS, sells these components or these networks in order to perform gas and oil recovery. This caught my attention because you can see that there are other applications of this technology, for oil and gas recovery, not just for earthquake detection or earth understanding. So, vendors found in this research: Güralp Systems, GWL Instruments, Xaira; there are other vendors too, but the most affected is Nanometrics, which claims that they are the world leader in seismology in the world.

Okay, so the question is how do we... Also you can take a look in Google for white papers regarding instrumentation and earthquake technology, in order to understand better how these devices work, because it's pretty much a science field. It's not very familiar for us as security researchers, so it was pretty difficult for me to understand exactly how these devices work, so I had to request some help from an organization in my country which is called OVSICORI, and they provided me some information about how they work, and I explained to them, well, I got a vulnerability here in this thing, so they told me, well bro, we are screwed, basically. A lot of mathematics, a lot of physics, so if you're interested you can take a look. This is an example of other seismological instrumentation. This is an example of how to use geophones, and what is the other one? Hydrophones. Hydrophones, in order to catch the sounds from the ocean and the movements from the earth, but in the first example they are producing a fake movement in order to get to the gas and oil. So I found a demo from a company doing this, and let's take a look at how they are being deployed and how they are producing the fake movement in the earth in order to get to the gas and oil sources.
So as you can see, each point represents a little sensor, but you notice that they have a big truck, and in some way they stimulate the earth in order to get the response and check, well, there is gas and oil, so let's dig into it. This truck is collecting all the data from the network, and then it is sent to the main acquisition center. So this is where we are attacking: each of these little devices.

So let's take a look at how typical configurations look. As we can see, this is a digital seismograph. We have the sensor and we have the portable digital seismograph. So basically the portable one is the small piece on the top left of the image. We have the broadband seismometer at the bottom, which is called Taurus. What are the internals of these devices? They are Linux-based systems. They have a remote management system. They have several services like SSH, Telnet, HTTP, and the web server, Jetty. They have a really accurate GPS that can be used to get the exact location of the device. Also they are basically made for ocean bottom deployment, in this case the Trillium. They have a battery that can make the device last a long time, I mean years, in the ocean. In this case we have a sophisticated image in which we can see a horizontal sensor, a vertical sensor. We have accelerometers. Sorry. Another layer for seismological and electronic stuff. In this image, this is a pretty expensive device, so we are not able to get one. So this is an HD photograph in which we can see the several components of this device.

So what about the deployment options? We have two cases. The first one is the earth deployment and the second one is the ocean bottom deployment. For the first one, as a standalone deployment, it's typically running in buffer mode. It doesn't require a network connection.
For the second one it will work as a network element. So in this case the user must configure the Taurus with the required acquisition server IP. So the Taurus will be streaming the data to the acquisition server using the NP protocol, that means Nanometrics Protocol.

Okay, geophysicists depend on seismometers to monitor earthquakes generated by the motion of the tectonic plates that form the earth's crust. In order to function, the instruments need to be leveled prior to operation. That's easy enough for a device deployed on dry land, but when it comes to a seismometer placed on the ocean floor thousands of feet below the surface, the process gets a bit more challenging. As you can see, the earth deployment is pretty simple. A typical earth seismic station, you know, is such a small device, and deployment is a few simple steps. But now let's see the topology of the seismological network. Before jumping into the ocean deployment, this is how a seismological network looks: acquisition. So basically the data comes from the sensor and is sent by the Taurus to the acquisition server. Well, this is a typical ocean bottom deployment. They're using autonomous underwater vehicles, also known as AUVs. This is a pretty expensive deployment, because you need several ships and several AUVs. And each of these sensors and digital seismographs has a cost of around $30,000 each. So it's pretty much an expensive infrastructure. This is an example of how the dashboard looks which receives all the data coming from the remote stations. And this is the seismograph in this case. This is software also provided by Nanometrics. It can provide you the exact location and a nice web view.
But it's not the focus of the talk today. There is also an open source web server that can collect the data coming from these stations, which is called 1613, if you are interested in taking a look at the open source technology.

Okay, the challenge, as I mentioned, is pretty high. In order to function, these instruments need to be leveled prior to operation. It's not easy when it's a thousand feet down on the ocean floor. So I would like to share with you a video about how this works. Actually, do we have sound? No sound. Well. A quick demo, well, not a demo, it's just to take a look at how these engineers work in the ocean deploying these devices. You can see this is the AUV, and that antenna that you can see is the GPS antenna. Inside that glass ball is the cylinder with the sensor. So this device has an autonomy of eight months. Also they can be powered by a solar cell. Also in some cases they can be provided with a long-term battery, because these devices consume pretty little power for their operation. So there you go. This is going straight to the ocean.

Okay. Seismometers capture a transient phenomenon. If an instrument malfunctions, whether it is at the bottom of the ocean or at the top of a polar ice cap, the data is lost forever. So it's telling us, okay, if you can deny the service of this thing you will lose a lot of data. And what happens if you do the same with one thousand or two thousand of these devices at the same time? This could impact a lot the research that these engineers are doing. "You need to be absolutely sure that the sensor will perform perfectly every time." That's exactly what the director of marketing at Nanometrics says.

So what about the vulnerability research? We started looking to get a shell on the device.
So we started looking first for the firmware in Google and other sources. But it was pretty difficult to get. So what I did was look, with my friend, for the firmware using other techniques. So let me explain that. Okay, so the firmware was not very easy to find on the internet when I started looking for it. So I decided to send an email directly to the Nanometrics support. And they replied to me 10 minutes later. And they told me, you're welcome, good team, well, I'm going to give you a username and a password in order to get all the documentation and all the firmware and all the software. Okay. So I said, well, pretty cool. And the same day I started downloading everything, the firmware and all the stuff available, because they gave me access. I haven't done anything illegal here or something weird. It was just a simple email requesting access to the firmware, and they were very gentle to provide me access to that database.

Okay, so there's the firmware, finally. It's that tgz file which contains a lot of scripts and batch. So basically you don't need to use a binwalk tool or a firmware mod kit in order to take a look into the firmware, like with other firmware available in IoT devices. So I thought, well, you're probably kidding me, because there is a script called Taurus install.sh which is pretty much a bunch of batch commands. So imagine that you could inject a batch command inside that script and then upload it to the sensor, to the Taurus, and you will probably get a backdoor running always. So nothing complicated for us.

Okay. So the first thing we did was... after three days they sent me an email: Dear Bertin,
Nanometrics software and firmware can only be provided to registered customers, and I do not see your organization registered in our customer database. So what is the serial number of the Taurus you wish to upgrade? So they cut off all my access to the database, but it was too late for them, because I already had all the documentation and all the things. So, starting to dig into the firmware, I was able to get all the passwords: the root password of the SSH daemon, the password of the web server, the password of the Telnet, FTP and everything. And also I found several backdoors that are not well documented in the official documentation. So, too much talk, I know; it's pretty hard for you all to get all this information. I know it's pretty heavy. So let's take a look at the demo.

So this is the shell with the default password and the SSH daemon. So, who am I? I'm root, of course. Let's ask the system the username, and it's NMX Taurus, and after that what happens in the middle of the ocean is the following. Go on. Yeah. That's it. Well, exploit. You know what I mean. Let's take a look here. Again. So basically now we have a root shell. We have the highest privilege on the system. We can do whatever we want. We have BusyBox shells also. We have access to all the system components, to all the threads. Everything. Everything is completely compromised. So we have access to all the system components. We also need to compromise... after you get the default password for the SSH server, you can see there are a lot of profiles. So you can go straight to the users.txt template, which has all the users in plain text. And you will notice that there is something called factory, which is not documented, and then central, tech, and user. The password is the same as the username for all the users: central/central, tech/tech, and user/user.
And the factory backdoor, which is not in the official documentation. These users are from the web application specifically. So let's continue taking a look into the system files. You get the passwd file, so let's do a cat. More users. You notice that the SSH password is not in here. It was in another file, but it was only available by unpacking the firmware. So let's go back to the code. So the password was Dolphin18 for the SSH server. I don't know why they chose that pretty innocent password, I don't know; nothing related to the system or the field. Dolphin18. So now we have a user, a backdoor user. A lot of vulnerabilities. Let's test some vulnerabilities. I wouldn't call this a zero-day, but no one else previously found this bug in the system until I reported it to US-CERT. And actually Nanometrics confirmed the issue. But they told me, well, yeah, the bug is in there, you win, but I think that there is no way to exploit this remotely. But it's in there, so, well, I think that an attacker with a lot of creativity can exploit this remotely. So let's take a look at the video in order to show you how the bug works perfectly. So let me rewind this. Okay. There you go. Also you notice that we have access to all the interfaces, so we can turn off or turn on the interfaces. So this is the bug: the Shellshock bug. It's completely vulnerable. And that's it.

So, more bugs and errors: you can see traces. Here is an example of when we were trying to put down the Jetty server; we noticed that it's pretty easy to crash it. So with just a fuzzing technique, sending random data over this Jetty server, because they don't have enough memory. Yeah, you can actually send crafted URLs in order to get these traces.
You will get a lot of this information and messages. Okay, so another vendor affected that we noticed is Güralp Systems, specifically in the SSL protocol. These devices are running an HTTPS server with full Heartbleed enabled. And also, using our platform, NetDB, you can query the SSL certificates for the string Güralp Systems, and you will get directly to the Güralp seismometers.

So let's talk a little about protocol and communication stuff. These devices are using SEED. SEED is the protocol, the data format, used primarily for the exchange of seismological time series data and related metadata. So the nomenclature of the SEED format uses four components. The first one is the network code: one to two characters to identify the owner of the data. The second one is the station code: one to five characters for the station recording the data, because there could be several stations. The location ID identifies the different data streams for a single station. And the last one, the channel code, which is the most important, contains the band, sample rate, type, and orientation of the data, of the sensor. So if you want to know more about the SEED protocol, you can get into the reference manual that you can see on the web page. Well, this is an example of how Güralp Systems deploys the networking, using the Scream server or something like that.

Well, our attack now: we have a root shell, but we need to do something more. We are not just happy having a root shell on a seismograph in the middle of the ocean, so we need to do something else. So I thought, well, I have access to the protocol, I have access to the device, so let's do a man-in-the-middle attack on all the data coming from the earth and being streamed directly to the acquisition center.
So my position now would be in the middle, between the station and the acquisition center. Because these packets are not being sent using any type of encryption. There is no SSL, there is no PPTP tunnel, there is nothing. These packets are being routed over the public internet without any protection. This is an example of how the packet header and the packet look. This is pretty much representative, it's not the exact packet. I did it just for you, in order to understand better how the packet looks. Basically it's an XML file which contains all the information regarding the latitude and longitude. And this is the packet header, which is the main focus of the man-in-the-middle attack, because we can modify in our proxy the latitude and the longitude, and this is going to be injected directly into the main acquisition center as false data or a false positive. So we can flood the acquisition center with false data.

Let me show you the demo of the man-in-the-middle attack. Demo six. So there's the same seismograph in the middle of the ocean, but this time, these devices have an option called communications. They can stream, in an autonomous way, packets to any specific IP address that you provide to them. So let's take a look. Let's create a new profile in order to route all the traffic to my proxy. You need to go to data streaming. You will notice that there are some profiles in this seismograph, these three main profiles, but we're not going to touch anything. We're going to create a new one just for the proof of concept. Okay. So let's provide our IP address. And after pressing the apply button, the seismograph is going to start sending to me all the information coming from the Earth. And you will see on your right the tcpdump running.
This is our proxy, in this case. And you will see all the data coming straight to our proxy. And what I'm going to do is modify the latitude and longitude and then replace our IP address with the original main acquisition center IP address, because it's using UDP, and as you know UDP packets don't use any sequence mechanism like TCP, so you can spoof the IP address, and that's it.

So, well, conclusions. We are able to locate these devices anywhere in the world. We are in control of the device, the network and the software running on it. There is no SSL in communications. These devices help engineers to save people and understand the earth, and vendors, please code better and think about security in devices that help us protect our people in the world. Yup. So, recommendations: basically, think about security when you code this equipment, and that's it. In case you have any questions, just let us know. Thanks. Thanks.
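The two protocol points the talk makes, that the station-to-acquisition stream is cleartext UDP an in-path proxy can rewrite, and that SEED identifiers are built from network, station, location and channel codes of fixed lengths, can be shown end to end in a few lines. The following is an added example written for this page; it is not code from the speakers, from NETDB, or from Nanometrics. The XML message is a constructed, representative stand-in like the one the speaker sketched, not the real Nanometrics Protocol, and the HMAC-based receiver is one assumed way to implement the "think about security" recommendation; the shared key and its provisioning are assumptions.

```python
"""Tamper a cleartext station datagram in transit, then reject it with an HMAC."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample payload (NOT a real Nanometrics Protocol packet): a station
# identified by a SEED NET.STA.LOC.CHA id reporting its position and one sample.
STATION_MSG = (
    b'<station id="XX.OBS01.00.BHZ">'
    b'<location lat="58.1234" lon="2.5678" alt="-120.0"/>'
    b'<sample t="1438300800" v="1023"/>'
    b"</station>"
)

# The first letter of a SEED channel code is the band code; a few common values.
BAND_CODES = {
    "B": "broadband, 10 to 80 sps",
    "H": "high broadband, 80 sps or more",
    "L": "long period, about 1 sps",
    "V": "very long period, about 0.1 sps",
}


def parse_seed_id(seed_id):
    """Split NET.STA.LOC.CHA and enforce the field lengths described in the talk."""
    parts = seed_id.split(".")
    if len(parts) != 4:
        raise ValueError("expected NET.STA.LOC.CHA")
    net, sta, loc, cha = parts
    if not (1 <= len(net) <= 2 and 1 <= len(sta) <= 5 and len(loc) <= 2 and len(cha) == 3):
        raise ValueError(f"bad field lengths in {seed_id!r}")
    return {
        "net": net, "sta": sta, "loc": loc,
        "band": cha[0], "band_desc": BAND_CODES.get(cha[0], "other"),
        "instrument": cha[1], "orientation": cha[2],
    }


def parse_station(payload):
    """Receiver-side parse of one payload into the fields an acquisition centre stores."""
    root = ET.fromstring(payload)
    loc = root.find("location")
    info = parse_seed_id(root.get("id"))
    info.update(lat=float(loc.get("lat")), lon=float(loc.get("lon")), alt=float(loc.get("alt")))
    return info


def mitm_rewrite(payload, new_lat, new_lon):
    """What an in-path proxy can do to a cleartext stream: edit the coordinates and forward."""
    root = ET.fromstring(payload)
    loc = root.find("location")
    loc.set("lat", f"{new_lat:.4f}")
    loc.set("lon", f"{new_lon:.4f}")
    return ET.tostring(root)


def naive_receive(datagram):
    """Receiver with no integrity check: trusts whatever arrives (the talk's scenario)."""
    return parse_station(datagram)


def sign(payload, key):
    """Station side of the fix: append HMAC-SHA256 over the payload with a per-station key."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


def verify_and_parse(datagram, key):
    """Acquisition side of the fix: drop anything whose tag does not verify."""
    payload, sep, tag = datagram.rpartition(b"|")
    if not sep:
        raise ValueError("unauthenticated datagram")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("datagram failed integrity check")
    return parse_station(payload)


if __name__ == "__main__":
    key = b"per-station-shared-secret"  # assumption: provisioned out of band
    forged = mitm_rewrite(STATION_MSG, 0.0, 0.0)
    print("naive receiver accepted lat:", naive_receive(forged)["lat"])
    good = sign(STATION_MSG, key)
    print("verified lat:", verify_and_parse(good, key)["lat"])
    payload, _, tag = good.rpartition(b"|")
    try:
        verify_and_parse(mitm_rewrite(payload, 0.0, 0.0) + b"|" + tag, key)
    except ValueError as exc:
        print("rejected:", exc)
```

The unauthenticated receiver happily stores the rewritten coordinates, which is the false-data injection the demo shows; the same rewrite against a signed datagram fails the tag check regardless of the source IP it arrives from, so the UDP spoofing step stops mattering. A real deployment would also need replay protection (a sequence number or timestamp inside the signed payload), which this example leaves out.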