Hot cyber war. Hackers and rocket launchers

One of the most spectacular elements of the competition program of the PHDays V forum, held at the end of May in Moscow, was the competition presented by Advantech . Participants were to seize control of the industrial control system associated with the rocket launcher, and shoot at the "secret object."

What should have been done

The stand was a rocket launcher placed on a turret rotating in two axes and a target. The contestants had to gain access to the control system, deploy the installation in the direction of the target and hit it (in this case, the decommissioning of the equipment would not have led to the task).
')
During the competition, a situation was simulated in which the attacker had already penetrated the external perimeter of the organization and had full access to the office segment of the network. The connected username and password of the operator level were issued so that they could monitor the functioning of the system. Also on the stand there was a sign with all the IP addresses of the installed devices.

This year, separate competitions were an integral part of the CTF (for more details, see our article on Habrahabr ). More than 40 visitors to PHDays and several CTF teams tried their hand at this competition.

Technical details

The SCADA station was hardware executed on the Advantech TPC-1840WP industrial panel computer and worked under the Windows 7 Ultimate operating system without additional security features.

The operating system had all the regular updates available at the beginning of the competition; Windows Firewall has been enabled. SCADA was implemented using Advantech WebAccess 8.0 software.

Since this software could contain unpatched vulnerabilities for which exploits exist, the operator was only given access to the process visualization in the controller. The controller tags had the read-only status, so overwriting them did not affect the equipment performance. Obtaining administrator privileges opened a hacker with a page describing the structure and internal addressing of the system.



The connection between the SCADA system and the PLC was carried out using the Modbus TCP protocol using pseudo-registers (readout was performed not from the I / O modules, but from the memory cells of the controller's program).

Normally, both client and administrator access to the WebAccess SCADA system is performed via Internet Explorer's browser using the HTML4 protocol using IIS, which is part of the standard Windows distribution. By default, user authentication is performed by the SCADA system itself.

Physically, the connection between the SCADA station and the PLC was carried out via the Advantech EKI-7659C managed L2 switch using standard Fast Ethernet. Through the same switch, the contestants were connected via wire through the EKI-4654R or via Wi-Fi through the EKI-6351. The switch was not used to implement a VLAN or as a MAC address filter, although it did have this capability. In addition, a laptop was connected to the subnet for booth administration.



The PLC functions were implemented on the Advantech APAX-5620KW PAC controller, which is a device based on an ARM processor running the WinCE5 operating system. The controller implemented the working cycle of turning the rocket launcher on a timer (conditionally - a technological program of a controlled technological process). To do this, use the softlogic-core ProConOs, written by KW Software and executed as a task at the core level. The program of the actual movement was implemented by the author of the stand in the language of ladder logic using the KW Multiprog package. The program cycle is 50 ms.



This controller has three standard connection methods. One — through local VGA and USB connectors — was not available to the contestants. The second, through the remote desktop, was locked with a password. The third one - from the development system in IEC 61131 languages ​​- allows you to manage and debug the softlogic-subsystem.

Physically, the controller had two LAN ports, one of which was connected to the SCADA system (office subnet), and the second to the I / O modules (field subnet). Network ports were addressed from different subnets. Thus, the tasks of load balancing and access sharing were solved.

For I / O, ADAM-6050 modules were used (for discrete input from the axial end position sensors) and ADAM-6260 (for relay control). These modules have the ability of distributed programming in the GCL language, and it was used to implement emergency protection functions. In particular, when driving a trailer, the DI module reports this fact to the DO module, and the DO module reverses the corresponding motor for 3 seconds. In case of interruption of the connection, a watchdog was installed, which turned off all outputs. In the control unit of the rocket launch drive, it was specifically left to bypass the lock by writing a logical “1” to a dedicated internal variable (for this it was necessary to perform the write function in the Modbus register within the internal subnet).

Physically, the communication between the modules was performed without the use of an external switch, using the capabilities of the daisy chain technology in ADAM-6260.

The turret of the rocket launcher itself was powered by a separate block of 5 VDC and was equipped with three motors (turns around the vertical and horizontal axes, as well as the launch of rockets). To perform the reversal of the rotary motors, as well as a zero level of protection against short circuit of the power supply, a relay circuit was used. In addition, the rocket launcher was equipped with five push sensors of the end position (left, right, up, down, salvo emitted).

On all components of the system, where it was possible, non-word (generated) passwords of 8-10 characters in length were inserted, including Latin capital and small letters, numbers, punctuation marks.

The course of the battle

The competition was held during the two days of the forum Positive Hack Days.

The first day

During the first day, the contestants mostly understood the structure of the external subnet and tried to influence the system through SCADA. Hackers shut down the operating system services, including the firewall, were able to “hook up” the new user (albeit not at the administrator level), and restart the computer twice.



Several people, using Windows exploits and SCADA systems, were able to gain administrative access to WebAccess, familiarized themselves with the description of tags, and had the opportunity to stop the kernel of the system. However, the system did not respond to the attempt to rewrite the tags, the kernel was restarted automatically using Windows Scheduler. In the evening, exhausted hackers left an autograph on one of the pages of the system - and postponed their attempts until the morning.

Second day

Half past one day was spent in search of the source of control signals. One of the contestants discovered an unclosed exploit in WinCE5, but could not use it.

At 14 o'clock the contestants were given a hint that the external segment of the controller has read-only status and you must try to “go through” the controller.



At this moment, the CTF-team RDot joined the work on the stand. Within an hour and a half, team members were able to access the APAX-5620 remote desktop, were able to "kill" and run the softlogic task and manipulate the parameters of network adapters.

Also, one of the contestants claimed that he had the opportunity of unidirectional forwarding of packets from LAN1 to LAN2 without receiving reverse packets. However, the ideology of Modbus did not allow to use this opportunity for destructive actions.

At 15 o'clock on the stand, mechanical problems appeared. The contestants got the opportunity to listen to KW Multiprog work packages with the controller - stopping, restarting the controller, turning on debug mode, using force functions with respect to the memory cells of the controller. However, the contestants did not demonstrate the use of the information received.

At 16 o'clock the participants were given the source code of the APAX and ADAM modules to search for the possibilities of operating the standard programs. The RDot team was noted to have successfully attempted to re-read the program from the controller (this function in KW Software was not deliberately protected with passwords), turning on debug mode, and monitoring the operation of the controller registers.

At 5 pm, users were allowed into the internal subnet. In fact, a DDoS attack on the emergency protection system began with attempts to disable it.



By the time the competition ended at 18 o'clock, no one could stop the operation of the GCL program or control the outputs for the given purposes, although there were signs of an impact on the firmware of the modules. The restoration of the functioning of the modules was performed already outside the stand, although not in the conditions of the repair center.

Prizes were distributed "on points":

• I place - to Arthur G. from the Rdot team for opening the remote desktop of the APAX controller, successful work with the source in the language of IEC61131 ,;
• II place - Pavel I. for the fact that he was the first to receive administrative access to the interface of the SCADA-system and elegantly dealt with it;
• III place - Alexander I. for sending packets between the ports of the APAX controller and the total amount of effort expended.

The consolation prize is given to Alexey P. for using social engineering methods (for detecting the SCADA project backup on the administrator’s laptop and getting the administrator password from there).

Conclusion

According to the results of the competition, the organizers made the following important conclusions:

• Industrial control systems are generally not familiar to most violators. The methods were used mainly power (port attacks) or those that did not take into account the specifics of the system (monitoring of the Modbus traffic using Wireshark). However, with sufficient motivation, you can understand the structure of the system and the methods of its regular use.
• The most vulnerable are the elements close to the operator interface - the entrance of SCADA clients, remote desktops. For systems based on Windows, additional software protection is required for both the computers themselves (firewalls) and communication channels (encryption).
• An enterprise bus and a field bus must be physically isolated from each other, at least by a device with two network cards. Using VLAN is not always effective because of the presence of vulnerabilities in the switch web interfaces.