Remember Firesheep . . . the addon that was so easy to use that even the clueless could successfully hack Facebook and Twitter accounts via Wi-Fi? In some scarier than your average security news, thanks to several Programmable Logic Controller (PLC) exploits that were added to Metasploit today, “hacking SCADA systems can be push of a button easy,” tweeted HD Moore, CSO of Rapid7 and Chief Architect of Metasploit. SCADA as in our critical infrastructure like chemical manufacturing plants or the electric grid.

This is all stemming from the news pouring out of the 2012 SCADA Security Scientific Symposium (#S4ics), where this morning’s two-hour S4 Project Basecamp presentation by Reid Wightman resulted in what Digital Bond hopes “will be a Firesheep moment for PLCs.”

“Project Basecamp had six great researchers looking for vulnerabilities in six different PLCs / field devices, and the PLCs took a beating,” Digital Bond reported. “There were backdoors, weak credential storage, ability to change ladder logic and firmware, command line interface, overflows galore, TFTP [Trivial File Transfer Protocol] for important files and so much more.” The image to your left was posted on Digital Bond.

Dale Peterson, founder of Digital Bond, said, “We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results. These attacks have existed in theory for a while, but were difficult to demonstrate to a Plant Manager.
By creating exploit modules for the most widely used exploit framework – Metasploit – we hope that security professionals in critical infrastructure companies, consultants, and penetration testers will prod vendors to add basic security measures to PLCs after decades of neglect.”

HD Moore added, “While most Metasploit modules exploit traditional workstations and servers, these modules are exploiting special purpose devices and will even demonstrate the ability to provide interactive control of a critical system, turning things on and off.”

The Rapid7 press release states, “There are additional GE D20 modules in QA, and plans to move the Basecamp exploits of Rockwell Automation, Schneider Modicon, and Koyo/Direct LOGIC exploits into Metasploit modules. PLCs are the components in SCADA networks that control critical infrastructure, including power plants, pipelines, chemical manufacturing, water treatment, etc.”

It’s the “Revenge of TFTP: SCADA Attacks,” according to the Metasploit blog. The new modules target “General Electrics D20 PLCs, a SCADA component that’s responsible for ‘mud-on-the-boots’ physical assets.” To help prove the exploits are definitely real, the Metasploit Pro update makes those vulnerabilities public knowledge. Now the “people responsible for administering and validating their SCADA infrastructure can use these modules to audit”:

d20pass: This module leverages a pretty major information disclosure for the device — turns out, anyone who connects to the TFTP server on the D20 can snag the complete configuration for the device, which includes plaintext usernames and passwords. This module does just that — downloads the configuration file, parses out the credentials, and stores them in Metasploit’s database for reuse.

d20tftpdb: This module demonstrates an asynchronous backdoor functionality in the D20 via the TFTP interface.
Again, in an unauthenticated way, anyone can connect to the TFTP server and issue commands by writing to a special location on the filesystem. Also again, this is a pretty big deal. Note that this module is currently still in the unstable Metasploit branch pending a little more QA work on getting this (pretty unique) command and control channel all nice and automated. As is, though, it works just fine for demonstration purposes, and if you have some of these PLCs in your environment, you are encouraged to investigate this more (and send patches!).

Also at S4, Ralph Langner, an industrial control systems (ICS) expert, gave a detailed analysis of the Stuxnet worm. Langner said, “If I were your attacker, I wouldn’t bother to discover a buffer overflow. I’d just go to the design flaws, because they can be exploited much more reliably. This is how the pros do it,” reported ThreatPost. Langner not only criticized Siemens but also DHS, and accused both of “failing to take the security issues seriously.” Sean McBride of the SCADA and ICS security firm Critical Intelligence told ThreatPost that Langner was “incredibly brave” to release “such an in-depth analysis of the Stuxnet code to the public.” McBride also wondered if that public release would cause Langner to “face the wrath of the U.S. government or the intelligence sector.”

Meanwhile, Tenable Network Security announced “the release of new SCADA plugins for both Tenable’s Nessus and Passive Vulnerability Scanner (PVS). These plugins will identify insecure PLC configurations that would allow an attacker to take control of a critical infrastructure such as the electric grid, an oil pipeline, a chemical manufacturing plant or water treatment plant.”

Do you remember when there was supposedly a digital hack that destroyed a water pump in the physical world?
Krypt3ia said the researcher’s claim about SCADA systems in Illinois was based on “bad data.” But then back in November, one hacker got so bent out of shape by reports blowing off the alleged water pump hack that the hacker took aim at Homeland and posted ‘proof’ of hacking SCADA for Houston’s water supply. Even that was debated by some.

However, it seems we have enough trouble with nation states like China or Russia which are hell-bent on cyber mayhem and harming America. But now that there’s a “Firesheep” so even the clueless can perhaps attack our critical infrastructure? Yikes! Let’s hope SCADA admins and others stop denying the vulnerabilities and immediately get busy closing all those holes.
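The D20 problem described above comes down to unauthenticated TFTP: a read request (RRQ) hands out the configuration with its plaintext credentials, and a write request (WRQ) reaches the backdoor command location. A defender can spot both on the wire without waiting for a vendor plugin. The following is an added example, not code from the article, Metasploit or Tenable; the PLC address, filenames and datagrams are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

OPCODES = {1: "RRQ", 2: "WRQ"}  # RFC 1350 request opcodes; DATA/ACK/ERROR are ignored

def parse_tftp_request(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Parse an RFC 1350 request (2-byte opcode | filename NUL | mode NUL) into
    (opcode, filename, mode); None for anything that is not a well-formed RRQ/WRQ."""
    if len(payload) < 4:
        return None
    (op,) = struct.unpack("!H", payload[:2])
    if op not in OPCODES:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        return None
    try:
        filename, mode = fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if mode not in ("netascii", "octet", "mail"):
        return None
    return OPCODES[op], filename, mode

def audit_tftp_traffic(datagrams, plc_hosts):
    """One finding per TFTP request aimed at a PLC (UDP/69). A read is a possible
    config/credential disclosure (the d20pass issue); a write is a possible
    command channel (the d20tftpdb issue), so writes are rated higher."""
    findings = []
    for src, dst, dport, payload in datagrams:
        if dport != 69 or dst not in plc_hosts:
            continue
        req = parse_tftp_request(payload)
        if req is None:
            continue
        op, filename, _ = req
        findings.append({"src": src, "plc": dst, "op": op, "file": filename,
                         "severity": "high" if op == "WRQ" else "medium"})
    return findings

# Constructed sample traffic (not a real capture): (src, dst, dst_port, udp_payload).
PLC_HOSTS = {"10.0.9.10"}  # hypothetical D20 address
SAMPLE = [
    ("10.0.5.23", "10.0.9.10", 69, b"\x00\x01config.bin\x00octet\x00"),  # read of config
    ("10.0.5.23", "10.0.9.10", 69, b"\x00\x02cmd\x00octet\x00"),         # write to PLC
    ("10.0.5.23", "10.0.9.10", 69, b"\x00\x04\x00\x01"),                 # ACK, not a request
    ("10.0.5.23", "10.0.1.50", 69, b"\x00\x01boot.img\x00octet\x00"),    # not a PLC host
    ("10.0.5.23", "10.0.9.10", 69, b"\x00\x01junk"),                     # malformed request
]
```

Calling `audit_tftp_traffic(SAMPLE, PLC_HOSTS)` returns two findings, a medium-severity read of `config.bin` and a high-severity write of `cmd`; the ACK, the non-PLC host and the malformed packet are skipped.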