Bug hunting in cloud connected ICS devices: Getting root from the cloud
As more and more devices are becoming cloud connected it is important to understand how this attack surface is different from traditional socket based server applications. There is no open port listening with a cloud connected application so there is additional work required in order to just get the application to accept attacker controlled data. This talk will walk through the initial steps necessary to even begin vulnerability research of the application. Cloud based control of physical devices has some security benefits compared to traditional socket programming but, at the end of the day there is an application running on a device that acts on messages from the cloud. This means that there is opportunity for bugs and vulnerabilities in the software responsible for handling cloud messages. This talk will describe changes in research methodology that are necessary for performing vulnerability research on a cloud connected application. Zero-day vulnerabilities found in a cloud connected application on a popular industrial controller will be covered in depth. These vulnerabilities will be demonstrated live by impersonating the industrial vendor cloud application, resulting in getting root from the cloud.
Outline
- Introduction
Moving to the cloud
- Software stack, traditional vs. cloud connected
- Additional security benefits of cloud applications
- Libraries provided which include:
- Authentication enabled by default (most times)
- Encryption enabled by default (most times)
- Where are vulnerabilities most likely to be found?
- In the actual handling of the message data, and the actions taken as a result Vendor code
- Challenges for Vulnerability research
- Researcher doesn’t have access to application running in the cloud at least not source access
- Authentication and encryption makes it difficult to MITM to observe traffic for research
- Pre-work is necessary to even begin learning about the data format
- Which is what we will go into next
Intro to the industrial controller
- Azure IoT Hub client
- MQTT based protocol
- JSON data format
- We will need to learn the exact format through research
- Azure IoT Hub
- Running the industrial vendor cloud application
Protocol Overview
- MQTT Overview
- Publish / Subscribe protocol
- Client
- Broker
- Cloud Application
- MQTT Topics
- Format
- Examples
- Wildcards
Research Methodology
- Changes to Research Approach
- Can’t connect to a port and start sending data
- If you’re lucky you might have access to both applications and could capture data between them
- Options
- Configure the device to connect to a real cloud instance that you control
- Stand up a “local” server pretending to be the cloud
- Test Setup - Real cloud instance
- In this scenario the researcher must have access to configure connection properties with the cloud
- Test Setup - Local MQTT broker
- In this scenario the researcher must have the ability to add a root certificate to the device. (will probably require root)
Industrial controller vulnerabilities
- Supported messages
- Discuss device specific messages
- Discuss vulnerable message structure
- Outline of vulnerable process
- Discuss steps involved
- Vulnerability explanations
- Discuss specific vulnerabilities
- DEMO (live)
- Code Execution from the cloud
Conclusion
- Mitigations / Lessons Learned
- Discuss mistakes to avoid when developing a cloud application
- Discuss ways to mitigate with existing industrial control devices
- Review - Research Pre-work
- Impersonating the cloud application
- Local vs. Real Cloud instance
- Learning the topic format
- For both publish and subscribe
- Learning the data format
- Finding the data parsing code
- From there it’s business as usual for vulnerability research
Target audience
Familiarity with programming and common bug classes
Audience expectations
Detailed description of vulnerability research methodology relating to cloud connected ICS devices.
Description of an attack chain combining multiple zero day vulnerabilities to gain root access to a cloud connected controller.
Audience takeaway
Cloud connectivity provides many benefits to Industrial automation, but it also provides additional attack surface. Vendors should be mindful of untrusted data even if it comes from a cloud application.