DEF CON 30 - Sharon Brizinov - Evil PLC Attacks - Weaponizing PLCs

22,659 views

DEFCONConference

1 year ago

These days, Programmable Logic Controllers (PLC) in an industrial network are a critical attack target, with more exploits being identified every day. But what if the PLC wasn’t the prey, but the predator? This presentation demonstrates a novel TTP called the "Evil PLC Attack", where a PLC is weaponized in a way that when an engineer is trying to configure or troubleshoot it, the engineer’s machine gets compromised.
We will describe how engineers diagnose PLC issues, write code, and transfer bytecode to PLCs for execution with industrial processes in any number of critical sectors, including electric, water and wastewater, heavy industry, and automotive manufacturing. Then we will describe how we conceptualized, developed, and implemented different techniques to weaponize a PLC in order to achieve code execution on an engineer’s machine.
The research resulted in working PoCs against ICS market leaders, which fixed all the reported vulnerabilities and remediated the attack vector. Such vendors include Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO and more.

Comments: 28
@willemvdk4886 1 year ago
Much, much respect. There is a LOT of work in that 10 seconds he spent on telling us about the protocol reversing. Incredible.
@halo37253 1 year ago
Sad to see the two biggest PLC vendors' main product lines missing: Rockwell with Studio5000 and Control Logix or Compact Logix, Siemens with TIA Portal and S7 1200 or 1500. They have a cheap modern Micrologix with CCW, which no one uses. I think the only thing CCW is used for by most engineers is to configure Power Flex Drives if not using drive tools.
@CrIMeFiBeR 1 year ago
Really interested in Siemens exploitation
@ivanv754 1 year ago
Well those are very very expensive and you kind of need a service contract to fully use
@peterevenhuis2663 1 year ago
Good that you totally missed Siemens, now I can sleep better
@chebhou 1 year ago
I was looking for it too 🤣
@Mekkor 1 year ago
They technically missed Allen-Bradley as well as they only covered Micro800s with Connected Components Workbench, which is free licensing.
@johnmhedges 1 year ago
Most IDEs don't load the source code to the PLC unless the programmer downloads it or enables the feature in the programming environment.
@SALTINBANK 1 year ago
Great talk from unit 8200 !)
@NickMoore 1 year ago
That was awesome!
@Jeeperanthony 1 year ago
Really cool! I assume you could put a flag in that would allow authorized personnel (through MAC, IP, etc) to upload.
@tommyhuffman7499 1 year ago
A more advanced explanation of how PLCs work. Love it!!
@ChristoffelTensors 1 year ago
Bro is the RTFM gigaCHAD
@lassorb4752 1 year ago
What about Siemens?
@TheEndermanOfEvil 1 year ago
fuck yeah, that's dope as
@cesar.automacao 1 year ago
Wow :p
@MrGillb 1 year ago
I wonder how many people bricked PLCs due to the confusing ass nomenclature
@johnkost2514 1 year ago
Just a replay of Stuxnet, and from well, I'll just leave it at that..
@DeShark88 1 year ago
It's err.. nothing like Stuxnet. What are you on about? It involves PLCs, sure, but the method and outcome is totally different.
@johnkost2514 1 year ago
@DeShark88 it's an insertion attack. Stuxnet modified the Step7/WinCC DLL(s). The payloads and focus was on DLL(s).
@DeShark88 1 year ago
@johnkost2514 the attack vector was totally different. One was an OS 0-day (Windows Shortcuts) exploited via USB stick, and the other is via a honeypot. Also the target was different. In Stuxnet the target was the PLCs, in this attack the target is those trying to hack PLCs. Sure, the PLC programmer's DLLs were edited in both cases, but I wouldn't call this a simple replay, since it's being done the opposite way around to target the complete opposite target.
@johnkost2514 1 year ago
@DeShark88 there were multiple Stuxnet campaigns (versions) and the probability that all were delivered via a USB is suspect. Again, DLL(s) were the focus of the exploit. Anyone who really knows the deeper constructs of ICS security and vulnerability would acknowledge the similarities. Relax your ego. I made an observation, I stated the similarity. Cyber researchers generally have more open minds than you do.
@jeremydaniels1973 1 year ago
I was excited when I read the title but let down by the execution of this presentation..
@DeShark88 1 year ago
What were you let down by? The content of the presentation was excellent in my opinion.
@bahadirm 1 year ago
Dude, people hacking an exposed PLC found on Shodan with possibly proprietary IDE/Development software that they most likely needed to pay for, are not script kiddies.
@mlu5653 1 year ago
You think they paid for it?...xD
@bahadirm 1 year ago
@mlu5653 depends on the IDE and their implementation of software/dongle licensing.
@prometheuscubesystems4399 1 year ago
yeah he think them r paying kkk