Surprise! eBay Helped A Hacker Model Your ICS
March 19, 2021
Story
Cybersecurity firm Dragos recently released its annual Industrial Control Systems Cybersecurity Year in Review Report for 2020, which shows that threats targeting ICS and OT infrastructure tripled last year. The 703 identified vulnerabilities were underscored by the company’s findings that roughly 90 percent of its clients had little to no visibility into their ICS environments beyond the IT/OT network boundary.
But Dragos isn’t the only company looking for vulnerabilities on behalf of the industrial cybersecurity community.
"We're just trying to find vulnerabiilities and make sure they're being remediated," said Sharon Brizinov, Principal Vulnerability Researcher at Claroty, a cybersecurity company that deals primarily in identifying attack vectors on SCADA and other operational technology networks. Claroty also offers an intrusion detection system, or IDS.
The sole job of Sharon’s team is to find vulnerabilities in industrial control system hardware, software, and/or firmware. When a vulnerability is identified, it is added to their IDS and the researchers notify both their clients and the organization responsible for developing the affected components.
So basically, when Sharon and his colleagues are on the clock they are being paid to think like hackers. And last year, they started thinking big.
"We wanted to fgure out how can we attack multiple companies and multtiiple softwares at once," Brizinov said. "That's why we decided to focus on CodeMeter, because we knew it is so commonly used."
WIBU-Systems CodeMeter is piece of licensing protection software designed to protect IP against piracy, reverse engineering and outright theft, as well as the ability to flexibly license features and functionality. It’s widely deployed on ICS systems like industrial PCs and PLCs from vendors like ABB and Rockwell Automation, and is also used in other industries like automotive and pharmaceuticals.
Last year, the Claroty research team took CodeMeter to task, and uncovered vulnerabilities that Sharon discovered could enable exploits ranging from the fairly sophisticated to one so commonplace that something like it has probably happened to you or someone you know in the past – a kind of phishing attack.
"Through the vulnerabilities we discovered – we discovered six vulnerabilities – we were able to develop two different atttack vectors," Brizinov said.
"The first attack vector is, imagine a victim, who can be an engineer or a technician with a laptop, and this technician has some kind of software from a big vendor," he went on. "In the bundle that he installed with this software comes CodeMeter. So this victim, this technician has CodeMeter installed on his computer and is not even aware of it because he installed the big vendor's software.
"The first attack vector that we developed is luring this technician to go onto our malicious website," Brizinov explained. "And once he's on our website we send him specifically-crafted JavaScript code that can manipulate some of the licenses on his computer. And so we basically created an attack scenario where you go on our webpage and the webpage attacks CodeMeter on the machine.
"This is a very simple technique that we've actually seen in different products previously. A very average hacker could do that. No special skills are needed to do that," the Claroty researcher stated. "To leverage this we even developed our own testing tool so users can go online and test if they're vulnerable, because very little skill is needed. We even published the PLC so that people could test it themselves."
No wonder the OT guys haven’t wanted to connect to the Internet! So, don’t open those summer promotional emails or visit any unknown websites on your work laptop.
But what about the more sophisticated attack? What did that look like?
"In the second attack vector the attacker would need to be on the same local area network with the CodeMeter server, which means the attacker needs to be on the same network as its victim," the specialist proceeded. "In this case the attacker would need to send some specifically-crafted packets to the CodeMeter server in order to trigger some kind of memory corruption vulnerabilities.
"To do that, the attacker would first need to break the encryption key, which keeps on changing all the time because of how WIBU implemented their encryption scheme," Brizinov said. "This is a bit more difficult and requires some knowledge of reverse engineering and some cryptographical knowledge."
But WIBU Systems uses things like advanced 112-bit ECC encryption and FIPS 140-compliant random number generation in its CodeMeter product. So, how are these exploits even possible?
"If you're using commonly-used encryption schemes like AES or SHA-1, it's very hard to exploit these encryption schemes and hashes because they are mathematically very complex," said Brizinov. "But usually the issue resides in the implementation. So if you implement these encryption schemes in the wrong way, which means the seed that you choose for the encryption process is weak, then it can easily be broken.
"And this is just what happened in this case: the seed that was chosen for the CodeMeter encryption scheme was very weak so we could brute force the seed that the encryption key was derived from," he maintained. "We reduced the key space from 4 billion or something to just 4 milliion, and we were able to develop a method so that we could brute force it at home so we didn't need to communicate with the CodeMeter server the whole time.
"And so we were able to break any key within just a few seconds," he added.
They had to have had some special equipment to do this, though, right? Like a high-end server or tensor processor or something, right?
Not exactly.
"We didn't use all of Google's power," Brizinov explained. "We just used a simple four CPU setup. That's it."
Well, in any event, these nerds not only have unlimited time to perform this type of analysis, they also probably have unimpeded access to industrial control systems and a full lab at their disposal, even if they didn’t need to use a high-performance computer to brute force a poorly implemented encryption algorithm.
Can we then put this in the same category as the infamous 2015 Jeep hack by Chris Valaseek and Charlie Miller? An anecdotal project that requires a significant enough investment of time, money and effort that it would only be worth a hacker’s while in rare circumstances, therefore rendering the situation almost hypothetical.
Well, unfortunately, that’s not the case.
"When someone finds a vulnerability in Microsoft, everybody knows about it," the Claroty expert explained. "Now, suddenly in the last few years, more and more vulnerabilities are starting to be discovered in ICS. The reason for that is that ICS equipment has become more approachable for researchers.
"In every factory, in every company, in every plant there is PLCs and HMI equipment that you can buy on eBay," he continued. "Almost every embedded system can be bought on eBay. So it's true that maybe you don't have access to the real thing, to the real equipment, but you can definitely set up a lab with very similar equipment and you can research that.
"The vulnerabilities are still there," he said. "It's just a bit harder to get the right equipment to find them."
I decided to check e-bay for myself just to see what sort of ICS goodies were available for the taking. And, after typing in “PLC,” right there, there they were. A Siemens logic module, more than 10 of which were available for sale and 248 of which had already been sold. An Allen Bradley Ethernet PLC. Two OMRON controllers left from an original collection of five.
Figure 1. This Siemens LOGIC! controller is available on eBay for $129.99, as were 248 others that have already sold.
All of them were less than $500, with some under $130.
Fortunately, Sharon and his team of white hat hackers are the good guys. As soon as they identified the vulnerabilities, they informed WIBU of the issues, who immediately remediated the bugs and passed along the fixes to their customers in the form of new versions of the CodeMeter software.
But if this happened to WIBU, a company whose motto is ““Perfection in Protection, Licensing, and Security,” the question is really, who else could it happen to? Who else has it happened to? And who just got a PLC delivered to their door and is about to start hacking?
The inconvenient answer to all of those questions is “anyone.”
"There are always going to be bugs," Brizinov noted. "It really depends how you handle the bugs when they're reported and if you're routinely doing security analysis on the product.
"If someone reports a vulnerability to you, you must take action immediately and you must try to solve it and work with the researcher or hacker that provided this information," he went on. "And also you need to perform your own self inspection. So maybe you need to hire a third-party security firm to test your products, or maybe hire a full-time employee to do just that, to try to find vulnerabilities in your own product.
"If you're playing with the product and trying to take it to the extreme to find bugs in it, I'm sure it will improve the state of the security of any product," he concluded.
These may seem like no-brainers, but they are security best practices akin to brushing your teeth in today’s world of ubiquitously connected ICS and OT systems.
After all, "bugs will be bugs," Brizinov adds.
WIBU Systems maintains a robust security posture, routinely publishing security advisories for its customers. These can be found at www.wibu.com/us/support/security-advisories.html. The most recent versions of the CodeMeter runtime and SDK, version 7.20a, were released in February of 2021 and are available for download with purchase of a licensing agreement.
Claroty offers IDS, SIEM, firewall, network access control, continuous threat detection, secure remote access, and other cybersecurity products, along with penetration testing services.
