[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:09.90,0:00:20.58,Default,,0000,0000,0000,,Éireann: Things are blowing up, in\Nindustrial systems, here in Germany, this
Dialogue: 0,0:00:20.58,0:00:26.08,Default,,0000,0000,0000,,year! I had hoped that these things\Nwouldn't happen. This kind of future
Dialogue: 0,0:00:26.08,0:00:34.21,Default,,0000,0000,0000,,wouldn't be one that we are living in. But\Nunfortunately it is. And I hope that we
Dialogue: 0,0:00:34.21,0:00:39.55,Default,,0000,0000,0000,,can make that better, partly through the\Ncourse of this talk. But more, I think, in
Dialogue: 0,0:00:39.55,0:00:45.23,Default,,0000,0000,0000,,the future with your help and your work.\NSo I'm sorry to begin this presentation
Dialogue: 0,0:00:45.23,0:00:52.49,Default,,0000,0000,0000,,with such a dark thought but: This year's\Ntheme is a new dawn. And it's always
Dialogue: 0,0:00:52.49,0:00:57.36,Default,,0000,0000,0000,,darkest just before the dawn. So we're\Ngoing to go through some of that darkness
Dialogue: 0,0:00:57.36,0:01:03.64,Default,,0000,0000,0000,,in industrial systems and SCADA systems to\Nget to a better place, right? Now with
Dialogue: 0,0:01:03.64,0:01:09.55,Default,,0000,0000,0000,,that said no hacker really gets to be\Nwhere they are without the help of others,
Dialogue: 0,0:01:09.55,0:01:14.65,Default,,0000,0000,0000,,right? We stand on the shoulders of giants\Nand part of the key is not stepping on
Dialogue: 0,0:01:14.65,0:01:20.35,Default,,0000,0000,0000,,their toes, on the way up. So I would like\Nto say thank you to a bunch of people who
Dialogue: 0,0:01:20.35,0:01:24.72,Default,,0000,0000,0000,,are here and also some people who aren't\Nhere. Particularly the Oslo hackerspace
Dialogue: 0,0:01:24.72,0:01:27.97,Default,,0000,0000,0000,,where I hang out. And these people have\Ntaught me a lot of things not just about
Dialogue: 0,0:01:27.97,0:01:33.56,Default,,0000,0000,0000,,technology but about life and on\N"aprendo", which is how Goya signed some
Dialogue: 0,0:01:33.56,0:01:40.09,Default,,0000,0000,0000,,of his last paintings and sketches - which\Nbasically means "I'm still learning". OK.
Dialogue: 0,0:01:40.09,0:01:46.39,Default,,0000,0000,0000,,So with that said I hope that you will\Nenjoy this talk with its darkness and its
Dialogue: 0,0:01:46.39,0:01:49.89,Default,,0000,0000,0000,,humor all at the same time. I used to be\Nin the circus, as you may have guessed from
Dialogue: 0,0:01:49.89,0:01:56.20,Default,,0000,0000,0000,,the mustache. So I encourage you not just\Nto view this as a technical vulnerability
Dialogue: 0,0:01:56.20,0:02:02.18,Default,,0000,0000,0000,,presentation but also as kind of live\Ntechnical standup comedy. Instead of jokes
Dialogue: 0,0:02:02.18,0:02:07.45,Default,,0000,0000,0000,,we have vulnerabilities. And I hope that\Nyou will enjoy them. So these
Dialogue: 0,0:02:07.45,0:02:12.70,Default,,0000,0000,0000,,vulnerabilities are in switches. I chose\Nto focus on switches and that will become
Dialogue: 0,0:02:12.70,0:02:19.49,Default,,0000,0000,0000,,clear throughout the presentation, why I\Nchose to do that for industrial systems.
Dialogue: 0,0:02:19.49,0:02:23.58,Default,,0000,0000,0000,,And we are looking primarily at three\Ndifferent families of switches. Because I
Dialogue: 0,0:02:23.58,0:02:28.05,Default,,0000,0000,0000,,don't want to pick on any one vendor. In\Nfact, the whole idea of this talk is to
Dialogue: 0,0:02:28.05,0:02:31.79,Default,,0000,0000,0000,,continue giving it. I have two other\Ncolleagues who couldn't be here with me
Dialogue: 0,0:02:31.79,0:02:35.52,Default,,0000,0000,0000,,today, who have some vulnerabilities in\Nsome other switches. And they look forward
Dialogue: 0,0:02:35.52,0:02:39.55,Default,,0000,0000,0000,,to presenting those vulnerabilities as\Npart of this presentation in the future.
Dialogue: 0,0:02:39.55,0:02:43.41,Default,,0000,0000,0000,,So every time we give this presentation\Nwe'd like to give some new vulnerabilities
Dialogue: 0,0:02:43.41,0:02:49.68,Default,,0000,0000,0000,,and show that this is systemic and endemic\Nrisk. So the three switches we'll be
Dialogue: 0,0:02:49.68,0:02:54.24,Default,,0000,0000,0000,,looking at today are the Siemens Scalance\Nfamily, the GE Multilin family and the
Dialogue: 0,0:02:54.24,0:02:58.82,Default,,0000,0000,0000,,Garrettcom Magnum family. These switches\Nare usually not very big. They might be 8
Dialogue: 0,0:02:58.82,0:03:05.71,Default,,0000,0000,0000,,ports, they might be 24 ports. And they're\Nused in a variety of different locations.
Dialogue: 0,0:03:05.71,0:03:13.26,Default,,0000,0000,0000,,So this talk is for you, if you work in a\Nutility, if you test industrial Ethernet
Dialogue: 0,0:03:13.26,0:03:17.48,Default,,0000,0000,0000,,switches, if you manage industrial\NEthernet networking, if you're comfortable
Dialogue: 0,0:03:17.48,0:03:21.51,Default,,0000,0000,0000,,at a Linux command line and you play with\Nweb apps but you don't know as much about
Dialogue: 0,0:03:21.51,0:03:25.45,Default,,0000,0000,0000,,reverse engineering. Don't worry, I'm\Nexactly the same. I suck at reverse
Dialogue: 0,0:03:25.45,0:03:31.52,Default,,0000,0000,0000,,engineering. But I care about this stuff.\NAnd so I'm learning. If you are a
Dialogue: 0,0:03:31.52,0:03:35.91,Default,,0000,0000,0000,,developer of firmware then I think this\Ntalk is for you as well. I hope you learn
Dialogue: 0,0:03:35.91,0:03:39.71,Default,,0000,0000,0000,,something from it. If you like\Nvulnerabilities you'll enjoy this quite a
Dialogue: 0,0:03:39.71,0:03:45.13,Default,,0000,0000,0000,,lot. I'm going to be sharing with you a\Nlittle collection I have, you know. Some
Dialogue: 0,0:03:45.13,0:03:51.63,Default,,0000,0000,0000,,people collect stamps or stories or jokes.\NI collect private keys. And I like to
Dialogue: 0,0:03:51.63,0:03:58.01,Default,,0000,0000,0000,,share them with other enthusiasts such as\Nyourself. If you happen to work for one of
Dialogue: 0,0:03:58.01,0:04:01.09,Default,,0000,0000,0000,,the switch manufacturers you know I've\Nspoken to before. Some of you I get on
Dialogue: 0,0:04:01.09,0:04:06.81,Default,,0000,0000,0000,,with very well. We speak regularly. Some\Nof you not yet - but I hope you'll come
Dialogue: 0,0:04:06.81,0:04:13.20,Default,,0000,0000,0000,,and have a chat with me later. OK, most\NSCADA or ICS presentations go a bit like
Dialogue: 0,0:04:13.20,0:04:20.64,Default,,0000,0000,0000,,this: Pwn PLC, the RTU, the HMI - these\Nare terms, you know, that all of us in
Dialogue: 0,0:04:20.64,0:04:23.83,Default,,0000,0000,0000,,SCADA know. Maybe most of you know them by\Nnow, they're pretty popular. I hope you
Dialogue: 0,0:04:23.83,0:04:27.78,Default,,0000,0000,0000,,do. But programmable logic controller,\Nremote terminal unit or human machine
Dialogue: 0,0:04:27.78,0:04:32.92,Default,,0000,0000,0000,,interface. And the basic idea of the\Npresentation is if I pwn these things,
Dialogue: 0,0:04:32.92,0:04:38.09,Default,,0000,0000,0000,,game over. Physical damage. I win. Isn't\Nthe world a scary place? And I encourage
Dialogue: 0,0:04:38.09,0:04:42.24,Default,,0000,0000,0000,,you to demand better content. I certainly\Ngrew up with better content. I used to go
Dialogue: 0,0:04:42.24,0:04:46.23,Default,,0000,0000,0000,,and see the presentations and the talks of\Na guy called Jason Larson. And he has a
Dialogue: 0,0:04:46.23,0:04:50.27,Default,,0000,0000,0000,,fantastic example of this. I want all of\Nyou to try it, right now. Just think
Dialogue: 0,0:04:50.27,0:04:56.11,Default,,0000,0000,0000,,about: If you had complete control over a\Npaint factory. What would you do to damage
Dialogue: 0,0:04:56.11,0:04:59.47,Default,,0000,0000,0000,,it? No one is going to get hurt.\NEverything's safe. It's a thought
Dialogue: 0,0:04:59.47,0:05:05.63,Default,,0000,0000,0000,,experiment, right? What would you do to\Ndamage it? Most people can't answer this
Dialogue: 0,0:05:05.63,0:05:09.74,Default,,0000,0000,0000,,question. And on certain types of\Nprocesses I can't answer this question.
Dialogue: 0,0:05:09.74,0:05:12.79,Default,,0000,0000,0000,,But other types I've worked with before\Nand I can answer this question. And I
Dialogue: 0,0:05:12.79,0:05:17.53,Default,,0000,0000,0000,,encourage you to ask it. But if you\Nlike and you want to learn more go and see
Dialogue: 0,0:05:17.53,0:05:24.07,Default,,0000,0000,0000,,Marmusha's talk - I think it's tomorrow.\NThink of my talk as a frame for her talk.
Dialogue: 0,0:05:24.07,0:05:28.11,Default,,0000,0000,0000,,She's going to be talking about how to\Ndamage a chemical process. And what you
Dialogue: 0,0:05:28.11,0:05:32.09,Default,,0000,0000,0000,,need to do as an engineer to do that. And\Nthe reason she's doing that is to build a
Dialogue: 0,0:05:32.09,0:05:36.29,Default,,0000,0000,0000,,better process in the future. You have to\Nbreak a few things to make them work a
Dialogue: 0,0:05:36.29,0:05:41.38,Default,,0000,0000,0000,,little bit better. Okay. So what's the\Npoint in industrial control systems
Dialogue: 0,0:05:41.38,0:05:47.75,Default,,0000,0000,0000,,security? It's not credit card data. It's\Nnot privacy. No disrespect to my privacy
Dialogue: 0,0:05:47.75,0:05:52.24,Default,,0000,0000,0000,,friends in the room. I have the deepest\Nlove and respect for the work that you do.
Dialogue: 0,0:05:52.24,0:05:58.31,Default,,0000,0000,0000,,But confidentially ... confidentiality is\Nthe lowest priority for us in industrial
Dialogue: 0,0:05:58.31,0:06:04.83,Default,,0000,0000,0000,,systems. It would go: Availability,\Nintegrity, confidentiality. And you might
Dialogue: 0,0:06:04.83,0:06:10.97,Default,,0000,0000,0000,,even swap integrity and availability in\Nmany cases. So, you have to protect the
Dialogue: 0,0:06:10.97,0:06:16.77,Default,,0000,0000,0000,,sensor data or the control signals.\NEverything else is maybe a vulnerability
Dialogue: 0,0:06:16.77,0:06:20.21,Default,,0000,0000,0000,,on the path to getting this. But it's not\Nthe most important thing that we're trying
Dialogue: 0,0:06:20.21,0:06:25.60,Default,,0000,0000,0000,,to protect. So that's why I'm attacking\Nswitches. That's where the process is,
Dialogue: 0,0:06:25.60,0:06:32.64,Default,,0000,0000,0000,,right? Now these may not be core switches.\NThey're often a little bit further down in
Dialogue: 0,0:06:32.64,0:06:37.07,Default,,0000,0000,0000,,the chain. They're field devices, right.\NSo you might find them in any of these
Dialogue: 0,0:06:37.07,0:06:44.59,Default,,0000,0000,0000,,locations. And this last example is not\Nnecessarily important because oil and gas
Dialogue: 0,0:06:44.59,0:06:49.27,Default,,0000,0000,0000,,is important - but it's important because\Nit gives you the general format of all
Dialogue: 0,0:06:49.27,0:06:53.30,Default,,0000,0000,0000,,industrial systems. You have a sensor\Nnetwork. And sensor data is traveling back
Dialogue: 0,0:06:53.30,0:06:58.61,Default,,0000,0000,0000,,and forth. And you have control signal\Ndata. That's it, basically. You might have
Dialogue: 0,0:06:58.61,0:07:01.35,Default,,0000,0000,0000,,different control signals on different\Nprotocols and you might have different
Dialogue: 0,0:07:01.35,0:07:05.41,Default,,0000,0000,0000,,sensors on different protocols, giving you\Ndifferent values like pressure or heat or
Dialogue: 0,0:07:05.41,0:07:15.89,Default,,0000,0000,0000,,whatever. But most processes follow\Nbasically this format. Okay. I don't do
Dialogue: 0,0:07:15.89,0:07:19.51,Default,,0000,0000,0000,,SCADA 101. There are other people who do\Nthis. I'm trying to do a little bit, to
Dialogue: 0,0:07:19.51,0:07:25.76,Default,,0000,0000,0000,,set the reference for this talk, but\Nusually I avoid it. So basically there's
Dialogue: 0,0:07:25.76,0:07:30.82,Default,,0000,0000,0000,,not much authentication or integrity in\Nindustrial systems protocols. There's not
Dialogue: 0,0:07:30.82,0:07:36.37,Default,,0000,0000,0000,,much cryptography. You would expect there\Nto be, maybe. I'm continually surprised
Dialogue: 0,0:07:36.37,0:07:40.32,Default,,0000,0000,0000,,that I don't find any. And when I do find\Nit, it's badly implemented and barely
Dialogue: 0,0:07:40.32,0:07:48.23,Default,,0000,0000,0000,,works. So once you have compromised a\Nswitch or another part of the network you
Dialogue: 0,0:07:48.23,0:07:51.93,Default,,0000,0000,0000,,can perform man-in-the-middle attacks on\Nthe process. Or you can create malicious
Dialogue: 0,0:07:51.93,0:07:56.40,Default,,0000,0000,0000,,firmwares on these different switches. And\Nthat's what I'm trying to prevent. I'm
Dialogue: 0,0:07:56.40,0:08:00.03,Default,,0000,0000,0000,,trying to find some of the different\Nmethods that people can use to produce
Dialogue: 0,0:08:00.03,0:08:09.80,Default,,0000,0000,0000,,these firmwares - and then get the vendors\Nto fix them, right. Okay. These are some
Dialogue: 0,0:08:09.80,0:08:14.42,Default,,0000,0000,0000,,of the protocols. If you are new to this\Nspace, if you want to do some more work in
Dialogue: 0,0:08:14.42,0:08:17.55,Default,,0000,0000,0000,,this area, but you don't know what to work\Non, take a picture of the slide or go and
Dialogue: 0,0:08:17.55,0:08:21.32,Default,,0000,0000,0000,,find it later. And choose one of these\Nprotocols and go and work on it. We need
Dialogue: 0,0:08:21.32,0:08:24.25,Default,,0000,0000,0000,,people to go to these different\Norganizations. Some of them are
Dialogue: 0,0:08:24.25,0:08:27.50,Default,,0000,0000,0000,,proprietary, some of them are open and\Ncomplain that there is not enough
Dialogue: 0,0:08:27.50,0:08:32.25,Default,,0000,0000,0000,,cryptography going on in this space. And\Nyes you can use VPNs. But believe me, I
Dialogue: 0,0:08:32.25,0:08:43.72,Default,,0000,0000,0000,,often don't find them. Okay. These are the\Nswitches, the specific versions of the
Dialogue: 0,0:08:43.72,0:08:46.60,Default,,0000,0000,0000,,firmware, in case you're here for\Nvulnerabilities instead of just me
Dialogue: 0,0:08:46.60,0:08:52.02,Default,,0000,0000,0000,,waffling on about the basics. If you want\Nto go and look these up, if you're a
Dialogue: 0,0:08:52.02,0:08:57.91,Default,,0000,0000,0000,,penetration tester working in this space,\Nyou can go and find them all online. And
Dialogue: 0,0:08:57.91,0:09:02.21,Default,,0000,0000,0000,,you can get a feeling for the kind of\Ncoding practices that go into these
Dialogue: 0,0:09:02.21,0:09:07.44,Default,,0000,0000,0000,,different devices. Now I've tried to\Nchoose the vulnerabilities that I'm
Dialogue: 0,0:09:07.44,0:09:14.71,Default,,0000,0000,0000,,presenting very carefully. To take you\Ngently from web app vulnerabilities into a
Dialogue: 0,0:09:14.71,0:09:19.95,Default,,0000,0000,0000,,little bit deeper into the firmware. So\Nthe first one we'll be looking at is
Dialogue: 0,0:09:19.95,0:09:24.71,Default,,0000,0000,0000,,Siemens. And again, I'm not picking on any\Nparticular vendor. In fact I'm very proud
Dialogue: 0,0:09:24.71,0:09:30.31,Default,,0000,0000,0000,,of Siemens. They're probably here again.\NThey've been here many years. And they fixed
Dialogue: 0,0:09:30.31,0:09:35.20,Default,,0000,0000,0000,,these vulnerabilities within three months.\NAnd I think that was awesome - especially
Dialogue: 0,0:09:35.20,0:09:41.50,Default,,0000,0000,0000,,in the space that I work in. The average\Npatch time in SCADA and ICS is 18 months.
Dialogue: 0,0:09:41.50,0:09:45.50,Default,,0000,0000,0000,,So I think Siemens deserves a round of\Napplause for getting these fixed.
Dialogue: 0,0:09:45.50,0:09:52.87,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NSo without further ado let's have some
Dialogue: 0,0:09:52.87,0:09:58.59,Default,,0000,0000,0000,,fun, right. So MD5, you go to the web page\Nfor this switch. This is the management
Dialogue: 0,0:09:58.59,0:10:03.35,Default,,0000,0000,0000,,page of a switch, right. And you interact\Nwith this webpage. And you have a look at
Dialogue: 0,0:10:03.35,0:10:12.58,Default,,0000,0000,0000,,it. And on the client side they do MD5 of\Nthe password. Okay. That's fascinating. I
Dialogue: 0,0:10:12.58,0:10:17.29,Default,,0000,0000,0000,,don't think that's particularly secure.\NBut it's done in roughly the same format
Dialogue: 0,0:10:17.29,0:10:20.64,Default,,0000,0000,0000,,as that Linux command. So I use the Linux\Ncommand instead of the JavaScript just to
Dialogue: 0,0:10:20.64,0:10:26.06,Default,,0000,0000,0000,,make it easier for everyone. You have the\Nusername at the beginning and the password
Dialogue: 0,0:10:26.06,0:10:30.04,Default,,0000,0000,0000,,is in the middle. And then you have this\Nnonce that's at the end, a number you use
Dialogue: 0,0:10:30.04,0:10:34.47,Default,,0000,0000,0000,,once, right. I was surprised to see the\Nnonce, and it's even called a nonce,
Dialogue: 0,0:10:34.47,0:10:37.14,Default,,0000,0000,0000,,right. So somebody had done a little bit\Nof homework on their cryptography. And
Dialogue: 0,0:10:37.14,0:10:41.15,Default,,0000,0000,0000,,they understood that they wanted to use,\Nyou know, this number used once to prevent
Dialogue: 0,0:10:41.15,0:10:45.34,Default,,0000,0000,0000,,replay of the hash every time. Okay,\Nthat's some pretty good work.
Dialogue: 0,0:10:45.34,0:10:49.20,Default,,0000,0000,0000,,Unfortunately this is MD5 and this is\Nprotecting your electric utilities and
Dialogue: 0,0:10:49.20,0:10:56.07,Default,,0000,0000,0000,,your water and your sewage systems. And\Nyou can brute force this in a few seconds,
Dialogue: 0,0:10:56.07,0:11:00.20,Default,,0000,0000,0000,,if the passwords are less than eight\Ncharacters. And if they're around 15 it
Dialogue: 0,0:11:00.20,0:11:04.46,Default,,0000,0000,0000,,might take you 20 minutes or something.\NYou can do this from PCAPs, from network
Dialogue: 0,0:11:04.46,0:11:08.30,Default,,0000,0000,0000,,traffic captures. And then you have the\Ncleartext password that you can use
Dialogue: 0,0:11:08.30,0:11:16.42,Default,,0000,0000,0000,,forever after, with that switch. So, off\Nto a bad start, in my opinion. So these
Dialogue: 0,0:11:16.42,0:11:22.77,Default,,0000,0000,0000,,are the nonces that we're looking at. I'm\Nglad to hear you laughing. It makes me, it
Dialogue: 0,0:11:22.77,0:11:27.42,Default,,0000,0000,0000,,warms the heart, right. So you can see\Nthat they are incrementing and that they
Dialogue: 0,0:11:27.42,0:11:37.75,Default,,0000,0000,0000,,are hex. Yeah. What else can you say about\Nthis? The last half is different than the
Dialogue: 0,0:11:37.75,0:11:45.87,Default,,0000,0000,0000,,first half. Not only is it incrementing,\Nit is sequential. If you pull them quickly
Dialogue: 0,0:11:45.87,0:11:53.26,Default,,0000,0000,0000,,enough. For those of you who also do a bit\Nof reverse engineering you might recognize
Dialogue: 0,0:11:53.26,0:11:58.13,Default,,0000,0000,0000,,the first half as well. Anybody in the\Nroom see any patterns in the first half of
Dialogue: 0,0:11:58.13,0:12:09.95,Default,,0000,0000,0000,,the nonces? No? Hmm? Very good, IP\Naddress. MAC address would have been a
Dialogue: 0,0:12:09.95,0:12:13.52,Default,,0000,0000,0000,,good guess as well. I thought it was at\Nfirst. And I got very confused when I went
Dialogue: 0,0:12:13.52,0:12:17.34,Default,,0000,0000,0000,,to look for the IP address. Because I went\Nto the switch itself. And the switch's IP
Dialogue: 0,0:12:17.34,0:12:25.08,Default,,0000,0000,0000,,address was not this in hex. It's the\Nclient-side address. Which I just couldn't
Dialogue: 0,0:12:25.08,0:12:29.38,Default,,0000,0000,0000,,believe, right? Like, it seems like it\Nmakes a sort of sense if you're trying to
Dialogue: 0,0:12:29.38,0:12:33.58,Default,,0000,0000,0000,,keep session IDs in state. And it's like\Noh I want a different session for every IP
Dialogue: 0,0:12:33.58,0:12:39.48,Default,,0000,0000,0000,,address. And then I'll just use time, I\Nuse uptime in hex as the rest of my
Dialogue: 0,0:12:39.48,0:12:45.16,Default,,0000,0000,0000,,session ID, right? You know, the entire IP\Nspace and time, that can't be brute forced.
Dialogue: 0,0:12:45.16,0:12:52.25,Default,,0000,0000,0000,,It has a kind of crazy logic to it, right.\NUnfortunately it can be. And you can get
Dialogue: 0,0:12:52.25,0:12:56.73,Default,,0000,0000,0000,,the uptime from the device using SNMP. And\Nof course if you don't want to use SNMP
Dialogue: 0,0:12:56.73,0:13:04.47,Default,,0000,0000,0000,,you can get old-school and use the TCP\Nsequence ID numbers. So, not a lot of
Dialogue: 0,0:13:04.47,0:13:09.55,Default,,0000,0000,0000,,entropy there, I guess, I would say. And I\Nthink their lawyers agreed when they put
Dialogue: 0,0:13:09.55,0:13:17.64,Default,,0000,0000,0000,,out the comments on this. All right. Not\Nonly can you perform session hijacking.
Dialogue: 0,0:13:17.64,0:13:21.05,Default,,0000,0000,0000,,And if you are attacking switches I'd like\Nto point out that session hijacking is not
Dialogue: 0,0:13:21.05,0:13:25.23,Default,,0000,0000,0000,,necessarily a great attack in this\Nenvironment. Think about it like you would
Dialogue: 0,0:13:25.23,0:13:29.70,Default,,0000,0000,0000,,at home, right. How often do you log into\Nyour router? In fact even more importantly
Dialogue: 0,0:13:29.70,0:13:33.25,Default,,0000,0000,0000,,how often do you upgrade the firmware on\Nyour router? Everyone who has upgraded the
Dialogue: 0,0:13:33.25,0:13:37.94,Default,,0000,0000,0000,,firmware on their router ever raise your\Nhand. Just for an experiment. Thank
Dialogue: 0,0:13:37.94,0:13:42.14,Default,,0000,0000,0000,,goodness, right. But wait, keep them up\Njust for a minute. Everybody who's updated
Dialogue: 0,0:13:42.14,0:13:45.67,Default,,0000,0000,0000,,it this year, keep your hand up. Everybody\Nelse put them down. Everybody who has
Dialogue: 0,0:13:45.67,0:13:50.42,Default,,0000,0000,0000,,updated in the last six months ... okay\N... So that gives you a sense of how long
Dialogue: 0,0:13:50.42,0:13:55.06,Default,,0000,0000,0000,,these vulnerabilities can be in play in an\Nindustrial systems environment. If you
Dialogue: 0,0:13:55.06,0:14:01.80,Default,,0000,0000,0000,,multiply that by about 10, right. Okay, so\Nyou can simply upload a firmware image to
Dialogue: 0,0:14:01.80,0:14:06.14,Default,,0000,0000,0000,,a Siemens Scalance device with this\Nversion number without authentication. You
Dialogue: 0,0:14:06.14,0:14:15.70,Default,,0000,0000,0000,,just need to know the URL. Cross-site\Nrequest forgery, right. I just say CSRF
Dialogue: 0,0:14:15.70,0:14:20.22,Default,,0000,0000,0000,,all the time. I don't even remember what\Nit stands for. So you can upload or you
Dialogue: 0,0:14:20.22,0:14:23.38,Default,,0000,0000,0000,,can download a logfile. Not that useful\Nbut you get a sense of what's going on on
Dialogue: 0,0:14:23.38,0:14:27.19,Default,,0000,0000,0000,,the switch. You know what usernames might\Nbe present, whatever. Incidentally all of
Dialogue: 0,0:14:27.19,0:14:32.05,Default,,0000,0000,0000,,these switches by default or at least this\None only have two usernames, right. So
Dialogue: 0,0:14:32.05,0:14:37.15,Default,,0000,0000,0000,,it's "admin" and "operator" I think on\Nthis switch. Or maybe it's not. But
Dialogue: 0,0:14:37.15,0:14:42.83,Default,,0000,0000,0000,,anyway, there's two usernames "admin" and\N"manager"? I know I get them mixed up now.
Dialogue: 0,0:14:42.83,0:14:47.13,Default,,0000,0000,0000,,But the configuration includes password\Nhashes. I'm actually not even entirely
Dialogue: 0,0:14:47.13,0:14:50.62,Default,,0000,0000,0000,,convinced they're hashes because when you\Nincrease the length of your password it
Dialogue: 0,0:14:50.62,0:14:55.61,Default,,0000,0000,0000,,increases. But I'll leave that for future\Nresearchers to examine. You can download
Dialogue: 0,0:14:55.61,0:14:59.24,Default,,0000,0000,0000,,the firmware image from the device, which\Nis nice. So you just make a request. You
Dialogue: 0,0:14:59.24,0:15:03.11,Default,,0000,0000,0000,,just post an HTTP request to this device.\NAnd it gives you the firmware that it is
Dialogue: 0,0:15:03.11,0:15:07.82,Default,,0000,0000,0000,,running back. That's not that big a deal,\Nright. Because you're just viewing data on
Dialogue: 0,0:15:07.82,0:15:14.93,Default,,0000,0000,0000,,the switch. But you can upload firmware\Nand configuration to this device. Which is
Dialogue: 0,0:15:14.93,0:15:18.54,Default,,0000,0000,0000,,an authentication bypass in and of itself.\NBut it's also interesting because I can
Dialogue: 0,0:15:18.54,0:15:22.43,Default,,0000,0000,0000,,take a configuration file from one of the\Ndevices that I have at home with a known
Dialogue: 0,0:15:22.43,0:15:27.49,Default,,0000,0000,0000,,password. I can upload a new configuration\Nfile with a password that I know. I can
Dialogue: 0,0:15:27.49,0:15:31.50,Default,,0000,0000,0000,,use the device to do whatever I want to\Ndo. And later I can re-upload the old
Dialogue: 0,0:15:31.50,0:15:35.56,Default,,0000,0000,0000,,configuration file that I got from the\Ndevice, so no one ever even realizes what's
Dialogue: 0,0:15:35.56,0:15:45.73,Default,,0000,0000,0000,,been changed, right. So. I think that's a\Ndisappointing state of affairs. And I
Dialogue: 0,0:15:45.73,0:15:49.34,Default,,0000,0000,0000,,wrote a script to do this. So that you\Nwouldn't have to when you are doing
Dialogue: 0,0:15:49.34,0:15:53.92,Default,,0000,0000,0000,,penetration tests of these devices. And I\Ngave you a little ASCII menu because
Dialogue: 0,0:15:53.92,0:15:58.41,Default,,0000,0000,0000,,sometimes I get bored. Cambridge is a\Nsmall town and there's not much to do in
Dialogue: 0,0:15:58.41,0:16:05.64,Default,,0000,0000,0000,,the evening. So feel free to go and\Nexamine my GitHub repository where I put
Dialogue: 0,0:16:05.64,0:16:11.91,Default,,0000,0000,0000,,up some of this stuff. I'm Blackswanburst\Non GitHub, and on Twitter. So like I say,
Dialogue: 0,0:16:11.91,0:16:15.36,Default,,0000,0000,0000,,Siemens are some of my favorite people. So\NI'm going to finish up with them. This is
Dialogue: 0,0:16:15.36,0:16:19.98,Default,,0000,0000,0000,,old day, if you like all that you have\Njust seen. But I want you to keep in mind
Dialogue: 0,0:16:19.98,0:16:24.23,Default,,0000,0000,0000,,that these vulnerabilities will still be\Npresent in the wild for another two or
Dialogue: 0,0:16:24.23,0:16:28.98,Default,,0000,0000,0000,,three years. And I encourage you to go and\Nhave a look at your systems, if you have
Dialogue: 0,0:16:28.98,0:16:34.17,Default,,0000,0000,0000,,any of these devices. And check them out.\NAnd upgrade the firmware. I also hope this
Dialogue: 0,0:16:34.17,0:16:38.54,Default,,0000,0000,0000,,encourages you that if you haven't done\Nmuch in industrial systems and SCADA you
Dialogue: 0,0:16:38.54,0:16:42.27,Default,,0000,0000,0000,,don't have to be intimidated by all of the\Nengineering and the terminology, and the
Dialogue: 0,0:16:42.27,0:16:47.00,Default,,0000,0000,0000,,verb beotch(?).. There is plenty for any\Nof you in this room to do in the
Dialogue: 0,0:16:47.00,0:16:51.70,Default,,0000,0000,0000,,industrial systems space. You need to\Nspend a little time speaking to engineers
Dialogue: 0,0:16:51.70,0:16:56.90,Default,,0000,0000,0000,,and translating your vulnerabilities into\Nsomething meaningful for them. But that's
Dialogue: 0,0:16:56.90,0:17:00.25,Default,,0000,0000,0000,,just a matter of spending more time with\Nthem and getting to know them. And I think
Dialogue: 0,0:17:00.25,0:17:03.74,Default,,0000,0000,0000,,that's valuable too because they have a\Nlot of experience. They care very deeply
Dialogue: 0,0:17:03.74,0:17:08.31,Default,,0000,0000,0000,,about safety. And I've learned quite a lot\Nof things from engineers. My general point
Dialogue: 0,0:17:08.31,0:17:13.60,Default,,0000,0000,0000,,here is I'd like you to stop defending\Nbanks and websites and other stuff. We
Dialogue: 0,0:17:13.60,0:17:18.10,Default,,0000,0000,0000,,need your help in industrial systems, in\Nthe utilities. We could really do with
Dialogue: 0,0:17:18.10,0:17:22.18,Default,,0000,0000,0000,,living in a safer world rather than one\Nwhere you're just protecting other
Dialogue: 0,0:17:22.18,0:17:32.48,Default,,0000,0000,0000,,people's money. So we're gonna move on to\Nthe GE Multilin line. I worked on a GE
Dialogue: 0,0:17:32.48,0:17:38.83,Default,,0000,0000,0000,,ML800 but these vulnerabilities affect\Nseven of the nine switches in this family.
Dialogue: 0,0:17:38.83,0:17:43.41,Default,,0000,0000,0000,,Seven because one of the other switches is\Nan unmanaged switch. If you're a hardware
Dialogue: 0,0:17:43.41,0:17:47.88,Default,,0000,0000,0000,,person maybe you want to go and play\Naround with those but not so much my thing
Dialogue: 0,0:17:47.88,0:17:51.13,Default,,0000,0000,0000,,and the other one uses a different\Nfirmware image but seven of the nine
Dialogue: 0,0:17:51.13,0:17:58.02,Default,,0000,0000,0000,,switches use a similar firmware image. GE\Noffers a worldwide 10 year warranty. So
Dialogue: 0,0:17:58.02,0:18:01.95,Default,,0000,0000,0000,,let's see if that includes fixing\Nvulnerabilities. I think it should. What
Dialogue: 0,0:18:01.95,0:18:10.65,Default,,0000,0000,0000,,do you think? No? Couple of noes, couple of\Nyeses, undecided. All right. CCC is
Dialogue: 0,0:18:10.65,0:18:17.85,Default,,0000,0000,0000,,undecided on something that's novel. Let's\Nstart with some new vulnerabilities. Cross
Dialogue: 0,0:18:17.85,0:18:22.75,Default,,0000,0000,0000,,site scripting. Reflected, I grant you but\Nstill cross site scripting and I want you
Dialogue: 0,0:18:22.75,0:18:25.53,Default,,0000,0000,0000,,to pay attention to the details. I'm not\Ngoing to go slow for you and ask you to
Dialogue: 0,0:18:25.53,0:18:29.16,Default,,0000,0000,0000,,think. I know it's morning, I know it's\Ntough but I am going to ask you to think.
Dialogue: 0,0:18:29.16,0:18:36.97,Default,,0000,0000,0000,,See flash up there, flash.php, and the third\None. Yes, it runs Flash in your browser.
Dialogue: 0,0:18:36.97,0:18:42.47,Default,,0000,0000,0000,,So if you know something about Flash come\Nand have a look at the switch some time. I
Dialogue: 0,0:18:42.47,0:18:47.75,Default,,0000,0000,0000,,didn't go for active script attacks. There are\Nso many attack surfaces on this device. I
Dialogue: 0,0:18:47.75,0:18:52.46,Default,,0000,0000,0000,,just, I sometimes don't even know how I'm\Ngoing to finish looking at all of them. So
Dialogue: 0,0:18:52.46,0:18:55.78,Default,,0000,0000,0000,,I just work with the web interface to\Nbegin with. So you have this cross site
Dialogue: 0,0:18:55.78,0:19:00.68,Default,,0000,0000,0000,,scripting times eight and I want you to\Nnotice in the last section there:
Dialogue: 0,0:19:00.68,0:19:05.97,Default,,0000,0000,0000,,arbitrarily supplied URL parameters. I\Ndon't know about you but I think that's
Dialogue: 0,0:19:05.97,0:19:10.18,Default,,0000,0000,0000,,funny, right. You can just make up\Nparameters to stick your cross site
Dialogue: 0,0:19:10.18,0:19:20.48,Default,,0000,0000,0000,,scripting in. {\i1}laughs{\i0} It's unbelievable,\Nright. Yeah. Anyways, what does that look
Dialogue: 0,0:19:20.48,0:19:28.34,Default,,0000,0000,0000,,like? It looks like that, they have an\Nerror data page. OK maybe I'm using a
Dialogue: 0,0:19:28.34,0:19:33.37,Default,,0000,0000,0000,,browser that they don't approve or\Nsomething but it deserves looking at. And
Dialogue: 0,0:19:33.37,0:19:39.47,Default,,0000,0000,0000,,you can do quite a lot of things with\NJavaScript on the client side these days.
Dialogue: 0,0:19:39.47,0:19:44.48,Default,,0000,0000,0000,,Disturbing. Anyways I'm not a big fan of\NXSS so I'm going to move on to things that
Dialogue: 0,0:19:44.48,0:19:52.69,Default,,0000,0000,0000,,I think are worth my time. So if you fetch\Nthe initial web page of this switch before
Dialogue: 0,0:19:52.69,0:20:01.38,Default,,0000,0000,0000,,you've even logged in you get this config.\NSo this is pretty authentication. No
Dialogue: 0,0:20:01.38,0:20:06.85,Default,,0000,0000,0000,,authentication, right. Now keep in mind that\Nthese switches are designed for process
Dialogue: 0,0:20:06.85,0:20:14.61,Default,,0000,0000,0000,,data, right. It's not carrying traffic to\Nimages of cats. It's supposed to be for
Dialogue: 0,0:20:14.61,0:20:22.63,Default,,0000,0000,0000,,engineering. So what happens if I add a\Nnocache parameter and I make it, say, 500000
Dialogue: 0,0:20:22.63,0:20:30.03,Default,,0000,0000,0000,,digits long? I should just be able to\Ncrash the web server. Right. Maybe, maybe.
Dialogue: 0,0:20:30.03,0:20:41.27,Default,,0000,0000,0000,,But you would not expect it to reboot the\Nswitch. And it takes a minute or so for
Dialogue: 0,0:20:41.27,0:20:44.80,Default,,0000,0000,0000,,the switch to reboot, which is actually\Nreally impressive, comes up pretty quickly.
Dialogue: 0,0:20:44.80,0:20:50.95,Default,,0000,0000,0000,,But you know obviously you can repeat\Nthis. So I wanted to examine that a lot
Dialogue: 0,0:20:50.95,0:20:56.39,Default,,0000,0000,0000,,further. I wanted to know more about that\Ncrash, what was rebooting the switch.
Dialogue: 0,0:20:56.39,0:20:59.29,Default,,0000,0000,0000,,But like I say I'm not a very good reverse\Nengineer. So you're going to go on a
Dialogue: 0,0:20:59.29,0:21:02.59,Default,,0000,0000,0000,,little journey with me where I learned a\Ncouple of things about reverse engineering
Dialogue: 0,0:21:02.59,0:21:06.16,Default,,0000,0000,0000,,and I had to change my approach from\Nlooking at the webapp style loans to
Dialogue: 0,0:21:06.16,0:21:12.47,Default,,0000,0000,0000,,moving into this other stuff. So why is,\Nwhy is DoS even interesting? You'll
Dialogue: 0,0:21:12.47,0:21:18.32,Default,,0000,0000,0000,,remember that I mentioned Misha's talk. So\Nthe reason I mention her talk, this is it,
Dialogue: 0,0:21:18.32,0:21:23.69,Default,,0000,0000,0000,,right. Denial of service on a website. Who\Ncares, it's tearing posters down as xkcd
Dialogue: 0,0:21:23.69,0:21:28.95,Default,,0000,0000,0000,,once famously explained to us, but in the\Nindustrial systems environment it's very
Dialogue: 0,0:21:28.95,0:21:33.98,Default,,0000,0000,0000,,different. It can be very serious, right. A\Nsimplistic example is you have an
Dialogue: 0,0:21:33.98,0:21:38.75,Default,,0000,0000,0000,,application that has a heartbeat and if\Nyou stop that heartbeat it might go into
Dialogue: 0,0:21:38.75,0:21:44.06,Default,,0000,0000,0000,,some sort of safety state, it might for\Nexample scram a reactor. There is a famous
Dialogue: 0,0:21:44.06,0:21:50.85,Default,,0000,0000,0000,,denial of service on PLCs that did scram a\Nreactor in real life. Does anybody know
Dialogue: 0,0:21:50.85,0:21:58.65,Default,,0000,0000,0000,,what H2S is? Any oil and gas engineers in\Nthe room? Okay so H2S alerts not reaching
Dialogue: 0,0:21:58.65,0:22:02.86,Default,,0000,0000,0000,,their destinations is pretty serious\Nbusiness, right. For those of you who are
Dialogue: 0,0:22:02.86,0:22:07.85,Default,,0000,0000,0000,,not aware of H2S, it's a byproduct of\Nproducing oil and gas and inhaled in very
Dialogue: 0,0:22:07.85,0:22:12.85,Default,,0000,0000,0000,,very small amounts you can go unconscious\Nand in sort of larger amounts: respiratory
Dialogue: 0,0:22:12.85,0:22:18.48,Default,,0000,0000,0000,,failure. So if you take CA safety\Nseriously, if you ever work on these rigs
Dialogue: 0,0:22:18.48,0:22:23.14,Default,,0000,0000,0000,,in these environments, you learn to care\Nabout the wind sock. Right, one of these
Dialogue: 0,0:22:23.14,0:22:26.62,Default,,0000,0000,0000,,alerts goes out. An alarm goes off. There\Nare many different alarms, you have to
Dialogue: 0,0:22:26.62,0:22:31.20,Default,,0000,0000,0000,,memorize how they all sound on a rig and\Nthen react to them, and when you hear the
Dialogue: 0,0:22:31.20,0:22:35.33,Default,,0000,0000,0000,,H2S alert you look up at the wind sock to\Nkeep an eye on where the wind is and
Dialogue: 0,0:22:35.33,0:22:40.42,Default,,0000,0000,0000,,try to avoid being downwind of wherever\Nthe leak is. So a simple denial of service
Dialogue: 0,0:22:40.42,0:22:43.51,Default,,0000,0000,0000,,that we would not care about in a web\Napplication environment, in this
Dialogue: 0,0:22:43.51,0:22:47.94,Default,,0000,0000,0000,,environment can be very serious. I'm not\Nsaying it always is. It just can be,
Dialogue: 0,0:22:47.94,0:22:53.35,Default,,0000,0000,0000,,right. So denial of service goes up in our\Nlist of problems, especially when we're
Dialogue: 0,0:22:53.35,0:22:58.27,Default,,0000,0000,0000,,looking at networking devices. Okay so\Nthat's, that's it for the denial of
Dialogue: 0,0:22:58.27,0:23:01.55,Default,,0000,0000,0000,,service. But like I say we're going to\Nlook at some other stuff.
In fact the Dialogue: 0,0:23:01.55,0:23:07.32,Default,,0000,0000,0000,,story with the switch began with a\Nconcerned citizen. About three or four Dialogue: 0,0:23:07.32,0:23:12.28,Default,,0000,0000,0000,,years ago I found 10000 industrial systems\Non the Internet as part of my master's Dialogue: 0,0:23:12.28,0:23:17.99,Default,,0000,0000,0000,,thesis and I was pretty uncomfortable with\Nthat. So I sent that data to various Dialogue: 0,0:23:17.99,0:23:23.89,Default,,0000,0000,0000,,computer emergency response teams around\Nthe world. I believe it was 52 of them Dialogue: 0,0:23:23.89,0:23:26.86,Default,,0000,0000,0000,,right. Not all of them were critical\Ninfrastructure. A lot of them were small Dialogue: 0,0:23:26.86,0:23:31.37,Default,,0000,0000,0000,,stuff but maybe 1 in 100, I was told, or in\None particular country when they got back Dialogue: 0,0:23:31.37,0:23:38.40,Default,,0000,0000,0000,,to me one in 20 were considered critical\Ninfrastructure. And after that you have a Dialogue: 0,0:23:38.40,0:23:42.54,Default,,0000,0000,0000,,sort of reputation among the computer\Nemergency response teams of the world. So Dialogue: 0,0:23:42.54,0:23:47.58,Default,,0000,0000,0000,,people send you stuff, you get anonymous\Ne-mails from someone called Concerned Dialogue: 0,0:23:47.58,0:23:53.33,Default,,0000,0000,0000,,Citizen. Thank you very much. They sent me\Na firmware upgrade pcap of this particular Dialogue: 0,0:23:53.33,0:23:57.35,Default,,0000,0000,0000,,device. I suspect that they worked at one\Nof the utilities and they wanted me to see Dialogue: 0,0:23:57.35,0:24:05.56,Default,,0000,0000,0000,,how upgrading the firmware of this GE switch\Nwas performed. So it all began with a pcap.
Dialogue: 0,0:24:05.56,0:24:11.29,Default,,0000,0000,0000,,So I ran tcptrace to carve out all the\Nfiles and see what was going on and you Dialogue: 0,0:24:11.29,0:24:16.59,Default,,0000,0000,0000,,could see instantly that there was an FTP\Nsession. Later, looking at the switch, I see Dialogue: 0,0:24:16.59,0:24:21.12,Default,,0000,0000,0000,,that you can also upgrade them over TFTP.\NSo the management of the switch happens in Dialogue: 0,0:24:21.12,0:24:26.84,Default,,0000,0000,0000,,HTTPS and is encrypted but the firmware\Nupload goes across FTP, right, so you can Dialogue: 0,0:24:26.84,0:24:33.70,Default,,0000,0000,0000,,just carve the file out, a little bit of\Nnetwork forensics I guess. So instantly I Dialogue: 0,0:24:33.70,0:24:36.95,Default,,0000,0000,0000,,could see that this one is complete and\Nthe ports on the end of the numbers give Dialogue: 0,0:24:36.95,0:24:40.66,Default,,0000,0000,0000,,me a clue of what's going on in the larger\Nstream. This one seems interesting. Let's Dialogue: 0,0:24:40.66,0:24:48.24,Default,,0000,0000,0000,,have a look at it. So. I tried running\Nfile and binwalk. I don't know about you Dialogue: 0,0:24:48.24,0:24:52.86,Default,,0000,0000,0000,,but I believe that hacking is a journey of\Nunderstanding and in fact hacking is Dialogue: 0,0:24:52.86,0:24:57.74,Default,,0000,0000,0000,,understanding a system better than it\Nunderstands itself and nudging it to do Dialogue: 0,0:24:57.74,0:25:03.95,Default,,0000,0000,0000,,what you want right. And I also feel that\NI should understand my tools. I don't Dialogue: 0,0:25:03.95,0:25:07.42,Default,,0000,0000,0000,,really understand my tools until I know\Nwhere they're going to fail me or they Dialogue: 0,0:25:07.42,0:25:11.04,Default,,0000,0000,0000,,have failed me in the past and in this\Nparticular case I think binwalk is a Dialogue: 0,0:25:11.04,0:25:15.15,Default,,0000,0000,0000,,fantastic tool and file is a fantastic\Ntool.
But they didn't tell me anything and Dialogue: 0,0:25:15.15,0:25:18.75,Default,,0000,0000,0000,,that was that was a journey of discovery\Nfor me. So that was nice. It was like OK Dialogue: 0,0:25:18.75,0:25:21.70,Default,,0000,0000,0000,,binwalk doesn't always give me everything.\NI think I was running an older version and Dialogue: 0,0:25:21.70,0:25:25.18,Default,,0000,0000,0000,,I think it would handle it now. But the\Npoint is after binwalk didn't give me Dialogue: 0,0:25:25.18,0:25:29.95,Default,,0000,0000,0000,,anything just resort to the old school\Nstuff right. Go strings and I found these Dialogue: 0,0:25:29.95,0:25:34.05,Default,,0000,0000,0000,,deflate and inflate copyright strings and\NI could tell that a certain portion of the Dialogue: 0,0:25:34.05,0:25:43.67,Default,,0000,0000,0000,,file was compressed. This is just from the\Npcap. Remember this whole story. So I Dialogue: 0,0:25:43.67,0:25:49.04,Default,,0000,0000,0000,,tried to deflate the whole thing. That\Ndidn't work. Again, I just did something Dialogue: 0,0:25:49.04,0:25:54.56,Default,,0000,0000,0000,,simple: get a Python script that checks\Nevery byte to see which parts of the file Dialogue: 0,0:25:54.56,0:26:00.83,Default,,0000,0000,0000,,don't produce zlib errors when you try and\Ndecompress them and you figure out what Dialogue: 0,0:26:00.83,0:26:09.17,Default,,0000,0000,0000,,sectors of this file are compressed. So\Nyou go to your friend dd and you carve out Dialogue: 0,0:26:09.17,0:26:15.76,Default,,0000,0000,0000,,this section of the file right. So we have\Nthis larger firmware image with this Dialogue: 0,0:26:15.76,0:26:21.31,Default,,0000,0000,0000,,little compressed section and we have now\Ncut this little compressed section out. I Dialogue: 0,0:26:21.31,0:26:24.43,Default,,0000,0000,0000,,suppose I could have loaded this up into\NPython and used zlib to decompress it.
But Dialogue: 0,0:26:24.43,0:26:27.56,Default,,0000,0000,0000,,at the time I was still trying to use\Ncommand line tools and someone said I'll Dialogue: 0,0:26:27.56,0:26:35.35,Default,,0000,0000,0000,,just concatenate the gzip bytes on it.\NGzip inherits from inflate and deflate. So Dialogue: 0,0:26:35.35,0:26:39.10,Default,,0000,0000,0000,,if you just concatenate the bytes it\Nshould still handle it. So I did that and Dialogue: 0,0:26:39.10,0:26:43.92,Default,,0000,0000,0000,,I got a decompressed binary. When you ran\Nstrings on that it started to make a lot Dialogue: 0,0:26:43.92,0:26:48.75,Default,,0000,0000,0000,,more sense and you could find the opcodes\Nin it where previously it didn't make any Dialogue: 0,0:26:48.75,0:26:53.91,Default,,0000,0000,0000,,sense at all. So once you've got an image\Nlike that what do you do. Well if you're Dialogue: 0,0:26:53.91,0:26:58.25,Default,,0000,0000,0000,,me you just grep for bugs. I think I\Nlearned that from Ilija. If he's here in Dialogue: 0,0:26:58.25,0:27:05.59,Default,,0000,0000,0000,,the room thank you. Thank you very much. I\Nasked him like a year or two ago. How do Dialogue: 0,0:27:05.59,0:27:10.76,Default,,0000,0000,0000,,you how do you find so many bugs. And he\Nsaid: "Oh, I just, you know, I grep for Dialogue: 0,0:27:10.76,0:27:16.51,Default,,0000,0000,0000,,them, I use find." {\i1}laughs{\i0} And so I\Nstarted thinking about firmware images. Dialogue: 0,0:27:16.51,0:27:19.64,Default,,0000,0000,0000,,Like if I was going to grep for a bug in a\Nfirmware image what would it be. And my Dialogue: 0,0:27:19.64,0:27:23.84,Default,,0000,0000,0000,,answer is hardcoded credentials and\Ndefault keys because you find them every Dialogue: 0,0:27:23.84,0:27:29.31,Default,,0000,0000,0000,,single time so I have this command aliased\Non my machine and I just grep for it and I Dialogue: 0,0:27:29.31,0:27:35.27,Default,,0000,0000,0000,,find private keys and this is how you too\Ncan end up with a private key collection. 
Dialogue: 0,0:27:35.27,0:27:40.46,Default,,0000,0000,0000,,So, there you go. Dialogue: 0,0:27:40.46,0:27:50.24,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:27:50.24,0:27:53.77,Default,,0000,0000,0000,,Yeah they're hardcoded keys,\Nbut what are they for. It doesn't Dialogue: 0,0:27:53.77,0:27:57.82,Default,,0000,0000,0000,,stop there. You know you've got the keys,\Nbut what do they do, right? That was the Dialogue: 0,0:27:57.82,0:28:02.50,Default,,0000,0000,0000,,next step of the journey for me. Two of\Nthem you can see, one's encrypted with a Dialogue: 0,0:28:02.50,0:28:05.74,Default,,0000,0000,0000,,password; we'll come back to that one\Nlater. Let's start with the one on the Dialogue: 0,0:28:05.74,0:28:15.86,Default,,0000,0000,0000,,left. If you load this key up into\NWireshark and you use it to decrypt the Dialogue: 0,0:28:15.86,0:28:22.76,Default,,0000,0000,0000,,SSL you have a self decrypting pcap.\NRemember at the beginning it was using Dialogue: 0,0:28:22.76,0:28:29.59,Default,,0000,0000,0000,,HTTPS to manage the device and upload this\Nfirmware image. So if you happen to have Dialogue: 0,0:28:29.59,0:28:37.21,Default,,0000,0000,0000,,this firmware image you can decrypt all\Nthe traffic. No forward secrecy, right? Dialogue: 0,0:28:37.21,0:28:41.55,Default,,0000,0000,0000,,Now you don't have to be lucky and have\Nconcerned citizens send you an email. You Dialogue: 0,0:28:41.55,0:28:46.49,Default,,0000,0000,0000,,can download this image from the GE website\Nand you can carve the keys out of the Dialogue: 0,0:28:46.49,0:28:50.10,Default,,0000,0000,0000,,image in the same way that I did and\Ndecrypt the SSL traffic of any pcap that Dialogue: 0,0:28:50.10,0:29:01.88,Default,,0000,0000,0000,,is sent to you. Now the passwords\Nunderneath that are in clear text. You can Dialogue: 0,0:29:01.88,0:29:08.04,Default,,0000,0000,0000,,see them highlighted down here. Password\NManager and user manager.
You can see them Dialogue: 0,0:29:08.04,0:29:12.75,Default,,0000,0000,0000,,up there as well and you can see that\Nwe've decrypted the SSL with that key. So Dialogue: 0,0:29:12.75,0:29:16.56,Default,,0000,0000,0000,,default keys, right? Is it a big deal? I\Nbelieve the vendors in this case say you Dialogue: 0,0:29:16.56,0:29:21.19,Default,,0000,0000,0000,,can upload your own key to the device. For\Nthose of you who aren't used to working in Dialogue: 0,0:29:21.19,0:29:24.29,Default,,0000,0000,0000,,embedded it sometimes is difficult to\Ngenerate a key on the device because you Dialogue: 0,0:29:24.29,0:29:27.84,Default,,0000,0000,0000,,don't have enough memory or you don't have\Nenough entropy or you don't have enough Dialogue: 0,0:29:27.84,0:29:32.27,Default,,0000,0000,0000,,processing power. That's the usual\Nexcuses. And they're true I shouldn't say Dialogue: 0,0:29:32.27,0:29:36.09,Default,,0000,0000,0000,,excuses those those things are true. But\Nyou could of course generate it on the Dialogue: 0,0:29:36.09,0:29:39.85,Default,,0000,0000,0000,,client side and upload it to the device\Nand that's what they allow you to do with Dialogue: 0,0:29:39.85,0:29:44.79,Default,,0000,0000,0000,,this switch which is great but where is\Nyour encrypted channel in which to upload Dialogue: 0,0:29:44.79,0:29:52.80,Default,,0000,0000,0000,,this key? {\i1}laughs{\i0} So you can use the serial\Ndevice and make sure visually that there's no man Dialogue: 0,0:29:52.80,0:29:55.34,Default,,0000,0000,0000,,in the middle. But if you're doing this\Nremotely – and I'd like you to keep in Dialogue: 0,0:29:55.34,0:29:59.46,Default,,0000,0000,0000,,mind that most substations are remote –\Nif anyone here works in a utility are you Dialogue: 0,0:29:59.46,0:30:03.53,Default,,0000,0000,0000,,going to drive to every substation, plug\Nin a serial cable to change the keys on Dialogue: 0,0:30:03.53,0:30:07.85,Default,,0000,0000,0000,,all these devices? 
It's the sort of thing\Nyou need to know in advance right? So the Dialogue: 0,0:30:07.85,0:30:12.10,Default,,0000,0000,0000,,problem with key management, particularly\Nwith SSL and the industrial systems Dialogue: 0,0:30:12.10,0:30:19.05,Default,,0000,0000,0000,,environment, is that you have to manage\Nthe keys. And these particular keys, well Dialogue: 0,0:30:19.05,0:30:23.67,Default,,0000,0000,0000,,the certificates are self signed so you\Ncan't revoke them. And besides industrial Dialogue: 0,0:30:23.67,0:30:27.19,Default,,0000,0000,0000,,systems are never connected to the\NInternet. So it wouldn't have made any Dialogue: 0,0:30:27.19,0:30:32.30,Default,,0000,0000,0000,,difference. So these are the kind of\Nproblems we're dealing with in this space. Dialogue: 0,0:30:32.30,0:30:35.27,Default,,0000,0000,0000,,And that's why I'm trying to encourage\Nyou. Whether you do crypto or privacy or Dialogue: 0,0:30:35.27,0:30:37.64,Default,,0000,0000,0000,,whatever spend a little time in the\Nembedded space, just for a bit: there's Dialogue: 0,0:30:37.64,0:30:46.13,Default,,0000,0000,0000,,plenty of easy work. OK. So what about the\Nsecond key. It requires a password. I Dialogue: 0,0:30:46.13,0:30:50.99,Default,,0000,0000,0000,,didn't feel like brute forcing it. Maybe\Nyou do. I don't know. I tried all the Dialogue: 0,0:30:50.99,0:30:54.34,Default,,0000,0000,0000,,strings in the image. A classic technique,\Njust in case someone had hard coded the Dialogue: 0,0:30:54.34,0:30:56.58,Default,,0000,0000,0000,,password. I mean the hard coded\Ncredentials were there but not the hard Dialogue: 0,0:30:56.58,0:31:00.46,Default,,0000,0000,0000,,coded password. So I guess I gotta start\Nreversing, and as I previously said I suck Dialogue: 0,0:31:00.46,0:31:06.38,Default,,0000,0000,0000,,at reversing. That's why I come to CCC, so\NI can learn, right? But I did find this Dialogue: 0,0:31:06.38,0:31:11.97,Default,,0000,0000,0000,,PowerPC ROM image.
and I think it's running\NeCos and RedBoot and I haven't even gotten Dialogue: 0,0:31:11.97,0:31:15.33,Default,,0000,0000,0000,,down to doing hardware stuff: taking it\Napart, having a look at it, but I probably Dialogue: 0,0:31:15.33,0:31:19.20,Default,,0000,0000,0000,,will in the future. So there's the image\NI'm slowly starting to learn my way around Dialogue: 0,0:31:19.20,0:31:27.14,Default,,0000,0000,0000,,and figure out what's going on. So I had a\Nlook at the image and I figured out that Dialogue: 0,0:31:27.14,0:31:32.10,Default,,0000,0000,0000,,this key is used for SSH, right? Well it\Nwould be the other encrypted thing. But I Dialogue: 0,0:31:32.10,0:31:36.26,Default,,0000,0000,0000,,couldn't enable SSH on the device. I try\Nand enable SSH on the device and I'm Dialogue: 0,0:31:36.26,0:31:39.10,Default,,0000,0000,0000,,logged in as manager by the way, which is the\Nhighest level user on this particular Dialogue: 0,0:31:39.10,0:31:43.58,Default,,0000,0000,0000,,device, and I put in the passwords that\NI know and a bunch of other passwords and Dialogue: 0,0:31:43.58,0:31:47.59,Default,,0000,0000,0000,,they don't work. Like I said, I tried all\Nthe strings in the image. So apparently to Dialogue: 0,0:31:47.59,0:31:51.72,Default,,0000,0000,0000,,enable SSH, I need a password for\Nsomething. Now maybe I'm just Dialogue: 0,0:31:51.72,0:31:55.53,Default,,0000,0000,0000,,misunderstanding or I'm not so clear on\Nwhat's going on but I don't know about Dialogue: 0,0:31:55.53,0:31:59.07,Default,,0000,0000,0000,,you. I kind of feel like if I buy a device\Nthat's supposed to be used for a safety Dialogue: 0,0:31:59.07,0:32:03.44,Default,,0000,0000,0000,,critical process I should be allowed to\Nuse SSH without having to call up the Dialogue: 0,0:32:03.44,0:32:11.12,Default,,0000,0000,0000,,vendor and get some special magic\Npassword. So considering I don't like that Dialogue: 0,0:32:11.12,0:32:17.42,Default,,0000,0000,0000,,approach.
What if I patched my own key\Ninto the image right. I don't know the Dialogue: 0,0:32:17.42,0:32:22.20,Default,,0000,0000,0000,,password of their key but I know the\Npassword of a key I can generate. So I Dialogue: 0,0:32:22.20,0:32:27.29,Default,,0000,0000,0000,,just need to make sure it's roughly the\Nright size and try and patch it in. Then Dialogue: 0,0:32:27.29,0:32:29.60,Default,,0000,0000,0000,,I've got some problems with compression\Nbecause I've got to reverse the whole Dialogue: 0,0:32:29.60,0:32:33.57,Default,,0000,0000,0000,,process that I just described to you patch\Nit into the larger binary. Will there be Dialogue: 0,0:32:33.57,0:32:44.20,Default,,0000,0000,0000,,any CRC or firmware signing? I don't know,\Nright. So the uploaded image is not a Dialogue: 0,0:32:44.20,0:32:50.53,Default,,0000,0000,0000,,valid image for this device. That's\Ncorrect: I messed with it. But I got this Dialogue: 0,0:32:50.53,0:32:54.44,Default,,0000,0000,0000,,error and it gave me a clue. It gave me a\Nclue that I did indeed have some of my Dialogue: 0,0:32:54.44,0:33:02.41,Default,,0000,0000,0000,,CRCs wrong so when I altered the image\Nagain I got to this state. So you're Dialogue: 0,0:33:02.41,0:33:05.51,Default,,0000,0000,0000,,learning all the time by having a real\Ndevice. Now some of my friends they do Dialogue: 0,0:33:05.51,0:33:10.05,Default,,0000,0000,0000,,static analysis and they don't buy these\Ndevices. I decided to buy this one. I Dialogue: 0,0:33:10.05,0:33:15.75,Default,,0000,0000,0000,,found one on eBay. It wasn't very\Nexpensive. I mean it depends on your range Dialogue: 0,0:33:15.75,0:33:20.18,Default,,0000,0000,0000,,for expensive. But if you're helping\Ndefend industrial systems I thought it was Dialogue: 0,0:33:20.18,0:33:26.88,Default,,0000,0000,0000,,worth the money. 
So I bought it and this\Nenables me to try firmware images out and Dialogue: 0,0:33:26.88,0:33:31.21,Default,,0000,0000,0000,,I can slowly start to figure out what I\Nneed to patch on these firmware images to Dialogue: 0,0:33:31.21,0:33:37.32,Default,,0000,0000,0000,,do whatever I want. Luckily I just tried\Nto patch mine to have SSH because I Dialogue: 0,0:33:37.32,0:33:43.80,Default,,0000,0000,0000,,thought people deserve to have SSH. So\Nthat's an Adler-32 up there on the left Dialogue: 0,0:33:43.80,0:33:50.27,Default,,0000,0000,0000,,and the other CRC is on the bottom, so that\NAdler-32 and some adjustment of file Dialogue: 0,0:33:50.27,0:33:54.42,Default,,0000,0000,0000,,length, all those zeros in that line just\Nabove it, eventually got me to the point Dialogue: 0,0:33:54.42,0:33:59.57,Default,,0000,0000,0000,,where it believes it's a corrupted binary.\NAnd then we have this CRC on the end that Dialogue: 0,0:33:59.57,0:34:08.21,Default,,0000,0000,0000,,we need to have a look at. Now I'm a big\Nfan of suspense. I love suspense. I'm Dialogue: 0,0:34:08.21,0:34:14.85,Default,,0000,0000,0000,,going to leave that one as a cliffhanger\Nand an exercise for you watching. So I Dialogue: 0,0:34:14.85,0:34:18.10,Default,,0000,0000,0000,,said I was going to talk about GE ML800\Nbut I'm also going to talk about Dialogue: 0,0:34:18.10,0:34:21.22,Default,,0000,0000,0000,,Garrettcom. Luckily it's not very\Ndifficult. Garrettcom is the original Dialogue: 0,0:34:21.22,0:34:27.48,Default,,0000,0000,0000,,equipment manufacturer for the GE ML800\Nseries.
I noticed that because the Dialogue: 0,0:34:27.48,0:34:31.30,Default,,0000,0000,0000,,certificate I found attached to those\Nprivate keys said Garrettcom in it and I Dialogue: 0,0:34:31.30,0:34:35.79,Default,,0000,0000,0000,,went and looked at their firmware images\Nand they have similar CRC similar file Dialogue: 0,0:34:35.79,0:34:39.71,Default,,0000,0000,0000,,structures similar everything so I believe\Nthat they are affected by the cross site Dialogue: 0,0:34:39.71,0:34:45.93,Default,,0000,0000,0000,,scripting, the denial of service, and\Nhardcoded keys. I understand from some Dialogue: 0,0:34:45.93,0:34:50.53,Default,,0000,0000,0000,,people that they have been in contact with\NGE to try and fix some of this stuff but Dialogue: 0,0:34:50.53,0:34:57.96,Default,,0000,0000,0000,,their response to GE was mainly "Sorry,\Nthis is the end of life on this device". Dialogue: 0,0:34:57.96,0:35:02.89,Default,,0000,0000,0000,,That's fine. I understand you're running a\Nbusiness but you're selling equipment to Dialogue: 0,0:35:02.89,0:35:08.34,Default,,0000,0000,0000,,people who manage utilities that we all\Ndepend on. If Sony goes bankrupt because Dialogue: 0,0:35:08.34,0:35:13.80,Default,,0000,0000,0000,,they get hacked that's one thing right.\NBut you can't just dissolve a utility and Dialogue: 0,0:35:13.80,0:35:18.67,Default,,0000,0000,0000,,start again. As my friend Klaus points out\Nregularly – fantastic insights into the Dialogue: 0,0:35:18.67,0:35:23.15,Default,,0000,0000,0000,,industrial system world, Klaus and Vanessa\N– you can't just dissolve the utility and Dialogue: 0,0:35:23.15,0:35:25.97,Default,,0000,0000,0000,,start again. You still have the same\Ninfrastructure you still have the same Dialogue: 0,0:35:25.97,0:35:31.25,Default,,0000,0000,0000,,workers. It doesn't work that way. You\Ncan't bail out utilities that we depend Dialogue: 0,0:35:31.25,0:35:38.33,Default,,0000,0000,0000,,on. So sorry. End of Life... 
I don't even\Nunderstand why people buy these devices Dialogue: 0,0:35:38.33,0:35:43.13,Default,,0000,0000,0000,,and this code without code escrow. When\Nyou buy the code make sure you have the Dialogue: 0,0:35:43.13,0:35:48.70,Default,,0000,0000,0000,,code in perpetuity for these systems so\Nthat you can fix them when something like Dialogue: 0,0:35:48.70,0:35:53.86,Default,,0000,0000,0000,,this or something worse happens. If I'm\Nyour worst nightmare, you have real Dialogue: 0,0:35:53.86,0:35:59.19,Default,,0000,0000,0000,,problems because there are very dark\Npeople in the world actually damaging Dialogue: 0,0:35:59.19,0:36:05.46,Default,,0000,0000,0000,,furnaces in Germany. So me disclosing keys\Non stage is scary for you. You need to get Dialogue: 0,0:36:05.46,0:36:12.69,Default,,0000,0000,0000,,a grip. So, Garrettcom?\NHere's your key too. Dialogue: 0,0:36:12.69,0:36:20.10,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:36:20.10,0:36:25.63,Default,,0000,0000,0000,,The strings come from the images.\NDevelopers are funny people really. I like Dialogue: 0,0:36:25.63,0:36:32.11,Default,,0000,0000,0000,,this. I just put them up because they're\Nfunny. Some people had some hard times, I Dialogue: 0,0:36:32.11,0:36:36.49,Default,,0000,0000,0000,,guess, writing some of this code. And my\Nrespect to them! They do great work but Dialogue: 0,0:36:36.49,0:36:43.16,Default,,0000,0000,0000,,you know, there's a couple of things we\Ncan improve on security in these devices. Dialogue: 0,0:36:43.16,0:36:47.84,Default,,0000,0000,0000,,So I once had the opportunity to stand in\Nfront of six different vendors at the same Dialogue: 0,0:36:47.84,0:36:53.44,Default,,0000,0000,0000,,time, their computer emergency response\Nteams, at a conference and I said to them, Dialogue: 0,0:36:53.44,0:36:59.66,Default,,0000,0000,0000,,"Will any of you commit to an average\Npatch time for vulnerabilities of three Dialogue: 0,0:36:59.66,0:37:05.35,Default,,0000,0000,0000,,months?"
An average patch time, because it\Nmight take 8 months, as it so far has Dialogue: 0,0:37:05.35,0:37:10.13,Default,,0000,0000,0000,,taken in the case of GE and Garrettcom, to\Nwork on these issues. It might take a long\N Dialogue: 0,0:37:10.13,0:37:15.05,Default,,0000,0000,0000,,time in some cases but as an average patch\Ntime I think 3 months for things that we Dialogue: 0,0:37:15.05,0:37:20.44,Default,,0000,0000,0000,,all depend on is reasonable. So I asked\Nthese six different teams in the same\N Dialogue: 0,0:37:20.44,0:37:29.41,Default,,0000,0000,0000,,room, if any of them would commit to this,\Nand I heard silence for 30 seconds. So my Dialogue: 0,0:37:29.41,0:37:35.22,Default,,0000,0000,0000,,friend decided to call this the silence of\Nthe vendors right. And I think that that Dialogue: 0,0:37:35.22,0:37:42.03,Default,,0000,0000,0000,,sums it up. I'd like to see better patch\Ntimes. I'd like to see computer Dialogue: 0,0:37:42.03,0:37:45.20,Default,,0000,0000,0000,,emergency response teams in each of these\Nvendors and I'd like to see someone Dialogue: 0,0:37:45.20,0:37:53.60,Default,,0000,0000,0000,,responsible for security in each of these\Ndifferent utilities. I can dream, right? I Dialogue: 0,0:37:53.60,0:37:57.37,Default,,0000,0000,0000,,think that key management... the current\Npractice in industrial systems is to take Dialogue: 0,0:37:57.37,0:38:02.68,Default,,0000,0000,0000,,some insecure protocol and wrap it in SSL\Nor TLS which is why we need the help of Dialogue: 0,0:38:02.68,0:38:10.18,Default,,0000,0000,0000,,you privacy people because TLS and SSL\Nare not the be all and end all. They often Dialogue: 0,0:38:10.18,0:38:16.43,Default,,0000,0000,0000,,sort of go the wrong way, right.
For\Nexample you can use TLS to do integrity Dialogue: 0,0:38:16.43,0:38:20.68,Default,,0000,0000,0000,,without encryption so you can verify that\Nevery message has reached its destination\N Dialogue: 0,0:38:20.68,0:38:25.92,Default,,0000,0000,0000,,intact but it is not encrypted. And this\Nmeans that you can still do intrusion Dialogue: 0,0:38:25.92,0:38:32.53,Default,,0000,0000,0000,,detection analysis of the packets. That's\Nreally good. But nobody uses that in SSL Dialogue: 0,0:38:32.53,0:38:36.67,Default,,0000,0000,0000,,in other ways right. I'm a big fan of\NShodan and use Shodan for a variety of Dialogue: 0,0:38:36.67,0:38:41.45,Default,,0000,0000,0000,,different things usually to get a sense of\Nthe Internet as a whole, right? Let me Dialogue: 0,0:38:41.45,0:38:44.73,Default,,0000,0000,0000,,back up a little bit. When I was at\NCambridge I went to Darwin college and Dialogue: 0,0:38:44.73,0:38:47.69,Default,,0000,0000,0000,,because you're at Darwin college you read\Nup a bit on Darwin and you think about how Dialogue: 0,0:38:47.69,0:38:51.87,Default,,0000,0000,0000,,Darwin thought and I think the Internet is\Nkind of like that. When it was built by Dialogue: 0,0:38:51.87,0:38:56.87,Default,,0000,0000,0000,,the IETF and various people, who did\Nfantastic work, they imagined it one way Dialogue: 0,0:38:56.87,0:39:01.45,Default,,0000,0000,0000,,and then we inherited it and it grew and\Nit became an ecosystem and stuff happens Dialogue: 0,0:39:01.45,0:39:05.43,Default,,0000,0000,0000,,out there that you wouldn't expect. And so\Nthat's why I like Shodan. 
It's kind of Dialogue: 0,0:39:05.43,0:39:09.87,Default,,0000,0000,0000,,like being a natural scientist: what's a\Nsurvey of the world, what kind of machines\N Dialogue: 0,0:39:09.87,0:39:13.43,Default,,0000,0000,0000,,are out there, what versions are they\Nrunning, when do people update their SSL..\N Dialogue: 0,0:39:13.43,0:39:17.56,Default,,0000,0000,0000,,err, you know, their certificates do they\Ndo it before or after the certificate is\N Dialogue: 0,0:39:17.56,0:39:22.60,Default,,0000,0000,0000,,invalid. Do they always upgrade the\Nalgorithm. Do they increase the key size.\N Dialogue: 0,0:39:22.60,0:39:26.38,Default,,0000,0000,0000,,You know how do things change right you\Nneed to sort of study it as a whole and Dialogue: 0,0:39:26.38,0:39:30.44,Default,,0000,0000,0000,,that's my point when it comes to just\Ntaking SSL and slapping it over a Dialogue: 0,0:39:30.44,0:39:37.76,Default,,0000,0000,0000,,protocol. It's not quite that simple. So\Nagain we need your help. Where can we go\N Dialogue: 0,0:39:37.76,0:39:42.29,Default,,0000,0000,0000,,with these attacks. And you remember at\Nthe beginning I pointed out the underpants Dialogue: 0,0:39:42.29,0:39:49.77,Default,,0000,0000,0000,,gnome. The emperor wears no clothes.\NAltering switch configurations is a big Dialogue: 0,0:39:49.77,0:39:57.41,Default,,0000,0000,0000,,deal because you can exfiltrate process\Ndata. That gives you a map of the process Dialogue: 0,0:39:57.41,0:40:02.50,Default,,0000,0000,0000,,because industrial systems are bespoke.\NEach one of them is different. It does run\N Dialogue: 0,0:40:02.50,0:40:06.54,Default,,0000,0000,0000,,different traffic and we are lucky to work\Non security in this space because our Dialogue: 0,0:40:06.54,0:40:10.88,Default,,0000,0000,0000,,users are numerate and literate and they\Ncare about safety. They don't always Dialogue: 0,0:40:10.88,0:40:14.24,Default,,0000,0000,0000,,understand security but they do care about\Nsafety. 
So if you can make it a safety Dialogue: 0,0:40:14.24,0:40:18.23,Default,,0000,0000,0000,,concern they care. There are also\Nengineers at many of these utilities who Dialogue: 0,0:40:18.23,0:40:24.22,Default,,0000,0000,0000,,look at the network 24/7. Not all of them\Nbut some of them. Can you imagine a home Dialogue: 0,0:40:24.22,0:40:28.90,Default,,0000,0000,0000,,network or something else with that kind\Nof user base. We're lucky, we should be Dialogue: 0,0:40:28.90,0:40:35.03,Default,,0000,0000,0000,,taking advantage of that user base. So\Ngetting back to the point, you know, denial Dialogue: 0,0:40:35.03,0:40:38.98,Default,,0000,0000,0000,,of service attacks to disrupt the process:\Ngo and see Marmusha's talk. This will all Dialogue: 0,0:40:38.98,0:40:43.04,Default,,0000,0000,0000,,make a lot more sense when you go and see\Nher talk. Basically any man in the middle Dialogue: 0,0:40:43.04,0:40:47.99,Default,,0000,0000,0000,,attack can disrupt, alter or drop traffic\Nat this point. If you can affect the Dialogue: 0,0:40:47.99,0:40:51.74,Default,,0000,0000,0000,,switches and the substation. And\Nexfiltrating the data gives you a map Dialogue: 0,0:40:51.74,0:40:58.11,Default,,0000,0000,0000,,of the process which leads towards further\Npotential damage for the utilities. Now Dialogue: 0,0:40:58.11,0:41:01.41,Default,,0000,0000,0000,,it's not always that simple. People will\Nget up on stage and they will tell you I Dialogue: 0,0:41:01.41,0:41:07.31,Default,,0000,0000,0000,,am awesome and this is how it's done and\Nit's easy to blow shit up. It's not true. Dialogue: 0,0:41:07.31,0:41:10.25,Default,,0000,0000,0000,,It takes a little bit of thought, it takes\Na little bit of work. I am certainly not Dialogue: 0,0:41:10.25,0:41:15.56,Default,,0000,0000,0000,,awesome. I am just a quality assurance\Nperson from a former vendor. I just Dialogue: 0,0:41:15.56,0:41:22.51,Default,,0000,0000,0000,,decided to get into security and keep\Ngoing with it.
So you can't always perform Dialogue: 0,0:41:22.51,0:41:25.39,Default,,0000,0000,0000,,these man in the middle attacks. People\Nwill say you can. But the reason you can't Dialogue: 0,0:41:25.39,0:41:30.80,Default,,0000,0000,0000,,is real-time system constraints. Some\Nsystems will stop receiving traffic five Dialogue: 0,0:41:30.80,0:41:34.54,Default,,0000,0000,0000,,milliseconds or microseconds later and\Nignore anything. If a value doesn't arrive\N Dialogue: 0,0:41:34.54,0:41:39.21,Default,,0000,0000,0000,,in this time it doesn't care. So the idea\Nthat you can route the traffic out to some Dialogue: 0,0:41:39.21,0:41:43.59,Default,,0000,0000,0000,,other country and then back in and disrupt\Nthe process is bollocks. Sometimes you Dialogue: 0,0:41:43.59,0:41:48.03,Default,,0000,0000,0000,,have to alter the firmware to achieve\Nthat. That depends on the process but I'm\N Dialogue: 0,0:41:48.03,0:41:52.83,Default,,0000,0000,0000,,just trying to give you a sense of how\Nperforming actual attacks give you a sense Dialogue: 0,0:41:52.83,0:41:56.12,Default,,0000,0000,0000,,of what the limits are, what the\Nlogistical burdens are for the attacker Dialogue: 0,0:41:56.12,0:42:04.94,Default,,0000,0000,0000,,and that's important stuff for us to know.\NAll right. Little bit of an overview.\N Dialogue: 0,0:42:04.94,0:42:11.81,Default,,0000,0000,0000,,Drunk session IDs. brute forcing\NMD5+NONCE, cross site request forgery for\N Dialogue: 0,0:42:11.81,0:42:17.42,Default,,0000,0000,0000,,firmware upload (of all things),\Nreflected cross-site scripting (8 cases of Dialogue: 0,0:42:17.42,0:42:23.05,Default,,0000,0000,0000,,it) pre authentication denial of service,\Nhardcoded keys times 2 in a firmware Dialogue: 0,0:42:23.05,0:42:28.73,Default,,0000,0000,0000,,image, SSL without forward secrecy, self\Nsigned certificates so there's no revoking Dialogue: 0,0:42:28.73,0:42:32.28,Default,,0000,0000,0000,,there's no managing of the keys on these\Ndevices right. 
Not to mention utility Dialogue: 0,0:42:32.28,0:42:35.99,Default,,0000,0000,0000,,workers are busy already. They may not\Nhave time to manage all of these devices Dialogue: 0,0:42:35.99,0:42:40.25,Default,,0000,0000,0000,,we might need to rethink that approach\Nright. Clear text passwords under SSL Dialogue: 0,0:42:40.25,0:42:44.05,Default,,0000,0000,0000,,because well no one can break SSL unless\Nyou hard code the key in the firmware Dialogue: 0,0:42:44.05,0:42:49.54,Default,,0000,0000,0000,,that's downloadable from the internet.\NEnable ssh with a password and three Dialogue: 0,0:42:49.54,0:42:55.29,Default,,0000,0000,0000,,quarter of a year waiting for fixes for\Nsome of this stuff. I'm not happy with Dialogue: 0,0:42:55.29,0:43:00.70,Default,,0000,0000,0000,,that. I think that we could live in a much\Nbetter, much safer world. And to do so we Dialogue: 0,0:43:00.70,0:43:07.91,Default,,0000,0000,0000,,need to talk very seriously about some of\Nthese issues. Don't take my opinion for Dialogue: 0,0:43:07.91,0:43:11.70,Default,,0000,0000,0000,,it. Listen to some other people. The best\Nthing about doing industrial systems work\N Dialogue: 0,0:43:11.70,0:43:15.48,Default,,0000,0000,0000,,is the diversity of approach. You know I\Nlove that there are so many other people\N Dialogue: 0,0:43:15.48,0:43:20.08,Default,,0000,0000,0000,,doing SCADA and ICS. And I love that\Nthey're going different directions. So in Dialogue: 0,0:43:20.08,0:43:26.03,Default,,0000,0000,0000,,the future I plan to be on another stage\Nwith some friends and show you some more. Dialogue: 0,0:43:26.03,0:43:30.45,Default,,0000,0000,0000,,Thank you for listening mustache fans and\Nas a parting thought. More tax money is Dialogue: 0,0:43:30.45,0:43:35.35,Default,,0000,0000,0000,,spent on surveillance than on\Ndefending common utilities. Dialogue: 0,0:43:35.35,0:43:44.39,Default,,0000,0000,0000,,{\i1}Applaus{\i0} Dialogue: 0,0:43:44.39,0:43:51.16,Default,,0000,0000,0000,,Herald: Thank you. 
It made me a scary\NSunday morning. They got a utility *<< Dialogue: 0,0:43:51.16,0:43:58.12,Default,,0000,0000,0000,,guess, mostly incomprehensable* down the\Nroad. OK. We'll have some questions taken Dialogue: 0,0:43:58.12,0:44:06.46,Default,,0000,0000,0000,,please. As the session is recorded and\Nstreamed anything you say, say it into a Dialogue: 0,0:44:06.46,0:44:17.05,Default,,0000,0000,0000,,mic. Any questions up? Wow, it is Sunday\Nmorning. Dialogue: 0,0:44:17.05,0:44:18.03,Default,,0000,0000,0000,,Éireann: Number three, sure Dialogue: 0,0:44:18.03,0:44:21.28,Default,,0000,0000,0000,,Herald: everybody understood everything?\NYou're kidding me. Dialogue: 0,0:44:21.28,0:44:23.57,Default,,0000,0000,0000,,Éireann: I've got one right here\NHerald: here is a question. Dialogue: 0,0:44:23.57,0:44:30.09,Default,,0000,0000,0000,,Question: Hey thanks I enjoyed your talk\Nand I think it's very important to raise Dialogue: 0,0:44:30.09,0:44:37.66,Default,,0000,0000,0000,,awareness. But I think it's not to raise\Nawareness. Not much in this community, but Dialogue: 0,0:44:37.66,0:44:43.88,Default,,0000,0000,0000,,within the engineering community and I see\Nit a lot of times and many engineers Dialogue: 0,0:44:43.88,0:44:49.73,Default,,0000,0000,0000,,having lots of problems doing that for\Nseveral reasons. There is maybe the Dialogue: 0,0:44:49.73,0:44:55.24,Default,,0000,0000,0000,,engineer who is thinking about this but\Nhas its miniatures in the back has to deal Dialogue: 0,0:44:55.24,0:45:03.07,Default,,0000,0000,0000,,with service personnel which know how to\Nwork a hammer and a screwdriver and on the Dialogue: 0,0:45:03.07,0:45:11.45,Default,,0000,0000,0000,,other side, engineers have to work with\Ncustomers which more those lazy people. Dialogue: 0,0:45:11.45,0:45:16.31,Default,,0000,0000,0000,,And so that's how these things happen. 
And\NI think it's more important to raise Dialogue: 0,0:45:16.31,0:45:22.00,Default,,0000,0000,0000,,awareness of these kinds of things in the\Nengineering community. Dialogue: 0,0:45:22.00,0:45:24.73,Default,,0000,0000,0000,,Éireann: So just to repeat a little bit\Nfor anybody else that couldn't hear it or Dialogue: 0,0:45:24.73,0:45:29.17,Default,,0000,0000,0000,,for the recording it's very important to\Nwork with the engineers some of the Dialogue: 0,0:45:29.17,0:45:32.47,Default,,0000,0000,0000,,engineers understand the problem. But\Ntypically management or lower level Dialogue: 0,0:45:32.47,0:45:37.68,Default,,0000,0000,0000,,service personnel don't always understand\Nthe problem. And it's not important to Dialogue: 0,0:45:37.68,0:45:41.69,Default,,0000,0000,0000,,raise the awareness in the hacker\Ncommunity. But more with the engineers is Dialogue: 0,0:45:41.69,0:45:46.30,Default,,0000,0000,0000,,what you were saying. Right. OK.\NAbsolutely true. Completely agree with Dialogue: 0,0:45:46.30,0:45:50.92,Default,,0000,0000,0000,,you. I don't just come to these\Nconferences and present to you guys. I go Dialogue: 0,0:45:50.92,0:45:54.43,Default,,0000,0000,0000,,and I present to the engineers too. And in\Nfact a couple of engineers have come to Dialogue: 0,0:45:54.43,0:45:58.60,Default,,0000,0000,0000,,this conference because we did work at\Nother conferences to see what the hacker Dialogue: 0,0:45:58.60,0:46:01.74,Default,,0000,0000,0000,,community is about and learn things from\Nthe hacker community because this is a Dialogue: 0,0:46:01.74,0:46:05.36,Default,,0000,0000,0000,,place where you can learn if you're just\Nnot afraid of getting pwned a couple of Dialogue: 0,0:46:05.36,0:46:10.100,Default,,0000,0000,0000,,times right. And it happens to me too\Nright. I learned a lot from getting Dialogue: 0,0:46:10.100,0:46:14.25,Default,,0000,0000,0000,,compromised on my machine and watching\Nsomeone do something. 
Anyways back to the Dialogue: 0,0:46:14.25,0:46:18.38,Default,,0000,0000,0000,,point I don't just work with engineers or\Nhackers. I also work with C-level Dialogue: 0,0:46:18.38,0:46:21.92,Default,,0000,0000,0000,,executives so I'm on a sabbatical from\NIOActive at the moment. at the Cambridge Dialogue: 0,0:46:21.92,0:46:26.47,Default,,0000,0000,0000,,Center for Risk studies, and I'm working\Nwith the insurance people which has its Dialogue: 0,0:46:26.47,0:46:31.44,Default,,0000,0000,0000,,challenges shall we say. But some of them\Nare very intelligent people and they want Dialogue: 0,0:46:31.44,0:46:34.67,Default,,0000,0000,0000,,to understand what's going on with hacking\Nattacks and they want to approach this Dialogue: 0,0:46:34.67,0:46:40.84,Default,,0000,0000,0000,,from a slightly different angle. My stake\Nin that is to be sure that when the Dialogue: 0,0:46:40.84,0:46:45.48,Default,,0000,0000,0000,,insurance people do get involved that they\Nactually ask for fixes and improve stuff. Dialogue: 0,0:46:45.48,0:46:49.81,Default,,0000,0000,0000,,So yes I do my best to raise awareness\Nwherever I can. And I'm not alone. You can Dialogue: 0,0:46:49.81,0:46:53.77,Default,,0000,0000,0000,,help me.\NQuestioner: Thank you Dialogue: 0,0:46:53.77,0:46:58.02,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:46:58.02,0:47:05.57,Default,,0000,0000,0000,,Herald: OK, there's another question here.\NNumber two. Oh, and up there too, yes we Dialogue: 0,0:47:05.57,0:47:09.38,Default,,0000,0000,0000,,saw you. OK number two was first I think.\NGo ahead Dialogue: 0,0:47:09.38,0:47:13.57,Default,,0000,0000,0000,,Question: {\i1}incomprehensible{\i0}. So you\Nmentioned a couple of things, err a couple Dialogue: 0,0:47:13.57,0:47:18.44,Default,,0000,0000,0000,,of vulnerabilities and I was wondering\Nwhat you would think an ideal system would Dialogue: 0,0:47:18.44,0:47:24.15,Default,,0000,0000,0000,,look like. You mentioned key provisioning\Nof course putting certificates. 
I assume Dialogue: 0,0:47:24.15,0:47:28.47,Default,,0000,0000,0000,,that they were different certificates for\Ndifferent devices rather than the same Dialogue: 0,0:47:28.47,0:47:37.43,Default,,0000,0000,0000,,certificate for all devices. Okay that's a bad\Nthing. And and also sort of the way how Dialogue: 0,0:47:37.43,0:47:44.84,Default,,0000,0000,0000,,the software update management works. So\Nhow would you if you could give them some Dialogue: 0,0:47:44.84,0:47:48.95,Default,,0000,0000,0000,,advice how to design a system\Nhow would you do it? Dialogue: 0,0:47:48.95,0:47:55.42,Default,,0000,0000,0000,,Éireann: Okay. So first of all I wouldn't\Nhard code the keys as you as you discussed Dialogue: 0,0:47:55.42,0:48:01.86,Default,,0000,0000,0000,,to be in every device the same. It's one\Nthing to put in your documentation hey you Dialogue: 0,0:48:01.86,0:48:07.63,Default,,0000,0000,0000,,should update the keys but I mean if I can\Npatch binary file with a key then there's Dialogue: 0,0:48:07.63,0:48:11.09,Default,,0000,0000,0000,,no reason you couldn't do that on the\Nwebsite where you download the firmware Dialogue: 0,0:48:11.09,0:48:15.16,Default,,0000,0000,0000,,image right. Just as an example as a\Nthought experiment sort of makes that Dialogue: 0,0:48:15.16,0:48:18.42,Default,,0000,0000,0000,,clear. The upgrade path for these devices\Nis download the firmware image from the Dialogue: 0,0:48:18.42,0:48:25.28,Default,,0000,0000,0000,,website to some machine and then carry it,\Nbecause all these systems are airgapped. Dialogue: 0,0:48:25.28,0:48:29.23,Default,,0000,0000,0000,,to some other location and then upload it\Nonto the switch right with hardcoded Dialogue: 0,0:48:29.23,0:48:33.87,Default,,0000,0000,0000,,credentials. 
So first off whenever you\Nprovision a switch initially you provision Dialogue: 0,0:48:33.87,0:48:36.92,Default,,0000,0000,0000,,all of the credentials for that device.\NThat's standard practice of many routers Dialogue: 0,0:48:36.92,0:48:41.90,Default,,0000,0000,0000,,and other pieces of equipment today. And I\Nwould think less about defending and Dialogue: 0,0:48:41.90,0:48:46.23,Default,,0000,0000,0000,,securing the device than on being\Nable to regularly check its integrity, Dialogue: 0,0:48:46.23,0:48:48.54,Default,,0000,0000,0000,,the integrity of the firmware that is\Nrunning and the integrity of the Dialogue: 0,0:48:48.54,0:48:54.29,Default,,0000,0000,0000,,configuration. So I'd focus on that and I'd\Nfocus on being able to recover the switch Dialogue: 0,0:48:54.29,0:48:57.74,Default,,0000,0000,0000,,after it's been attacked. So you reverse\Nyour thinking. You assume that one day Dialogue: 0,0:48:57.74,0:49:01.31,Default,,0000,0000,0000,,someone is going to crack your firmware\Nsigning and crack this and crack that and Dialogue: 0,0:49:01.31,0:49:05.93,Default,,0000,0000,0000,,you focus on how can I quickly upload a\Nnew firmware image that is known to be Dialogue: 0,0:49:05.93,0:49:12.25,Default,,0000,0000,0000,,good and verify that the one that is\Nuploaded is good to this device. Dialogue: 0,0:49:12.25,0:49:16.06,Default,,0000,0000,0000,,Questioner: Thank you.\NHerald: There was a question up there on Dialogue: 0,0:49:16.06,0:49:18.77,Default,,0000,0000,0000,,the balcony.\NSignal angel: Yes we have two questions Dialogue: 0,0:49:18.77,0:49:25.55,Default,,0000,0000,0000,,here on the net. So the first one is how\Nwould you solve the end of life issue. Dialogue: 0,0:49:25.55,0:49:29.90,Default,,0000,0000,0000,,Sometimes {\i1}incomprehensible{\i0} clients just\Ngets really outdated. 
Dialogue: 0,0:49:29.90,0:49:33.42,Default,,0000,0000,0000,,Éireann: That's absolutely true and it is\Nslightly unfair of me to be a hard on the Dialogue: 0,0:49:33.42,0:49:38.35,Default,,0000,0000,0000,,vendors. But it's my job to take the\Ndebate a little bit too far the other way. Dialogue: 0,0:49:38.35,0:49:43.23,Default,,0000,0000,0000,,So how would I solve the end of life issue\Nis the question from the internet. I don't Dialogue: 0,0:49:43.23,0:49:47.76,Default,,0000,0000,0000,,know. I think that's not a technical\Nproblem it's a societal problem. Like when Dialogue: 0,0:49:47.76,0:49:55.97,Default,,0000,0000,0000,,we buy bridges they are bridges until they\Nfall down. When we buy roads they stay Dialogue: 0,0:49:55.97,0:49:59.13,Default,,0000,0000,0000,,there until they go away. I mean there is\Nprobably some end of life issues in there Dialogue: 0,0:49:59.13,0:50:04.96,Default,,0000,0000,0000,,but it's almost more of a contractual\Nlegal issue and someone should study that. Dialogue: 0,0:50:04.96,0:50:08.34,Default,,0000,0000,0000,,There are people studying that but it's\Nnot my area of expertise but I'll try and Dialogue: 0,0:50:08.34,0:50:12.97,Default,,0000,0000,0000,,answer as best I can. I think code escrow\Nis a good way to go when you buy some of Dialogue: 0,0:50:12.97,0:50:18.08,Default,,0000,0000,0000,,these devices you say I want the code for\Nthis device in the future. I want to have Dialogue: 0,0:50:18.08,0:50:22.37,Default,,0000,0000,0000,,access to it. If your company goes\Nbankrupt I need you to give up the source Dialogue: 0,0:50:22.37,0:50:26.33,Default,,0000,0000,0000,,code for these devices when you go\Nbankrupt or when you disappear or when Dialogue: 0,0:50:26.33,0:50:30.38,Default,,0000,0000,0000,,it's the end of life. There are a couple\Nof manufacturers out there doing open Dialogue: 0,0:50:30.38,0:50:35.20,Default,,0000,0000,0000,,source switches. There's a company called\NOpen gear who are awesome. 
They gave me a Dialogue: 0,0:50:35.20,0:50:39.79,Default,,0000,0000,0000,,switch to play with that I haven't had\Ntime to look at yet. I think that's amazing Dialogue: 0,0:50:39.79,0:50:42.70,Default,,0000,0000,0000,,right. And their code is open source and\Nyou can go and examine it. So you would Dialogue: 0,0:50:42.70,0:50:46.31,Default,,0000,0000,0000,,have the code anyway. Those are two\Ndifferent approaches. I think there are Dialogue: 0,0:50:46.31,0:50:49.98,Default,,0000,0000,0000,,others you can solve this problem\Ntechnically or legally or socially but as Dialogue: 0,0:50:49.98,0:50:55.87,Default,,0000,0000,0000,,a society we depend on these utilities and\Nthat code should not just vanish when it's Dialogue: 0,0:50:55.87,0:51:05.37,Default,,0000,0000,0000,,difficult or costly to keep it upgraded.\N{\i1}applause{\i0} Dialogue: 0,0:51:05.37,0:51:08.09,Default,,0000,0000,0000,,Herald: There was a second\Nquestion from the Internet. Dialogue: 0,0:51:08.09,0:51:14.18,Default,,0000,0000,0000,,Signal angel: Yes, so the second one is:\Nwhat should a non-technical person in Dialogue: 0,0:51:14.18,0:51:19.89,Default,,0000,0000,0000,,the respect of {\i1}incomprehensible{\i0} set non-\Ntechnical person sent to manage small town Dialogue: 0,0:51:19.89,0:51:25.44,Default,,0000,0000,0000,,utility do as best practice?\NÉireann: I think the first and most Dialogue: 0,0:51:25.44,0:51:29.93,Default,,0000,0000,0000,,important thing is to look for attacks.\NI'm sorry I should probably repeat that Dialogue: 0,0:51:29.93,0:51:33.61,Default,,0000,0000,0000,,question just to be sure. What should\Nsomeone in a small town who manages Dialogue: 0,0:51:33.61,0:51:37.42,Default,,0000,0000,0000,,utility do to defend themselves and\Nprotect himself. So the first thing is Dialogue: 0,0:51:37.42,0:51:43.13,Default,,0000,0000,0000,,look for attacks. 
Even if you spend a few\Nhours a week looking for something you Dialogue: 0,0:51:43.13,0:51:46.25,Default,,0000,0000,0000,,script something up or you hire some\Ncollege kid to come in and script Dialogue: 0,0:51:46.25,0:51:49.58,Default,,0000,0000,0000,,something and look for things on your\Nnetwork and ask questions and yes they're Dialogue: 0,0:51:49.58,0:51:52.28,Default,,0000,0000,0000,,going to be a pain in the ass and is going\Nto be difficult. But you're going to learn Dialogue: 0,0:51:52.28,0:51:55.60,Default,,0000,0000,0000,,things about your network and you might\Ndetect some attacks. The first problem in Dialogue: 0,0:51:55.60,0:52:01.06,Default,,0000,0000,0000,,utilities is no one is responsible for\Nsecurity. It's not my job. It's kind of Dialogue: 0,0:52:01.06,0:52:05.48,Default,,0000,0000,0000,,the mantra so for a small utility find\Nsomeone whose job it is if you're a very Dialogue: 0,0:52:05.48,0:52:09.13,Default,,0000,0000,0000,,small utility there's probably some other\Nsmall utilities near you and you can hire Dialogue: 0,0:52:09.13,0:52:13.79,Default,,0000,0000,0000,,a resource together to come and visit your\Ndifferent utilities and help you out. The Dialogue: 0,0:52:13.79,0:52:17.38,Default,,0000,0000,0000,,second one is watch your relationship with\Nyour vendor when you purchase this Dialogue: 0,0:52:17.38,0:52:21.22,Default,,0000,0000,0000,,equipment you spend a lot of money on it.\NSpend a little bit of time doing Dialogue: 0,0:52:21.22,0:52:25.07,Default,,0000,0000,0000,,penetration tests. Yes I like it when you\Nhire me but you don't have to hire me. Dialogue: 0,0:52:25.07,0:52:28.07,Default,,0000,0000,0000,,There are plenty of other people you can\Nhire who will have a look at the device Dialogue: 0,0:52:28.07,0:52:31.77,Default,,0000,0000,0000,,and find the simple vulnerabilities. 
So\Nwhen you purchase something make sure you Dialogue: 0,0:52:31.77,0:52:35.47,Default,,0000,0000,0000,,test it for security purposes and that's\Nvery important because you can even put Dialogue: 0,0:52:35.47,0:52:40.88,Default,,0000,0000,0000,,into your contract if you fail the\Nsecurity tests we will pay you less money. Dialogue: 0,0:52:40.88,0:52:44.48,Default,,0000,0000,0000,,And the vendors are not going to react\Nto security until you do that. So that's Dialogue: 0,0:52:44.48,0:52:51.43,Default,,0000,0000,0000,,the second answer. And I wish I had a\Nthird to make it very neat but I don't. Dialogue: 0,0:52:51.43,0:52:55.73,Default,,0000,0000,0000,,Herald: OK. There was one more\Nquestion at mic 4 I think Dialogue: 0,0:52:55.73,0:52:58.50,Default,,0000,0000,0000,,Questioner: Yes hi thank you for\Nyour time. Dialogue: 0,0:52:58.50,0:53:03.54,Default,,0000,0000,0000,,Herald: Talk into the mike please. Thank\Nyou for your talk. Q Hi. I'm kind of a Dialogue: 0,0:53:03.54,0:53:12.74,Default,,0000,0000,0000,,newbie to the C3 community and I am not\Nsure about the question I want to ask you. Dialogue: 0,0:53:12.74,0:53:16.58,Default,,0000,0000,0000,,Probably many people understand in this\Nroom but I don't know if I would like to Dialogue: 0,0:53:16.58,0:53:23.78,Default,,0000,0000,0000,,ask you what exactly do you\Nmean by arbitrary firmware. Dialogue: 0,0:53:23.78,0:53:28.80,Default,,0000,0000,0000,,Éireann: No problem. So the question was\NWhat do you mean by arbitrary firmware. I Dialogue: 0,0:53:28.80,0:53:34.35,Default,,0000,0000,0000,,mean the firmware that I have altered that\Nwas not manufactured by the vendor to do Dialogue: 0,0:53:34.35,0:53:39.23,Default,,0000,0000,0000,,whatever I want. How do you trust that\Nthis switch sends all the packets that it Dialogue: 0,0:53:39.23,0:53:45.05,Default,,0000,0000,0000,,should send. What if it's, you know, my\Nhandle is BSB right. 
What if it drops Dialogue: 0,0:53:45.05,0:53:51.23,Default,,0000,0000,0000,,every packet that has BSB in the packet.\NRight. You can rewrite a firmware image to Dialogue: 0,0:53:51.23,0:53:54.95,Default,,0000,0000,0000,,do whatever the device can do and in some\Ncases more things than the device usually Dialogue: 0,0:53:54.95,0:53:59.96,Default,,0000,0000,0000,,does to damage itself for example. So an\Narbitrary firmware is one in which anyone Dialogue: 0,0:53:59.96,0:54:03.49,Default,,0000,0000,0000,,writes the firmware and there is no\Nchecking to be sure that this is the image Dialogue: 0,0:54:03.49,0:54:08.49,Default,,0000,0000,0000,,that you want on this device whether it's\Nprovided by the vendor or the community Dialogue: 0,0:54:08.49,0:54:13.24,Default,,0000,0000,0000,,right. You still want checking that this\Nis the correct code or the code that you Dialogue: 0,0:54:13.24,0:54:18.31,Default,,0000,0000,0000,,wanted anyway. Right.\NHerald: Okay thank you. Is that a question Dialogue: 0,0:54:18.31,0:54:22.49,Default,,0000,0000,0000,,here mic 1? OK go ahead.\NQuestioner: Yes please. In your Dialogue: 0,0:54:22.49,0:54:29.74,Default,,0000,0000,0000,,hypothetical question, you asked what\Ndamage could I do in that paint factory. Dialogue: 0,0:54:29.74,0:54:39.69,Default,,0000,0000,0000,,But you can also reverse it. What kind of\Ncompany secrets can I obtain for example, Dialogue: 0,0:54:39.69,0:54:45.86,Default,,0000,0000,0000,,your favorite recipe for your hot\Nchocolate or the recipes of Coca-Cola. Dialogue: 0,0:54:45.86,0:54:52.84,Default,,0000,0000,0000,,They are vulnerable as well aren't they.\NÉireann: Yes. So the question just again Dialogue: 0,0:54:52.84,0:54:56.56,Default,,0000,0000,0000,,for everyone else. You don't just have to\Ntalk about damage in a paint factory or Dialogue: 0,0:54:56.56,0:55:01.82,Default,,0000,0000,0000,,any industrial system. 
You can also talk\Nabout intellectual property and protecting Dialogue: 0,0:55:01.82,0:55:07.31,Default,,0000,0000,0000,,the recipes that we use to bake cookies or\Nmake beer or whatever pharmaceuticals Dialogue: 0,0:55:07.31,0:55:12.64,Default,,0000,0000,0000,,whatever. And that's a fantastic question\Nand I'm glad you brought it up a couple of Dialogue: 0,0:55:12.64,0:55:15.81,Default,,0000,0000,0000,,years ago when I was doing... well, more\Nthan a couple of years like eight years Dialogue: 0,0:55:15.81,0:55:19.25,Default,,0000,0000,0000,,ago, when I was doing industrial system\Nsecurity I realized I wasn't getting a lot Dialogue: 0,0:55:19.25,0:55:23.49,Default,,0000,0000,0000,,of traction. It was before stuxnet, I was\Na quality assurance guy. Everybody thought Dialogue: 0,0:55:23.49,0:55:34.31,Default,,0000,0000,0000,,I was fucking crazy right. Stuxnet,\Ncareer. It's wrong. It's really wrong. But Dialogue: 0,0:55:34.31,0:55:39.58,Default,,0000,0000,0000,,the point is I tried to take that\Napproach. I tried to say you have a Dialogue: 0,0:55:39.58,0:55:43.02,Default,,0000,0000,0000,,process in which you manufacture something\Nand you make money by the fact that that Dialogue: 0,0:55:43.02,0:55:47.98,Default,,0000,0000,0000,,process is relatively secret and if you\Ndon't care about defending your workers Dialogue: 0,0:55:47.98,0:55:52.59,Default,,0000,0000,0000,,from being damaged then at least care\Nabout the intellectual property because Dialogue: 0,0:55:52.59,0:55:56.06,Default,,0000,0000,0000,,I'll get security in by some sort of back\Ndoor right. I'm a little bit of a security Dialogue: 0,0:55:56.06,0:56:00.20,Default,,0000,0000,0000,,Machiavellian. I'll find a way to get\Nsecurity into the system somehow. So I Dialogue: 0,0:56:00.20,0:56:05.35,Default,,0000,0000,0000,,tried to say intellectual property you\Nshould be protected. And I found that they Dialogue: 0,0:56:05.35,0:56:09.32,Default,,0000,0000,0000,,didn't care so much. 
I mean maybe you'll\Nhave more luck maybe post-stuxnet that Dialogue: 0,0:56:09.32,0:56:14.07,Default,,0000,0000,0000,,that's a better argument. I hope you do.\NBut it is an important question as well. Dialogue: 0,0:56:14.07,0:56:18.72,Default,,0000,0000,0000,,Right. It's not, it's not just potential\Nfor damage. I think there's a lot more Dialogue: 0,0:56:18.72,0:56:25.46,Default,,0000,0000,0000,,espionage going on on these networks than\Nthere is damage and sabotage. Herald: Okay Dialogue: 0,0:56:25.46,0:56:32.07,Default,,0000,0000,0000,,we'll take one more question on mike four.\NQuestioner: Thank you okay. My question Dialogue: 0,0:56:32.07,0:56:38.32,Default,,0000,0000,0000,,concerns the concepts of software defined\Nnetworking and open flow. So when I first Dialogue: 0,0:56:38.32,0:56:44.88,Default,,0000,0000,0000,,heard about software defined networking I\Nthought well this is a huge security issue Dialogue: 0,0:56:44.88,0:56:50.59,Default,,0000,0000,0000,,and there may be huge vulnerabilities.\NAfter your joke I think this might Dialogue: 0,0:56:50.59,0:56:56.42,Default,,0000,0000,0000,,actually be a good idea to dumb down the\Nswitches and put the intelligence Dialogue: 0,0:56:56.42,0:57:01.90,Default,,0000,0000,0000,,somewhere locked up in a safe place.\NWhat's your opinion on that. Can they Dialogue: 0,0:57:01.90,0:57:05.84,Default,,0000,0000,0000,,actually improve security.\NÉireann: Yes. So the question is what role Dialogue: 0,0:57:05.84,0:57:09.97,Default,,0000,0000,0000,,could software defined networking play in\Nthese sorts of environments. And is it a Dialogue: 0,0:57:09.97,0:57:15.21,Default,,0000,0000,0000,,good idea from a security perspective.\NAnytime someone has a revolution in Dialogue: 0,0:57:15.21,0:57:19.24,Default,,0000,0000,0000,,computing we also have to update our\Nsecurity paradigm. 
So I think with Dialogue: 0,0:57:19.24,0:57:23.04,Default,,0000,0000,0000,,software defined networking it's not\Nwhether it's good or bad it's that you Dialogue: 0,0:57:23.04,0:57:28.34,Default,,0000,0000,0000,,defend that network differently than you\Ndefend one of these networks. So it's not Dialogue: 0,0:57:28.34,0:57:31.40,Default,,0000,0000,0000,,so much that as good as good or bad it's\Nneutral if you know how to defend your Dialogue: 0,0:57:31.40,0:57:34.78,Default,,0000,0000,0000,,network. I don't care what it is. As long\Nas someone is looking to defend it and Dialogue: 0,0:57:34.78,0:57:38.99,Default,,0000,0000,0000,,cares about how the flows are working. So\NI think software defined networking in Dialogue: 0,0:57:38.99,0:57:42.45,Default,,0000,0000,0000,,these environments could be a very good\Nthing but the refresh rate on these Dialogue: 0,0:57:42.45,0:57:45.80,Default,,0000,0000,0000,,devices is not that high. So I don't think\Nwe'll see it there for a little while even Dialogue: 0,0:57:45.80,0:57:50.86,Default,,0000,0000,0000,,though it might be a good thing\Nphilosophically. It takes 5 10 15 20 years Dialogue: 0,0:57:50.86,0:57:56.41,Default,,0000,0000,0000,,to refresh these networks so it'll be a little\Nwhile. But it's not good or bad. It's just Dialogue: 0,0:57:56.41,0:57:59.91,Default,,0000,0000,0000,,learn to defend what you got is the\Nproblem right. Dialogue: 0,0:57:59.91,0:58:06.49,Default,,0000,0000,0000,,Questioner: Okay thanks a lot.\NHerald: Okay okay let's give a big hand Dialogue: 0,0:58:06.49,0:58:09.64,Default,,0000,0000,0000,,for Éireann and thank you.\NÉireann: Thank you Dialogue: 0,0:58:09.64,0:58:13.32,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:58:13.32,0:58:24.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\NJoin, and help us!