[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:18.26,Default,,0000,0000,0000,,{\i1}36c3 prerol music{\i0} Dialogue: 0,0:00:18.26,0:00:26.16,Default,,0000,0000,0000,,Herald: So, Siemens recently decided to\Nadd some security feature to the PLC. And Dialogue: 0,0:00:26.16,0:00:32.80,Default,,0000,0000,0000,,today we have Tobias and Ali and they will\Nbe sort of.. telling us what they managed Dialogue: 0,0:00:32.80,0:00:40.72,Default,,0000,0000,0000,,to find. This PLC. They both come from\NRuhr Universität Bochum. Tobias is a Dialogue: 0,0:00:40.72,0:00:46.16,Default,,0000,0000,0000,,recent acquisition as a doctoral student.\NAnd Ali is a postdoc. So, uh, let's give Dialogue: 0,0:00:46.16,0:00:48.36,Default,,0000,0000,0000,,them a hand. Dialogue: 0,0:00:48.36,0:00:56.82,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:00:59.65,0:01:03.56,Default,,0000,0000,0000,,Ali: Hmm, where is our slide?\NTobias: Presentation mode? Dialogue: 0,0:01:09.75,0:01:17.21,Default,,0000,0000,0000,,Ali: Yes. OK. Welcome to our talk. A deep\Ndive into on concentrate code execution in Dialogue: 0,0:01:17.21,0:01:23.76,Default,,0000,0000,0000,,Siemens S7 PLCs. My name is Ali Abbasi and\Nas mentioned before, I'm a postdoc at Dialogue: 0,0:01:23.76,0:01:28.16,Default,,0000,0000,0000,,chair of System Security at Ruhr\NUniversity Boch and here's my colleague. Dialogue: 0,0:01:28.16,0:01:34.40,Default,,0000,0000,0000,,Tobias: I am Tobias or Tobi. I'm very\Nglad to be here. It's my fifth time at the Dialogue: 0,0:01:34.40,0:01:38.64,Default,,0000,0000,0000,,Congress and now finally able to give back\Nin a way. So I'm very excited about that. Dialogue: 0,0:01:39.76,0:01:46.88,Default,,0000,0000,0000,,So let's get into it. So first about the\Nplan of the talk. 
We want to give you a Dialogue: 0,0:01:46.88,0:01:51.36,Default,,0000,0000,0000,,little bit of a background of what PLCs,\Nwhich is programmable logic controllers Dialogue: 0,0:01:51.36,0:01:56.64,Default,,0000,0000,0000,,are all about, why we might want to use\Nthem and in what kind of setting. And then Dialogue: 0,0:01:56.64,0:02:02.60,Default,,0000,0000,0000,,we want to go into the specifics of PLCs\Nin the Siemens case. First we look a bit Dialogue: 0,0:02:02.60,0:02:07.04,Default,,0000,0000,0000,,at the hardware and then at the software\Nafterwards and the different findings that Dialogue: 0,0:02:07.04,0:02:11.20,Default,,0000,0000,0000,,we had. At the end, we would show a\Ndemonstration of what we're able to Dialogue: 0,0:02:11.20,0:02:18.96,Default,,0000,0000,0000,,achieve and conclude with some remarks. So\Nfirst of all, process automation. So we Dialogue: 0,0:02:18.96,0:02:25.28,Default,,0000,0000,0000,,all know it. Or maybe we do it ourselves\Nor we know somebody who does it. We put in Dialogue: 0,0:02:25.28,0:02:32.48,Default,,0000,0000,0000,,some devices in our smart home, if we call\Nit smart already. And we try to automate Dialogue: 0,0:02:32.48,0:02:38.72,Default,,0000,0000,0000,,different targets on different things to\Nmake our lives easier. Things like turning Dialogue: 0,0:02:38.72,0:02:43.20,Default,,0000,0000,0000,,up and down the heat. We might not want to\Ndo that our own. We might not want to Dialogue: 0,0:02:43.20,0:02:49.04,Default,,0000,0000,0000,,overheat or under heat. And what we do is\Nbasically have some sensory systems inside Dialogue: 0,0:02:49.04,0:02:55.20,Default,,0000,0000,0000,,our homes, as well as some devices that\Ninteract with those sensors. In this case, Dialogue: 0,0:02:55.20,0:03:00.56,Default,,0000,0000,0000,,we might have a thermostat and a heater\Nand we want to adjust our temperature Dialogue: 0,0:03:00.56,0:03:06.88,Default,,0000,0000,0000,,based on the thermostat. 
They're pretty\Nsimplistic solutions like this for a smart Dialogue: 0,0:03:06.88,0:03:12.96,Default,,0000,0000,0000,,home. But what we do if we have very\Ncomplex control loops for example. Here we Dialogue: 0,0:03:12.96,0:03:20.24,Default,,0000,0000,0000,,can see on the left bottom corner a pretty\Ncomplex looking picture, some operating Dialogue: 0,0:03:21.20,0:03:26.64,Default,,0000,0000,0000,,operators sitting in front of what we call\Nan HMI a human machine interface, which is Dialogue: 0,0:03:26.64,0:03:30.32,Default,,0000,0000,0000,,basically an aggregation of all the\Ninformation of things that go on in a Dialogue: 0,0:03:30.32,0:03:36.56,Default,,0000,0000,0000,,factory, for example. We need different\Nsensors and this factory and we need to Dialogue: 0,0:03:36.56,0:03:41.04,Default,,0000,0000,0000,,steer different motors and stuff like\Nthis. So we need things in the middle to Dialogue: 0,0:03:41.04,0:03:46.40,Default,,0000,0000,0000,,kind of control all of this. And we do\Nthis using PLCs and we can see a setup how Dialogue: 0,0:03:46.40,0:03:50.26,Default,,0000,0000,0000,,it could look like. So basically have a\Nset of inputs as we talked about and a set Dialogue: 0,0:03:50.26,0:03:54.24,Default,,0000,0000,0000,,of outputs. And we have some logic going\Non in the middle. And what we typically Dialogue: 0,0:03:54.24,0:03:59.84,Default,,0000,0000,0000,,deploy is a PLC a programable logic\Ncontroller and some logic in the middle. Dialogue: 0,0:03:59.84,0:04:04.88,Default,,0000,0000,0000,,There are different technologies that can\Nbe used, for example, structure, text or Dialogue: 0,0:04:04.88,0:04:11.44,Default,,0000,0000,0000,,letter logic which gets downloaded onto\Nthe PLC and then which steers outputs Dialogue: 0,0:04:11.44,0:04:16.16,Default,,0000,0000,0000,,based on the inputs that it gets. You can\Nsee some applications of this kind of Dialogue: 0,0:04:16.16,0:04:21.67,Default,,0000,0000,0000,,thing. 
For example, a chemical power\Nplant, chemical plant, an electric grid or Dialogue: 0,0:04:21.67,0:04:28.48,Default,,0000,0000,0000,,some manufacturing. Some of those\Ncomponents are pretty critical to the Dialogue: 0,0:04:28.48,0:04:33.19,Default,,0000,0000,0000,,workings. Even either we see it in the\Neveryday lives and sometimes we don't Dialogue: 0,0:04:33.19,0:04:39.56,Default,,0000,0000,0000,,really see it. But they are in the\Nsteering, everything in the background and Dialogue: 0,0:04:39.56,0:04:44.22,Default,,0000,0000,0000,,we really don't want those systems to get\Ncompromised. For example, if you went onto Dialogue: 0,0:04:44.22,0:04:48.45,Default,,0000,0000,0000,,Google and looked something about\Ndisasters and chemical plants, you could Dialogue: 0,0:04:48.45,0:04:53.07,Default,,0000,0000,0000,,see melted down plants just because of\Nsome mis.. malfunction in the system or Dialogue: 0,0:04:53.07,0:04:58.82,Default,,0000,0000,0000,,so. And we really don't want this to\Nhappen. Neither an accidental but also not Dialogue: 0,0:04:58.82,0:05:03.53,Default,,0000,0000,0000,,a malicious basis. And this is why we want\Nto secure all the processes going on in Dialogue: 0,0:05:03.53,0:05:09.86,Default,,0000,0000,0000,,factories and the like. We've seen some of\Nthe recent attacks. So it started kind of Dialogue: 0,0:05:09.86,0:05:16.98,Default,,0000,0000,0000,,in 1999 with a first initial\Nreconnaissance based mainly. And then we Dialogue: 0,0:05:16.98,0:05:22.04,Default,,0000,0000,0000,,had some more advanced attacks in 2010,\Nfor example, where we saw Stuxnet, which Dialogue: 0,0:05:22.04,0:05:26.26,Default,,0000,0000,0000,,was very much really intricate operation.\NIf you think about it on a technical Dialogue: 0,0:05:26.26,0:05:31.69,Default,,0000,0000,0000,,level, what all went into it. What\Ndifferent skill sets were involved. It's Dialogue: 0,0:05:31.69,0:05:38.05,Default,,0000,0000,0000,,pretty impressive. 
And then in the more\Nrecent time we had some issues in the Dialogue: 0,0:05:38.05,0:05:45.40,Default,,0000,0000,0000,,Ukrainian power grid, which in 2015\Nand '16 just before Christmas, some lights Dialogue: 0,0:05:45.40,0:05:51.75,Default,,0000,0000,0000,,went out for quite a while in some cities\Nthere. So quite a bit of impact. So to Dialogue: 0,0:05:51.75,0:05:57.50,Default,,0000,0000,0000,,give you a bit of impact, a background on\NSiemens PLCs here when it comes to market Dialogue: 0,0:05:57.50,0:06:01.91,Default,,0000,0000,0000,,shares. We can see that together with\NRockwood Automation, Siemens actually has Dialogue: 0,0:06:01.91,0:06:06.37,Default,,0000,0000,0000,,more than 50 percent market share in the\Nmarket. And obviously, if we take out some Dialogue: 0,0:06:06.37,0:06:10.42,Default,,0000,0000,0000,,devices that introduce some security, it\Nwould be interesting to look at those with Dialogue: 0,0:06:10.42,0:06:15.56,Default,,0000,0000,0000,,the biggest market share. This is what we\Ndid here in the Siemens case. Here we can Dialogue: 0,0:06:15.56,0:06:22.03,Default,,0000,0000,0000,,see the actual PLCs that we will focus on\Nin this talk, which is the Siemens S7-1200 Dialogue: 0,0:06:22.03,0:06:26.72,Default,,0000,0000,0000,,PLC. It's one of the smaller PLCs, not\Nquite the smallest, there is the logo as Dialogue: 0,0:06:26.72,0:06:33.42,Default,,0000,0000,0000,,well, which is more of a playing around\Nexample, but this is the one that it's Dialogue: 0,0:06:33.42,0:06:39.30,Default,,0000,0000,0000,,still pretty accessible to researchers in\Nterms of costs. So it's like 250 for the Dialogue: 0,0:06:39.30,0:06:44.56,Default,,0000,0000,0000,,PLC. Then if you need a power supply, it\Ncan add the same. 
So as long as you don't Dialogue: 0,0:06:44.56,0:06:50.21,Default,,0000,0000,0000,,break too many, spoiler, we broke quite\Nsome or you don't drop them or something Dialogue: 0,0:06:50.21,0:06:55.52,Default,,0000,0000,0000,,like this, then you're pretty fine so you\Ncan kind of get the resources to play with Dialogue: 0,0:06:55.52,0:07:00.29,Default,,0000,0000,0000,,those devices. We have different\Napplications and we talked about them Dialogue: 0,0:07:00.29,0:07:08.19,Default,,0000,0000,0000,,before. So here is what an unboxing of a\NSiemens 7 1200 PLC would look like. We Dialogue: 0,0:07:08.19,0:07:13.66,Default,,0000,0000,0000,,have the top view here on the left\Npicture. It's only one of different PCBs Dialogue: 0,0:07:13.66,0:07:19.36,Default,,0000,0000,0000,,which are layered on to each other in this\Ncase. But the real magic goes on in the Dialogue: 0,0:07:19.36,0:07:25.72,Default,,0000,0000,0000,,top PCB, which is the green one that we\Nsee here. Looking at it a bit more in more Dialogue: 0,0:07:25.72,0:07:31.20,Default,,0000,0000,0000,,detail. We have the top view on the left\Nside, which shows the different components Dialogue: 0,0:07:31.20,0:07:36.57,Default,,0000,0000,0000,,that really make the PLC. Take, for\Nexample, the ARM CPU that we have or Dialogue: 0,0:07:36.57,0:07:41.68,Default,,0000,0000,0000,,different input outputs that we can\Nconnect to a PLC, as we talked about Dialogue: 0,0:07:41.68,0:07:47.69,Default,,0000,0000,0000,,before, which they need in order to steer\Ndifferent parts of the system. And then we Dialogue: 0,0:07:47.69,0:07:56.23,Default,,0000,0000,0000,,have the flash chip on the top side as\Nwell, which is a big flash chip holding Dialogue: 0,0:07:56.23,0:08:04.17,Default,,0000,0000,0000,,the firmware off the actual PLCs, which we\Nwill talk about a bit more in detail Dialogue: 0,0:08:04.17,0:08:09.84,Default,,0000,0000,0000,,later. 
On the flip side, we have on the\Nright picture the bottom side of the first Dialogue: 0,0:08:09.84,0:08:15.38,Default,,0000,0000,0000,,layer PCB. And as we can see here, this is\Nwhere the bootloader chip resides, which Dialogue: 0,0:08:15.38,0:08:21.87,Default,,0000,0000,0000,,is an SPI flashchip of four megabytes\Nowning the code of the Siemens PLC Dialogue: 0,0:08:21.87,0:08:29.04,Default,,0000,0000,0000,,bootloader. Here we wanted to have a\Ndetailed view on what the actual Dialogue: 0,0:08:29.04,0:08:33.24,Default,,0000,0000,0000,,processing unit inside this board actually\Nlooks like and what you can do if you want Dialogue: 0,0:08:33.24,0:08:38.86,Default,,0000,0000,0000,,really want to find out you can do some\Ndecapping. And that's what we see here. Dialogue: 0,0:08:38.86,0:08:46.02,Default,,0000,0000,0000,,The result of this, we can see that at the\Ncore of it, it's a renaissance ARM Dialogue: 0,0:08:46.02,0:08:52.71,Default,,0000,0000,0000,,Cortex-R4 for from 2010. And if you\Nafterwards are more juggling with the Dialogue: 0,0:08:52.71,0:08:58.08,Default,,0000,0000,0000,,software side of things, you may also want\Nto find out the actual revision number, Dialogue: 0,0:08:58.08,0:09:04.97,Default,,0000,0000,0000,,what it supports inside the ARM standard.\NAnd what you can do there is use a special Dialogue: 0,0:09:04.97,0:09:13.44,Default,,0000,0000,0000,,instruction which resides in the ARM\Ninstruction set and you can decode the Dialogue: 0,0:09:13.44,0:09:17.38,Default,,0000,0000,0000,,different bits on it, which we did here,\Nwhich you can see here for reference. So Dialogue: 0,0:09:17.38,0:09:22.79,Default,,0000,0000,0000,,if you really want to know what's going\Non, you can take apart those bits and make Dialogue: 0,0:09:22.79,0:09:26.36,Default,,0000,0000,0000,,sure you're actually working with the\Nhardware that you expect to be working Dialogue: 0,0:09:26.36,0:09:32.35,Default,,0000,0000,0000,,with. 
So here's where we come to the\Nmemory part of the hardware and this is Dialogue: 0,0:09:32.35,0:09:39.32,Default,,0000,0000,0000,,where I leave you over to Ali.\NAli: Thanks. Now that Tobias like unboxed Dialogue: 0,0:09:39.32,0:09:45.89,Default,,0000,0000,0000,,the PLC for us now I'm going to talk about\Nquirks and features in the PLC. So as Dialogue: 0,0:09:45.89,0:09:53.28,Default,,0000,0000,0000,,mentioned before, it's Cortex-R4 revision\N3. It's a big endian instruction set and Dialogue: 0,0:09:53.28,0:10:00.63,Default,,0000,0000,0000,,it's also only have MPU. So there is no\Nvisual memory basically, there are Dialogue: 0,0:10:00.63,0:10:04.79,Default,,0000,0000,0000,,multiple ram sizes depending on which year\Nyou bought it or which variant of the S7 Dialogue: 0,0:10:04.79,0:10:10.99,Default,,0000,0000,0000,,1200 you buy and also multiple SPI flash\Nand multiple different types of NAND Dialogue: 0,0:10:10.99,0:10:15.42,Default,,0000,0000,0000,,flashes. The most significant one\Ndifference is like in the RAM, which Dialogue: 0,0:10:15.42,0:10:20.20,Default,,0000,0000,0000,,sometimes they use Wingbond and sometimes\Nthey use Micron Technologies, recently Dialogue: 0,0:10:20.20,0:10:30.82,Default,,0000,0000,0000,,Micron Technologies RAM. It is LPDDR1 RAM.\NWe expect the SPI Flash for bootloader. So Dialogue: 0,0:10:30.82,0:10:37.24,Default,,0000,0000,0000,,again, depending on the variance between\None to four megabytes SPI flash, it Dialogue: 0,0:10:37.24,0:10:43.84,Default,,0000,0000,0000,,contains different banks of each sized 512\Nkbytes. And basically what the bootloader Dialogue: 0,0:10:43.84,0:10:48.80,Default,,0000,0000,0000,,does is that's beside the typical actions\Nof the bootloader, which is like Dialogue: 0,0:10:48.80,0:10:54.34,Default,,0000,0000,0000,,configuring your hardware is like\Nverifying the integrity of the firmware Dialogue: 0,0:10:54.34,0:11:01.84,Default,,0000,0000,0000,,before it being loaded. 
So we actually\Nneed some X-ray tomography of the PLC. So Dialogue: 0,0:11:01.84,0:11:08.65,Default,,0000,0000,0000,,it's basically 3D. So the PCB is basically\Nrotating here because we wanted to also do Dialogue: 0,0:11:08.65,0:11:13.68,Default,,0000,0000,0000,,some hardware reverse engineering part.\NAnd somebody in university had something, Dialogue: 0,0:11:13.68,0:11:20.41,Default,,0000,0000,0000,,so we didn't have to go to our dentist for\NX-ray. So here is like a quick 15 minutes Dialogue: 0,0:11:20.41,0:11:26.40,Default,,0000,0000,0000,,X-ray, which is not that good. But once\Nyou go in deep, eventually what you will Dialogue: 0,0:11:26.40,0:11:30.96,Default,,0000,0000,0000,,have is like this and you can actually\Njust it's like a software animation. You Dialogue: 0,0:11:30.96,0:11:36.32,Default,,0000,0000,0000,,can go inside PCB and see all the layers.\NIt's like amazing. So it's up for PCB Dialogue: 0,0:11:36.32,0:11:42.48,Default,,0000,0000,0000,,layer. And so besides, VCC and GND, you\Nneed two layers of PCB connection Dialogue: 0,0:11:42.48,0:11:50.00,Default,,0000,0000,0000,,basically. So let's look at the start up\Nprocess. Again. Start up as usual. Some Dialogue: 0,0:11:50.00,0:11:53.84,Default,,0000,0000,0000,,hardware configuration happens. So\Nvectoring trap controller, for example, Dialogue: 0,0:11:55.12,0:12:01.60,Default,,0000,0000,0000,,like lots of this handlers for different\Nmodes in ARM and then CRC check some of Dialogue: 0,0:12:01.60,0:12:06.24,Default,,0000,0000,0000,,the bootloader itself, which is easily\Nbypassed over because you can just Dialogue: 0,0:12:06.24,0:12:11.52,Default,,0000,0000,0000,,overwrite the CRC. Then the bootloader,\Nespecially in the 2017, 2018 variant of Dialogue: 0,0:12:11.52,0:12:18.96,Default,,0000,0000,0000,,the Siemens PLC, allows you to overwrite\Nthe SPI flash. 
And also eventually we Dialogue: 0,0:12:18.96,0:12:25.12,Default,,0000,0000,0000,,check the CRC checksum of the firmware\Nbefore basically loading it. The size of Dialogue: 0,0:12:25.12,0:12:28.96,Default,,0000,0000,0000,,the bootloader itself is like 128 kbyte,\Nit is really even less than that because Dialogue: 0,0:12:28.96,0:12:35.09,Default,,0000,0000,0000,,half of it is just like 0xff. Siemens\Nmultiple times changed, they had different Dialogue: 0,0:12:35.09,0:12:39.37,Default,,0000,0000,0000,,version. I think in two years we saw three\Nvariants or four variants of the Dialogue: 0,0:12:39.37,0:12:44.72,Default,,0000,0000,0000,,bootloader. So it was evolving. It was not\Nsomething that's everybody forgotten about Dialogue: 0,0:12:44.72,0:12:51.99,Default,,0000,0000,0000,,it. So generally as mentioned, so you have\Npart this first stage of hardware Dialogue: 0,0:12:51.99,0:12:59.76,Default,,0000,0000,0000,,initialization and then basically bringing\Nthe bootloader to the RAM and basically Dialogue: 0,0:12:59.76,0:13:03.84,Default,,0000,0000,0000,,checking the bootloader CRC checksum. So\Nmake sure that it's not manipulated, which Dialogue: 0,0:13:03.84,0:13:08.40,Default,,0000,0000,0000,,again is it can be bypassed. And then a\Nsecond stage of the hardware Dialogue: 0,0:13:08.40,0:13:12.83,Default,,0000,0000,0000,,initialization happens. And then at this\Nmoment, it waits for a specific command Dialogue: 0,0:13:12.83,0:13:16.63,Default,,0000,0000,0000,,for half a second. And if it receives this\Ncommand it goes to another mode, which Dialogue: 0,0:13:16.63,0:13:22.10,Default,,0000,0000,0000,,we'll discuss later. Otherwise, it\Nbasically prepares some CRC checksum table Dialogue: 0,0:13:22.10,0:13:25.73,Default,,0000,0000,0000,,for the firmware and then it tries to\Nload the firmware and then eventually Dialogue: 0,0:13:25.73,0:13:30.79,Default,,0000,0000,0000,,just removes the memory barrier the stage\N1 instruction those who knows about ARM. 
Dialogue: 0,0:13:30.79,0:13:34.85,Default,,0000,0000,0000,,And basically map the firmware \Nto the memory. Dialogue: 0,0:13:34.85,0:13:38.62,Default,,0000,0000,0000,,So the name of the operating system, it Dialogue: 0,0:13:38.62,0:13:44.24,Default,,0000,0000,0000,,was not mentioned before, it's ADONIS. We\Nknow it from different from different Dialogue: 0,0:13:44.24,0:13:49.100,Default,,0000,0000,0000,,ways, actually. So first in the\Nreferences, in the firmware, we see lots Dialogue: 0,0:13:49.100,0:13:54.55,Default,,0000,0000,0000,,of references to ADONIS, but that was not\Nenough for us. So if we actually looked Dialogue: 0,0:13:54.55,0:13:59.20,Default,,0000,0000,0000,,around to see if like there is any\Nreference to it, and well linkedin is one Dialogue: 0,0:13:59.20,0:14:04.92,Default,,0000,0000,0000,,good open source like reference. And he\Nwas like one employee actually talk about Dialogue: 0,0:14:04.92,0:14:09.84,Default,,0000,0000,0000,,Siemens developer who talk about like\Nworking in ADONIS. I don't know why he put Dialogue: 0,0:14:09.84,0:14:15.36,Default,,0000,0000,0000,,the Windows and Linux beside ADONIS, but I\Ncan say is that like you work on this. And Dialogue: 0,0:14:15.36,0:14:20.56,Default,,0000,0000,0000,,so it was not enough for us. So maybe some\Nsome of us we don't know. And we look Dialogue: 0,0:14:20.56,0:14:25.44,Default,,0000,0000,0000,,again further and further and we find this\Nthing which was the best indicator. So Dialogue: 0,0:14:25.44,0:14:30.24,Default,,0000,0000,0000,,Siemens developer engineer mentioned that\Nhe worked on kernel software Dialogue: 0,0:14:30.24,0:14:34.48,Default,,0000,0000,0000,,development for ADONIS real time operating\Nsystem, which is a good sign for us. It Dialogue: 0,0:14:34.48,0:14:39.20,Default,,0000,0000,0000,,means that we are right. So now that we\Nknow about the naming and we sure about Dialogue: 0,0:14:39.20,0:14:46.16,Default,,0000,0000,0000,,that. Let's look at the components. 
So\Nit's actually a start in basically Dialogue: 0,0:14:46.16,0:14:53.68,Default,,0000,0000,0000,,0x00040040 and basically then initializing\Nthe kernel and then lots of routines for Dialogue: 0,0:14:53.68,0:14:57.54,Default,,0000,0000,0000,,initializing different components of the\Noperating system. I don't think Siemens Dialogue: 0,0:14:57.54,0:15:02.96,Default,,0000,0000,0000,,actually generalize it in this way. We\Ndon't have such thing in the firmware, Dialogue: 0,0:15:02.96,0:15:07.68,Default,,0000,0000,0000,,but we actually did it like that. So we\Ngeneralize it to two groups. Some of them Dialogue: 0,0:15:07.68,0:15:11.36,Default,,0000,0000,0000,,are core services like ADONIS real time\Noperating system services, and some of Dialogue: 0,0:15:11.36,0:15:15.60,Default,,0000,0000,0000,,them are related to the like automation\Npart. So those people who are like in the Dialogue: 0,0:15:15.60,0:15:22.40,Default,,0000,0000,0000,,automation part, like writing ladder logic\Nand stuff like that, those commands and on Dialogue: 0,0:15:22.40,0:15:26.56,Default,,0000,0000,0000,,function codes which are relevant in\NSiemens, they actually know this are like Dialogue: 0,0:15:26.56,0:15:32.48,Default,,0000,0000,0000,,more automated related services. So you\Nhave PROFINET, AWP or automated web Dialogue: 0,0:15:32.48,0:15:39.92,Default,,0000,0000,0000,,programing MC7 JIT parser basically for\Nthe latter logic or different kind of SD Dialogue: 0,0:15:39.92,0:15:46.40,Default,,0000,0000,0000,,like basically their own JIT compiler\Ninside the PLC. And you also have the OMS Dialogue: 0,0:15:46.40,0:15:51.12,Default,,0000,0000,0000,,this configuration system which is very\Nrelated again to the automation part, core Dialogue: 0,0:15:51.12,0:15:58.64,Default,,0000,0000,0000,,core part of the automation system and of\Ncourse alarm central all your and stuff Dialogue: 0,0:15:58.64,0:16:04.32,Default,,0000,0000,0000,,like that related to automation. 
In the\Noperating system part, so lots of these Dialogue: 0,0:16:04.32,0:16:11.04,Default,,0000,0000,0000,,usual things. So file system. So PDCFS,\Nwhich Tobias talks later about, it. The Dialogue: 0,0:16:11.04,0:16:18.48,Default,,0000,0000,0000,,TCP/IP stack, some C / C++ libraries,\Nwhich is not from Siemens, it's from Dialogue: 0,0:16:18.48,0:16:23.12,Default,,0000,0000,0000,,Dinkumware and MiniWeb Server \Nand MWSL Parser Dialogue: 0,0:16:23.12,0:16:25.47,Default,,0000,0000,0000,,or MiniWeb Scripting Language parser Dialogue: 0,0:16:25.47,0:16:30.16,Default,,0000,0000,0000,,and lots of different subcomponents which\Nis usual in operating system like any Dialogue: 0,0:16:30.16,0:16:36.64,Default,,0000,0000,0000,,operating system you can find. Also, there\Nare some references to CoreSight. I don't Dialogue: 0,0:16:36.64,0:16:40.72,Default,,0000,0000,0000,,know how many of you know of CoreSight or\Nhow much you work on ARM, but the basic Dialogue: 0,0:16:40.72,0:16:46.40,Default,,0000,0000,0000,,CoreSight is something similar to Intel\Nprocess tracing or Intel PT for tracing Dialogue: 0,0:16:46.40,0:16:52.64,Default,,0000,0000,0000,,applications and can be used for getting\Ncode-coverage, for example. And the Dialogue: 0,0:16:52.64,0:16:58.72,Default,,0000,0000,0000,,hardware part is very well documented by\NThomas Weber in this year, is not yet. Dialogue: 0,0:16:58.72,0:17:04.00,Default,,0000,0000,0000,,This year or so. This year, Black Hat\NAsia, but I have to warn you, because I Dialogue: 0,0:17:04.00,0:17:08.56,Default,,0000,0000,0000,,received some emails, some people ask\Nabout that. If you connect to it, the PLC Dialogue: 0,0:17:08.56,0:17:12.88,Default,,0000,0000,0000,,have someone to debugging feature which\Ndetects that it's being debuged via JTAG Dialogue: 0,0:17:13.84,0:17:18.96,Default,,0000,0000,0000,,and overwrite the NAND-Flash with random\Nstuff. 
So you brick the PLC, so just Dialogue: 0,0:17:18.96,0:17:23.84,Default,,0000,0000,0000,,connected it at your own risk.\NNext is let's look Dialogue: 0,0:17:23.84,0:17:27.53,Default,,0000,0000,0000,,at the CoreSight just quickly,\NCoreSight basically have like Dialogue: 0,0:17:28.18,0:17:30.88,Default,,0000,0000,0000,,before I go here,\NI have to mention that Ralf Philipp Dialogue: 0,0:17:30.88,0:17:37.60,Default,,0000,0000,0000,,also have a good talk in 0 nights about\NCoreSight tracing. So I would recommend Dialogue: 0,0:17:37.60,0:17:41.92,Default,,0000,0000,0000,,you guys go look at that as well.\NGenerally, CoreSight have like 3 Dialogue: 0,0:17:41.92,0:17:46.80,Default,,0000,0000,0000,,major parts or components: sources, links\Nand sinks and sinks is basically the part Dialogue: 0,0:17:46.80,0:17:51.28,Default,,0000,0000,0000,,which you actually get the trace\Ninformation and sources are the part which Dialogue: 0,0:17:51.28,0:17:56.63,Default,,0000,0000,0000,,you tell is a featuring the CPU, which you\Nask what kind of sources you want to get Dialogue: 0,0:17:56.63,0:18:03.20,Default,,0000,0000,0000,,the data from and then links basically\Nconvert these sources. I have to mention Dialogue: 0,0:18:03.20,0:18:08.23,Default,,0000,0000,0000,,that like lots, it's very useful for\NFuzzing as well too. I guess some people, Dialogue: 0,0:18:08.23,0:18:12.56,Default,,0000,0000,0000,,very few, but some people are working on\Nthat things. On coverage guided fuzzing Dialogue: 0,0:18:12.56,0:18:16.48,Default,,0000,0000,0000,,via CoreSight, ARM CoreSight. So it's\Npossible similar implementation is Dialogue: 0,0:18:16.48,0:18:25.68,Default,,0000,0000,0000,,happened in Intel PT for example KAFL,\NWinAFL or Hongfuzz. So sources, basically Dialogue: 0,0:18:25.68,0:18:30.64,Default,,0000,0000,0000,,they have like three different components\NSTM, PTM, ETM. ETM version 4 is the latest Dialogue: 0,0:18:30.64,0:18:37.60,Default,,0000,0000,0000,,version of it. 
And basically you have also\Nlinks which connects different sources to Dialogue: 0,0:18:37.60,0:18:45.44,Default,,0000,0000,0000,,different like different or single sources\Nto different or single basically sinks. Dialogue: 0,0:18:46.08,0:18:52.20,Default,,0000,0000,0000,,And then you have funnels for CoreSight,\Nsorry sinks, sorry. You have sinks, which Dialogue: 0,0:18:52.20,0:18:56.14,Default,,0000,0000,0000,,is basically a different kind. So there\Nare some integrity to the CPU which is 4 Dialogue: 0,0:18:56.14,0:19:02.56,Default,,0000,0000,0000,,kilobytes ring buffer SRAM or you have\Nlike system memory or even TPIU or just Dialogue: 0,0:19:02.56,0:19:09.42,Default,,0000,0000,0000,,for example JTAG DP Port High Speed JTAG\Nport. So now that cleared sink, Dialogue: 0,0:19:09.42,0:19:14.80,Default,,0000,0000,0000,,like the CoreSight, we actually queried S7\Nfor existence of CoreSight and as you can Dialogue: 0,0:19:14.80,0:19:21.23,Default,,0000,0000,0000,,see, like in the software part is already\Nimplemented. So they actually have some Dialogue: 0,0:19:21.23,0:19:26.96,Default,,0000,0000,0000,,references in their software that they are\Nutilizing or configuring the CoreSight in Dialogue: 0,0:19:26.96,0:19:32.72,Default,,0000,0000,0000,,the PLCs. And basically we can see that\Nthe ETM version is not the latest version Dialogue: 0,0:19:32.72,0:19:39.52,Default,,0000,0000,0000,,it is ETM version 3. 
Now that I've talked\Nto you about CoreSight, Tobi can talk Dialogue: 0,0:19:39.52,0:19:43.20,Default,,0000,0000,0000,,about firmware dumps.\NTobi: So let's get to something that I'm Dialogue: 0,0:19:43.20,0:19:49.48,Default,,0000,0000,0000,,very much more familiar with and feel it's\Neasier for me to handle it is firmware Dialogue: 0,0:19:49.48,0:19:53.44,Default,,0000,0000,0000,,dumps or software in general, but firmware\Ndumps, I think it's close as you can get Dialogue: 0,0:19:53.44,0:19:59.84,Default,,0000,0000,0000,,to what I like when talking to a PLC or\Ntrying to understand a PLC. So in the Dialogue: 0,0:19:59.84,0:20:06.96,Default,,0000,0000,0000,,Siemens case, we have a 13 megabytes\Nbinary and at the beginning it's not as Dialogue: 0,0:20:06.96,0:20:14.80,Default,,0000,0000,0000,,many, but as if you twiddle around with a\Nbit and apply some IDA python functions Dialogue: 0,0:20:14.80,0:20:19.44,Default,,0000,0000,0000,,and stuff like this. You can get to like\N84 000 functions, which is Dialogue: 0,0:20:19.44,0:20:25.92,Default,,0000,0000,0000,,not something you want to really look at\Neverything manually. Also, like 84 000 Dialogue: 0,0:20:25.92,0:20:31.84,Default,,0000,0000,0000,,function firmware image doesn't really get\Nthe sexiest firmware on planet, right? I Dialogue: 0,0:20:31.84,0:20:38.00,Default,,0000,0000,0000,,guess so. But this is what I what I looked\Nat and what we were looking a bit more in Dialogue: 0,0:20:38.00,0:20:43.20,Default,,0000,0000,0000,,the next couple of minutes or so. As you\Ncan see, we have different names up there. Dialogue: 0,0:20:44.00,0:20:48.80,Default,,0000,0000,0000,,We have one name which is called\N_some_get_some_max_size. So this is my Dialogue: 0,0:20:49.52,0:20:53.76,Default,,0000,0000,0000,,internal way of saying I don't really have\Nan idea of what's really going on in this Dialogue: 0,0:20:53.76,0:20:58.40,Default,,0000,0000,0000,,function, but we can also see some more\Nmeaningful functions. 
So we understood Dialogue: 0,0:20:58.40,0:21:03.92,Default,,0000,0000,0000,,some parts a bit more. Some parts of it\Nless, but I gave it a cursory look in most Dialogue: 0,0:21:03.92,0:21:11.36,Default,,0000,0000,0000,,places. So now let's get in to a lot of\Naddress related stuff, so we expected a Dialogue: 0,0:21:11.36,0:21:16.88,Default,,0000,0000,0000,,lot of details, which are very interesting\Nif you start looking at firmware code, and Dialogue: 0,0:21:16.88,0:21:21.12,Default,,0000,0000,0000,,I will explain along the way why that\Nmight be interesting. So first of all, Dialogue: 0,0:21:21.12,0:21:26.32,Default,,0000,0000,0000,,what you have to know is that coretex are\Nfor gives you bank registers. This is Dialogue: 0,0:21:26.32,0:21:32.80,Default,,0000,0000,0000,,basically a feature that's implemented to\Nlower software overhead and allow more Dialogue: 0,0:21:32.80,0:21:40.56,Default,,0000,0000,0000,,seamless modes, which is for the internal\NCPU. And what we get is banks stacks per Dialogue: 0,0:21:41.12,0:21:47.36,Default,,0000,0000,0000,,execution mode. So if we want to know what\Nis kind of going on in the state of the Dialogue: 0,0:21:47.36,0:21:51.20,Default,,0000,0000,0000,,filmware at a given point we may want to\Nlook at the different stacks of the Dialogue: 0,0:21:51.20,0:21:56.88,Default,,0000,0000,0000,,different modes at any given point. And\Nthis is the addresses that we expected for Dialogue: 0,0:21:56.88,0:22:02.64,Default,,0000,0000,0000,,this. And you could use that if you as a\Nstarting point, if you started reverse Dialogue: 0,0:22:02.64,0:22:07.52,Default,,0000,0000,0000,,engineering, things like that. Now, we\Nwill have some address, some tables with Dialogue: 0,0:22:07.52,0:22:16.08,Default,,0000,0000,0000,,addresses. 
And the first one is RAM\Nmappings, which show you what kind of Dialogue: 0,0:22:16.08,0:22:23.12,Default,,0000,0000,0000,,functionality or what you might expect\Nwhen looking at firmware code, which is Dialogue: 0,0:22:23.12,0:22:28.16,Default,,0000,0000,0000,,interfacing with different parts of\Nmemory. So if you initially go and look at Dialogue: 0,0:22:28.16,0:22:33.12,Default,,0000,0000,0000,,some ARM code, you may just see a random\Naccess to some place in memory and you may Dialogue: 0,0:22:33.12,0:22:39.04,Default,,0000,0000,0000,,want to know what it's actually doing. And\Nit looks very uneventful if it's just an Dialogue: 0,0:22:39.04,0:22:45.20,Default,,0000,0000,0000,,address and it gets queued and\Nyou don't really know what's going on. So, Dialogue: 0,0:22:45.20,0:22:49.68,Default,,0000,0000,0000,,for example, if you looked at an address\Nwithin the text section, you would expect Dialogue: 0,0:22:49.68,0:22:55.12,Default,,0000,0000,0000,,there to reside code. If you wanted to see\Nsome global static data, you would want to Dialogue: 0,0:22:55.12,0:22:59.04,Default,,0000,0000,0000,,look at the data or the BSS section. And\Nthen finally, if you wanted to look at Dialogue: 0,0:22:59.04,0:23:04.40,Default,,0000,0000,0000,,heap memory or how channels are set up\Nthere, you would look in the uninitialized Dialogue: 0,0:23:04.40,0:23:09.76,Default,,0000,0000,0000,,section and it goes on like this for\Ndifferent sections. Another very Dialogue: 0,0:23:09.76,0:23:14.48,Default,,0000,0000,0000,,interesting thing to look at, if you tried\Nto reverse engineer firmware images, is Dialogue: 0,0:23:14.48,0:23:20.48,Default,,0000,0000,0000,,that you kind of want to know what the\Nhardware is that a given piece of code Dialogue: 0,0:23:22.00,0:23:29.76,Default,,0000,0000,0000,,is interfacing with.
And in this case we\Ndumped some regions or reverse engineered Dialogue: 0,0:23:29.76,0:23:35.12,Default,,0000,0000,0000,,what some regions are for what is called\Nmemory mapped I/O. And the way ARM is Dialogue: 0,0:23:35.12,0:23:39.36,Default,,0000,0000,0000,,talking to a firmware is basically to\Nqueue a magic value inside the address Dialogue: 0,0:23:39.36,0:23:43.04,Default,,0000,0000,0000,,space and then it gets something back,\Nwhich is not at all what it has been Dialogue: 0,0:23:43.04,0:23:48.56,Default,,0000,0000,0000,,written there before. So it's basically an\Naddress which gets wired through to the Dialogue: 0,0:23:48.56,0:23:53.60,Default,,0000,0000,0000,,periphery the hardware periphery on the\Nsame system on a chip. And here we can see Dialogue: 0,0:23:53.60,0:23:57.36,Default,,0000,0000,0000,,that we have different hardware\Nperipherals residing on it. For example, Dialogue: 0,0:23:58.00,0:24:03.04,Default,,0000,0000,0000,,we can talk to the Siemens PLC via\Ndifferent serial protocols and those Dialogue: 0,0:24:03.04,0:24:08.80,Default,,0000,0000,0000,,protocols might be SPI or I²C. And we have\Non the left side, kind of in the middle Dialogue: 0,0:24:08.80,0:24:15.84,Default,,0000,0000,0000,,top what took part of it, have some region\Npertaining to that. And then if you saw Dialogue: 0,0:24:15.84,0:24:21.92,Default,,0000,0000,0000,,some other code talking to timers, for\Nexample, you would know you are in timer Dialogue: 0,0:24:21.92,0:24:26.29,Default,,0000,0000,0000,,land at the moment or like in the \Nscheduler or whatever it would be. Dialogue: 0,0:24:26.29,0:24:27.52,Default,,0000,0000,0000,,Finally, we have Dialogue: 0,0:24:27.52,0:24:33.68,Default,,0000,0000,0000,,some MPU configurations which are memory\Nprotection unit configurations, as Ali Dialogue: 0,0:24:33.68,0:24:38.88,Default,,0000,0000,0000,,introduced earlier. 
So what we can see is\Nthat Siemens is actually applying some of Dialogue: 0,0:24:38.88,0:24:44.08,Default,,0000,0000,0000,,those configurations to protect parts of\Nmemory. What we can see, for example, is Dialogue: 0,0:24:44.08,0:24:49.36,Default,,0000,0000,0000,,where whenever the XN so the execute never\Nbit is set, code is not to be executed Dialogue: 0,0:24:49.36,0:24:53.84,Default,,0000,0000,0000,,within this address region or we have a\Nread only region. We really don't want to Dialogue: 0,0:24:53.84,0:24:59.28,Default,,0000,0000,0000,,have it overwritten. So it's interesting\Nthat they started playing this in Dialogue: 0,0:24:59.28,0:25:06.24,Default,,0000,0000,0000,,practice. Here we can see what actually\Nhappens when the firmware itself boots up. Dialogue: 0,0:25:06.24,0:25:11.84,Default,,0000,0000,0000,,So it turns out the firmware doesn't\Nreally want to depend too much on what the Dialogue: 0,0:25:11.84,0:25:16.72,Default,,0000,0000,0000,,bootloader did. Probably it's different\Nteams doing different things. And to keep Dialogue: 0,0:25:16.72,0:25:22.37,Default,,0000,0000,0000,,this interface as small as possible, they\Nkind of redo some of the stuff that the Dialogue: 0,0:25:22.37,0:25:27.04,Default,,0000,0000,0000,,bootloader code also does. It sets up the\Nvector table for handling interrupts and Dialogue: 0,0:25:27.04,0:25:31.68,Default,,0000,0000,0000,,similar things like that. Then if we get\Npast this initial stage, we actually want Dialogue: 0,0:25:31.68,0:25:36.96,Default,,0000,0000,0000,,to boot the ADONIS kernel which Ali talked\Nabout before. So first of all, there is an Dialogue: 0,0:25:36.96,0:25:42.16,Default,,0000,0000,0000,,array of function pointers that gets\Ncalled one for like every piece of Dialogue: 0,0:25:42.16,0:25:47.20,Default,,0000,0000,0000,,functionality that we saw on this overview\Nof the different components of ADONIS. 
So Dialogue: 0,0:25:47.20,0:25:51.04,Default,,0000,0000,0000,,if you wanted to look at what kind of\Ncomponents are there or functional Dialogue: 0,0:25:51.04,0:25:55.68,Default,,0000,0000,0000,,components are there. This is a very\Ninteresting list of functions, function Dialogue: 0,0:25:55.68,0:26:01.52,Default,,0000,0000,0000,,handlers to... to examine and it also sets up\Nsome management structures and stuff like Dialogue: 0,0:26:01.52,0:26:07.84,Default,,0000,0000,0000,,this that a typical operating system would\Nhave to set up. So now we look at more of Dialogue: 0,0:26:07.84,0:26:14.48,Default,,0000,0000,0000,,the different components of ADONIS. First\None is the file system, so for PLCs it is part of Dialogue: 0,0:26:14.48,0:26:20.24,Default,,0000,0000,0000,,the specifications. Sometimes it's how\Nresilient is it against temperatures, how Dialogue: 0,0:26:20.24,0:26:26.48,Default,,0000,0000,0000,,low of a temperature can I have this PLC\Nreside in without losing functionality? Dialogue: 0,0:26:26.48,0:26:33.36,Default,,0000,0000,0000,,And in this case, what they also want to\Nprovide is some safety against interrupts Dialogue: 0,0:26:33.36,0:26:38.16,Default,,0000,0000,0000,,in power supply. So they developed a\Nproprietary file system which is called Dialogue: 0,0:26:38.16,0:26:42.64,Default,,0000,0000,0000,,"Powered Down Consistency File System",\Nwhich they implement in the firmware. And Dialogue: 0,0:26:44.08,0:26:56.16,Default,,0000,0000,0000,,we can also see one of the work\Nexperience entries of one of the previous Dialogue: 0,0:26:56.16,0:27:03.36,Default,,0000,0000,0000,,Siemens employees who stated that he or\Nshe worked on this file system. We have Dialogue: 0,0:27:03.36,0:27:07.68,Default,,0000,0000,0000,,another part, a very critical part of\Nthe functionality, of course, we want to Dialogue: 0,0:27:07.68,0:27:14.56,Default,,0000,0000,0000,,talk to the PLC, it wants to talk to us\Nin..
and one of the ways is obviously Dialogue: 0,0:27:14.56,0:27:19.28,Default,,0000,0000,0000,,TCP/IP. And this is to expose the Web\Nserver, for example, and different other Dialogue: 0,0:27:19.28,0:27:26.00,Default,,0000,0000,0000,,components. And in this case, it turns out\Nthat Siemens doesn't implement their own, Dialogue: 0,0:27:26.00,0:27:31.15,Default,,0000,0000,0000,,which probably is a good idea not to do\Nthat. They use the Dialogue: 0,0:27:31.15,0:27:34.94,Default,,0000,0000,0000,,InterNiche Technologies TCP/IP stack\Nin version 3.1. Dialogue: 0,0:27:34.94,0:27:37.76,Default,,0000,0000,0000,,If you are\Ngood at Googling you can find some source Dialogue: 0,0:27:37.76,0:27:41.60,Default,,0000,0000,0000,,code and you can actually map this to the\Nfirmware and how it works. So it could Dialogue: 0,0:27:41.60,0:27:48.88,Default,,0000,0000,0000,,give you some wrapper functions, something\Nlike creating sockets and stuff like this Dialogue: 0,0:27:48.88,0:27:53.57,Default,,0000,0000,0000,,and could make it easier for you to find\Nthose in the firmware image. We also have Dialogue: 0,0:27:53.57,0:28:00.67,Default,,0000,0000,0000,,one of the very critical components of\Neach firmware, which is update. If it allows an Dialogue: 0,0:28:00.67,0:28:06.65,Default,,0000,0000,0000,,update, and the Siemens PLC allows updates,\Nthere are different modes. One of the Dialogue: 0,0:28:06.65,0:28:12.25,Default,,0000,0000,0000,,modes is, you just drag and drop a UPD\Nfile, an update file, to the web server and Dialogue: 0,0:28:12.25,0:28:18.89,Default,,0000,0000,0000,,it will start checking firmware integrity\Nand signatures and so on. And the second Dialogue: 0,0:28:18.89,0:28:24.71,Default,,0000,0000,0000,,way is doing it via an SD card, which has\Na great total of twenty four megabytes and Dialogue: 0,0:28:24.71,0:28:30.81,Default,,0000,0000,0000,,it's for the low price of 250 euros. You\Ncan get it.
I think you cannot really Dialogue: 0,0:28:30.81,0:28:39.26,Default,,0000,0000,0000,,beat that ratio. If you actually\Ndecompress this kind of UPD file, you get Dialogue: 0,0:28:39.26,0:28:43.14,Default,,0000,0000,0000,,another representation of it in memory.\NAnd we did some reverse engineering on Dialogue: 0,0:28:43.14,0:28:47.39,Default,,0000,0000,0000,,that and we have different fields, not sure\Nif you can see them now, but you can Dialogue: 0,0:28:47.39,0:28:53.71,Default,,0000,0000,0000,,expect what it is. It's different offsets\Ninto the actual binary file. It's an Dialogue: 0,0:28:53.71,0:28:57.95,Default,,0000,0000,0000,,entry point into the firmware, a magic header\Nto make sure something is not too screwed Dialogue: 0,0:28:57.95,0:29:03.77,Default,,0000,0000,0000,,up and a CRC over the whole thing, for\Nexample. We also extracted some of the Dialogue: 0,0:29:03.77,0:29:11.70,Default,,0000,0000,0000,,addresses inside the firmware image, which\Nhelps you find a first foothold into what Dialogue: 0,0:29:11.70,0:29:17.72,Default,,0000,0000,0000,,the logic is dealing with and gives you\Nsome addresses for you to refer this to Dialogue: 0,0:29:17.72,0:29:23.38,Default,,0000,0000,0000,,later. The next component that we want to\Ntouch on is Miniweb, which is the web Dialogue: 0,0:29:23.38,0:29:30.04,Default,,0000,0000,0000,,server. It kind of exposes to you the\Ndifferent internal parts of the PLC and Dialogue: 0,0:29:30.04,0:29:35.36,Default,,0000,0000,0000,,what the state of different GPIOs, general\Npurpose input outputs, is. The inputs and Dialogue: 0,0:29:35.36,0:29:41.83,Default,,0000,0000,0000,,the outputs and what the health of the PLC\Nis itself and the way that it exposes this Dialogue: 0,0:29:41.83,0:29:49.61,Default,,0000,0000,0000,,is using the MWSL language, Miniweb\Nscripting language.
It's as we will see Dialogue: 0,0:29:49.61,0:29:55.13,Default,,0000,0000,0000,,over the next slide and we'll\Ntalk to you about that in a little bit Dialogue: 0,0:29:55.13,0:30:01.89,Default,,0000,0000,0000,,more detail. It gets started as a\Nservice as well from one of the function Dialogue: 0,0:30:01.89,0:30:08.58,Default,,0000,0000,0000,,handlers of the ADONIS initialization\Nfunctions that I referred to a little bit Dialogue: 0,0:30:08.58,0:30:13.73,Default,,0000,0000,0000,,before. So now let's get to some\Nundocumented HTTP handlers, which I think Dialogue: 0,0:30:13.73,0:30:18.24,Default,,0000,0000,0000,,are very interesting. I think my favorites\Nare "lilililili" and "lololololo".. Dialogue: 0,0:30:18.24,0:30:20.39,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:30:20.39,0:30:25.18,Default,,0000,0000,0000,,.. and if you should put those together in\Na clever way, maybe somebody is musically Dialogue: 0,0:30:25.18,0:30:33.23,Default,,0000,0000,0000,,gifted and can make a song out of it. I\Nwould be very interested to hear that. So Dialogue: 0,0:30:33.23,0:30:37.58,Default,,0000,0000,0000,,now let's get to the MWSL, the Miniweb\Nscripting language. So it basically Dialogue: 0,0:30:37.58,0:30:42.68,Default,,0000,0000,0000,,exposes the internal functionality by\Nallowing you to inject into an HTML page Dialogue: 0,0:30:42.68,0:30:47.34,Default,,0000,0000,0000,,by templating different configuration\Nparameters and stuff like this. For Dialogue: 0,0:30:47.34,0:30:53.92,Default,,0000,0000,0000,,example, as we can see here on the top\Nright corner, you can see the CPU load of Dialogue: 0,0:30:53.92,0:30:59.41,Default,,0000,0000,0000,,the system at a given time. It doesn't\Nreally seem to perform any output Dialogue: 0,0:30:59.41,0:31:05.70,Default,,0000,0000,0000,,encoding, so it's kind of trusting what\Ncomes out. So there may be clever ways Dialogue: 0,0:31:05.70,0:31:12.90,Default,,0000,0000,0000,,to...
to do some web related trickery with\Nthis and also the parsing of this Dialogue: 0,0:31:12.90,0:31:19.43,Default,,0000,0000,0000,,tokenization is kind of complex. I looked\Ninto it a bit and this implementation Dialogue: 0,0:31:19.43,0:31:24.75,Default,,0000,0000,0000,,could also be interesting to look at, but\Nwe will get to those kinds of Dialogue: 0,0:31:24.75,0:31:30.41,Default,,0000,0000,0000,,aspects a bit later. With this, we're\Ngoing to get to our actual findings and Dialogue: 0,0:31:30.41,0:31:33.93,Default,,0000,0000,0000,,talk about those a bit more. And this is\Nwhere Ali will take over. Dialogue: 0,0:31:34.60,0:31:43.12,Default,,0000,0000,0000,,Ali: Thanks, Tobi. So. So now we talk\Nabout the capabilities which exist in the Dialogue: 0,0:31:43.12,0:31:48.96,Default,,0000,0000,0000,,bootloader, which allow us to have\Nunconstrained code execution. So basically Dialogue: 0,0:31:48.96,0:31:54.64,Default,,0000,0000,0000,,this feature is available in the UART. So\Nyou need physical access to the device. Dialogue: 0,0:31:55.60,0:32:00.88,Default,,0000,0000,0000,,But once you have this physical access,\Nyou can basically, as Tobias later Dialogue: 0,0:32:00.88,0:32:05.12,Default,,0000,0000,0000,,describes, we can actually bypass the\Nsecurity ecosystem which was developed by Dialogue: 0,0:32:05.12,0:32:11.21,Default,,0000,0000,0000,,Siemens in their product. So you need UART\Naccess. As it's documented here, you have Dialogue: 0,0:32:11.21,0:32:20.24,Default,,0000,0000,0000,,TX, RX and GND in the PLC and the UART\Nactually in previous research was Dialogue: 0,0:32:20.24,0:32:25.84,Default,,0000,0000,0000,,documented as well. Every address which I\Nam talking about here or mentioned in this Dialogue: 0,0:32:25.84,0:32:31.44,Default,,0000,0000,0000,,presentation is for bootloader version\N4.2.1. As I mentioned earlier, Siemens Dialogue: 0,0:32:31.44,0:32:38.24,Default,,0000,0000,0000,,actively modified the bootloader.
So I\Nthink in two years we saw like 2, 3 Dialogue: 0,0:32:38.24,0:32:44.64,Default,,0000,0000,0000,,modifications or different versions of\Ntheir bootloader coming up. So this Dialogue: 0,0:32:44.64,0:32:50.16,Default,,0000,0000,0000,,exactly is based on that's half a second\Nwaiting for a specific command after a Dialogue: 0,0:32:50.16,0:32:56.32,Default,,0000,0000,0000,,second hardware configuration happens. It\Napplies to Siemens S7-1200 including Dialogue: 0,0:32:56.32,0:33:02.80,Default,,0000,0000,0000,,SiPLUS and S7-200 SMART. Actually,\Nsomebody from Kaspersky ICS security Dialogue: 0,0:33:02.80,0:33:08.00,Default,,0000,0000,0000,,mentioned it. We didn't even know about\Nit. We just investigated an S7-1200. But Dialogue: 0,0:33:08.00,0:33:14.40,Default,,0000,0000,0000,,Siemens later updated that advisory that\Nit also applies to other products as well. So Dialogue: 0,0:33:14.40,0:33:19.39,Default,,0000,0000,0000,,let's talk about this special access\Nfeature. So as you mentioned, one of the Dialogue: 0,0:33:19.39,0:33:22.82,Default,,0000,0000,0000,,things the bootloader does is actually\Ninitialize the hardware. After this Dialogue: 0,0:33:22.82,0:33:27.36,Default,,0000,0000,0000,,hardware, it basically copies some of the\Ncontents of the bootloader itself to a Dialogue: 0,0:33:27.36,0:33:36.00,Default,,0000,0000,0000,,memory segment called IRAM, basically. And\Nthen the PLC basically waits half a second for Dialogue: 0,0:33:36.00,0:33:39.68,Default,,0000,0000,0000,,a specific command. And once it has\Nreceived this specific command it Dialogue: 0,0:33:39.68,0:33:44.16,Default,,0000,0000,0000,,responds with a specific string and it's\Nall happening over the UART. So if Dialogue: 0,0:33:44.16,0:33:50.35,Default,,0000,0000,0000,,you send a magic string, MFGT1, sorry for\Nmy broken German, but probably it means Dialogue: 0,0:33:50.35,0:33:57.94,Default,,0000,0000,0000,,"Mit freundlichen Grüßen", I hope I did it\Nright.
And then the PLC responds with Dialogue: 0,0:33:57.94,0:34:02.08,Default,,0000,0000,0000,,"-CPU" and says that now you are in this\Nspecial access mode. I am waiting for your Dialogue: 0,0:34:02.08,0:34:10.88,Default,,0000,0000,0000,,commands. And this address is also, I\Nbelieve, 0xedf8 in the bootloader. So here Dialogue: 0,0:34:10.88,0:34:16.48,Default,,0000,0000,0000,,is a decoding of our client, which we\Nwill release later next year, actually, Dialogue: 0,0:34:16.48,0:34:25.12,Default,,0000,0000,0000,,where you see that's 2d435055, which is\Nthe "-CPU" response from the PLC. So now Dialogue: 0,0:34:25.12,0:34:30.56,Default,,0000,0000,0000,,we are in it. And we also added some\Nextra saying about your packet format. Dialogue: 0,0:34:30.56,0:34:36.88,Default,,0000,0000,0000,,Somebody asked before. So once you send\Nthis command, you get lots of Dialogue: 0,0:34:37.60,0:34:43.36,Default,,0000,0000,0000,,functionalities here in this presentation.\NWe call them handlers and basically they Dialogue: 0,0:34:43.36,0:34:49.84,Default,,0000,0000,0000,,are something we call primary handlers.\NIt's like 128 entries and there are some Dialogue: 0,0:34:49.84,0:34:57.60,Default,,0000,0000,0000,,three other separated handlers which are\Nlike 0x80, UART configuration and bye. So Dialogue: 0,0:34:57.60,0:35:01.68,Default,,0000,0000,0000,,in the primary handler list, there are\Nlots of things. So if you go back to the 2 Dialogue: 0,0:35:01.68,0:35:10.88,Default,,0000,0000,0000,,previous slides, I got the firmware\Nversion here, 4.2.3. And Dialogue: 0,0:35:10.88,0:35:14.89,Default,,0000,0000,0000,,basically what is happening is that\Nbasically it's this command here, get Dialogue: 0,0:35:14.89,0:35:19.72,Default,,0000,0000,0000,,bootloader version. We are just requesting\Nthe special access feature to tell us Dialogue: 0,0:35:19.72,0:35:24.78,Default,,0000,0000,0000,,what the bootloader version is.
And also you\Ncan do lots of low level diagnostic Dialogue: 0,0:35:24.78,0:35:28.93,Default,,0000,0000,0000,,functionality that is happening there. Also\Nsome functionalities related to firmware Dialogue: 0,0:35:28.93,0:35:34.52,Default,,0000,0000,0000,,update are happening there which bypass the\Nusual cryptographic verification of the Dialogue: 0,0:35:34.52,0:35:42.54,Default,,0000,0000,0000,,firmware and don't need that. So let's\Nlook at them, because for this work, which Dialogue: 0,0:35:42.54,0:35:46.63,Default,,0000,0000,0000,,we are talking about, we actually\Nprimarily only use two of the handlers. So Dialogue: 0,0:35:46.63,0:35:51.52,Default,,0000,0000,0000,,we don't use.. we don't look at like or we\Ndon't discuss now all the other hundred Dialogue: 0,0:35:51.52,0:35:58.28,Default,,0000,0000,0000,,twenty-eight handlers which exist in the\NPLC. So it works. One of the handlers, the Dialogue: 0,0:35:58.28,0:36:05.91,Default,,0000,0000,0000,,interesting one for us was handler 0x80\Nwhich is mentioned here, update function. So Dialogue: 0,0:36:05.91,0:36:11.07,Default,,0000,0000,0000,,basically what it does is that it\Nallows you to write to a specific part of a Dialogue: 0,0:36:11.07,0:36:17.26,Default,,0000,0000,0000,,memory, IRAM, which previously copied some\Ncontent of the bootloader. So basically Dialogue: 0,0:36:17.26,0:36:21.73,Default,,0000,0000,0000,,you send this handler after this\Nhandshake, you have to do this MFGT1 and Dialogue: 0,0:36:21.73,0:36:25.79,Default,,0000,0000,0000,,then -CPU. And then basically you are\Ngoing to send this handler and then it Dialogue: 0,0:36:25.79,0:36:29.71,Default,,0000,0000,0000,,basically checks, because each handler\Nmight have different requirements, the Dialogue: 0,0:36:29.71,0:36:34.23,Default,,0000,0000,0000,,number of arguments, for example, and then\Nyou are in this update function mode.
And Dialogue: 0,0:36:34.23,0:36:38.84,Default,,0000,0000,0000,,then you have to provide a target ID because\Nthere are 4 subfunctionalities available Dialogue: 0,0:36:38.84,0:36:45.35,Default,,0000,0000,0000,,once you enter this mode and some of them\Nare like for IRAM, for SPI or IOC or for Dialogue: 0,0:36:45.35,0:36:51.55,Default,,0000,0000,0000,,Flash, and then for each of them, you have\Nto choose what kind of operation you want Dialogue: 0,0:36:51.55,0:36:58.03,Default,,0000,0000,0000,,to do: you want to configure, read, write\Nor check. And so you can do all of these Dialogue: 0,0:36:58.03,0:37:02.88,Default,,0000,0000,0000,,things so you can read and write to the\NIRAM. Basically, this is the function Dialogue: 0,0:37:02.88,0:37:09.74,Default,,0000,0000,0000,,handler at 0x80. Next is a primary handler\Nlike 0x1c. This is listed in this handler Dialogue: 0,0:37:09.74,0:37:19.87,Default,,0000,0000,0000,,list, here. So, so basically it allows you\Nto call functions. So basically these Dialogue: 0,0:37:19.87,0:37:24.00,Default,,0000,0000,0000,,functions are listed in the IRAM. And\Nbasically what you do is that you send Dialogue: 0,0:37:24.00,0:37:29.40,Default,,0000,0000,0000,,this handshake, and you are in\Nthis. Basically, this is what the 0x1c handler Dialogue: 0,0:37:29.40,0:37:34.52,Default,,0000,0000,0000,,is and then you can call the ID number of the\Nhandlers which you want to use. So here Dialogue: 0,0:37:34.52,0:37:41.92,Default,,0000,0000,0000,,you have like lots of handlers available\Nfor 0x1c. So the question is, what can we Dialogue: 0,0:37:41.92,0:37:50.84,Default,,0000,0000,0000,,do with it. And before I ask Tobias I\Nwant to ask anybody here, any idea? Trace, Dialogue: 0,0:37:50.84,0:37:53.94,Default,,0000,0000,0000,,somebody said trace. I don't know what\Nthat means, but Dialogue: 0,0:37:53.94,0:37:57.88,Default,,0000,0000,0000,,{\i1}mumbling in the audience{\i0} Dialogue: 0,0:37:57.88,0:38:04.16,Default,,0000,0000,0000,,OK. You mean with JTAG?
with the\NCoreSight? No, we are not going to use Dialogue: 0,0:38:04.16,0:38:07.16,Default,,0000,0000,0000,,that. So let's ask Tobias what he can\Ndo. Dialogue: 0,0:38:07.16,0:38:11.44,Default,,0000,0000,0000,,Tobias: Yeah. So looking at it dynamically\Nand seeing what it does with the memory Dialogue: 0,0:38:11.44,0:38:15.23,Default,,0000,0000,0000,,is, I guess, a good idea in general. If\Nyou if like static reverse engineering Dialogue: 0,0:38:15.23,0:38:20.72,Default,,0000,0000,0000,,doesn't give you anything. In this case,\Nwe looked through different or I looked Dialogue: 0,0:38:20.72,0:38:26.58,Default,,0000,0000,0000,,through different of those functions and\Ntried to see, what can I do with it? So Dialogue: 0,0:38:26.58,0:38:32.08,Default,,0000,0000,0000,,the base of where I started looking for\Nthis special access feature was basically Dialogue: 0,0:38:32.08,0:38:37.48,Default,,0000,0000,0000,,that I saw there is too much in this code\Ngoing on. I kind of feel like I understood Dialogue: 0,0:38:37.48,0:38:42.42,Default,,0000,0000,0000,,what it should be doing. The bootloader\Nwhat it should be doing, but it seemed Dialogue: 0,0:38:42.42,0:38:50.17,Default,,0000,0000,0000,,just to be too much. And the way we can\Ncombine those two functions is basically Dialogue: 0,0:38:50.17,0:39:01.67,Default,,0000,0000,0000,,to recap. Use this 0x1c handler, which\Ngives us control over what kind of Dialogue: 0,0:39:01.67,0:39:07.56,Default,,0000,0000,0000,,secondary list functions to be called,\Nwhich, as we saw before, is copied during Dialogue: 0,0:39:07.56,0:39:13.72,Default,,0000,0000,0000,,the the boot up process to a position in\NIRAM from external read-only memory. And Dialogue: 0,0:39:13.72,0:39:19.86,Default,,0000,0000,0000,,this exposes this function handler table\Nto anything that can write to IRAM. 
And as Dialogue: 0,0:39:19.86,0:39:25.95,Default,,0000,0000,0000,,we learned before, the 0x80 handler is\Nable to in a limited capacity, do just Dialogue: 0,0:39:25.95,0:39:32.13,Default,,0000,0000,0000,,that. And here we can see what we can try\Nto do with this. So we use in a first Dialogue: 0,0:39:32.13,0:39:38.53,Default,,0000,0000,0000,,stage the 0x80 handler to write to IRAM.\NWe can actually inject another function Dialogue: 0,0:39:38.53,0:39:43.92,Default,,0000,0000,0000,,pointer together with some configuration\Nvalues that allows us to pass different Dialogue: 0,0:39:43.92,0:39:49.58,Default,,0000,0000,0000,,checks about argument sizes and stuff like\Nthis. We can inject this as an entry into Dialogue: 0,0:39:49.58,0:39:56.29,Default,,0000,0000,0000,,this table and we can also write to this\Ntable a payload which we can use as a Dialogue: 0,0:39:56.29,0:40:02.76,Default,,0000,0000,0000,,shell code. And then in a second stage we\Ncan use this previously injected index Dialogue: 0,0:40:02.76,0:40:11.97,Default,,0000,0000,0000,,that we specified just as a trigger to\Ncall our own payload. So now we have code Dialogue: 0,0:40:11.97,0:40:17.16,Default,,0000,0000,0000,,execution in the context of the\Nbootloader. So which is as privileged as Dialogue: 0,0:40:17.16,0:40:24.21,Default,,0000,0000,0000,,we can get at that point and we can see\Nwhat we can play around with this. And as Dialogue: 0,0:40:24.21,0:40:29.56,Default,,0000,0000,0000,,a little summary is that we chain all this\Ntogether and we get code execution. And Dialogue: 0,0:40:29.56,0:40:35.62,Default,,0000,0000,0000,,with Ali's words, with this technology,\Nwe're going to rocket the PLC. And before Dialogue: 0,0:40:35.62,0:40:40.90,Default,,0000,0000,0000,,we go into what this actually allows us to\Ndo is a little word about the stager Dialogue: 0,0:40:40.90,0:40:47.00,Default,,0000,0000,0000,,payload. 
So I wrote this chain of\Ndifferent invocations and it turns out Dialogue: 0,0:40:47.00,0:40:52.33,Default,,0000,0000,0000,,that this write to IRAM is somehow very\Nslow in the first place, but then also Dialogue: 0,0:40:52.33,0:40:56.74,Default,,0000,0000,0000,,error prone so the device can just error\Nout and I'm not quite sure what this Dialogue: 0,0:40:56.74,0:41:03.50,Default,,0000,0000,0000,,pertains to, but that may be interesting\Nto know from the Siemens engineers, but it Dialogue: 0,0:41:03.50,0:41:08.67,Default,,0000,0000,0000,,basically led to me having to inject a\Nlittle encoded payload, which just has a Dialogue: 0,0:41:08.67,0:41:16.34,Default,,0000,0000,0000,,subset of bytes which gives us an\Ninterface to perform Dialogue: 0,0:41:16.34,0:41:20.12,Default,,0000,0000,0000,,reads and writes with an arbitrary\Nwrite primitive and then use this to Dialogue: 0,0:41:20.12,0:41:25.00,Default,,0000,0000,0000,,inject second stage payloads. And this is\Nwhat we want to demonstrate here. Dialogue: 0,0:41:26.74,0:41:32.80,Default,,0000,0000,0000,,Ali: Thanks. So now we would have our demo,\N4 demos, actually. So the first one is Dialogue: 0,0:41:32.80,0:41:37.16,Default,,0000,0000,0000,,actually just seeing a communication,\Nbasically sending these requests and Dialogue: 0,0:41:37.16,0:41:42.26,Default,,0000,0000,0000,,getting a response and basically sending\Nthis data payload. So the top is the raw Dialogue: 0,0:41:42.26,0:41:48.49,Default,,0000,0000,0000,,UART communication. Don't worry, it's\Ngetting zoomed later and the bottom is like Dialogue: 0,0:41:48.49,0:41:55.57,Default,,0000,0000,0000,,our client, which is actually talking with\Nthe PLC and sending our commands. So we are Dialogue: 0,0:41:55.57,0:42:01.13,Default,,0000,0000,0000,,just running our UART. And here we are\Nsending our command. And if you look at it Dialogue: 0,0:42:01.13,0:42:07.05,Default,,0000,0000,0000,,up top, you see the -CPU signal came from\Nthe PLC.
And now we are sending our stager Dialogue: 0,0:42:07.05,0:42:11.63,Default,,0000,0000,0000,,and our stager just sends us just one\Nacknowledgement so we know that the stager Dialogue: 0,0:42:11.63,0:42:16.01,Default,,0000,0000,0000,,runs successfully. This is for firmware\Nversion bootloader version 4.2.1, Dialogue: 0,0:42:16.01,0:42:19.65,Default,,0000,0000,0000,,basically. So now we are going to do\Nsomething else we are going to actually Dialogue: 0,0:42:19.65,0:42:24.23,Default,,0000,0000,0000,,dump the firmware from a running PLC and\Ncompare it with the firmware downloaded Dialogue: 0,0:42:24.23,0:42:30.91,Default,,0000,0000,0000,,from Siemens' website. So for us, we are\Ngoing to actually unpack the firmware Dialogue: 0,0:42:30.91,0:42:35.52,Default,,0000,0000,0000,,downloaded from Siemens website because\Nit's a compressed with lzp3. So Dialogue: 0,0:42:38.08,0:42:43.36,Default,,0000,0000,0000,,that's what we are going to do. Oh, we are\Nactually setting up our SSL connection Dialogue: 0,0:42:43.36,0:42:50.32,Default,,0000,0000,0000,,first. So SSL port forwarding, ssh port\Nforwarding before and we are just checking Dialogue: 0,0:42:50.32,0:42:56.95,Default,,0000,0000,0000,,that the PLC is running properly. So like\Nthis is not a broken PLC or something like Dialogue: 0,0:42:56.95,0:43:02.11,Default,,0000,0000,0000,,that. We wrote something. So we just make\Nsure that the web server is opening the Dialogue: 0,0:43:02.76,0:43:12.64,Default,,0000,0000,0000,,open the server, it's open, it's good. And\NI also try to log in to the website, to Dialogue: 0,0:43:12.64,0:43:16.72,Default,,0000,0000,0000,,the Web server of the PLC. Just again,\Nmake sure that the PLC is functional. So Dialogue: 0,0:43:16.72,0:43:23.92,Default,,0000,0000,0000,,also enter the password. I guess everybody\Ncan guess it. 
And then so you see that we Dialogue: 0,0:43:23.92,0:43:28.72,Default,,0000,0000,0000,,log in eventually and on the left side you\Nsee all the like functionalities which Dialogue: 0,0:43:28.72,0:43:34.32,Default,,0000,0000,0000,,load related to the PLC. So it's a\Nworking, running, functional PLC. And so Dialogue: 0,0:43:34.32,0:43:39.68,Default,,0000,0000,0000,,now we're going to decompress the\Nfirmware downloaded from Siemens' website Dialogue: 0,0:43:39.68,0:43:43.96,Default,,0000,0000,0000,,after checking for export license and\Nstuff. So they want to make sure that Dialogue: 0,0:43:43.96,0:43:51.66,Default,,0000,0000,0000,,people from Iran and North Korea don't get\Nit. I'm from Iran, by the way. So here we Dialogue: 0,0:43:51.66,0:43:55.48,Default,,0000,0000,0000,,have the unpacked firmware. But because\Nthe firmware is very large, as Tobias Dialogue: 0,0:43:55.48,0:43:59.42,Default,,0000,0000,0000,,mentioned earlier, what we are going\Nto do is that we are just going to export Dialogue: 0,0:43:59.42,0:44:05.05,Default,,0000,0000,0000,,256 kilobytes of the firmware from some\Npart of the web server and into IDA. So Dialogue: 0,0:44:05.05,0:44:10.36,Default,,0000,0000,0000,,you have to set the big endianness for the\NCPU. And also rebase the firmware. So as Dialogue: 0,0:44:10.36,0:44:15.35,Default,,0000,0000,0000,,you can see, here is no function yet, but\Nonce we rebase it we have all the functions Dialogue: 0,0:44:15.35,0:44:24.54,Default,,0000,0000,0000,,as well and yeah, so then we gotta just go\Nand export 256 kilobytes from the Dialogue: 0,0:44:24.54,0:44:29.41,Default,,0000,0000,0000,,firmware so we specifically slow down the\NUART because we want to make sure that we Dialogue: 0,0:44:29.41,0:44:33.29,Default,,0000,0000,0000,,don't do it too fast and overflow the\Nbuffer which we have internally in the Dialogue: 0,0:44:33.29,0:44:41.90,Default,,0000,0000,0000,,PLC. So.
So here, for example, in this\Naddress, 691e28 we are going to export 256 Dialogue: 0,0:44:41.90,0:44:45.88,Default,,0000,0000,0000,,kilobytes. This is from the firmware,\NSiemens firmware. Right. So we just Dialogue: 0,0:44:45.88,0:45:00.74,Default,,0000,0000,0000,,export it. So, yeah, so it's now called\Nfw-0x691E28 in the folder out. So now we Dialogue: 0,0:45:00.74,0:45:05.64,Default,,0000,0000,0000,,are done with this part. We are going to\Ndump the same address in the PLC. So from Dialogue: 0,0:45:05.64,0:45:11.96,Default,,0000,0000,0000,,a running PLC, I have to mention again. So\Nthis is the top part is basically raw uart Dialogue: 0,0:45:11.96,0:45:17.96,Default,,0000,0000,0000,,and this is basically our client part and\Nwe are dumping it with a cold boot style Dialogue: 0,0:45:17.96,0:45:22.15,Default,,0000,0000,0000,,attack. So we are basically resetting the\NPLC. And before it's over, write the RAM, Dialogue: 0,0:45:22.15,0:45:28.96,Default,,0000,0000,0000,,we are basically dumping the contents of\Nthe RAM. So this is the address, 0x691e28. Dialogue: 0,0:45:28.96,0:45:34.99,Default,,0000,0000,0000,,This is about the same address, basically.\NAnd we are dumping 256 kilobytes. And here Dialogue: 0,0:45:34.99,0:45:41.07,Default,,0000,0000,0000,,we send MFGT1 basically. And then got\Nthe /cpu and then the rest of the stager Dialogue: 0,0:45:41.07,0:45:48.81,Default,,0000,0000,0000,,and stuff goes. So now basically we are\Nsending packets and then eventually get a Dialogue: 0,0:45:48.81,0:45:57.48,Default,,0000,0000,0000,,recive. So basically got all the payload\Nlike dumped in mem_dump_00691e28 Dialogue: 0,0:45:57.48,0:46:03.34,Default,,0000,0000,0000,,basically. So this is from the RAM of the\NPLC. This is not anymore from Siemens' Dialogue: 0,0:46:03.34,0:46:17.30,Default,,0000,0000,0000,,websites. We are just scped to our own\Nmachine and then compare it. 
So now we Dialogue: 0,0:46:17.30,0:46:21.89,Default,,0000,0000,0000,,have the memdump and original firmware\N256 kilobytes each. And then we are going Dialogue: 0,0:46:21.89,0:46:28.98,Default,,0000,0000,0000,,to compare them with each other. And as\Nyou can see, should look here like you Dialogue: 0,0:46:28.98,0:46:32.76,Default,,0000,0000,0000,,have like hundred percent match. Meaning\Nthat it's exactly the same firmware, Dialogue: 0,0:46:32.76,0:46:37.14,Default,,0000,0000,0000,,which is available on Siemens website. We\Ndumped it directly from the Siemens PLC Dialogue: 0,0:46:37.14,0:46:44.28,Default,,0000,0000,0000,,memory using this as special access\Nfeature. So let's do another one. So this Dialogue: 0,0:46:44.28,0:46:47.90,Default,,0000,0000,0000,,time we all want to show that\Nunconstrained code execution in just a Dialogue: 0,0:46:47.90,0:46:53.47,Default,,0000,0000,0000,,very basic way. So we are actually just\Nwriting a custom payload to the PLC and Dialogue: 0,0:46:53.47,0:46:57.96,Default,,0000,0000,0000,,get a hello or greetings from the PLC. So\Nbasically, basically we just asked the PLC Dialogue: 0,0:46:57.96,0:47:04.92,Default,,0000,0000,0000,,to send us this message all the time. So\Nagain, so we are sending our custom Dialogue: 0,0:47:04.92,0:47:13.45,Default,,0000,0000,0000,,payload here and say hello loop. And\Nbasically the PLC just sending this loop Dialogue: 0,0:47:13.45,0:47:24.40,Default,,0000,0000,0000,,for us. So all of these things, again, are\Nfor bootloader 4.2.1. You have to readjust Dialogue: 0,0:47:24.40,0:47:29.70,Default,,0000,0000,0000,,certain things because Siemens saying they\Nupdated again their bootloader in the Dialogue: 0,0:47:29.70,0:47:36.46,Default,,0000,0000,0000,,recent 2019 December, which we bought new\NPLC, again, once again. And now here we Dialogue: 0,0:47:36.46,0:47:42.100,Default,,0000,0000,0000,,get a response. 
That's the PLC is sending\Nbasically to us this our raw data, which Dialogue: 0,0:47:42.100,0:47:46.89,Default,,0000,0000,0000,,is PLC is keep sending to us. That's\Nshowing that we are receiving this. But Dialogue: 0,0:47:46.89,0:47:53.85,Default,,0000,0000,0000,,maybe this was too basic. These are the\Nraw data which we are getting from the Dialogue: 0,0:47:53.85,0:47:57.76,Default,,0000,0000,0000,,PLC. Let's actually do it a little more\Ncomplex. Show something that is not from Dialogue: 0,0:47:57.76,0:48:04.17,Default,,0000,0000,0000,,us. So let's play a game called tic tac\Ntoe inside the PLC. And I guess if you Dialogue: 0,0:48:04.17,0:48:08.87,Default,,0000,0000,0000,,don't know, this is how tic tac toe is\Nlike this is I am playing and I just draw Dialogue: 0,0:48:08.87,0:48:20.31,Default,,0000,0000,0000,,with the google. So. Now we are again are\Ngoing to send our custom payload. But this Dialogue: 0,0:48:20.31,0:48:25.36,Default,,0000,0000,0000,,time we are just use partial quotes from\Nsomebody else from the Internet and just Dialogue: 0,0:48:25.36,0:48:30.09,Default,,0000,0000,0000,,upload, compile it and then upload it to\Nthe PLC. Obviously, you have to readjust Dialogue: 0,0:48:30.09,0:48:38.73,Default,,0000,0000,0000,,lots of things. But so we are sending our\Npayload, including a stager and these are Dialogue: 0,0:48:38.73,0:48:44.96,Default,,0000,0000,0000,,the raw data. Again, these are our client.\NAnd eventually you will see a tic tac toe Dialogue: 0,0:48:44.96,0:48:50.18,Default,,0000,0000,0000,,interface, which you have to enter. So\NPlayer 1 is actually playing with the X Dialogue: 0,0:48:50.18,0:48:54.87,Default,,0000,0000,0000,,and player 2 is playing with like 0. So\Nyou see of any positioning, which you Dialogue: 0,0:48:54.87,0:49:04.83,Default,,0000,0000,0000,,choose. You have X, X and hopefully a\Nplayer one wins. Yes. So that was it. 
So Dialogue: 0,0:49:04.83,0:49:15.68,Default,,0000,0000,0000,,that was a demo.\N{\i1}applause{\i0} Dialogue: 0,0:49:15.68,0:49:19.89,Default,,0000,0000,0000,,Obviously, there are lots of other ideas\Nwhich we can work on, on injecting other Dialogue: 0,0:49:19.89,0:49:24.56,Default,,0000,0000,0000,,custom code, using the special access\Nfunctionality, we are still working on Dialogue: 0,0:49:24.56,0:49:30.32,Default,,0000,0000,0000,,this. Like lots of other things on\NSiemens, we are sorry Siemens we are just Dialogue: 0,0:49:30.32,0:49:35.93,Default,,0000,0000,0000,,working on this, but there are more to\Ncome. But in the meantime, there are some Dialogue: 0,0:49:35.93,0:49:40.88,Default,,0000,0000,0000,,ideas for other people in case they are\Nlooking into this and one to investigate Dialogue: 0,0:49:40.88,0:49:45.86,Default,,0000,0000,0000,,security of Siemens PLCs. So using this as\Nspecial access entry, you can do somewhat Dialogue: 0,0:49:45.86,0:49:49.83,Default,,0000,0000,0000,,certain things. So, for example, you can\Nuse this prophylaxis functionality to Dialogue: 0,0:49:49.83,0:49:54.61,Default,,0000,0000,0000,,write to the firmware. As we mentioned,\Nthis functionality is available and it Dialogue: 0,0:49:54.61,0:49:59.32,Default,,0000,0000,0000,,doesn't require those cryptographic\Nsignature which normally during update Dialogue: 0,0:49:59.32,0:50:03.92,Default,,0000,0000,0000,,process of the firmware available. So you\Ncan just bypass it and it's just CRC Dialogue: 0,0:50:03.92,0:50:08.97,Default,,0000,0000,0000,,checksum. So what you can do is that, for\Nexample, adding entry to organize like Dialogue: 0,0:50:08.97,0:50:13.45,Default,,0000,0000,0000,,initialization routine, which is\Navailable. 
And then also you can do it Dialogue: 0,0:50:13.45,0:50:19.11,Default,,0000,0000,0000,,before organized initialization routine,\Nwhich we call internal th_initial Dialogue: 0,0:50:19.70,0:50:21.17,Default,,0000,0000,0000,,Another one which we can do, Dialogue: 0,0:50:21.17,0:50:23.89,Default,,0000,0000,0000,,if you remember,\NTobias talked about some undocumented and Dialogue: 0,0:50:23.89,0:50:27.68,Default,,0000,0000,0000,,lots of creativity on creating music.\Nli li li lo lo lo Dialogue: 0,0:50:27.68,0:50:30.56,Default,,0000,0000,0000,,So what one person can do is Dialogue: 0,0:50:30.56,0:50:35.87,Default,,0000,0000,0000,,like basically adding specific handler or\Noverwriting existing handler. And what it Dialogue: 0,0:50:35.87,0:50:39.76,Default,,0000,0000,0000,,makes actually is like something like\Ntriton. I don't know if anybody know her, Dialogue: 0,0:50:39.76,0:50:42.66,Default,,0000,0000,0000,,but triton is malware which were\Nattacking petrochemical plant Dialogue: 0,0:50:42.66,0:50:44.34,Default,,0000,0000,0000,,in Saudi Arabia.\NSo they were trying Dialogue: 0,0:50:44.34,0:50:47.86,Default,,0000,0000,0000,,to do it in the TCP. But\Nattacker here can maybe do it in http Dialogue: 0,0:50:47.86,0:50:54.09,Default,,0000,0000,0000,,example and just listen and waiting for\Ncomments and also other alternatives like Dialogue: 0,0:50:54.09,0:51:00.95,Default,,0000,0000,0000,,patching one of the jump tables in the AWP\Nhandlers, which can be also used for Dialogue: 0,0:51:00.95,0:51:08.74,Default,,0000,0000,0000,,process a specific attack. So what else is\Nout there? So what we looked is we looked Dialogue: 0,0:51:10.04,0:51:10.92,Default,,0000,0000,0000,,We looked at Dialogue: 0,0:51:10.92,0:51:15.77,Default,,0000,0000,0000,,at attack surface in the Siemens S7 PLCs.\NThere are like for from prospective on Dialogue: 0,0:51:15.77,0:51:19.84,Default,,0000,0000,0000,,local privilege attacks. What we can...\Nwhat we looked was bootloader. 
We are Dialogue: 0,0:51:19.84,0:51:25.35,Default,,0000,0000,0000,,still working on hardware attacks and some\Nhardware software attacks on the edge. Is Dialogue: 0,0:51:25.35,0:51:31.40,Default,,0000,0000,0000,,this still ongoing work, which we don't\Nobviously discuss now? Also interesting Dialogue: 0,0:51:31.40,0:51:35.02,Default,,0000,0000,0000,,thing, I think if somebody who is\Ninterested in security of PLCs and Dialogue: 0,0:51:35.02,0:51:38.86,Default,,0000,0000,0000,,especially internals, I'm not talking\Nabout like just general segregation of Dialogue: 0,0:51:38.86,0:51:43.06,Default,,0000,0000,0000,,network and stuff like that in ICS, I'm\Ntalking about more advanced low level Dialogue: 0,0:51:43.06,0:51:51.25,Default,,0000,0000,0000,,stuff. We think like MWSL is interesting\Ntarget. There probably are some like bugs Dialogue: 0,0:51:51.25,0:51:55.68,Default,,0000,0000,0000,,in their implementations. Also, with\Nrespect to file system parsing and Dialogue: 0,0:51:55.68,0:52:00.84,Default,,0000,0000,0000,,firmware signing, there are probably\Nsome stuff and also MC7 parser basically, Dialogue: 0,0:52:00.84,0:52:06.60,Default,,0000,0000,0000,,which they have from privilege escalation\Nperspective and also from remote code Dialogue: 0,0:52:06.60,0:52:13.63,Default,,0000,0000,0000,,execution perspective, both \NMiniWeb webserver and also any network Dialogue: 0,0:52:13.63,0:52:18.30,Default,,0000,0000,0000,,access of accessible services which they\Nhave might be interesting. You're actually Dialogue: 0,0:52:18.30,0:52:27.58,Default,,0000,0000,0000,,also looking at this part right now. So as\Na conclusion. PLCs are becoming more Dialogue: 0,0:52:27.58,0:52:31.35,Default,,0000,0000,0000,,complex. That's true, because they are\Nactually providing more and more features Dialogue: 0,0:52:31.35,0:52:34.97,Default,,0000,0000,0000,,and because of this more complexity, there\Nwill be more bugs. 
We can see, for Dialogue: 0,0:52:34.97,0:52:41.68,Default,,0000,0000,0000,,example, in the MWSL, which we are looking\Nat now, also bend or strike to basically Dialogue: 0,0:52:41.68,0:52:47.04,Default,,0000,0000,0000,,more make it more complex. They have\Nbasically some anti debugging which we Dialogue: 0,0:52:47.04,0:52:52.82,Default,,0000,0000,0000,,just discussed in Siemens PLCs, but also\Nthey have, for example, frame rate Dialogue: 0,0:52:52.82,0:52:59.46,Default,,0000,0000,0000,,integrity verification so that the sign\Nframe where like upload to the PLC and Dialogue: 0,0:52:59.46,0:53:05.58,Default,,0000,0000,0000,,stuff like that. So they are making it\Nmore complex. But what you have to know is Dialogue: 0,0:53:05.58,0:53:14.28,Default,,0000,0000,0000,,that if in their like thread model which\Nlike lots of people make or this security Dialogue: 0,0:53:14.28,0:53:20.22,Default,,0000,0000,0000,,ecosystem which they built. If they have a\Nfeature which undermines the same security Dialogue: 0,0:53:20.22,0:53:24.42,Default,,0000,0000,0000,,ecosystem which they designed. I mean, I\Nthink it's obvious that they have to Dialogue: 0,0:53:24.42,0:53:28.43,Default,,0000,0000,0000,,remove like in the case of bootloader case\Nin their special access features. One of Dialogue: 0,0:53:28.43,0:53:32.34,Default,,0000,0000,0000,,the good examples. So. And of course,\Ncustomers also have to know, because if Dialogue: 0,0:53:32.34,0:53:36.43,Default,,0000,0000,0000,,they have such functionality and they need\Nit, as long as customers know, it's fine. Dialogue: 0,0:53:36.43,0:53:41.00,Default,,0000,0000,0000,,But when they don't, they can't risk\Ncalculate this risk in their strategy or Dialogue: 0,0:53:41.00,0:53:46.81,Default,,0000,0000,0000,,in this threat model, which they have. So.\NAnd also they have to think or rethink Dialogue: 0,0:53:46.81,0:53:51.05,Default,,0000,0000,0000,,about security by obscurity. 
Maybe they\Nallow us, for example, as researchers to Dialogue: 0,0:53:51.05,0:53:53.70,Default,,0000,0000,0000,,access the devices\Nbetter and easier Dialogue: 0,0:53:53.70,0:53:55.82,Default,,0000,0000,0000,,to investigate it more. We are still doing Dialogue: 0,0:53:55.82,0:54:00.89,Default,,0000,0000,0000,,it, but it's just taking longer. And I\Nbelieve that there are lots of seeing more Dialogue: 0,0:54:00.89,0:54:08.46,Default,,0000,0000,0000,,to be done on like PLCs and Siemens will\Nnot be the last one which we are working Dialogue: 0,0:54:08.46,0:54:13.84,Default,,0000,0000,0000,,on. So we have to thank some people\NThorsten Holz our supervisor, he's not Dialogue: 0,0:54:13.84,0:54:20.80,Default,,0000,0000,0000,,here. Thomas, Alexandre, Marina, Lucian,\NNikita and Robin. For their help and Dialogue: 0,0:54:20.80,0:54:26.90,Default,,0000,0000,0000,,their work. And now we are going to answer\Nquestions. Dialogue: 0,0:54:26.90,0:54:27.88,Default,,0000,0000,0000,,Herald: Thank you. Dialogue: 0,0:54:27.88,0:54:37.08,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:54:38.94,0:54:47.32,Default,,0000,0000,0000,,Herald: So, yeah, feel free to line up for\Nthe microphones or write your questions in Dialogue: 0,0:54:47.32,0:54:54.94,Default,,0000,0000,0000,,the Elisa room. Ah, there you go. It's on\Nright now I think. Dialogue: 0,0:55:02.04,0:55:07.36,Default,,0000,0000,0000,,Signal Angel: Hello. Yeah. So there is one\Nquestion from the Internet. Did you check Dialogue: 0,0:55:07.36,0:55:15.79,Default,,0000,0000,0000,,the MC7 parser? If yes. Did you find any\Nhidden unknown machine instruction Dialogue: 0,0:55:15.79,0:55:21.76,Default,,0000,0000,0000,,on it or something?\NAil: Do you want to answer? So just is it Dialogue: 0,0:55:21.76,0:55:26.40,Default,,0000,0000,0000,,recorded or I have to repeat it again? So\Nthey ask that if we check the MC7 Dialogue: 0,0:55:26.40,0:55:32.10,Default,,0000,0000,0000,,parser. OK. So it's fine. 
So we didn't \Nlike truly investigate the MC7 parser, Dialogue: 0,0:55:32.10,0:55:35.55,Default,,0000,0000,0000,,but we are working on it right now. Dialogue: 0,0:55:36.93,0:55:40.64,Default,,0000,0000,0000,,Mic: Hello? How were you able to find the Dialogue: 0,0:55:40.64,0:55:45.84,Default,,0000,0000,0000,,MFG security password?\NAli: That's a very long story. First of Dialogue: 0,0:55:45.84,0:55:50.24,Default,,0000,0000,0000,,all, like we had we had it in front of us\Nfor a long, long time until Siemens Dialogue: 0,0:55:50.24,0:55:56.16,Default,,0000,0000,0000,,introduced this anti debugging feature.\NAnd after that, like we had to find other Dialogue: 0,0:55:56.16,0:56:01.93,Default,,0000,0000,0000,,ways, other means to find it, to find a\Nsimilar function, like similar ways that Dialogue: 0,0:56:01.93,0:56:06.48,Default,,0000,0000,0000,,allow us because one thing which we didn't\Ndiscuss here is that we didn't tell you Dialogue: 0,0:56:06.48,0:56:11.92,Default,,0000,0000,0000,,about how we, for example, executed that\Ninstruction before in the PLC. It was Dialogue: 0,0:56:11.92,0:56:18.24,Default,,0000,0000,0000,,involved some works which we received help\Nfrom some researchers in Netherlands and Dialogue: 0,0:56:18.24,0:56:24.56,Default,,0000,0000,0000,,in France. So this is this was something\Ninformed by Siemens in 2013. I think they Dialogue: 0,0:56:24.56,0:56:31.28,Default,,0000,0000,0000,,knew about it. But until 2016, they\Npatched it and then it became out like Dialogue: 0,0:56:31.28,0:56:35.27,Default,,0000,0000,0000,,basically they tried to protect their PLCs\Nfrom these kind of attack. It was never Dialogue: 0,0:56:35.27,0:56:39.24,Default,,0000,0000,0000,,published before. So we were using it. And\Nwe don't want to talk about it, because Dialogue: 0,0:56:39.24,0:56:42.94,Default,,0000,0000,0000,,the original author didn't want to talk\Nabout it. 
But we replicated what they Dialogue: 0,0:56:42.94,0:56:49.36,Default,,0000,0000,0000,,were, what they were doing. And then once\Nwe really had to look for other ways, like Dialogue: 0,0:56:49.36,0:56:53.76,Default,,0000,0000,0000,,then it opened our eyes that there are\Nsome other functionalities as well. There Dialogue: 0,0:56:53.76,0:56:57.52,Default,,0000,0000,0000,,are so such as, for example, the\Nbootloader. But before we before we need Dialogue: 0,0:56:57.52,0:57:01.66,Default,,0000,0000,0000,,it, like we never actually looked at these\Nthings. So it was like in front of us for Dialogue: 0,0:57:01.66,0:57:05.64,Default,,0000,0000,0000,,like two years.\NTobias: Maybe one interesting piece of Dialogue: 0,0:57:05.64,0:57:10.36,Default,,0000,0000,0000,,background story on this is that we\Nactually in the previous technique that we Dialogue: 0,0:57:10.36,0:57:16.24,Default,,0000,0000,0000,,used, we actually overrode the conditional\Njump that would lead to this special Dialogue: 0,0:57:16.24,0:57:20.32,Default,,0000,0000,0000,,access feature being executed with an\Nunconditional jump. So we basically cut Dialogue: 0,0:57:20.32,0:57:25.68,Default,,0000,0000,0000,,out 60 percent of the whole code of the\Nfirmware image by accident. And then I Dialogue: 0,0:57:25.68,0:57:30.32,Default,,0000,0000,0000,,just because of the hunch that I was\Ntalking about before that there is just Dialogue: 0,0:57:30.32,0:57:35.04,Default,,0000,0000,0000,,too much functionality. I revisited it and\Nactually realized that it was exactly the Dialogue: 0,0:57:35.04,0:57:41.60,Default,,0000,0000,0000,,spot that we overrode before and we had to\Nbasically replace it and use it for our Dialogue: 0,0:57:41.60,0:57:43.49,Default,,0000,0000,0000,,own sake. Dialogue: 0,0:57:44.11,0:57:46.29,Default,,0000,0000,0000,,Mic: Is there any boot time security other Dialogue: 0,0:57:46.29,0:57:51.47,Default,,0000,0000,0000,,than the CRC check? So you. 
Are you able\Nto modify the contents of the SPI flash Dialogue: 0,0:57:51.47,0:57:54.41,Default,,0000,0000,0000,,and get arbitrary code execution that way\Nas well? Dialogue: 0,0:57:55.06,0:58:01.91,Default,,0000,0000,0000,,Ali: So it depends in which year you are\Ntalking about 2017, 2016. So we are Dialogue: 0,0:58:01.91,0:58:07.19,Default,,0000,0000,0000,,talking about the same models of the PLC,\Nbut in 2017 and 2018. No. So you could Dialogue: 0,0:58:07.19,0:58:11.77,Default,,0000,0000,0000,,basically just take out SPI flash\Noverwrite it. And that was fine. But if Dialogue: 0,0:58:11.77,0:58:16.64,Default,,0000,0000,0000,,you were overwriting and it caused a halt\Nin the CPU core, it would again trigger Dialogue: 0,0:58:16.64,0:58:23.06,Default,,0000,0000,0000,,that anti debugging technology, which they\Nhave. This watchdog basically but from Dialogue: 0,0:58:23.06,0:58:28.61,Default,,0000,0000,0000,,like frameware integrity verification.\NWell basically once you write to.. the Dialogue: 0,0:58:28.61,0:58:33.35,Default,,0000,0000,0000,,firmware is written to the NAND flash, but\Nit's just the CRC checksum. But during the Dialogue: 0,0:58:33.35,0:58:37.19,Default,,0000,0000,0000,,update process? No. There are some\Ncryptographic checks, but once it's Dialogue: 0,0:58:37.19,0:58:41.92,Default,,0000,0000,0000,,written, no. There are some problems which\Nthere which again, it's a still ongoing Dialogue: 0,0:58:41.92,0:58:45.46,Default,,0000,0000,0000,,work and we don't want to discuss about\Nit, but nice catch. Dialogue: 0,0:58:45.46,0:58:50.68,Default,,0000,0000,0000,,Mic: Thank you.\NMic: Hi. Thanks for the talk. Could you Dialogue: 0,0:58:50.68,0:58:54.94,Default,,0000,0000,0000,,elaborate on your communication with the\Nvendor and the timeline? Dialogue: 0,0:58:54.94,0:59:00.19,Default,,0000,0000,0000,,Ali: Yes. 
So, first of all, we know about\Nthis problem for like one year and half Dialogue: 0,0:59:00.19,0:59:04.43,Default,,0000,0000,0000,,before we reported to the vendor. And the\Nprimary reason was that we were using it Dialogue: 0,0:59:04.43,0:59:09.33,Default,,0000,0000,0000,,for some other project. This is actually\Nthis result is actually from a side Dialogue: 0,0:59:09.33,0:59:12.87,Default,,0000,0000,0000,,project rather than the main project,\Nbecause the main project is still Dialogue: 0,0:59:12.87,0:59:18.08,Default,,0000,0000,0000,,something else and is still ongoing. But\Nfrom a side of that projects, we had that Dialogue: 0,0:59:18.08,0:59:21.89,Default,,0000,0000,0000,,access. And because we were worried that\Nreporting to the vendor, they can fix it Dialogue: 0,0:59:21.89,0:59:26.24,Default,,0000,0000,0000,,with software update and then do not allow\Nall other CVEs which we find from this Dialogue: 0,0:59:26.24,0:59:31.76,Default,,0000,0000,0000,,other project, we didn't want to\Neventually at 2019. Thomas Weber wanted to Dialogue: 0,0:59:31.76,0:59:37.58,Default,,0000,0000,0000,,talk about his talk on like basically this\NJTAG interface with four CoreSight and Dialogue: 0,0:59:37.58,0:59:42.78,Default,,0000,0000,0000,,then we decided to actually talk about it\Nas well. But other than that, we actually Dialogue: 0,0:59:42.78,0:59:48.51,Default,,0000,0000,0000,,talked in June I think with Siemens and\Nthey confirmed that there is this hardware Dialogue: 0,0:59:48.51,0:59:53.21,Default,,0000,0000,0000,,base, a special access feature. And they\Nare.. they say that they are going to Dialogue: 0,0:59:53.21,0:59:58.46,Default,,0000,0000,0000,,remove it and that was it. We also send\Nthem a write up for them to read. Dialogue: 0,0:59:58.46,1:00:02.64,Default,,0000,0000,0000,,Herald: So there is one last question from\Nthe signal angel over there. 
Dialogue: 0,1:00:04.17,1:00:09.26,Default,,0000,0000,0000,,Signal Angel: So there's another question\Nfrom the Internet. If tools like flashrom Dialogue: 0,1:00:09.26,1:00:15.70,Default,,0000,0000,0000,,doesn't have support for unknown SPI\Nflashrom chip, then how do you usually Dialogue: 0,1:00:15.70,1:00:22.42,Default,,0000,0000,0000,,extract firmware if you don't want to\Ndecap a chip or use SOIC8 socket. Dialogue: 0,1:00:22.42,1:00:26.54,Default,,0000,0000,0000,,Ali: Can you repeat it again? I didn't get\Nthe question, did you? Dialogue: 0,1:00:26.54,1:00:32.42,Default,,0000,0000,0000,,Signal Angel: If tools like flashrom does\Nnot have support for unknown SPI flashrom Dialogue: 0,1:00:32.42,1:00:38.64,Default,,0000,0000,0000,,chip, then how do you usually extract\Nfirmware if you don't want to decap chip Dialogue: 0,1:00:38.64,1:00:42.26,Default,,0000,0000,0000,,and use SOIC8 socket.\NAli: So first of all, we never actually Dialogue: 0,1:00:42.26,1:00:49.03,Default,,0000,0000,0000,,decap the SPI flash. So that's just did it\Nfor the CPU. And just because we want we Dialogue: 0,1:00:49.03,1:00:53.92,Default,,0000,0000,0000,,know that Siemens relabled their PLC, so\Nit's not their own CPU, it's from Dialogue: 0,1:00:53.92,1:00:58.76,Default,,0000,0000,0000,,Renesas, but that's why we did the\Ndecapping. So story of decapoing setting Dialogue: 0,1:00:58.76,1:01:04.16,Default,,0000,0000,0000,,aside. But from other things all basically\Nthere are still this functionality, this Dialogue: 0,1:01:04.16,1:01:08.07,Default,,0000,0000,0000,,bootloader functionality, which actually\Nlets you read the content of the memory. Dialogue: 0,1:01:08.07,1:01:11.62,Default,,0000,0000,0000,,So that's one thing you can read.\NObviously you don't even need that thanks Dialogue: 0,1:01:11.62,1:01:15.76,Default,,0000,0000,0000,,to one of my students. 
We now know one\Nthat's actually you don't even need to Dialogue: 0,1:01:15.76,1:01:20.64,Default,,0000,0000,0000,,take out the bootloader, chip. We\Nbasically can just connect directly in the Dialogue: 0,1:01:20.64,1:01:27.97,Default,,0000,0000,0000,,board and dump the firmware. Marcello,\Nthat's his name. He's here, actually. But Dialogue: 0,1:01:27.97,1:01:34.11,Default,,0000,0000,0000,,anyway, so you can just directly read it.\NAnd yeah, I don't think the reading part, Dialogue: 0,1:01:34.11,1:01:38.00,Default,,0000,0000,0000,,especially some part of it, is protected,\Nespecially in the recent versions, which Dialogue: 0,1:01:38.00,1:01:43.20,Default,,0000,0000,0000,,you can't read everything. But besides\Nthat, I don't think there is any harder Dialogue: 0,1:01:43.20,1:01:47.68,Default,,0000,0000,0000,,now yet. I am sure that they are working\Non that and we are working also on Dialogue: 0,1:01:47.68,1:01:51.52,Default,,0000,0000,0000,,something to bypass that. So.\NHerald: Okay. That was our next talk is Dialogue: 0,1:01:51.52,1:01:57.51,Default,,0000,0000,0000,,gonna be about delivery robots. Sasha in\N20 minutes. So let's give you a hand. Dialogue: 0,1:01:57.51,1:02:01.71,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,1:02:01.71,1:02:11.76,Default,,0000,0000,0000,,{\i1}36c3 postrol music{\i0} Dialogue: 0,1:02:11.76,1:02:35.05,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2021. Join, and help us!