Pwn2Own is the name of a hacking contest where teams of participants demonstrate their hacking skills by finding vulnerabilities in well-known devices and software. Winners get to keep the devices they hack plus a cash prize. For the companies who produce the devices and software, it’s a bargain. They get the best hackers to find vulnerabilities in their products for a relatively low price. The most recent contest, however, took a dangerous turn. Participants were challenged to take over industrial control software.
Why is this dangerous? Because, to some extent, the ability to breach industrial control systems is the holy grail of nation-state hackers: that control can disrupt the basic infrastructure of the targeted country. Almost all machinery has computerized control panels that set operating parameters and send out alarms if something is not right. If a hacker were able to get into such panels and remotely alter the parameters, they could do some very serious damage.
Some of the controls are air-gapped but others are not. Neither, despite popular belief to the contrary, is safe from sophisticated hackers. Of course, it is easier to breach control systems that are monitored through normal computer interfaces. These are simply software programs that can be circumvented by knowledgeable hackers. And that’s exactly what Team Incite did at Pwn2Own. They took over the software that was developed by Rockwell Automation for companies to monitor their machinery.
Rockwell Automation HMI software is a one-size-fits-all application. (HMI stands for Human Machine Interface.) The company can help set up one machine for monitoring or every machine or device in a factory. They can set up a monitoring system in nearly every industry, from oil and gas, to electric power, to entertainment. And if this seems like it’s too good to be true, well, it probably is.
Team Incite managed to take over the Rockwell HMI and install malware that would allow hackers to control the software remotely. In other words, they could control the software that monitored and controlled the machinery, and they could do so from the comfort of their own home.
The details of the hacking were not made public. These were given to the company so that they could fix the vulnerability. To some extent, the hackers at Pwn2Own have an advantage in that they are given the code, at least for the Rockwell HMI, well before the event. It is then a matter of finding bugs in the code that they can exploit later at the contest.
Regular hackers must take a different approach in order to gain access to industrial control software, and Rockwell seems especially vulnerable to a variety of attacks. I will briefly summarize some of these below.
On their website you can find the following promotion that made me somewhat uneasy.
This seems to imply the ability to at least monitor machinery through a smartphone or tablet. Yes, having connectivity can increase productivity by shortening reaction time if a problem arises. But, from a cybersecurity standpoint, it creates the dreaded endpoint problem. That is, one weak endpoint or one careless user on a network can expose the entire company to an attack. If an attacker manages to gain control of one endpoint, they can work their way upward through the network, collecting data or causing problems as they go.
And this is not just theoretical. While randomly checking out some of Rockwell’s network, I came across an unsecured device. I alerted Rockwell at once but only received a robotic reply that had nothing to do with my message. I sent a second message telling them to check out this blog post so that they may see that I’m not trying to do anything but inform them of a serious problem. To prove this, I’ve included a screenshot of the open device. It may help them identify the problem or, at least, contact me for details.
I have no doubt that Rockwell produces good and useful industrial control software; software that is promoted for its ability to increase incident response time. Security, for most of these industrial control software developers, comes as an afterthought. However, this serious oversight demonstrates that sacrificing efficiency for security may compromise both. It cannot be stressed enough that good, high-quality endpoint protection is always a must.
The unsecured endpoint problem is not the only one facing Rockwell and other industrial control software developers. Another possible way that attackers may breach the control software would be by having an employee download a fake or infected app. The app offered by Rockwell is free. “FactoryTalk TeamONE can be downloaded, installed and used right away by anyone on company or personally owned devices.” This permission to use the software on personal devices could be a problem in that the detection of an infected app would then be in the hands of the user.
Another possible hacking vector could be through fake updates that would look legitimate but would, in the end, install malware on the device. Again, if personal devices are allowed it would be up to the user to determine whether the update was real or not.
And, of course, it is very possible that bad actors could simply use tried-and-tested spearphishing. Send a legitimate-looking email. Include a valid-looking attachment to open. Send them to an infected website. Lure them to a fake sign-in page so that their credentials can be stolen. All of these techniques have worked on many users before and will, no doubt, work again.
Rockwell Automation was the only company that offered up its code to the hacking teams. However, other teams downloaded free industrial control software from the internet and worked on hacking it. In the end, every industrial control software program was hacked and was demonstrated to be susceptible to remote access. This should be troubling.
Now, you may wonder why hacking monitoring software would be a problem. After all, it only monitors, right? Well, that depends on the software. Some may allow adjustments to the machinery through the interface. In other words, it may allow a hacker to control what a machine does.
But even if it doesn’t allow direct control, all monitoring software would allow a hacker to turn alarms on or off or change the alarm parameters. A hacker may even be able to send a message to a team member to perform some action that would cause a machine to malfunction.
But what’s really worrying is that if these hacking teams at the Pwn2Own contest were able to breach these control programs, it is highly likely that government-supported hackers from Iran, Russia, China, or North Korea could do the same. My guess is that they already have, but they have not deployed their attacks.