June 2013 Archives

VPN access

People often ask how I write PLC hacking tools while on the road.  The answer used to be VPN access -- I would run a small OpenVPN server on my home network with a bunch of PLCs connected to it.  I added an Arduino with an Ethernet shield, which controlled a relay to turn power on and off for the various PLCs, and a Linux server to run attack tools from (some attacks, like ARP poisoning, just don't work over a VPN tunnel).  When working with the great folks at Tenable and Rapid7 on Nessus and Metasploit module development, they loved the setup.

When I described the setup to a friend in the business, he said, "I would pay for access to that."

A major problem with finding security issues in industrial controllers is cost.  You can find backdoor accounts and service stupidity easily enough with firmware analysis, but sometimes the more fun stuff (such as ladder logic upload over the normal 'SCADA' protocol) is a bit trickier to find via straight binary analysis.  If you spend just a few minutes with a live device, a lot of these issues fall out quite quickly.

So I am giving it some thought: would anyone be interested in access to a PLC VPN?  It would have a few industrial Ethernet switches (one currently has some 0-day that needs to be coordinated), multiple PLCs, and I guess a small server running a Windows Terminal Server and a Linux VM for running configuration software and hacking tools.  It would also (of course) have a relay board for rebooting PLCs and RTUs when they inevitably crash.  I could even wire it up to some real-world stuff, like having PLCs connected to some lights and stepper motors, plus a webcam, so that you could watch what happens to the PLC in its various failure modes.

Is anyone interested in such a thing, to be used as a hacking playground?  Would you be willing to kick in a few dollars to make it happen?

Image by epsos
Halvar Flake gave a thought-provoking keynote at SOURCE Dublin this year.  His premise is this: in the past, shipping by sea was woefully insecure.  Nations decided to create formal navies, recognizing that safe shipping was good for commerce.

Cue analogies to the new NSA Data Center in Utah, as well as projects like Perfect Citizen.  Of course all physical analogies break down a bit once the term 'cyber' rears its ugly head, but in a way this all makes sense.  Sure, utilities, banks, and other 'critical infrastructure' can never be physically moved to a handful of highly secure ports, but logically perhaps they could be.

About this Archive

This page is an archive of entries from June 2013 listed from newest to oldest.
