VPN access

People often ask how I write PLC hacking tools while on the road.  The answer used to be VPN access -- I would run a small OpenVPN server on my home network with a bunch of PLCs connected to it.  I provided an Arduino with an Ethernet shield, which controlled a relay to turn power on and off for various PLCs, and a Linux server to run attack tools from (some attacks, like ARP poisoning, just don't work over a VPN tunnel).  When working with the great folks at Tenable and Rapid7 for Nessus and Metasploit module development, they loved the setup.
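As an added illustration of the relay board described above (not the author's own code), here is a minimal Arduino sketch that exposes each PLC's power relay over HTTP on the lab segment; the pin assignments, the MAC/IP pair and the five-second off time are assumptions for a bench setup.

```arduino
#include <SPI.h>
#include <Ethernet.h>
// Constructed bench addressing; change for your own isolated lab segment.
byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0x01 };
IPAddress ip(10, 0, 0, 250);
// One relay channel per PLC, driven from these pins (assumed wiring:
// pin HIGH closes the relay, so the PLC is powered while the pin is HIGH).
const int RELAY_PINS[] = { 2, 3, 4, 5 };
const int PLC_COUNT = sizeof(RELAY_PINS) / sizeof(RELAY_PINS[0]);
const unsigned long OFF_TIME_MS = 5000;   // how long to hold power off

EthernetServer server(80);

void setup() {
  for (int i = 0; i < PLC_COUNT; i++) {
    pinMode(RELAY_PINS[i], OUTPUT);
    digitalWrite(RELAY_PINS[i], HIGH);    // start with every PLC powered
  }
  Ethernet.begin(mac, ip);
  server.begin();
}

// Drop and restore power on one channel; false for an out-of-range index.
bool cyclePlc(int index) {
  if (index < 0 || index >= PLC_COUNT) return false;
  digitalWrite(RELAY_PINS[index], LOW);
  delay(OFF_TIME_MS);                     // blocks the sketch; fine for a bench tool
  digitalWrite(RELAY_PINS[index], HIGH);
  return true;
}

void loop() {
  EthernetClient client = server.available();
  if (!client) return;
  // Only the request line matters, e.g. "GET /cycle/2 HTTP/1.1".
  String reqLine = client.readStringUntil('\n');
  while (client.available()) client.read();   // discard the headers
  int plc = -1;                               // -1 = no valid channel given
  if (reqLine.startsWith("GET /cycle/") && isDigit(reqLine.charAt(11))) {
    plc = reqLine.substring(11).toInt();      // toInt() stops at the space
  }
  bool ok = cyclePlc(plc);
  client.println(ok ? "HTTP/1.1 200 OK" : "HTTP/1.1 400 Bad Request");
  client.println("Content-Type: text/plain");
  client.println("Connection: close");
  client.println();
  client.println(ok ? "power cycled" : "unknown plc channel");
  client.stop();
}
```

A tester on the VPN then power-cycles channel 2 with a plain GET to /cycle/2; the sketch does no authentication, so it belongs only on the isolated lab network behind the VPN.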

When I described the setup to a friend in the business, he said, "I would pay for access to that."

A major problem with finding security issues in industrial controllers is cost.  You can find backdoor accounts and service stupidity easily enough with firmware analysis, but sometimes the more fun stuff (such as ladder logic upload over the normal 'SCADA' protocol) is a bit more tricky to find via straight binary analysis.  If you spend just a few minutes with a live device, a lot of these issues fall out quite quickly.

So I am giving it some thought: would anyone be interested in access to a PLC VPN?  It would have a few industrial Ethernet switches (one currently has some 0-day that needs to be coordinated), multiple PLCs, and I guess a small server running a Windows Terminal Server and a Linux VM for running configuration software and hacking tools.  It would also (of course) have a relay board for rebooting PLCs and RTUs when they inevitably crash.  I could even wire it up to some real world stuff, like having PLCs connected to some lights and stepper motors, plus a webcam, so that you could watch what happens to the PLC in its various failure modes.

Is anyone interested in such a thing, to be used as a hacking playground?  Would you be willing to kick in a few dollars to make it happen?

Image by epsos


About this Entry

This page contains a single entry by giminy published on June 6, 2013 4:19 PM.
