This morning, at our S4 Conference, Reid Wightman gave a detailed two-hour presentation on the Project Basecamp results. Project Basecamp had six great researchers looking for vulnerabilities in six different PLCs / field devices, and the PLCs took a beating. There were backdoors, weak credential storage, the ability to change ladder logic and firmware, command line interfaces, overflows galore, TFTP for important files and so much more.
Digital Bond's S4 has us flat out this week, so we will be blogging in detail on this next week; in the meantime, here are some of the Basecamp basics.
The Basecamp team:
- Reid Wightman (project lead)
- Dillon Beresford
- Jacob Kitchel
- Ruben Santamarta
- Anonymous Researcher 1
- Anonymous Researcher 2

The Basecamp PLCs / field devices:
- Control Microsystems SCADAPack (bricked early on)
- General Electric D20ME
- Koyo / Direct LOGIC H4-ES
- Rockwell Automation / Allen-Bradley ControlLogix
- Rockwell Automation / Allen-Bradley MicroLogix
- Schneider Electric Modicon Quantum
- Schweitzer SEL-2032

The Basecamp Tools:
As we have said in earlier blogs, we are hoping that Project Basecamp will be a Firesheep moment for PLCs. To that end we are working with Rapid7 to release Metasploit modules for the Basecamp vulnerabilities. There is a press release out now that announces the GE D20 Password Retrieval module available today, and a number of other Basecamp modules are in progress for release soon.
We have also worked with Tenable Network Security to create Nessus and PVS plugins. A joint press release went out today at 11AM and the plugins are available in the Nessus feed.
Thanks to the Basecamp team, who volunteered many hours, including Reid, who seemed to be working about 20 hours a day for the last few weeks.
What do the checks, exclamation marks, and x’s actually mean?
Researchers from DSecRG (a subdivision of the ERPScan company) decided to take part in this initiative by publishing a number of 0-days in WAGO PLC and some SCADA software.
Information is here:
http://dsecrg.com/pages/vul/show.php?id=401
http://dsecrg.com/pages/vul/show.php?id=402
http://dsecrg.com/pages/vul/show.php?id=403
http://dsecrg.com/pages/vul/show.php?id=404
http://dsecrg.com/pages/vul/show.php?id=405
http://dsecrg.com/pages/vul/show.php?id=406
http://dsecrg.com/pages/vul/show.php?id=407
Are you going to publish the model numbers and firmware versions that you tested? That would be helpful, as there are a lot of variations to consider.
What about Siemens PLC?
Some answers from a variety of comments:
The chart listing the vulnerability types found in PLCs the researchers examined. A red “x” indicates the vulnerability is present in the system and is easily exploited; a yellow exclamation point indicates the vulnerability exists but is difficult to exploit; the green checkmark indicates the system lacks this vulnerability.
We will be publishing more detail, including version numbers, in a series of blog posts beginning Monday and the Basecamp paper will be part of the S4 Proceedings ebook. We will also be posting the video online.
We did not include the Siemens S7 or other Siemens PLCs in Basecamp because they had been tested quite a bit already. We are considering integrating those results into the Basecamp paper, and we considered the Siemens vulns in coming up with the categories. We are also encouraging Basecamp researcher Dillon Beresford to pass his Metasploit modules to Rapid7.
Dale Peterson
Digital Bond, Inc.