Unfortunately not all are free to download, but with a certain effort it was possible to find them, although sometimes retrieving the latest patch is really impossible.
Absolutely zero. I have never used the products I tested, and the situation has not changed much after the tests. I didn’t go deeper into the software that I tested, after all it was just an experiment.
3. How much time did you spend with each product?
I didn’t spend more than 2 days on each one, including the reversing of the protocol, the auditing, the fuzzing and the analysis. This also includes the writing of the advisories and the proof-of-concept code, because for me it’s normal to provide this code for anyone wants to verify the bugs I report.
4. Can you provide an overview of the tools or techniques you used to find these vulnerabilities in such a short time?
I performed a simple auditing of the main operations by following them with a debugger. Just the classical watching of what the program does with the bytes of the incoming packet. This is necessary mainly for figuring out the protocol (for example some of the softwares use checksums) and noticing some bugs directly with the eyes.Then there is the fuzzer part where an automated tool modifies the original sample packet or builds it from scratch till the finding of an exception like a crash.
The vendors have not been contacted because I no longer follow the so called “responsible disclosure” guidelines that I used until the end of the 2007. The fact is that finding a vulnerability and releasing it publicly is already a “huge” job that the researcher does for free (finding the bug is the major part of the patching process) and contacting a vendor that doesn’t even credit him in the patches is just like becoming a slave and it’s offensive to the researcher … I have many horrible experiences with responsible disclosure.
For these specific bugs I have waited some months between the finding and the releasing because I wanted first to see if was possible to get some funds by reporting them to specific security companies that make responsible disclosure.
I guess no because I have noticed that there is no interest in these vulnerabilities so there are no funds for my research. This situation has been confirmed also by the same ICS-CERT (http://www.us-cert.gov/control_systems/ics-cert/) where the resulting concept of our discussion can be summarized in “SCADA is a so critical field that if I find a security bug I must do it for free”, and I must also cooperate (forever for free) to fixing it. So spending my time and effort for free is something I would limit, I have already done this for 10 years and “glory” leads to nothing, although I must admit that a full-disclosure release is ever a pleasure. :)
Anyway I have some other SCADA vulnerabilities in my pocket and 3 of them are about a very big vendor, but at the moment I have still not planned the releasing of these additional security bugs or if they will be under full or responsible disclosure.
Image by @TimStratPhoto