There is a ‘talk franchise’ that has started titled ‘Switches Get Stitches.’ Started by Eireann Leverett and Colin Cassidy, it showcases problems in industrial network switch hardware and firmware. Digital Bond Labs offers a humble contribution to the cause: a demonstration of a firmware rootkit for an (admittedly somewhat dated) industrial switch. If you are attending Defcon 23, be sure to check out the ‘official’ SGS talk there.
One of the components in this year’s ICS Village CTF is going to be pretty unique: we have modified a network switch’s firmware. This gives us a lot of interesting leeway: the modified switch can mangle packets, talk to a command-and-control server, and expose a few other interesting flags for participants to find.
Most ICS equipment lacks any kind of firmware protection. Scarier still is the fact that some operators, including a very small subset of utility operators, purchase safety-critical equipment from dubious sources such as eBay.
So, let’s take apart a network switch and show just how easy it is to trojan a device!