Koyo / DirectLOGIC ECOM

Background

The Koyo / DirectLOGIC product line is a much lower-cost PLC than the GE, Rockwell Automation and Schneider Quantum products examined in Project Basecamp. It is less likely to be found in critical infrastructure SCADA and DCS, but it is widely used in smaller plants and systems across a variety of industry sectors.

The Basecamp team focused on the ECOM Ethernet module, as this is the most accessible interface for a cyber attack and therefore an attractive target for an adversary. At S4 2009 Digital Bond demonstrated that firmware could be uploaded to the device without any authentication.

In Project Basecamp, the anonymous researcher found that ladder logic upload and download are protected only by a seven-digit passcode, which can be brute-forced. The web server allows configuration of the Ethernet module only, but it has no authentication and suffers from cross-site scripting issues as well as denial-of-service issues. In particular, requesting a non-existent page such as http://koyodevice/foo.htm takes the web server offline for several minutes.

Metasploit Module

koyobrute.rb – This Metasploit module will brute-force a Koyo passcode. It is likely to work against other Automation Direct devices that support the DirectNet (aka HAP) protocol. Currently (14 Feb 2012) this module operates more slowly than we'd like; expect a new version soon that will greatly speed up password cracking.

With the recovered password an attacker can download ladder logic to learn about the project, modify the ladder logic to affect the availability or integrity of the process, and upload rogue ladder logic.

The koyobrute.rb module is currently in Rapid7 QA and should be released shortly. The Metasploit team typically cleans up our code a bit and makes it consistent with the Metasploit framework.

If you can’t wait you can download our proof of concept koyobrute.rb module for Metasploit.

Fingerprinting Tools

The Koyo is difficult to fingerprint because it exposes so few services. The web server provides no fingerprintable data (no Server: header). The Modbus server implements no unusual function codes that would set it apart from other devices. Devices can, however, be located through active search engines such as ERIPP by searching for strings contained in the ECOM web pages.

The Project Basecamp team used the Tulsa Modbus Scanner to fingerprint the Modbus server on the device. Here is the Tulsa Modbus Scanner output.

Note – This is a useful tool from the University of Tulsa, and it would be great if it could be released for wider use.
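One way to fingerprint a Modbus server by the function codes it accepts is to request each code in turn and classify the reply. The following is an added Ruby example (the language of the Basecamp Metasploit module); it is not the Tulsa Modbus Scanner and not code from the original page. It builds a Modbus/TCP request for each function code, classifies the reply as supported, rejected with exception 01 (ILLEGAL FUNCTION), rejected for some other reason, malformed, or no reply, and runs against a constructed fake server so it works offline. `tcp_transport` is the assumed hook for pointing it at a real device on port 502; the fake server's supported set (function codes 3 and 4) is made up for the demonstration.

```ruby
# Added example: Modbus/TCP function-code sweep for fingerprinting.
# Not the Tulsa Modbus Scanner and not code from the Project Basecamp page.
require 'socket'

MBAP_PROTOCOL_ID = 0
EXCEPTION_NAMES = { 1 => "ILLEGAL FUNCTION", 2 => "ILLEGAL DATA ADDRESS",
                    3 => "ILLEGAL DATA VALUE", 4 => "SLAVE DEVICE FAILURE" }.freeze

# Build a Modbus/TCP ADU: MBAP header (transaction id, protocol id,
# length of unit id + PDU, unit id) followed by the PDU (function code + data).
def build_request(tx_id, unit_id, fc, data = "")
  pdu = [fc].pack("C") + data.b
  [tx_id, MBAP_PROTOCOL_ID, pdu.bytesize + 1, unit_id].pack("nnnC") + pdu
end

# Classify a raw response ADU for the function code that was requested.
# Returns :supported, :unsupported (exception 01), :other_exception,
# :no_reply or :malformed.
def classify_response(fc, resp)
  return :no_reply if resp.nil? || resp.empty?
  return :malformed if resp.bytesize < 8
  _tx, proto, len, _unit = resp.unpack("nnnC")
  return :malformed if proto != MBAP_PROTOCOL_ID || len != resp.bytesize - 6
  rfc = resp.getbyte(7)
  if rfc == fc
    :supported
  elsif rfc == (fc | 0x80)
    resp.getbyte(8) == 1 ? :unsupported : :other_exception
  else
    :malformed
  end
end

# Sweep function codes through a transport callable (request bytes -> response
# bytes or nil). Passing the transport in lets the sweep run offline.
def sweep_function_codes(transport, unit_id: 1, codes: (1..127))
  results = {}
  codes.each_with_index do |fc, i|
    # A plausible address/count so that exceptions other than 01 are meaningful.
    data = [0, 1].pack("nn")
    resp = transport.call(build_request(i + 1, unit_id, fc, data))
    results[fc] = classify_response(fc, resp)
  end
  results
end

# Codes the server accepted, or rejected for a reason other than ILLEGAL FUNCTION:
# both indicate the code is implemented.
def implemented_codes(results)
  results.select { |_fc, r| r == :supported || r == :other_exception }.keys.sort
end

# Assumed real transport: one TCP connection per request on port 502, since many
# PLCs drop the socket after an error.
def tcp_transport(host, port = 502, timeout = 2)
  lambda do |req|
    sock = Socket.tcp(host, port, connect_timeout: timeout)
    sock.write(req)
    ready = IO.select([sock], nil, nil, timeout)
    ready ? sock.readpartial(260) : nil
  rescue SystemCallError, EOFError
    nil
  ensure
    sock&.close
  end
end

# Constructed fake server for an offline run: implements FC 3 and 4 only and
# answers everything else with exception 01 ILLEGAL FUNCTION.
def fake_modbus_server
  lambda do |req|
    tx, _proto, _len, unit = req.unpack("nnnC")
    fc = req.getbyte(7)
    pdu = if [3, 4].include?(fc)
            [fc, 2, 0x1234].pack("CCn")   # one register, value 0x1234
          else
            [fc | 0x80, 1].pack("CC")     # exception 01
          end
    [tx, 0, pdu.bytesize + 1, unit].pack("nnnC") + pdu
  end
end

if __FILE__ == $0
  results = sweep_function_codes(fake_modbus_server)
  puts "implemented function codes: #{implemented_codes(results).inspect}"
end
```

Restrict the `codes:` range on production equipment: diagnostic and write function codes can alter device state, and a device like the Koyo that already goes offline on a bad HTTP request may not tolerate a full sweep.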

Ports and Services

Port       State          Service
80/tcp     open           http
502/tcp    open           modbus
28784/udp  open|filtered  DirectNet

Backdoors

No backdoors were found in testing, although a modified brute-force tool could be used to search for backdoors outside the allowed password space (allowed passwords are, in big-endian representation, 0xA0 00 00 00 through 0xA9 99 99 99, that is, a leading 0xA nibble followed by the seven passcode digits). A tool will be written to search the complete range of 4-byte passcodes, although in its current form it may take some time to run.
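To make the passcode space used by the brute-force module and by the proposed backdoor search concrete, here is an added Ruby example that is not the koyobrute.rb code. It encodes a seven-digit passcode into the 4-byte big-endian form stated above (0xA nibble followed by the seven digits as packed BCD, which is the reading consistent with the range 0xA0000000 to 0xA9999999), decodes and classifies arbitrary 4-byte values so that a backdoor search can tell in-space from out-of-space candidates, and sizes both sweeps. The `try_password` callback is a placeholder: the DirectNet/HAP request format is not reproduced here, so a real run would supply a callable that sends each candidate to UDP 28784 and reports success.

```ruby
# Added example: the DirectLOGIC passcode space (not from koyobrute.rb).
# A passcode is seven decimal digits; on the wire it is a 4-byte big-endian
# value with a leading 0xA nibble followed by the seven digits packed as BCD,
# so 0000000 -> 0xA0000000 and 9999999 -> 0xA9999999.

PASSCODE_DIGITS = 7
PASSCODE_SPACE  = 10**PASSCODE_DIGITS        # 10,000,000 candidates
PASSCODE_MIN    = 0xA0000000
PASSCODE_MAX    = 0xA9999999

# Pack a passcode (Integer 0..9_999_999) into its 4-byte wire form.
def encode_passcode(code)
  raise ArgumentError, "passcode out of range" unless (0...PASSCODE_SPACE).include?(code)
  hex = format("A%0#{PASSCODE_DIGITS}d", code)   # e.g. "A1234567"
  [hex].pack("H*")                                 # "\xA1\x23\x45\x67"
end

# Reverse of encode_passcode; nil when the 4 bytes are not a valid passcode
# (wrong leading nibble or a nibble outside 0..9).
def decode_passcode(bytes)
  return nil unless bytes.bytesize == 4
  hex = bytes.unpack1("H*").upcase
  return nil unless hex =~ /\AA\d{7}\z/
  hex[1, PASSCODE_DIGITS].to_i
end

# True when a 4-byte value lies inside the documented passcode space.
def in_allowed_space?(bytes)
  !decode_passcode(bytes).nil?
end

# Lazily yield every candidate in the allowed space, in wire form.
def each_candidate
  return enum_for(:each_candidate) unless block_given?
  (0...PASSCODE_SPACE).each { |c| yield encode_passcode(c) }
end

# Number of 4-byte values a backdoor search outside the allowed space must try.
def backdoor_search_size
  (2**32) - PASSCODE_SPACE
end

# Wall-clock hours for a sweep of `candidates` values at the given attempt rate.
def sweep_hours(candidates, attempts_per_sec)
  candidates.to_f / attempts_per_sec / 3600.0
end

# Driver for the in-space sweep. try_password is a hypothetical callable that
# would send one 4-byte candidate over DirectNet/HAP (UDP 28784) and return
# true on success; the protocol framing is deliberately not reproduced here.
def brute_force(try_password, limit: nil)
  each_candidate.each_with_index do |bytes, i|
    break if limit && i >= limit
    return decode_passcode(bytes) if try_password.call(bytes)
  end
  nil
end

if __FILE__ == $0
  puts "in-space candidates:  #{PASSCODE_SPACE}"
  puts "out-of-space values:  #{backdoor_search_size}"
  puts "hours at 100/s (in-space): #{sweep_hours(PASSCODE_SPACE, 100).round(1)}"
  puts "hours at 100/s (backdoor): #{sweep_hours(backdoor_search_size, 100).round(1)}"
end
```

The size functions explain the note above about run time: the documented space is ten million values, but the remaining 4-byte values number over four billion, so a full backdoor search needs roughly 430 times the attempts of the ordinary brute force at the same rate.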