Alright, it's about that time to get the show on the road, so everyone please give a very warm welcome to Thiago, who will be talking about hacking PLCs.

Sorry, I have a little experiment here, and it took a little longer to set up than I was expecting. But I am very, very happy to be here at DEF CON today, and I was honestly expecting like 50, maybe 100 people. So thank you guys for taking the time to be here on Saturday morning and listen to me. I am Thiago Alves, and a little bit about me: I am a PhD student at UAH, and I also work at the Center for Cybersecurity Research and Education. And yes, this is what I do. I love to hack stuff, and I try to break as many things as I can. And I'm also the creator of the OpenPLC project. If you guys haven't heard of it, you will hear about it a little bit today. Hands up if somebody has heard about OpenPLC before. Wow, thank you. That's great. That's great. Thank you.

Also, today is a very important day for me, because this trip to Vegas marks our ninth anniversary. Me and my wife have been together for nine years. And yeah, I used to have more hair back then, but she's still pretty, the same way. So I'm a lucky guy. And she always complains about slowing me down, because now we have kids and I have other things to focus on. But I keep telling her that if you want to go fast, you go alone. Life is not about speed. But if you want to go further, if you want to go far, you go together. That's why I'm here. That's because of you. And I'm very happy I invited her to be here at my talk. Thank you. And she has a very important job, actually, because I have really bad jokes and she laughs at all of them. So if you hear her laughing, just please laugh as well, so we have a nice presentation.

So, a little outline about today. I'm going to start with background info, a little bit about PLCs. If you guys know about PLCs, I'll try to go fast. If you don't know about PLCs, please pay attention, because I will go fast.
Then we'll go on and talk a little about attack vectors, some stuff we can do to break those things. And finally we'll demo, if the demo demons haven't gotten me, because I didn't have enough time to set up. So hopefully things will go fine.

So what is a PLC after all? That's what it looks like, right? It's a brick. And it stands for Programmable Logic Controller. Basically it's a digital computer, right? It's been used in automation since 1970. So it's a long time ago. And basically it is an embedded system with a CPU, some RAM, some ROM, right? Some flash nowadays. And you put your program in there, you run your program, and your program decides what to do with the input data it senses from the input modules that the PLC has. So a PLC has a bunch of inputs, a bunch of outputs. I have three PLCs set up here trying to heat water. And they're doing a poor job doing that. But then you program those devices to any logic you want. And it has output modules to control real-life stuff, right? So for example, in this setup it's controlling the heater based on the temperature sensor that is attached to the input module.

And you will see PLCs in many different places. So here I have a dam, a substation, a gas distribution system in a petrochemical facility. PLCs are there. And you can imagine what happens if you hack into those PLCs and make them crash, right? Or change a setting. So in all those situations a disaster will follow if you break into a PLC, because they are controlling large, huge stuff that can cause even physical damage and loss of life, right?

So what is the problem with the current PLCs we have? First of all, they are freaking expensive. You know, if you're building an embedded system, it shouldn't cost that much. Nowadays there are some companies selling what they call cheapo PLCs. You can buy one for like $100 or $200, but then they get you on software. There are companies selling software, programming software for PLCs, for up to $5,000 per station.
And that is ridiculous, right? That is ridiculous. And also they rely on very legacy technology. PLCs were built like 40 years ago. And that's also a major problem, because this legacy technology was created at a time when the internet didn't exist. So they use unsecured protocols to communicate. Most companies would rather patch their devices instead of redesigning them. We are in a situation where we need a redesign. And they're closed source. So this is a problem if you are a researcher trying to figure out how they work.

So I came up with a solution. If you guys know about it, OpenPLC, that's my thing, right? OpenPLC is the world's first and only PLC available with the full source code. There are other approaches where people try to develop their own PLCs, but they are not close to what a PLC should look like. There are many standards that define what a PLC should do and how it should behave, and I try to follow those standards closely so that it will look like a real PLC and behave as much as possible like a real PLC. And I make the source code available; anyone can go take a look at the code and use it. It is free, right?

And basically OpenPLC has three main components. The runtime, that is the big thing that I'm creating, is the thing that goes into the embedded system, the embedded device. Initially I started creating my own hardware, but then I gave up and started using Raspberry Pis, Arduinos and stuff that everybody has. So you can load the runtime on your embedded system and have it read your PLC programs. You create your PLC programs on the editor, that's supposed to run on your computer, right? On your Windows or Linux machine; some folks have ported it to macOS as well. And the third portion of it is ScadaBR, which is a GUI builder that allows you to create nice animated graphical screens for your PLC programs, right?

So the OpenPLC runtime runs on many different platforms. These are the platforms that are currently supported, officially supported.
Like I said, Raspberry Pi, Arduinos, but also there are some industrial devices that people created that also run OpenPLC, like UniPi and PiXtend. This is really cool; you can go and buy those devices and install OpenPLC today if you want. There are other devices that are not here; they're not officially supported. They were created by the community. So I have a forum with lots of people in there, and they ask all sorts of questions. They also contribute to the project, and they created unofficial patches that make OpenPLC run on like Orange Pi and other platforms that basically run Linux.

This is the editor, what it looks like. It supports five programming languages. These are all the five languages defined in the standard. And this is ScadaBR, right? This is a really nice graphical screen created on ScadaBR, so it can create many things. This is the water temperature control you're going to see today.

So let's talk about PLC protocols for a bit. I don't know if you have touched on SCADA protocols before, but what it looks like is, there are problems with those protocols. Basically, most protocols today are derived from legacy serial networks. So if you're old enough, you might remember those RS-485 networks where you hook up a bunch of devices on a serial cable and all the devices receive the same message and they decide if they want to accept it or not. This is great for hacking, right? You just listen to the bus and you get everything. There is no authentication, of course. There is no integrity. And when I say integrity, I'm not talking about error correction. I'm talking about if somebody tampers with the message, is that going to be figured out at the other end or not? So they don't have any integrity mechanisms. And there's no confidentiality. So the message goes on the field with no confidentiality, which means it goes in plain text, right?

So the most popular SCADA protocol is Modbus. About 90% of PLCs support that.
Actually, I haven't found any PLC that does not support Modbus. They usually support their own protocol plus something else plus Modbus. Everybody talks Modbus. And in essence, Modbus is very simple. There's nothing very complicated about it. It is, of course, based on serial networks. And the commands, basically how it works is that the commands for the protocol are encoded into function codes. So you have different function codes for different things you want to do. And it's open. That's probably why everybody supports Modbus, because it doesn't require any licensing. You can go and pay the Modbus Foundation to have your device certified so that they make sure that your device is actually following the full standard, but you don't have to do that to support the protocol. There's no licensing, right? No licensing fee.

And this is the Modbus frame. That's what it looks like. Basically, the first byte is a slave ID. And the slave ID is a unique address, because it was based on serial networks, so you have to have a way to address the device. The function code is what I was talking about. It tells the slave device what to do. It's like the command it should obey, right? And the function code varies from reading or writing to memory areas. Data. Well, data is data, right? It depends on the function code you're using. And finally, CRC. It's just error correction verification. Again, this is not checking the integrity of the message itself. It's just checking if there were any physical errors that happened on the transmission, right? If somebody can tamper with this frame, change the data, recalculate the CRC, and send it through, it will go, right? It will be accepted by the PLC.

So those are the most used function codes. There are function codes to read digital outputs, to read digital inputs, and also to read and write registers. Basically, all it is, is working with memory. So Modbus gives you free access to the PLC memory. You can read whatever you want.
You can write whatever you want, with no authentication. Who loves that, right?

They updated Modbus to make it compatible with TCP/IP networks. What it means is that they added a frame on top of the Modbus frame. So basically, it has a transaction ID to keep track of all the transactions you're making. So if the host makes a transaction, it puts a random number in that transaction ID. So when it receives a response, it might receive a bunch of responses from the same slave device, and it will match the transaction ID to make sure that that response is related to the query it was making. Protocol ID. It seems that originally Modbus on TCP was meant to work with other protocols as well, so they created this field so that different values in that field would mean different protocols. I've never seen anybody using anything different than 00, and 00 stands for Modbus. So I think they failed on this. Length is length, right? How many bytes there are after it. And after that, it's just the plain serial Modbus frame as it was before. They kept the slave ID byte in that frame because some people would just convert between TCP/IP networks and serial networks. So you have old devices talking serial and new devices talking TCP. So keeping that byte over there means that serial devices will also be able to receive that message, right? Even though they are addressed on TCP. For TCP-only PLCs, usually, that byte means nothing. They will accept anything.

Attack scenarios. What can we do with this? You can create a few different attacks with that. Because the message is so simple, you can just interrupt the communication and cause a denial of service. There are many ways to do that. You can intercept the message and read the contents, because there is no encryption, no confidentiality at all. You can also modify the message. You get the message, you get a bump in the wire or some sort of Ettercap or poisoning hack. And you get the message, since it's plain text.
You modify the contents, send it back. Yeah, that is pretty disastrous. And my favorite, injection. You can just send a freaking frame. The PLC will accept you, right? It accepts everybody.

So let's demo it. Hopefully it will work. So I have here ScadaBR, and let me start the last PLC. I didn't have the time to do it. Hopefully I will now. Let me get back to ScadaBR. So this is ScadaBR, for you to get familiar with it. It's an old tool, but it works very well, and I incorporated it into the OpenPLC project so that we can update it and renovate it over time. So here I have all my data sources. These are all my PLCs. So here on the table I have three different PLCs. The first one here is OpenPLC, running on a UniPi platform. This is an industrial platform. The second one is an Allen-Bradley MicroLogix 1400 series. And the third one is a Schneider Modicon M221. So let me go ahead and try to turn them all on. Hopefully they are good. So let me start this PLC as well.

In the meantime, while this thing is starting, let me show you the graphical screen and what it looks like. So this screen shows my system, my setup here. So what I have, as I said before: I have a cup filled with water, and a water heater element inside it, and a temperature sensor. The temperature sensor is connected to the PLC. So I have three identical setups, and since PLCs talk ladder logic, I just created the same ladder logic for all three PLCs. So they are running identical logic programs. Of course each architecture will just interpret that logic differently internally. Some will compile that to binary code, that's the case for OpenPLC; some will just convert that for a virtual machine that will run interpreted instructions. So it varies by vendor, but they are all in essence doing the same logic. I just copy-pasted the same ladder diagram to make sure they are all running the same thing.
And in that configuration I have a flexibility here that I can set the PLC to manual mode and turn on the heater if I want, manually, so you can see the heater going up here. Just a little break to turn on the PLC, sorry. And I can turn the heater off, I can put it in auto mode. So the auto mode will try to keep the temperature around 40 degrees Celsius, and you know, temperature is a slow thing, so it might go up slowly and go down slowly, but in essence all the PLCs are trying to keep that around 40, except this third little one, because it's not on yet. Sorry about that. Let me just log in here, and in one second I will turn it on.

So my job here is to try to attack these PLCs. Once I am in the network, I will show you how easy it is to create a Modbus frame and attack it, right? Last click. Not yet. Okay, should be good to go. Let me start it. Yes, I want. Okay, this is SoMachine Basic. This is the software used to program the Schneider Modicon M221. We will have a lot of fun with that software today.

Okay, so let me start my terminal here. So I have an injection attack ready. What does the injection attack do? It tries to send Modbus packets that will switch the PLCs into manual mode and keep the heater on, right? And this message will be sent over and over and over again, so that the operator will lose control of the PLC and will not be able to turn it off, right? So I will start the attack now. This little attack, I hate that sound. This little attack has two parameters. I created this software, by the way; everything is available on my GitHub, so if you want to get those tools, go ahead, you have it. So it has two parameters. The first one is the host, 100.100.100, because I'm really bad with numbers, I had to choose a good one.
And the other parameter is frequency. I won't use it; the default frequency is a thousand messages per second. So let's try that on OpenPLC. Go. All right, cool, heater is on. Let's turn it off. Well, it doesn't work. So let's put it in auto mode. It doesn't work either. I'm screwed. So that's probably what the operator will be thinking: you see the temperature going up and you can't do anything about it. And all it takes is sending freaking Modbus frames. That's all it takes. What I'm doing here is writing to a portion of the memory of the PLC that I know is storing the setting for manual or auto mode, and the other area that is storing the setting for the heater, if it's on or off. That's all it takes. And I can guarantee you that this kind of attack works with 100% of the PLCs that I know of. So okay, let's stop this, because I have boiling water already. Let me put it back on auto mode; it will shut off the heater.

Now let's try the same thing with our friend Allen-Bradley. It is at the same IP except 101. I know, I'm bad with numbers. So let's try that again. Boom. Oh gosh, no, it's on. Doesn't work. Auto mode also does not work. Temperature will go up, and yeah, it works the same way. You see, different brand of PLC, freaking same Modbus protocol. That's the culprit. Let me stop this. Auto mode again.

Last attack. Let's try that on the Schneider Modicon. Please misbehave. Okay, it's on, even though the temperature is also over the set point. It does not work either. So that's how simple it is. You can today start creating your own PLC attacks. Okay, let me stop this now.

This was pretty fun, and I had a lot of fun creating this, but I have one more thing, for those of you who are fans of Steve Jobs. This is where the best part happens, right? So let's talk about MicroLogix. MicroLogix is a PLC from Allen-Bradley and Rockwell Automation. I don't know the history, but they keep both names on, so I just say both names. But what are the fun facts about the MicroLogix 1400 series? You should be buying one today to hack. It's a pretty fun
device, right? So first of all, it runs VxWorks. VxWorks is one of the most popular real-time operating systems in the industry. It's on everything, including PLCs. And there are a bunch of vulnerabilities reported for that device. Guess what? I bet most of those work with Allen-Bradley as well, right? It is one of the most popular Allen-Bradley PLCs; you see that everywhere. And it supports Modbus TCP; that's why the injection attack worked. This is my favorite feature: it can be killed remotely by sending a bad Modbus packet. This is great.

So let me talk about this, what I call MicroLogix deadly packets. Basically, all it takes is to trick the memory allocation algorithm of the MicroLogix PLC. So what I do is I start a new transaction ID, protocol of course is Modbus, 00, and in the length field I say I will need 256 bytes, but I only have 6. All right, so it might try to allocate that much memory, but it's only receiving less than that. And right immediately after, I start a new transaction ID where the length is the length of the previous packet, and it's incomplete; it stops at the unit ID. So it makes the PLC confused with its memory management system, and I cause a buffer overflow, writing that message on a different area of the device, crashing the device and making it unrecoverable.

So let's try to do that. All right, so just to check here, I should have everybody running. Wow, I left that PLC on for too long. All right, so we are targeting Allen-Bradley now. It should be working fine, so I'll just put it in manual mode to prove, like, the heater is on, heater is off. It should work beautifully. Auto mode should keep the heater off. Let me just keep that on, the heater on, so that will be more fun. Let me go. It's hard to type when your hands are shaking. It should be Allen-Bradley exploit. This is also available on my GitHub. So the only argument it takes is the IP address of the PLC. So all it does is send those two deadly packets, and let's see what happens when I do it. Dead. So you'll see right now that
the PLC is not communicating anymore. You see the exclamation points all around. Dead. How cool is that, right? You can even try to press the buttons over there; it's completely dead. And you know, the fun fact of it is, if you power cycle, it's still dead. I'll prove it. I just power cycled it, and it will boot again. It managed to boot again, but the fault LED keeps on for some reason. So yeah, it is booting up, and you still see the exclamation points here. You will see it till the end of the presentation. So the problem is that the application got corrupted, so the PLC cannot launch it again. The fault mode is always on. The only way to make it work again is to reprogram it with the ladder logic. This is creepy, right? So if you lost the ladder logic, you're screwed. Please don't send it on the wild; there are too many MicroLogix PLCs out there. All right, let's behave.

Okay, let me see if I have something else. This is a problem that affects all MicroLogix 1400 series. I don't know about others, because I'm not rich enough to buy all the PLCs, but I bet it also affects some other related series like the 1100. And so I talked to Allen-Bradley through ICS-CERT; we published this vulnerability, and they are really nice. They responded back and tried to work with me to create a patch. So they released recently, about a few months ago, a firmware update. This firmware update fixes this vulnerability, although it's a pain to update it. I spent like half an hour trying to do that. I'm supposed to be a security expert; imagine people out in the field, what they will do to try to update this thing. They won't. They won't stop their factory to update their PLC firmware. Hopefully the new PLCs that will be sold now will have this new update already built in. There are other mitigations where, please disable Modbus TCP. This is not a fix, dude. If you're disabling the protocol, you're not fixing it; you're just disabling it. So this mentality is common for all the PLC vendors that I usually talk to: minimize network exposure, put the PLC behind a
firewall. So basically what they're telling you is, the security is on you. We don't provide security. You're freaking alone, so try to do your best. These are good practices, but I honestly believe that a PLC, the device itself, should provide some sort of security.

And one last thing. All right, Schneider. No reason why I brought the Schneider PLC with me. The Schneider has a protocol that is common to all the Modicon family; I think other families also use this. It's called Unity protocol, at least me and some other researchers who are working with this call it Unity. You might hear both names. And this protocol is obscure; it is undocumented. It runs on top of Modbus TCP. So you have a normal Modbus transaction, but when you have function code 0x5A, this is hexadecimal 5A, this triggers the sub-protocol that runs in the data field of the Modbus frame. In the Modbus documentation, 5A is a reserved function code for vendor-specific functions. This is the nice part: it is used to configure and monitor the PLC down to the operating system level. You can do a total memory dump using this protocol. You can get the operating system image using that. This is crazy. It's proprietary and undocumented, so they try to make it secure by obscurity, but that won't prevent us from figuring out how it works.

So basically Unity has a bunch of function codes. So it's a function code inside a function code. You have the Modbus frame and then you have the Unity frame, and these are the function codes you can play with. And I have to thank Luis Litas. He is a researcher in the same field. We started talking and communicating like one year ago, because I figured out he was working on the Unity devices as well, and we are contributing to each other. And he has a very nice blog, LitasEnlated.xyz. If you want, you can go and check it out. He has a step-by-step of how he managed to get those function codes and reverse engineer the DLLs for SoMachine Basic and get that information. So this is pretty cool, and basically you can
take a look at some messages here. They are pretty cool. There are a lot; this is my favorite. But today, given the time constraints, we will only play with a few of those. So basically we will start a communication, we will read the project info to read some data about the project. This is also cool: take PLC reservation. It means that the PLC needs to be connected to someone; someone needs to reserve the PLC. If you take the PLC reservation, you are taking the other party down. This is DoS built into the protocol, dudes. So you just keep sending this take PLC reservation, and I think nobody else can connect. So release PLC reservation, and you are releasing it because you just don't want to communicate anymore. And start PLC and stop PLC are basic main functions to start and stop the PLC.

All right, so let's play with it. I will just keep this slide open so we can play a little bit with how it works. Is that up? Okay, so I created also a little software, Modicon tester; I don't remember the name of the executable. Okay, so this software was created in C# in a hurry. Please don't look at the code; it's messy. But the good thing is, it works. And all I did was to create this thing to help me reverse engineer the protocol. So it basically encapsulates the messages in the Modbus frame with the function code 5A, so I can send anything and it will be accepted as Unity messages. So all you do, you connect to the PLC. It's already set up with the M221 IP address. I connect, and then it gives me the hexadecimal output and the ASCII related to that.

So let's start by starting our communication. So every function code has 001, and I'll end it with 00. So it just gave me back a "hi, I'm here". That's fine. Hello. So let's go ahead and release the PLC reservation, if somebody was talking to it, sorry. And then I'll take the reservation, 10 00. And now the take reservation is an interesting thing. Sorry, I should have made it bigger, but I promise I'll read it right. The message it's sending me back, with the take PLC reservation,
it ends with a magic byte. In this case it's 8E, even smaller for me. So 8E, I mean, it's this magic byte that I need to send before any message that I want to send from now on. Now that I have a session reservation, I have reserved the PLC for me, I'll have to use this magic byte. That means that before, people were trying to do replay attacks, so the replay attacks would be successful just because they didn't have any session management. So you could just get messages that the main station was sending and just replay that, and it would work. Now you need the session number, but that won't prevent us from sending stuff, right? So now let's play with this. I have 8E as my session number. You can see here, Allen-Bradley is still not talking. Sorry, sorry, dude. You can see that the Modicon is still working fine; temperature is 40 degrees Celsius. I can turn the heater on manually and off, right? It works. So what I'll do here is the stop PLC command. So I need to start with my 8E, and then the stop message is 41. It ends with FF 00, and let's see. Stopped. Now the PLC can still communicate, but the heater is off. I cannot turn it on, I cannot turn it off, I cannot put it in auto or manual mode. It's off. How cool is that? So just by sending a few messages, I can have full control of the PLC.

But here comes my favorite feature of this protocol. This is really interesting. So I'm going to use SoMachine Basic here for a second. Let me just create something new. So I'm just using their application to talk to this PLC over here, right? And when I click here, it already identified the PLC. I try to log in, and it's trying to log in, but this application is password protected. How come? So I cannot access my PLC without the password. If I try to type anything, it won't give me access. All right, what can we do about it? Okay, let me get back to my Unity tester here. So remember that message, read project info? For some reason that thing doesn't even require a session. So I'll go ahead and send this: 00, no session; 03 is the function
code for that; and 00 00 will just get the header. So let's see what comes out of it: my header for the project that is stored on the PLC. What is this? Yes, the freaking password, right? So if I were Steve Jobs and I was working at Schneider, I would say this is not a bug, this is a feature. What if you forgot the password? The device needs to tell you that, right? So let's try it. "defcon" is my password. So when I type, boom. I mean, super hard. Now I have full control of the PLC again, using their own software, just because I stole the password. And it works. I've tried with slightly different types of Modicon, M-something series, and the same thing works. So yeah, you can play with that. I can start the controller, because I stopped it before, and I can see the program on it. Yeah, I have full access. So this is pretty hilarious. Now, that's to show you how secure your PLC is. And imagine that those things are controlling your nuclear power plants and your water filtration systems. I'll just go live in a jungle.

So Schneider also, they were really nice. I submitted this through ICS-CERT and they talked with me and we tried to come up with some mitigations. And they recommended the following things: disable Unity protocol. This is the best mitigation ever. So again you see a different vendor with the same mentality: just turn that freaking thing off. It doesn't work, right? They also recommended, because of that password vulnerability and all of that, they recommended to store your project files in secure, access-restricted locations and encrypt your project files with reputable third-party file encryption tools. Again, they're giving you the responsibility to fix stuff, to secure your settings. And this is pretty, it gets me worried, right?

And a little bit about what I plan to do in the future. By the way, I haven't showed you this. This is what OpenPLC looks like. This is a web interface that is running on the device. So once you install the runtime, you have that interface up, and you can see your
programs, you can see your hardware, you can even mess with the code live, right? So it's pretty cool. And this thing is also vulnerable and insecure. I created it to be like that, because I'm trying to mimic what other vendors are doing, so we can kind of research it. But my PhD thesis is about creating a secure version of OpenPLC that will try to prevent those types of attacks from happening.

So it was really fun to be here at DEF CON today. It was really an honor for me to be here, and thank you very much for coming and staying with me this Saturday morning. If anybody has any questions
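As an added, defensive example (not from the talk, and not OpenPLC or vendor code), the checks below show what a monitoring tap or a PLC's own network input should do with the Modbus/TCP header the talk describes. They verify that the MBAP length field is in range and agrees with the bytes actually present, which is the check an oversized or truncated length field of the kind used against the MicroLogix fails before any memory is allocated for it, and they flag write function codes and the reserved vendor-specific code 0x5A so an operator can see which hosts are writing to PLC memory or talking the Unity sub-protocol. All frames are constructed samples; the function names, severities and the `build_frame` helper are this example's own assumptions.

```python
"""Modbus/TCP frame sanity checks for a monitoring tap or PLC-side input
validation. Added example, not OpenPLC or vendor code; every sample frame
below is constructed for the example."""
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_LENGTH_FIELD = 254  # unit id (1) + largest legal Modbus PDU (253 bytes)

# Function codes discussed in the talk: memory reads, memory writes, and the
# reserved vendor-specific code Schneider uses for the Unity sub-protocol.
FC_NAMES = {
    0x01: "read coils", 0x02: "read discrete inputs",
    0x03: "read holding registers", 0x04: "read input registers",
    0x05: "write single coil", 0x06: "write single register",
    0x0F: "write multiple coils", 0x10: "write multiple registers",
    0x5A: "vendor-specific 0x5A (Schneider Unity)",
}
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class Finding:
    severity: str   # "info", "warn" or "alert"
    reason: str


def build_frame(tid: int, unit: int, pdu: bytes, declared_len: Optional[int] = None) -> bytes:
    """Assemble a Modbus/TCP ADU (hypothetical helper). declared_len overrides
    the MBAP length field so a malformed frame can be constructed on purpose."""
    length = len(pdu) + 1 if declared_len is None else declared_len
    return struct.pack(">HHHB", tid, 0, length, unit) + pdu


def check_frame(frame: bytes) -> list:
    """Validate one ADU: header consistency first, then classify the function code."""
    findings = []
    if len(frame) < MBAP_LEN + 1:
        return [Finding("alert", f"truncated: {len(frame)} bytes, need MBAP plus a function code")]
    _tid, pid, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        findings.append(Finding("warn", f"protocol id {pid} is not Modbus (0)"))
    actual = len(frame) - 6            # the length field counts everything after itself
    if length != actual:
        findings.append(Finding("alert", f"length field says {length} but {actual} bytes follow"))
    fc = frame[MBAP_LEN]
    if fc & 0x80:
        findings.append(Finding("info", f"exception response for fc 0x{fc & 0x7F:02X}"))
    elif fc in WRITE_FCS:
        findings.append(Finding("warn", f"write to PLC memory: {FC_NAMES[fc]}"))
    elif fc == 0x5A:
        findings.append(Finding("warn", f"engineering traffic: {FC_NAMES[fc]}"))
    else:
        findings.append(Finding("info", FC_NAMES.get(fc, f"fc 0x{fc:02X}")))
    return findings


def split_stream(data: bytes):
    """Cut a TCP byte stream into ADUs using the length field, refusing to trust a
    length that is out of range or that reaches past the bytes actually present.
    Returns (frames, findings). A reader that skips these two checks is the kind
    that an oversized length followed by a truncated frame confuses."""
    frames, findings, pos = [], [], 0
    while pos < len(data):
        remaining = len(data) - pos
        if remaining < 6:
            findings.append(Finding("alert", f"{remaining} trailing bytes, shorter than an MBAP header"))
            break
        length = struct.unpack(">H", data[pos + 4:pos + 6])[0]
        if not 2 <= length <= MAX_LENGTH_FIELD:
            findings.append(Finding("alert", f"length {length} at offset {pos} outside 2..{MAX_LENGTH_FIELD}"))
            break
        if length > remaining - 6:
            findings.append(Finding("alert", f"frame at offset {pos} declares {length} bytes, only {remaining - 6} remain"))
            break
        frames.append(data[pos:pos + 6 + length])
        pos += 6 + length
    return frames, findings


# Constructed samples (not captures from the talk's PLCs).
READ_REGS = build_frame(1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x01]))          # read one holding register
FORCE_COIL = build_frame(2, 1, bytes([0x05, 0x00, 0x00, 0xFF, 0x00]))         # write coil 0 to ON
OVERSIZED = build_frame(3, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x01]), declared_len=256)  # claims 256, carries 6
TRUNCATED = build_frame(4, 1, bytes([0x03]), declared_len=6)                    # claims 6, carries 2
VENDOR_5A = build_frame(5, 0, bytes([0x5A, 0x00, 0x01, 0x00]))                # vendor-specific sub-protocol

if __name__ == "__main__":
    for label, f in [("read", READ_REGS), ("write", FORCE_COIL), ("oversized", OVERSIZED), ("vendor", VENDOR_5A)]:
        print(label, [(x.severity, x.reason) for x in check_frame(f)])
    print("stream", [(x.severity, x.reason) for x in split_stream(READ_REGS + FORCE_COIL + OVERSIZED)[1]])
```

The two header checks in `split_stream` are the ones a PLC's own receive path needs as well: bound the length field to the protocol maximum before allocating, and never consume more bytes than have arrived. The function-code classification is deliberately coarse; in a real deployment the "warn" findings would be joined with the source address so that writes and 0x5A traffic from anything other than the engineering workstation and the HMI stand out.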