Hello, Congress. Nice to see you again. As usual, I am the only frontman of the SCADA StrangeLove team, and I know there are a lot of guys who helped to make this talk, so if it's OK, please give a hand to the whole SCADA StrangeLove team. Traditionally we start our talk from the battle map, where we show how many ICS systems are connected to the internet. But this time we will skip this because of John. John, who built Shodan, this year published an excellent resource, icsmap.shodan.io, where you can download and check a lot of different ICS systems connected to the internet. And because John said thanks to us, we say thanks to John, because he is an excellent guy. Thank you, John, again. But last year, after our talk, we received a lot of questions about this picture, about the different types of connected systems. People said: OK, this is not ICS. This is some kind of honeypot, maybe. Or it's not serious, these are very small devices, it's not serious at all. So we decided to go deeper and check the first one. The IPC@CHIP is a system on a chip which runs a real-time operating system with TCP/IP, a web server, and security protocols. We love it. So we started to Google, starting from just the system name. We found that it has a built-in CGI server with some built-in functions. And during this assessment we found an interesting application of this chip: the Solar-Log system. What is Solar-Log? Solar-Log is a kind of smart grid, a small grid, a small SCADA, which you can install in your house to manage the PV plant which you can install on the roof of your house. But it generates about 7 gigawatts of instant output, and at the moment about 1 million inverters are connected to this system. Interesting. Because this system connects to some kind of cloud, you can use it to find installations. Now we are showing not the boring network scanning, but just visiting the portal and checking it. So this is Germany, and these are the different locations of the installed systems.
And also it has some kind of, I don't know, social networking features. So you can take a picture of your house, of your PV plant, share it with your friends and say: oh, I'm saving energy, I generate it from my house's personal power plant. But this is all funny stuff. Let's go deeper into the technical side of this system. OK. It doesn't work? It's working. Thanks. Well, the first interesting thing is firmware. It's the kind of software that gives you a lot of information about how the device works. Obviously, I think you know what it is. And the most interesting things in firmware are configuration scripts, the file system structure, and so on. And first, to find devices through, for example, Google dorks, in the simple case you can use just unique strings and grep, for example, in this case, grep the title. And as a result, through Google, you can find a lot of Solar-Log devices connected to the internet. It's about 65,000. Of course, all of them are connected to the internet and cached by Google. Well, let's take a look at the authentication page of the Solar-Log web server. Simply, it's a poor authentication scheme, using only a password. All pages use password authentication. But if you know the appropriate full URL to download the system backup, no password is required. Simply download, well, just simply download the system backup file. And the most interesting thing in the backup is, of course, usernames and passwords. Well, in this picture you can see the simple encryption and all the things that you need to decrypt it. Another one, a typical process for firmware and devices, is the firmware update. Well, following the Solar-Log update process, you can see the highlighted part. On the screenshot, you can give a full path to the system. If you know the file system structure, simply it's a DOS-like operating system. Yes, sure. And you can overwrite system files, configuration files, and so on. So it was fixed.
It was fixed in collaboration with the computer emergency response team of the German government and FENQM. But because this is just a platform, I guess there are a lot of different producers, manufacturers, vendors who use this platform to build other devices, so I'm not sure that all of these simple bugs were fixed. It was a funny story, but we had already forgotten about it, for God's sake. But one day I saw this tweet, and I understood that maybe solar panels are not so renewable, and maybe we should use our power, our knowledge, to save the sun. So we decided to understand a bit more about all this green energy. And if you want to get new knowledge, what should you do? You should go to Germany, to Hamburg, to the Congress Center, but not to Congress, to WindEnergy Hamburg. So we virtually visited this exhibition and got a lot of information on different wind and solar equipment. And let's start from the simple stuff. Shodan again. We found a very common system, the Sunny WebBox. As you can see, a simple Shodan search gives us about 80,000 devices connected to the internet. Alex? Well, the first notice about the Sunny WebBox default password was three years ago on the full-disclosure list. It was the default 'SMA' upper-case password. It's the first type of password. OK, so we decided to read the first manual. Of course, and we noticed that the username 'installer' has a different password than the previously mentioned one. It's 'sma' lower case. OK, so we decided to go deeper and read on in the manual. And we found out that it has user and installer groups, usernames, and different passwords. It only contains numbers. OK, so what's the real, what's the true password in the end? And real researchers, real hackers, try to get it with their own hands. And we discovered interesting things in the firmware: it contains not only user and installer passwords. It also has service and developer system accounts. And it also has interesting strings, an interesting password mode, like hard-coded passwords.
So we can't say what the password is, because it's hard-coded, very hard. But what we can say is that a quick Google search for these devices, by analyzing the responses, because in the response you can find the amount of energy generated by this device, allows you to find about 100 megawatts of energy. If we compare it with a different generator, like a hydroelectric station, it's like the small hydroelectric station near Selamze in Austria. So this amount of energy generated by Solar-Log can be found via Google. But via Shodan and different types of internet scanning you can find 20 times more energy, if you need the power. But it's all about the sun. Let's talk about wind, because, you know, always big stuff. I think it's killing, wind. So simple stuff. Again, very simple stuff. I found a very old Shodan search, which helps me to find about 300 systems. The name of the system is Nordex NC2. Just a quick search of vulnerabilities in this system demonstrates that this system has a long history of vulnerabilities, starting from 2010 and finishing in 2013. What's interesting, I think those vulnerabilities are not patched. Why? Because if we check the response of this service, we can find that this server runs on a system which is already deprecated. So it's version number three of the web server, the Jetty web server, whose current version is number nine. Also, it works on a very, very old version of SCADA. A simple CVE Details search demonstrates that since 2002 people have published information about vulnerabilities in this web server. So I don't want to talk about vulnerabilities in Mama's reel-to-reel recorder. It's not even script-kiddie stuff. But if you want to understand how it looks in real life, I took two pictures from Google. One picture is a Nordex wind turbine. And the second is the management interface. Only from Google. It's not real. So how much energy can we get in this case? About one gigawatt.
So if we compare it with different generation, it's absolutely the same. Like, help me. Stuxnet was in Iran at the Bushehr nuclear plant. The same. So anybody who knows how to read advisories can write their own Stuxnet now. So just to finish this part of our talk: by simple, very simple vulnerabilities, we found about eight gigawatts of instant power. If we compare it with the most famous, most powerful hydroelectric stations, it's number five on the list. It took us two days. So let's continue our saga. Sorry. And talk a little bit about our famous vendor. What is the similarity between the Large Hadron Collider and, for instance, a gas pipe? It's SIMATIC WinCC Open Architecture. It's a very popular HMI, a quite new system, but it also has a new web server. I think if you were at our previous talk last year, you can remember this picture. This is the history of bugs in the Apache web server. Why are we talking about it? Because if you're going to write your own web server, please carefully review all the vulnerabilities discovered while other guys wrote their own web servers. Just to remind you of the history of different funny web vulnerabilities, these were discovered several years ago. If you send an incorrect HTTP request to the web server without an HTTP body, it can crash. This was discovered in the year 2000 in Internet Information Server. And you can use path traversal to read and write different folders. I think you can remember the vulnerability that was related to one worm. And another one related to an incorrect Content-Length, so you can put in a big amount of data but say it is very short, so you can overwrite memory. Why am I talking about this old stuff now? Because I want to show you a small movie. Just a second. Here it is. So let's launch WinCC in the debugger to see the whole process, and submit a very complex request with thousands of A's, a lot of A's. What will we get? We will get a break with the typical 31, 31, 31, 31. I think it's A's also. But if you send a more complex request, what do we get?
A calculator. I think SCADA must have the ability to calculate something. For sure it was fixed. We don't disclose zero-days, but I like this command. So if CERN updates to version 3.12 of SIMATIC WinCC OA, we can stop the terrorists who clearly have a genius plan of accessing the Large Hadron Collider and creating a black hole that will swallow up the world. So we saved the universe. Let's take a time machine and go to the past, to Miami, to the S4 conference. It's a conference dedicated to SCADA safety and security. And what did we show at this conference? This slide, I think you can also remember it, demonstrates the age of the libraries included in the WinCC HMI. So you can see that most of the HMI was compiled before Stuxnet. And at this conference we demonstrated how to find a zero-day using find. So you just get the list of files in the software and try to find the oldest one. And there we found OpenSSL, compiled in 2007. And we said to Siemens: guys, let's update your software. And this was a mistake. Why? Because the old version of OpenSSL does not have the Heartbleed vulnerability. And after the update, we got the Heartbleed vulnerability. And the Large Hadron Collider got Heartbleed. Just to demonstrate how it works, nothing special, but I'm sorry. So we're running a standard Heartbleed handler, which requests memory from the SSL server, and trying to authenticate with a username and password, and getting the username and password from the server because of the Heartbleed vulnerability. It's base64 encoded, so we need to decode it. And let's try again with the stolen username and password. It should work. Here it is. So a simple vulnerability, everybody knows about it, not so simple, but widely known, yes? And what I want, why I show this demo, is to highlight one important thing. People can ask me: OK, first you say, please don't write your own web server. But after that you said, please don't use third-party components. What to do? I don't have an answer.
But anyway, if you decide to write your own server or to use third-party components, please care about security. If you include, I don't know, OpenSSL or a Bash shell in your software, please update it, please check it, please care about it. Alexander? Well, so another one, a vulnerability with a long story. About the SQL injection that was first published one and a half years ago. It was simply an SQL injection via arbitrary SQL commands with unspecified vectors. SQL injection, unspecified vectors. Well, what does it mean? I don't know. OK, well, and Siemens gave us an excellent solution on how to avoid this vulnerability: simply deny connections to the web server ports. Well, OK, it works. Sometimes it works. But SCADA components, industrial control system components, have a lot of protocols, communication processes; it depends on the functionality. And in this case, the WinCC server has not only a thin client, it also has a thick client. Well, it works over the RPC protocol. And well, firstly, when we tried to authenticate, we noticed clear-text messages. As you can see, it's the user here and next the password here. Well, it's clear text. But we spent a few minutes, and after that we noticed that the authentication data goes to the WinCC server on a different port. And it's not clear text. Well, where is the password? It's not clear text. Maybe it looks like some encryption. Yeah, it's a kind of encryption. And I think everybody who saw our previous talk already knows the encryption key. You're right, this is my encryption key. But this was fixed. And it was fixed with a new encryption key. And the first of you who guesses the new leet encryption key gets a leet prize, or free beer from the SCADA StrangeLove team. Secret key? No. It's leet. Good guess, but not right. Excellent transfer. But it's very leet. OK, the first of you who says the new 32-byte key and something else, come on stage after the talk. I have a lot of souvenirs. But this is the leet encryption key. But this was fixed again. We haven't checked it yet. And another interesting story.
It's about cookies. Once upon a time, we tried to discover interesting things in the authentication of a SIMATIC PLC controller. And we discovered an interesting thing: the cookie contains a constant part and a changeable, big part. OK, so we decided to go deeper and understand what's going on with the cookie. And well, the first, biggest part of the cookie is the MD5 of some value. Well, so what about this value? After spending some time reverse engineering the PLC controller firmware, we found out that the MD5 is computed from 26 bytes of the cookie and 16 bytes of a secret, plus two null bytes. Well, what about the secret? Usually, the secret is generated. It's a typical practical approach. The secret is generated after PLC start, and it uses a PRNG. The PRNG was a little bit different from the standard C PRNG, and the seed was a two-byte value. Well, it's time to brute force. But it's too many values to brute force, because the PLC is so tender. And what about the seed? Very often, and it's also a typical approach, it depends on a time value. And by our practical research, it was the PLC start time plus some constant value. Well, a constant value and the current time. Well, the next step was how to obtain the PLC start time. It's obvious that we can use values from the web server page: the current time value. And uptime, uptime we can get through an SNMP request. Great. It's time for Dima. And as a result. It's OK. Just a second. It started. Well, I'm not a master of movie making. I should improve my skills. Well, let's imagine that the attacker is connected to the network. Let's ensure that the attacker is on network one, for example. And first of all, we try to find devices that support the PROFINET protocol. We find a PLC controller. And you can see that it has a different IP address than the attacker's side. OK. Let's ensure that it's not accessible. The next step is using a Python script to change the network settings on the PLC controller using a specially crafted PROFINET request.
Well, we provide to the Python script the destination MAC address and our source MAC address. Well, it's a simple way to get the MAC address of your network interface. And we provide the new network settings for the PLC controller. Simply, it's IP address, network mask, and gateway. Don't type too fast. Yeah. Well, we received an answer. It's cool. Well, let's ensure again that the network settings changed on the PLC controller. Well, it means that we brought the PLC controller into our local subnet. It's accessible. Great. So the next step, let's imagine, it's one of the dependencies of the vulnerability, let's imagine that a real user, for example a SCADA engineer, goes through the browser to the PLC controller and simply authenticates using a login and password. Real login and password. OK. Who guesses what the password is? Star, star, star, star, star. Well, you can see that the controller is in the operating mode RUN. Next, so we see that the cookie is stored in the browser. Well, it's the next very important step. From the attacker's side, we get very important values. From the controller, it's the seed range. And the final step is to run a Python script to brute force the cookie. And we provide to the script the seed values. It depends on how many times the user has authenticated on the controller; it can take from a few seconds to some minutes. Well, let's prepare, let's clear our cookies. Everything is real in this video. Well, we clear cookies and prepare to put in new cookie values. It's still brute forcing. It's only one cookie, with the name siemens_ad_session and a big value that we will get a little bit later. OK. It's a typical scenario. No industrial process is running on the small network, because people see brute force it, brute force it, brute force it. Yep, we found two real cookie values. And Ctrl-C to stop the process. And finally let's copy-paste the cookie value into the browser and reload the page. And ensure that we are the authenticated user administrator. And stop the PLC, stop some process.
Well, as you can see, we don't need any username, password, and so on. Only connect the PLC controller to our subnetwork. What I want to highlight in this vulnerability, for sure it was fixed. But here are two points. First point, we found it because of Congress. Because at 29C3 we participated in a workshop, and one of the guys who was at this workshop said: OK, did you check the cookies? We said: no, I don't believe that on such a small device the authentication process is realized correctly. So after this idea, we started working and found this vulnerability. It's already fixed, OK. And the second thing I want to highlight is the communication about SNMP. Starting from January, we had a long story of communication with Siemens about the SNMP hard-coded community. They said: OK, this is not an issue. But in the end they said: OK, this is an issue, because via this vulnerability you can get the cookie. So what I want to highlight: if you make something, please care about the basic things. Everybody works on SNMP v3, so don't use hard-coded passwords. Why do it on a new system like the S7-1200 or 1500? But please don't think that we hate Siemens or something. We're speaking a lot about Siemens because now we're in Germany. If we were in France, we would speak about Schneider Electric. If we were in the US, we would speak about Honeywell. And you know, really the happiest day in my life is when we get answers that vulnerabilities were fixed. It's emails from Siemens ProductCERT. And I want to thank all the Siemens team and especially Siemens ProductCERT for their hard job. And please give them a hand. And guys, if you're here, and I know you're here, please catch me after the talk. I have so much news for you. So this is our traditional slide with the number of vulnerabilities discovered in different platforms. For the last two years, Siemens was first.
But now you can see that Schneider Electric, mostly because of the acquisition of Invensys, has first place in discovered and not patched vulnerabilities. And many people ask us: what is your approach to discovering so many vulnerabilities? I have an answer: because we're too lazy. This year, we decided not to discover vulnerabilities by ourselves. We built a big testbed with real SCADA, PLC, and RTU systems connected to a railroad, and said to everybody: guys, you can connect here and hack it. If you can make a disaster, you will get a prize. If you find a zero-day, it's your zero-day. But please follow responsible disclosure. So in two days of the Positive Hack Days forum, guys and girls found more than 10 zero-days in InduSoft, in SIMATIC, and in ICP DAS. ICP DAS RTU, it's Taiwanese, like a no-name. So now responsible disclosure is in progress, waiting for the fixes. So we're talking about vulnerabilities, and I want to talk about math. Sometimes math is not such a hard science. So in this case, we submitted about 10 vulnerabilities, nine vulnerabilities, to the vendor, and got the response that all vulnerabilities are fixed. But in the advisory, we found only two. I don't know, shall we trust the vendor, maybe not. But what I want to highlight: sometimes it's a very bad idea to create a false feeling of safety. Because if somebody reads this advisory, he can say: OK, it's CVSS 6.2, it's not very important, I will not update this system. But in reality, several remote code executions without authentication are here. So it's better to speak the truth. Post-scriptum, a very long post-scriptum. Does anybody here know the difference between picture one and picture two? OK, a different question. What is bad, one or two? Green light or yellow light? Somebody? Green, OK. The first who said green has a special prize. I will say why. Let's talk about functional safety, because now we're speaking about vulnerabilities. OK, we got root. But when you are talking with industrial people, they say, and so on: So what? OK, you got root.
I have a special system, I have a special protection system, which does not allow a disaster. I want to demonstrate how very simple vulnerabilities can lead to very serious problems. First, super heavy trains. I think you know what super heavy trains are. They're very big trains with several locomotives, which sometimes synchronize engines by a radio channel. One at the beginning, one in the middle, one at the end. And they synchronize engines and brakes via the radio channel. Why do they do it? Because they need to run synchronously. So let's imagine that somebody runs a small radio jammer. And it's a very long device with several locomotives. And they no longer run synchronously, and the train just goes in different directions. So also, it's a very interesting answer. Typically you can get it if you speak with industrial people about SIL 4. Does anybody here know what safety integrity levels are? Seems a lot of people, yeah. So when you say: OK, you have a problem. We have SIL 4, we don't care. What is SIL 4? It's a safety integrity level. It demonstrates a probability of failure for different processes. It can be a probability of failure on demand, when you ask a system, or if it's a continuous process, it's a probability of failure per hour. You can see that this is a very big number. So the probability of failure is a very small number. So if this system really has SIL 4, it should never break. But if we get root on this system in 15 minutes, does it still have SIL 4? My answer: no. And I had a very interesting discussion with the developer of one system. After a demonstration where our team could change the road and manage a switch on a SIL 4 certified system, he said: you know, this is not my system. I saw you upload the wrong firmware. You rooted it and uploaded the wrong firmware. And now this is not my system. Before you rooted it, it was my system. You know, it's like with people. Sometimes in a more special kind of mindset, you can do very bad things. But this is not you. And this is not my system anymore.
So I think now we know the difference. The green light is bad. Why? Because with a green light, the train will go at high speed into the curve. And sometimes it can be very bad. With a yellow light, it will drop speed and move more slowly. And the real post-scriptum. I think a lot of people here know what network convergence is. It's especially in the telecom environment, when different types of communication protocols go onto the same basis like IPv6 or IPv4. And PSTN goes to IP and mobile goes to 3G and so on. So all the different systems are connected together using the same basis. But what we see at the moment is operational technology convergence. We see that modern smart grids use protocols and technologies from ICS, sometimes mobile connections, sometimes billing and payment to understand how much power you generate, and so on, cloud technology. So we see different technologies come together to maybe make our world better. And over the last year, we had a lot of talks at different conferences. For instance, at Black Hat, we spoke about how to hack ATMs. At PacSec in Tokyo, we spoke about how to get root via SMS. And also, we spoke about the great train cyber robbery at FOSIX. But you know, all this is about the same thing. We cannot say at the moment. Why? Because we don't know yet. But what we know: our world now is a very complex and very gentle thing. So let's invest, let's use our power to keep it safe. Maybe not safe, because it's too hard, but at least peaceful. Thank you. Thank you.

Thank you very much, Sergey and Alexander. Now for the questions, could you please line up at the microphones here in the middle of the room? And as I can see, we have no questions from the internet. Nothing from IRC. Thank you, Triloda, for monitoring the internet as Signal Angel. How about questions from the room? Yes, microphone number one, please.

Yeah, hello. My name is Tric Moebius. I'm working as a software developer in railway technologies.
And I would just like to add, concerning the safety level four: yes, the risk is against failure. Yes, everything which is currently implemented in railway technology is against failure, not against sabotage. If you would, maybe we can talk later about that. I understand. Yeah, you're absolutely right. Safety doesn't think about people. If you know how railway technology works, you can sabotage everything from axle counters to point machines; you can crash any train. Yes, because at least you go to the hardware and disconnect the wires. So it's about detecting failures, not about being able to prevent sabotage. Not yet; we're working on it, but that's another talk. Yeah, I understood you absolutely, because, you know, when I talk with people who work with industrial systems, I prefer not to use safety or security or information security. I prefer to use the term cybersecurity. It's like a combination of safety, industrial security, and information security. And you can demonstrate how information security can break security features, safety features, put it in, for instance, the room. Just let's talk after a bit. OK, thank you. Yeah. OK, thank you. Any more questions from the room? Nobody is lined up at the microphone. Well, this is the time to say thank you very much again. Thank you, Alexander, Sergey. Thank you.
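Editor's note, added after the transcript and not part of the talk: the session-cookie brute force that the speakers describe for the SIMATIC PLC web server (26 cookie bytes plus MD5 of those 26 bytes, a 16-byte secret and two null bytes; the secret produced by a PRNG from a two-byte seed derived from the PLC start time plus a constant; start time recovered from the current time on the web page and the uptime from SNMP) is modelled below as a self-contained Python example. It is neither the team's script nor Siemens firmware. Everything the talk does not specify is an assumption made for the model and marked as such in the code: the PRNG (a 16-bit linear congruential generator stands in for the real one, which the talk only calls "different from the standard C PRNG"), the value of the constant, and that the controller accepts a cookie by recomputing the MD5 rather than looking it up in a session table. The timestamps are constructed.

```python
import hashlib
import os

# Constants taken from the talk's description of the cookie construction.
RANDOM_PART_LEN = 26    # 26 cookie bytes are hashed together with the secret
SECRET_LEN = 16         # 16-byte secret generated at PLC start
SEED_BITS = 16          # the PRNG seed is a two-byte value
SEED_CONSTANT = 0x1234  # hypothetical: the talk only says "start time plus some constant"


def prng_stream(seed, n):
    """Hypothetical 16-bit LCG standing in for the PLC's PRNG, which the talk does not
    describe beyond "different from the standard C PRNG". The attack only depends on
    the seed being two bytes: whatever the generator, there are at most 2**16 secrets."""
    state = seed & 0xFFFF
    out = bytearray()
    while len(out) < n:
        state = (state * 25173 + 13849) & 0xFFFF
        out.append(state >> 8)
    return bytes(out)


def seed_from_start_time(start_time):
    """Seed = PLC start time + constant, truncated to two bytes (as described in the talk)."""
    return (start_time + SEED_CONSTANT) & ((1 << SEED_BITS) - 1)


def derive_secret(seed):
    return prng_stream(seed, SECRET_LEN)


def cookie_mac(random_part, secret):
    """MD5(26 cookie bytes || 16-byte secret || two null bytes), as reverse engineered in the talk."""
    if len(random_part) != RANDOM_PART_LEN or len(secret) != SECRET_LEN:
        raise ValueError("bad lengths")
    return hashlib.md5(random_part + secret + b"\x00\x00").hexdigest()


def make_cookie(random_part, secret):
    """Variable part of the session cookie: hex of the 26 bytes followed by the MD5."""
    return random_part.hex() + cookie_mac(random_part, secret)


class ModelPLC:
    """Toy controller. Assumption: a cookie is accepted if its MD5 recomputes with the
    current secret, so anyone who knows the secret can mint a valid cookie."""

    def __init__(self, start_time):
        self.start_time = start_time
        self.secret = derive_secret(seed_from_start_time(start_time))
        self.checks = 0  # number of cookie validations = attacker's request count

    def login(self):
        """What the legitimate engineer's browser receives after a password login."""
        return make_cookie(os.urandom(RANDOM_PART_LEN), self.secret)

    def is_authenticated(self, cookie):
        self.checks += 1
        random_part = bytes.fromhex(cookie[: RANDOM_PART_LEN * 2])
        return cookie[RANDOM_PART_LEN * 2:] == cookie_mac(random_part, self.secret)

    # Unauthenticated information leaks the talk relies on:
    def web_current_time(self, now):
        return now                    # current time shown on the status page

    def snmp_uptime(self, now):
        return now - self.start_time  # sysUpTime via the hard-coded read community


def forge_session(plc, now, slack=30):
    """Attacker: start time ~= web time - SNMP uptime. Try the seeds in a small window
    around that estimate and mint a cookie with an arbitrary random part.
    Returns (cookie, seed) on success, None otherwise."""
    est_start = plc.web_current_time(now) - plc.snmp_uptime(now)
    random_part = os.urandom(RANDOM_PART_LEN)
    for start in range(est_start - slack, est_start + slack + 1):
        seed = seed_from_start_time(start)
        candidate = make_cookie(random_part, derive_secret(seed))
        if plc.is_authenticated(candidate):
            return candidate, seed
    return None


def forge_session_blind(plc):
    """Without the time leak the whole seed space is still only 2**16 candidates,
    one request per candidate: the two-byte seed is the real weakness."""
    random_part = os.urandom(RANDOM_PART_LEN)
    for seed in range(1 << SEED_BITS):
        candidate = make_cookie(random_part, derive_secret(seed))
        if plc.is_authenticated(candidate):
            return candidate, seed
    return None


if __name__ == "__main__":
    plc = ModelPLC(start_time=1_400_000_000)  # constructed start time, one hour before "now"
    cookie, seed = forge_session(plc, now=1_400_000_000 + 3600)
    print("forged cookie accepted:", plc.is_authenticated(cookie), "after", plc.checks, "requests")
```

The model makes the two points of the talk measurable: with the time leak, `forge_session` needs only a few dozen cookie checks (each one is an HTTP request against the controller), and even without it `forge_session_blind` finishes within 65,536 requests, because a two-byte seed cannot yield more than 65,536 secrets no matter how the PRNG is built. A secret read from a hardware random source at boot removes the search entirely, and an SNMP community that is not hard-coded removes the uptime leak that shrinks the window.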