Okay. It's my very great pleasure to introduce to you our next talk. I think industrial security has been in the news a lot in the last year, and I'm very curious what our next speakers are going to have to say about that, especially in the context of railways. So, please welcome Sergey, Alex and Gleb with the next talk, The Great Train Cyber Robbery.

Hello, Congress. It's a great pleasure to see you again. As usual, I'm the only frontman for the SCADA StrangeLove team, who for the last five years have been trying to save humanity from industrial disaster and to keep the purity of essence. So, please give a big hand to all the people who support us. Just not to the journalists. This is a SCADA StrangeLove team talk, and any mistakes and jokes are all our own responsibility. It's not related to our employers.

So, railways. Railways are one of the biggest artificial systems built by humanity. They take thousands and thousands of kilometers all around the globe on different continents, and my personal railroad trip when I was a student took more than 9,000 kilometers and six days. Maybe because I was young and had a lot of time, but still, even now I prefer to travel by train, because on an airplane you see the earth from the skies; when you take the train, you can observe and connect with the people and with the land. But in our hacker vision, the most important question is how it works, because it's always interesting to understand how things work, in this case railways.

The two important words in the railway universe are signals and switches. Signals allow train operators, train drivers, to understand the correct speed: should they speed up, stop or slow down. And switches obviously allow you to change direction and move a train from one track to another. Many years ago switches and signals were operated by humans manually. So, if you wanted to move a train in a different direction, you had to change the switch by hand. But about maybe 100 years ago, the modern system called interlocking was invented.
Interlocking is a system which calculates the dependencies between train location, signals and switch positions to understand whether a train can go in this direction or whether it is prohibited. So, if it sees conflicting routes, routes where trains can collide, it prohibits this situation, at first by physical locks, which is interlocking. It looks like a steampunk picture, but physical interlocking still works. For instance, in New York City Transit you can find that some stations are still operated by manual interlocking machines.

A very important point related to railways is the way to understand the position of the train. There are a lot of different ways to do it now, in the modern world with high-speed trains, such as GPS tracking and GLONASS tracking, but track circuits are still very widely adopted. What is a track circuit? The idea is that we use the rails as wires and transfer power into the rails. Sometimes it's DC, sometimes it's AC with modulation. The signal relay accepts this signal, and if it's okay, it opens the clear light, green. If we have a train on the rails, then it's a kind of little short circuit, the relay is energized and the signal switches to stop.

So, now we're speaking about relays. After physical interlocking, most railway automation systems were built on relays, on special little relays built with a lot of gold, which can operate in a wide range of temperatures. And what's most important, vital relays are gravity-operated devices. But nobody knows what gravity is. That is why I think nobody knows how vital relays work; they work by magic, and that is why we should trust them. By the way, for me, the relay room at a railway station is a place where students should go to get inspiration for their soundtracks, because you can sit there for hours and listen to this music.

Okay, this is old school. But today things have changed and we have a lot of automation systems, computer-based systems, on the locomotive, at the station, on the wayside.
It's traction motor control, computer-based interlocking, computerized ticketing systems, et cetera, et cetera, et cetera. Let's discuss in detail how it works. I want to give you an example of the Eurostar train, which is named one of the smartest trains in the world, because it has one, two, three, five, seven automated systems on board: for France, for Great Britain, for Belgium, and the generic European Train Control System. But let's stop for a second and check the highlighted reactor protection system on board the Eurostar train. I hope this is a typo, because I'm not ready to speak about nuclear trains at the moment. Switch on the mic.

Yep. Hello. So the locomotives are built from several vital systems, like the ones that allow them to move, to stop, to tell the driver about the situation on the road, and most importantly the train protection system, which can somehow react and prevent some accidents. All these subsystems are interconnected. So, for example, the traction system won't mess with braking, or in case of some accident the train protection can stop the train. The bummer is that you can't find anything publicly available on the internet to conduct security research on, and this is true for all railroad software. But if you try hard enough... So let's speak, for example, about one system that's actually a train protection system, called SIBAS. The ten-year-old version of it, SIBAS 32, is very, very widespread. And the newer one, SIBAS PN, is very new and is still a catch, and some of us will catch it more than others. So let's look at how this system was updated. Just by looking at it, we can see a lot of things: they stopped using some proprietary operating system, and that's good news, because most of the time homegrown operating systems tend to be disastrous. In this system they don't have hardware controllers; they have a PC-based simulation called WinAC RTX.
They have new, modern... well, not new, not modern, but unified transports like PROFINET. And nowadays they use very widespread CPU architectures like x86 and PowerPC. And it's a way to ease the job done by reverse engineers. So when you read a lot of manuals and documents on the internet, and you know which subsystems some locomotive components are built from, you can actually probably find something on the internet. We are speaking about WinAC RTX PC-based controllers. But it's not the time to talk about that. Still, we can talk about the internals of the system. And this is actually what tells us a lot of things, not vulnerabilities but weaknesses. Like, if you want to control the controller, to stop it, to shut it down, to run it, or anything else: you don't need authentication, and you don't see any kind of industrial protocol. It's just XML over HTTP. And it's easy to replay and easy to build your own tools to control them. And if you look deeper, all these things are self-written, like the HTTP server and the XML parsers. And I believe you can guess what this means. The next logical step would be to talk about how we can reach those systems in the real world. But we don't know, and we don't want anybody to know about this.

So let's continue our saga and switch to computer-based interlocking. The goal of computer-based interlocking is to help manage routes through the station. If we try to analyze it like any other computer system, we can find the following important parts. The first part of computer-based interlocking is the yard master workstation. It's like a human-machine interface in an ICS environment: just a PC with special software on top. The second important part is the integration gateways, which help to connect, sometimes wirelessly, to different stations or to the centralized traffic control system. The most important part of computer-based interlocking is the central processing unit, which processes all the dependencies, like we saw in the previous pictures with the locks.
Now it's processed by computers. And object controllers, like PLCs in our SCADA environment, which transfer management commands directly to the wayside devices to switch the switch or to change the light. Requirements for computer-based interlocking are very formal, and in different countries you can find these requirements as state law or as the rules of different railway companies. By the way, because it's a vital component for safety, for traffic safety, these requirements are fixed and all interlocking systems must fit such requirements.

So, when we're speaking about security, it's very important to build a correct threat model, because, you know, when we discuss computer security, people mostly discuss integrity, availability and confidentiality of information, but this does not work in the industrial world; it does not work for computer-based interlocking. From our point of view, there are three levels of threats. The first level is related to safety, or cyber-physical threats, which allow an attacker to create a disaster. The second level is economic threats, which allow attackers to impact efficiency, to impact your revenue as a railroad company. And the lowest level is reliability, when you can impact the system but it just adds additional work for the engineers who support the system. Sometimes colleagues ask me what cyber-physical threats are. I don't have a clear definition, but for me they are threats which can be carried out in the cyber world but impact something in the real environment, like this. It's always funny in the pictures on Twitter, but let me explain by example what conflicting routes are, or what a less restrictive signal light is. This is an example of a conflicting route. This is a less restrictive signal light. But these are Lego toys. Let's check how it works in real life. It's not so funny. The switch is in the wrong position, and even if the driver understands the situation and tries to stop, it's impossible, because the train is very heavy.
So let's discuss attack vectors against computer-based interlocking to make an appropriate model. The first level is attacks against the workstation, which can be easily accomplished by physical security bypass or by social engineering, because it's not very hard to force somebody to plug a USB drive into a workstation. The second level of attack is attacks against the integration gateways, against the wireless and wired network devices which connect the computer-based interlocking to the rest of the world. Other attack vectors are also related to communication: communication between the yard master workstation and the CPU, communication between the CPU and the object controllers, and sometimes even the communication between the object controllers and the wayside devices, because in the situation where object controllers communicate with wayside devices over a wireless link, if you can intercept it or make a man-in-the-middle attack, you can control the switches by yourself.

So I will give you several examples. All examples are from Google. They are not related to any particular assessment we did in the past. First, physical security. These are actual pictures, I guess, and they look like actual pictures, because during our assessments physical security is terrible. In most cases you can say, okay guys, I need to check your system ABC XYZ, pass into the station and get access to a workstation or a server. Password protection: the second picture is from a documentary movie about the Great Britain railway automation system. The main challenge here is to guess the workstation name, which you also see, always "six something", but I think NetBIOS responses can help here. Old software: it's everywhere, again from Google. It's an actual new equipment and system approval certificate, which allows the use of a system which runs on Windows NT4 Service Pack 6 and above, and this system manages track guards, and this is a flexible safety processor. But about safety: most railway systems are built with redundancy in mind.
They use several CPUs, sometimes three, sometimes four, sometimes even eight, which run the same but different programs, sometimes built by different teams of engineers, and some kind of majority system which compares the results and tries to understand whether there is any problem with the computation. But in practice this means that if you have root access to the computer, you just need to patch several locations in memory, not only one.

Hello again. So, as Sergey said previously, in the old days we had this steampunk-like interlocking, and most of the complexity of building them was in crafting and building, and nowadays it's about how to create a safe system. So by saying we want to have a safe interlocking we mean three things: trains should not collide, should not derail, and trains should not hit people. And they are doing this by use of different formal methods, to mathematically prove that these safety-critical systems are really safe. I won't tell you about formal methods, this is a topic for a separate talk, but in short we are talking about creating a set of specifications with requirements and a model of our process, and the point is to prove that our model satisfies these requirements. We have, the world has, a lot of different instruments like the B method, FNB, Prover and so on, and all of those systems are used by industrial companies to make safety-critical systems, and we will talk about the B method, which is very widespread not only for, you know, space rockets, airplanes and trains, but also for vending machines and traffic lights. There is a development environment called Atelier B that allows us to create those specifications and models and later on to prove that we are safe. This development environment also has translators from the models that you created to different languages like C, C++ and others, so you can later integrate them into your solution.
We are not trying to say here that the math is wrong in Atelier B or in the B method itself, but we are trying to show how a human developer can create wrong specifications, and this can create different vulnerabilities, like memory management ones. This is a part of the slides from one of the developers of Atelier B, where they say that they can cope with all of those problems. So we took Atelier B and created a very small project. It's called bad index: it has an array and one operation that tries to access an item in the array, and as you can see there is no boundary checking in the code, and all of the green circles to the left say that all the type checking was done correctly, that we generated proof obligations and proved everything, so kind of we are safe. If we generate a program in C afterwards, we can see a situation where memory corruption or a segmentation fault can occur. And again, this is not the fault of the math; it's the fault that we haven't done the boundary checking. The point we want to prove is that there are still humans, the people who write these specifications and requirements, and, as with any other programming language, they can introduce vulnerabilities. Actually, the good news is that, in the world, none of the people I heard of generate these things to C code or C++ code; they use Ada, which with its strong type checking is a more secure language in comparison to C, for example. But there are some pitfalls too. Typical Ada implementations have a mechanism called trampolines, which means they execute code on the stack, which is not very good for C programs, and, for example, if you want to link Ada code with C libraries, one of the security mechanisms won't work.

So let's get back to the railroad, to the interlocking. These systems are not actually that easy, and most of the time the people who create those formal methods try to mathematically prove that only the logic part is safe, like Sergey said: we must not allow trains to collide, or something like this. All
the other systems, like the operating system where we will place our code, the different communication services, the user interaction part, the part with the signaling when we want to know where the train is, what the position of the switch is, and so on, are almost always written in C, and this provides us a lot of capabilities to exploit this and somehow to influence this proved-safe logic and to make it work otherwise. So this is a slide where we show what the vulnerabilities are for these formal methods and other vulnerabilities of these interlocking systems. Thank you.

But if you try to discuss those vulnerabilities with railway people, with engineers, with the people who support interlocking systems, the typical answer is: okay, you can create conflicting routes, but in the lab, because in real life everything is air-gapped. Okay, let's talk a bit about air gaps. Fortunately, if you type "railway" into Shodan you will get very few results, and most of those results are false positives, I hope. But sometimes you can get something interesting, for instance Delhi railway station somewhere in India, which is accessible via a PPTP port. But I guess this is not something industrial-grade; it's just internet access for a station. What's interesting here is that this device is located in the company RailTel Corporation of India. So I guess that there are special telecom operators for railways. For instance, in Germany there is a special network operator who supports the Deutsche Bahn network, and they also provide SIM cards. Interesting: why does a railway operator need SIM cards? To allow train drivers to upload high-resolution video to YouTube or something? No, for GSM-R. GSM-R is the railway version of GSM, which is used to connect trains to wayside devices, to calculate the optimal speed, to understand the train location, to manage all conflict situations. And GSM-R is good from the encryption point of view. There was a very good talk from Stefan at 28C3, and you can find a lot of information about GSM-R key exchange
and encryption there, and we decided not to go this way, not to crack the encryption; we decided to check our side of GSM-R, for instance jamming. So, it's in the specification that the digital modem on the train should always be connected to the control center, so if the modem connection is lost the train will automatically stop. So if you have a good GSM jammer, but on different frequencies, you can stop a train if you need to, or you can go to jail, also if you need to. There are different other interesting issues. For instance, in the GSM-R handset there is a very useful feature to manage this handset via SMS, with the password 1234. I'm not sure that there are a lot of engineers who changed this password; I guess there are not so many engineers who even know that this handset can be managed via SMS. To continue the SMS discussion, there is a very interesting feature in the GSM-R SIM card which is called over-the-air management, and which is absolutely the same as in our standard SIM cards. I know that you know that SIM cards can be hacked over the air; it was discussed several times by Karsten Nohl, by Alexander Zaitsev and Alexey Osipov. And if the developer of the SIM card template has some issues with programming, he can allow you to get an encrypted response, to brute-force the signature to get the DES key, and after that receive information about the encryption key, and sometimes even upload malware onto the SIM card. After Karsten's talk, many of the big telecom operators decided to review SIM cards or filter binary over-the-air SMS messages, but I'm not sure that something similar is going on in the GSM-R world. More: some GSM-R equipment supports over-the-air firmware updates, not only SIM card updates, which allows you to do firmware updates over the air. Modern modems for GSM-R support interfaces like USB or PCMCIA, which reminds me of our old research, which is named "bootkit via SMS", where it was demonstrated how an attacker who can hack the modem over the air, for instance with an over-the-air firmware update, can use it
to hack the host which uses this modem for network communication and gain control over this host. This is an old video, it's been online for a year, which demonstrates how a hacked modem connected to a laptop first starts to work as a modem, a network device, and it's okay, but after a short timeout it starts to operate as a keyboard, and obviously a keyboard can type. So, as real hackers, our modem starts the calculator, and after that we get the specification of the input/output system, to bypass Secure Boot, secure BIOS, if you have it, and reboot the computer. During the reboot our modem becomes a CD-ROM drive and installs the bootkit. You can ask me, are there any keyboards in railway equipment? My answer: sometimes they have them, sometimes they don't, but in most cases we have drivers for keyboards, drivers for additional systems, for printers sometimes, and if you can become a printer or a camera you can exploit vulnerabilities in drivers, or direct memory access, as was demonstrated by Travis Goodspeed and Sergey Bratus for local vulnerabilities, and as was demonstrated by Timur Yunusov and Kirill Nesterov for remote vulnerabilities. Because nobody cares about a buffer overflow in a keyboard or mouse driver. Why? Because it cannot be exploited remotely. But if your remote device can become a mouse and exploit this vulnerability, you can exploit such a vulnerability remotely. So let's get back to railway systems: if somebody can attack the modem, the modem can attack the automatic train control system, and you can control the train. Everything is interconnected, because everything is entertainment.

Well, let's take a look at the locomotive railway systems, and you can find a lot of devices, a lot of systems. From one point of view, some are especially for passengers, for users, like information and entertainment systems. Another kind is devices like intercommunication between engineers, IP cameras, wireless access points, gateways and so on. But the main idea is that all of them operate through one communication channel. One of
them communicates specifically for railways; another one for some kind of information systems. Well, and here is another proof of it, because it's from, for example, the big vendor Moxa, and it shows their approach of how to get different devices connected and how they are connected with the locomotive, especially for solar power plants and IP cameras too. And they tend to fly in the clouds, and nowadays, the modern way, they tend to be like Internet of Things devices, but in this case, and especially in the context of our topic, it's realized, it's created, without a very strong, very secure approach. Well, we will show you why this exists. We analyzed several vendors like Bintec, Digi, NetModule and so on. We analyzed different types of devices, which are special railway equipment: gateways, modems and so on. And we found a big private key zoo. From our previous experience it exists, and it exists in different industries, but in this case it shocked us a little bit, because it's railways, I mean. And there are a lot of private keys, and each vendor tends to hard-code the private keys. Well, it was not only for SSL certificate private keys, which correlate with certificates, but also for remote management administration like Secure Shell: from one vendor there existed private keys for Secure Shell. Okay, and you can ask us, and you could write, so what is the impact of it? First of all, I can say, oh, hello Captain Obvious: if it's private and the private becomes publicly available, it's not private. It's easy, yes, and obvious. Another one is that if you create something private, especially private keys, it's created for private communication, for safe communications, but in this case, I hope you know, it's like man-in-the-middle attacks, and after that communications between railway systems are not secure. Also, as I said before, it gives attackers
the possibility of remote login shells, and we will show you a little bit later. Another one is fingerprinting devices: for example, you can extract public keys from the private ones, create some kind of fingerprint using MD5 or SHA-1, and using search engines like Shodan or Censys you can find a lot of devices which are connected to the internet, and you know the private keys, you know what to do next. And this picture shows you the original, traditional way to hold a beaver, and in this case it means how to keep your secrets. The next one is, well, well, well, again a lot of default credentials, but in the case of railway management systems it's not only for web communications but also for Secure Shell and Telnet, and they try to secure communications by changing the Telnet port. Well, another example: it was a really important notice to dear customers. In this letter you can see that you should use only two possible default credentials for the administrator password. Well, the dear customer was warned. Take a look at this piece of code. What do you think, is it secure, or is it hello from the early 2000s? Well, it's obviously not secure, and it was created nowadays, in 2015, and it gives us the possibility to inject system code. The next one was quite an interesting possibility: everybody remembers USB autorun malware and so on, but in the case of railway devices, special equipment, there exists a USB port, and if you want to ease the life of system engineers who don't want to go to the devices, there are a lot of them, you can put in your USB stick and the device autostarts, autoruns, for example a system update, software update, firmware update or system configuration update. How does it work? It works very easily, and again it eases the life of system engineers: if you don't remember your password, you can create a password. Please. Well, in this case you can create password hashes, as big as you can,
and try to brute-force, and run your update. Well, you can ask how it is. Well, railway systems look isolated from the external world, but in this picture you can see the approach of an attacker who can connect to a railway station through the management system, and, as was once said, when you connect to the internet, the internet connects to you. And from the internal side of railway communication you can see that there are three steps when you trace the route to some host: the first is inside the train; the next one is outside, well, wayside; the next one, which we mentioned before, is telecom. Well, the locomotive has a lot of equipment, and some of it works for the user interface, some of it works, especially for the NetModule vendor, through a VPN, but in this case all of them work through the same public mobile network. Well, and there are proofs by Shodan that NetModule devices, especially special devices and VPN gateways, are connected to the internet. The next one is a NetModule vulnerability which was fixed in new firmware. It was a simple request which changed the administrator password, just by simply agreeing to the EULA rules. Well, kudos goes to our colleague Simon Roshkov.

And from our experience we should give many thanks to CERTs from different countries. Big thanks to Post-Cryptom. Last year we spoke about wind and solar energy, and we got a lot of feedback on our talk and decided to launch the SCADA SOS project, which is focused on discovering, hunting, open smart grid devices on the internet, and we got a lot of interesting results in different parts of the world, and we got a lot of feedback from the vendors and CERTs. By the way, this approach, this project, helped to remove more than 60,000 internet-connected smart grid devices, like power plants, from the internet, and several vulnerabilities were reported to vendors and CERTs, several already fixed, and I want to thank Mr. Maxime Rubf who
contributed to this project very much. Thank you, Max. We decided to continue the open approach, so we are starting the SCADAPASS project, and right after the talk we're going to release the list of default and hardcoded accounts in different PLC, SCADA and HMI systems, to force vendors not to use hardcoded and default passwords in their systems. So kudos to Aksan Andrieva who helped us to prepare this list, and please contribute.

After our previous talk we got a comment about the European power system: if somebody can take three gigawatts off the net for a couple of seconds, the lights will go out for quite a long time. But we know that there are special devices, like relay protection, built into digital substations, which are built to prevent such bad situations, and we again decided to research it. We did some research into digital substation protocols, and at previous conferences we released special toolkits for digital substation protocols, and this year we created, with the help of five grid guys, a challenge called Digital Substation Takeover. It was implemented with Siemens SIPROTEC and SICAM protective relays, industrial switches and so on, and the bad guys in this challenge gave us the result, as you can see: global disaster. Well, in real digital substations we have very good, very well-known protection, called protection relays, to avoid this kind of cable melting. But relays are also vulnerable, and during this challenge guys found a vulnerability in Siemens SIPROTEC: with specially crafted packets you can create a denial of service of the relays, and in this case you can melt cables. But also during the practice challenge we found some kind of confirmation code in Siemens SIPROTEC, but Siemens doesn't publish this confirmation code in the official documentation, and also Siemens says that it's not a vulnerability, not a hardcode. Well, with this code we can read the system
log, and also we can use this for device memory introspection. Very interesting. Next, the last question from the previous talk was about the direct marketing directive, which forces wind and solar plants to be connected to a central management point, not only to read the current status but also to actually shut down or reduce output, because it's required by the electricity market. It now works in Germany; many vendors have special modules for direct marketing in SCADA to support these features. But we've run out of time and hope to discuss these issues next year in our upcoming talk, SCADA with Antenna. Thank you.

Okay, perfect. So, a quick reminder: if you really do need to leave, please do so as quietly as possible, and if you can, stick around for the next couple of minutes until we're completely finished. If you have questions for the three speakers, please go to one of the six microphones in this room so we can all hear you. As I hear, we also even give out prizes for the best questions, for additional, you know, motivation to ask a great question. All right, are you lining up at mic four? No? Okay. All right, then we'll start with the question from the internet.

All right, thanks. Have you studied anything related to the American Positive Train Control system?

We don't know yet.

Okay. I don't know. Do you have another one? Okay. All right, then, mic four please.

You said you looked up trains on Shodan and Censys. What protocols did you find them on, and how did the results compare between the two services?

In general, sometimes you can find generic remote management protocols like HTTP, like SSH. From the inside network, as Gleb showed, PROFINET is heavily used, but also there are a lot of proprietary protocols which are not so public.

Okay, I don't see any further questions right now, so please give a warm round of applause for our speakers. Thank you.