Hello everyone, I'm Mars from TXOne Networks, and we are happy to have the opportunity to share our research results on the DEF CON 2019 stage. In this session, we will discuss the ecosystem of ICS data, and more deeply focus on Mitsubishi Electric communication protocols. Please allow me to quickly introduce TXOne. TXOne is a subsidiary company under Trend Micro. We focus on providing cyber defense and visibility for operational technology. Currently, I'm a researcher for TXOne, focusing on IoT, ICS and SCADA, enterprise analytics, security and research, and I have also shared many results of my security research at major cybersecurity conferences such as Black Hat, HITCON, SecTor, HITB, and other major cybersecurity conferences. I'm also the general coordinator of the Hacks in Taiwan Conference, HITCON 2021. My colleague, Selmon, specializes in ICS and SCADA protocol analysis and programming, and he also has speaking experience at global conferences such as CYBERSEC, HITCON, HITB, and others, for deep ICS research.

Today's agenda: first we will discuss the modern ICS and SCADA ecosystem, and then move on to the problems of the Mitsubishi ecosystem, including how to analyze and successfully take over the entire ecosystem. Because Mitsubishi is not very active in facing the issue of our finding, we will also share the process of our contact with Mitsubishi, and show why we decided to share our finding based on the public's right to know. Finally, we will also share how to perform mitigation.

First, the modern ICS and SCADA ecosystem overview. Mitsubishi is one of the world's largest industrial control manufacturers by market value, with a global market share of more than 10%. So you will see the top three, which hold a very powerful percentage of the global market here. And this slide shows the annual revenue in industrial automation.
Mitsubishi is also among the top three, as you can see here. At the same time, it is also ranked third among the most popular PLCs in a commercial analysis. From the previous slide, we can see that Mitsubishi has performed very well in this field. And we're also very interested in the scope of the Mitsubishi ecosystem. So let's take a look at the scope of the Mitsubishi PLC series. Mitsubishi can basically cover any system size, from small to large, and they provide different levels of PLC for different system sizes. So from the slide you will see, from small size to large size, the MELSEC F, iQ-F, L, Q, or iQ-R, from smaller to larger, the overall range that they cover.

But one more thing you will be interested in is where those PLCs are used. Based on Mitsubishi's official statement and our own observations, Mitsubishi's PLCs are very powerful and widely used by a range of verticals, including automated warehouses, fluid and battery, semiconductor, general automation, chemical, FPD, inspection machines, and so on, including building automation, injection molding, printing, machine tools, and many more verticals use Mitsubishi PLCs. They are very widely used and they cover critical infrastructure, many infrastructure sectors we use daily, like power, water, and so on. It's very close to people's lives. Just imagine where those industries are close to your daily life: if there are security issues, if attackers occupy critical devices in an industry, and the attacks can disrupt or control the asset, the impact will be very dangerous, powerful and huge. So you should take care of this.

Before we performed this research, we reviewed the previous very powerful industrial security research and we noticed something important: almost no one conducted research on Mitsubishi. Most of the research focuses on Siemens S7.
So there was Black Hat 2019, 2017, 2016, 2010, 2011, focusing on Siemens devices. Or, not only focusing on Siemens, other parts have nothing to do with the communication protocols, like ICS-targeted malware or attack vectors in different sectors. So we believe this is a good opportunity to work in depth with the Mitsubishi ecosystem. We also reviewed the Mitsubishi vulnerabilities. It's a very important thing and we reviewed it. There were vulnerabilities already announced in the past, maybe one year ago, a few months ago. This table shows some examples, but there are many more. And we found that most of the published vulnerabilities are only for specific devices, modules, or software, and do not address issues in the communication protocol layer itself.

So now that we have introduced the starting perspective of our research, let's take a look at three different ICS ecosystems, and how the ecosystem in standard critical infrastructure looks. Our first example is Modbus. You will see the HMI, the PLCs, and the workstation use Modbus TCP communication, and only the PLC and built-in devices use Modbus RTU. That scheme is usually serial, not based on TCP/IP, not based on Ethernet. They will have something different, focused on the Modbus TCP layout, according to the different functions implemented by different manufacturers or ICS vendors. But basically, the native functions are very limited.

The second sample is Siemens. Siemens provides layered private protocols. Siemens S7 and S7 Plus have already been strongly secured to a certain extent, thanks to the in-depth research from many researchers. So I dare not say that this protocol is secure, but I would say its security is already much better in comparison to other ICS protocols. So we would say Siemens does a better job at cybersecurity than other ICS vendors.
But finally, what about the Mitsubishi ecosystem? Between the HMI and PLC, it supports a wide range of communication protocols, such as SLMP, Modbus TCP, and EtherNet/IP, based on different network modules, in order to support compatibility with a variety of assets. From the perspective of an attacker, if you attack from the HMI, you must understand the various protocols that can be used in an attack. But between the PLC and the engineering workstation, they use MELSOFT. MELSOFT, a private protocol, is used to communicate between the engineering workstation and the PLC. If someone can take over the MELSOFT protocol, they can compromise all the PLCs and master the entire ecosystem. And we were actually able to accomplish this.

Now, for the fun part, let's dissect and compromise the Mitsubishi ecosystem. So as an attacker, if we can discover a vulnerability in MELSOFT, we can basically take over the Mitsubishi ecosystem completely. We can fake and forge the engineering workstation to pass commands to the PLC, so it does whatever we want it to do. So let's say we use the MELSOFT protocol to communicate with the PLC. And yes, MELSOFT has an authentication mechanism. But this authentication mechanism is very, very weak. In other words, as long as we can pass the authentication, we can take over everything.

As you can see, this is just the handshake process between the engineering workstation and the PLC that you see at the beginning of the entire authentication process. Generally, the engineering workstation will send a challenge request, message one, to the PLC. The PLC will return a random 10-byte challenge code to the engineering workstation. The engineering workstation (EWS) will do the calculation based on this 10-byte challenge code and send back the 32-byte code to the PLC, which then confirms whether or not it has passed the authentication.
So what we have to do is reverse the calculation process of these 32 bytes. That is the thing we need to do, and then we want to find out something tricky or something interesting in that part. So reversing their engineering workstation software is our goal: GX Works2 and GX Works3. They support different PLC types and PLC modules, as we know, from small to large. So you can think of GX Works3 as the newest and GX Works2 as older, but you can see at least both. Let's take a look at the first part. I will say the application is somewhat different in some backend services.

Now we will start our reverse engineering journey. There are many, many steps, but they are not too complicated; all of them are exchanges of values, or shift and XOR operations between the registers. After receiving the random 10-byte challenge code, the first thing the engineering workstation does is calculate an XOR operation between the challenge code and a fixed base array here. You will see the array starting with 0x4d, and so on. That is step one. In step two, they will change the places in the buffer, that is, swap positions. In step three, they will convert the type of the buffer to short variables and verify the PLC's 10-byte challenge code against the sum of the buffer. We believe this behavior is used to confirm the integrity of the 10-byte challenge code, that it has not been modified by other people or an attacker. So they will calculate this. After that, the engineering workstation will retrieve the four short variables as integer variables and then go to the function sub_62c3e. So we go deeper into the sub-function. At this moment, I will say there are many, many sub-functions, layer by layer. So we will speed up the pace; be patient with the details, because there are many, many operations for creating the 32 bytes in the response.
So in step six, after entering the function sub_62c3e, they use the predefined 32-byte code to generate the 32-byte test code. You will see the predefined 32 bytes here. But I will say the 32-byte array varies based on the different PLC model; I get a different value. So you need to trace it one by one. If you want to attack a model, you need to trace the array. In step seven, they generate the 64-byte output buffer. You will see the local variable here. After that, in step eight, they generate the array with the value 0x636. For step nine, they perform an XOR on the first 32 bytes and the CDB array, and then jump to the function sub_62a60. You will see it on the left here.

In step 10, in the function sub_62a60, they generate the 104-byte array and copy the values from the array here to the first 32 bytes here. The value could be the five-byte length variable, but let's go through this quickly, and then copy the 64 bytes from the array into the 104 bytes. The last eight bytes are shown in this table, so you can quickly understand the 104-byte array. Then go back to the sub-function sub_62c38, jump to the sub-function sub_62b70, and jump to another sub-function to handle the last eight bytes of the 104-byte array: set the last eight bytes to integer variables and add the value 0x40. After that, in the sub-function sub_62ac7 and then sub_62a…90, they will run a calculation and update the first 32 bytes of the 104-byte array. It's just a huge calculation, and we just quickly go through it, because nothing very special is here.
Then they execute the sub-function sub_62b70 again and update the 104-byte array based on the computed challenge code. Before going to step 15, they execute the sub-function sub_62bc6. You will see, go here, and then update the value at offset 0x30 with the value at offset 0x80 of the 104-byte array, and likewise with offset 0x60. You will see there are many sub-functions in the function sub_62bc6. Then we go down and quickly point out the list of functions, and we will describe some functions to help you understand a lot of things later.

In step 16, the sub-function sub_62xs updates the 104-byte buffer from offset 0x31, sets 27 bytes to zero, sets offset 0x60 to the value 0x27, and then updates the 104-byte buffer. Before that, you will see the sub_62ac7 function is already used in the previous function; it's used to just update the 32 bytes, so we don't duplicate this part. Then the 17th step of the function also updates the 104-byte buffer from offset 0x58: set four bytes to zero, take offset 0x64 as an integer variable, shift it three bits, swap it with offset 0x5c, and for offset 0x50 add 0x8 here. Still in the same sub-function, we jump to another sub-function, sub_62b49, and extend the 104-byte array to 136 bytes. You will see here, the first 32 bytes as integers, add the 32 bytes at offset 0x104 and then swap it. In step 19, at offset 0x136, set the 0x5c bytes' value to 0x40. The final array is 200 bytes now.
So we calculate the rest based on these. In step 20, you will see the little for loop used to XOR words of the last 32 bytes in the 200-byte array with the output and store them into the 200-byte array. The following functions just repeat the same behavior based on this, using these 200 bytes to calculate it. After all of the calculations and getting the final 200 bytes, the first 32 bytes are what the MELSOFT authentication function needs. So you just extract the first 32 bytes from the final 200 bytes, send them back to the PLC, and pass the authentication.

At this point, I think you already know how to handle the authentication mechanism, but I want to emphasize one thing: network traffic analysis is absolutely indispensable to this research, because we did a lot of reverse engineering, but MELSOFT is a private protocol. So there were no tools to help you analyze the network traffic. We believe that if we can analyze it, we can take over it more easily. For this purpose, we built a Wireshark Lua plugin for the MELSOFT protocol. We will show this plugin later in our demo. We will share our plugin, which supports MELSOFT and can help us recognize and understand the MELSOFT protocol in Wireshark.

Now I move on to the final part. In our scenario, we want to take over the entire Mitsubishi PLC. So the scenario we build is overwriting the PLC program. That's our goal, because after bypassing the authentication we can do everything, but overwriting the PLC program is our goal for the demo. If we can bypass the authentication and successfully overwrite the PLC program, we can perform any function we want. So next, let's look at how to overwrite the program.
Here we quickly go through the handshake process. Later we will describe the function behavior step by step with Wireshark screenshots. Message one is used to request the 10-byte challenge code from the PLC; messages two and three send the authentication request with the 32-byte code, based on the challenge code, to the PLC and pass the authentication. After message four, I think you can do anything you want to do, like a remote stop. But here, if you need to overwrite the PLC program, you need to remote stop first, open the file, search the file, and read the PLC program file. After that, you need to write the data you want to write to the file, with message 13. After that, update the file size with message 15, modify the file creation date and time, close the file, and write the file modification to storage; after that, you're done with the file operations. Then you just need to remote run, and you can run the PLC program which you replaced. So this is the entire process, quickly gone through; just keep in mind that our whole process is like this.

Now we will use the Wireshark screenshots for the follow-up detail, step by step. In the first message, the engineering workstation sends the PLC the challenge-code request, 0x5a … 0xff, to get the challenge code. It's a fixed value and never changes. When the PLC receives it, it will generate the random 10-byte challenge code for the engineering workstation, and the engineering workstation, well, our fake engineering workstation, will calculate the 32-byte payload, which you see here, and send it to the PLC. When the PLC receives these 32 bytes of payload, it will calculate it and then pass the authentication.
After that, the error code in message four indicates success; if it is another value, it failed. We saw that it was very exciting, because we successfully passed the authentication, and from message five the attacker can do anything they want. So we do a remote stop with that function code, because we want to overwrite the PLC program, so you need to stop the PLC; now you can operate on the program. Then you can send a request to open the PLC program file, but you don't know where the PLC program file is, so you send another command to search for the file. You will see that you want to search for the MAIN.QPG PLC program file here. Get the response, and then send message 11 to read the file, the PLC program file MAIN.QPG, and get a response: successfully read. Then send the write request with message 13, writing your data to the file. This message repeats, because it's based on how big the data you want to write into the file is; we want to overwrite the PLC program, so here we keep two tries, file one and file two, and get the success error code. Then send another function code to update the file size, because you already changed the file and the file size needs to be changed. Then we send message 13 to modify the file creation date and time of this file, and send a close file. So you already closed the file; meanwhile, you already wrote the data you wanted to write to the PLC program, and you write the file modification to the storage. Now you can remote run; if you run it, you run the PLC program you overwrote. So that is a success.

Now we show another demo of this procedure. This demo shows the whole process of overwriting the PLC program. In the normal status, everything is normal, green light, PLC running. In our attack, we overwrite it with an empty PLC program. Downloading this PLC program to the PLC will make the PLC stop operations, because this is an empty PLC program; but if you want to modify a specific point of the PLC program, you can change that. Here you will see the PLC has already stopped, because we downloaded the empty PLC program to the PLC. Also, if we use the workstation to view the PLC program, you will see that before we overwrite the PLC program it looks like this, a very normal status, and the ladder logic is very normal. After we overwrite it, it's empty, totally empty. So we can really make a huge impact on this site; you can change everything you want.

What about the potential impact of these attacks? When we use the MELSOFT protocol, according to our survey, generally speaking, the Mitsubishi PLC series are impacted by the MELSOFT protocol, because they use MELSOFT to communicate between the engineering workstation and the PLC, and some newer PLCs also rely on MELSOFT to connect. If an attacker knows the MELSOFT protocol, they can take over the devices; it's very easy. We will also say other people have studied the MELSOFT and SLMP protocols, but we would say that's just a small part, and we will discuss the issue later, because we will share our vulnerability reporting process with Mitsubishi and also the potential impact of attacks using the MELSOFT protocol. There are many things you can do, like a remote stop to interrupt the process, or overwrite the PLC program like us, or write or read specific data to change a small part of the control process. You can also put a malicious file on the PLC and generate it as a PLC file. We know you may not fully understand it, so we provide a common baseline based on the MITRE ATT&CK techniques for ICS. Basically, the impact we can achieve by taking over the MELSOFT protocol is rich, and depends on what the attacker wants to achieve. You will see the part including manipulation of control, denial of control, and loss of control is all within our attack scope.

As we mentioned before, we said Mitsubishi is not very active in facing these issues. We want to highlight it because it's not a problem only for Mitsubishi; other vendors we have met also have this not very active attitude in handling vulnerabilities. But we want to highlight it; we want everyone to know that vulnerabilities are very serious things. So here's our timeline. We got our first reply from the vendor on May 30, 2020. This was the first time the vendor replied, and in many replies they stated that the authentication process we pointed out is not to protect the customer's security but to prevent connection to devices of other companies. More plainly, it is not a vulnerability from the vendor's perspective. However, regardless of the original purpose, this authentication process does have problems: attackers can use it to perform various operations, and our research shows this is a serious risk. So we know the vendor doesn't think this is a vulnerability; it's like a feature that just prevents other vendors' connections. But we don't think so. After the vendor's first reply, we wrote back a message to let them know why we think this is a vulnerability and why this is very serious, and just how we found it, as well as how it can be exploited.
In this part, since we say this is a vulnerability and we want to highlight it, we point out that we can successfully bypass this authentication and make some impact. We should know that, as a vendor, you should have security awareness of this and should not avoid it. Also, as part of our second reply, we want to explain what happens when the authentication is not passed, and basically we think this needs to be addressed, and it seems to lead to a very serious danger when attackers explore it.

The vendor declined a large part, because we highlighted MELSOFT and SLMP, and they say SLMP does not require authentication. After our verification, SLMP indeed does not require authentication. I would like to point out one thing: this is actually more dangerous, without authentication between the HMI and the PLC, and an attacker can easily attack the PLC. I know it's a legacy protocol, usually a protocol for ICS, with no security design, but I think that's not a reason for the vendor not to face the security issue. These functions have some limitations compared with MELSOFT, so we would say SLMP is a subset of MELSOFT, and MELSOFT can provide attackers with rich resources to compromise devices. That's also part of our question about the vendor's replies. In our last reply, basically we wanted to lay out how much information we have access to through the exploit; from the fraudulent conversation, we can read and write everything we want, and this behavior should not be usable by an attacker. So we said, even if we cannot upload this material, we still want to highlight the issue, and not compare it with SLMP, because this is independent: SLMP is SLMP and MELSOFT is MELSOFT. But they said, yes, if you are serious, it is possible to use SLMP to operate the MELSEC … and just as possible to operate the project. So they say SLMP does not support the user operating the PLC program file, but SLMP will allow that without authentication. So everything can do that. So "no security issue" is very believable to them, but we know this is the vendor's perspective, because manufacturers are different from security guys.

Then ZDI decided to close this case, because the vendor finally, internally, did not recognize this as a vulnerability, but we think this is a vulnerability. After a few days, because we also sent our procedures, we wanted to let people know, we wanted to share our finding with other people in a subsequent conference. So after we went ahead, we received another reply from the vendor, hoping that we will indicate in the first place that this issue is not a vulnerability. And that is what the issue brought us. Of course, we respect the vendor's seriousness, because we can understand that, for a lot of vendors, it is not easy; they need to build a huge system. So we need devices, but we know that sometimes there is conflict between security people and manufacturers. So we respect the vendors; I have to say that. So we say this is a conflict between the security perspective and the manufacturers' perspective. This issue is not a vulnerability in the product from the vendor's perspective, but we still hope that this issue can be remedied before it leads to problems for worksite stakeholders.

For that reason, let's take a look at how to mitigate this issue. There are short-term and immediate measures, and long-term ones. For the short term, you need to mitigate in your environment; you need to detect and protect your ICS and SCADA protocols. Even though they are legacy protocols with no security in the design, you should try to protect your environment.
Basically, sometimes vendors cannot patch it, or will not patch it, because they may want to deliver new versions, maybe. Also, for the research, we focus only on MELSOFT. So we provide a Lua plugin for analyzing the MELSOFT protocol, and we also provide Snort rules. Snort is an open-source IDS/IPS. This can help you detect and protect MELSOFT traffic. Here are our rules; you can just copy them to your Snort rule list and run it, and it can help you detect and protect some specific MELSOFT communications, like MELSOFT authentication, remote stop, remote run, or write file behaviors. You can check this; it's helpful; our rules are useful.

The last part is the long-term plan. We want to help you think. We know ICS vendors usually don't have security awareness; we face many, many ICS vendors. They usually don't have security awareness: OT guys, ICS vendors, ICS manufacturers, they don't have security awareness. So I think the first thing is that you should build up security awareness, and you can try to build a defense environment from the outside, like simulating an attack from outside, what they want to do, and how you build your security environment from the outside with some security awareness, but still based on your environment. And also there is security design in the protocol or other components from the inside. So it's based on the ICS vendors; they should be on the security side to prevent vulnerabilities happening in their components or services, because then what other people use, power, water, will be more secure. And then you can make your ICS and SCADA ecosystem more secure in the future. To wrap up, OT guys say, look at how to keep the operation running. Yes, we believe that.
But what we believe more is that, in the near future, you should keep your operation running securely, because attackers are more and more trying to compromise infrastructure environments; we can't overlook it, we should take it seriously. So that is my presentation, and thank you for listening. If you have any questions, you are welcome to contact me on Twitter or via the TXOne website. Thank you for listening again. Thank you.
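As an added example of the short-term detection the talk recommends (not the speakers' Lua plugin or Snort rules), the following Python correlates already-decoded MELSOFT events into the program-overwrite sequence walked through above: authentication, remote stop, file open, write, update size, close, remote run. It assumes a decoder has already labelled each message; the event line format, host addresses and operation names are constructed for this example and are not MELSOFT wire fields.

```python
"""Stateful detection of the MELSOFT PLC-program-overwrite sequence.

Assumption: an upstream decoder (a Wireshark dissector or IDS) has already
labelled each MELSOFT message.  The log format, host addresses and the
operation names below are constructed for this example, not protocol fields.
"""
import re
from collections import defaultdict

# Constructed: the one sanctioned engineering workstation for this PLC.
ALLOWED_EWS = {"10.0.0.10"}

# The overwrite chain in the order the talk walks through it.  Extra steps the
# talk also shows (file search, read, modify date) are allowed in between.
OVERWRITE_CHAIN = ["auth_ok", "remote_stop", "file_open", "file_write",
                   "file_update_size", "file_close", "remote_run"]
STAGE = {op: i for i, op in enumerate(OVERWRITE_CHAIN)}

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+melsoft\s+(?P<op>\S+)(?:\s+(?P<arg>\S+))?$")


def parse_line(line):
    """Parse one decoded-event line; return a dict, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


def analyze(lines):
    """Correlate events per (src, dst) pair and return the alerts raised."""
    alerts = []
    # Per-session progress through OVERWRITE_CHAIN and the file last written.
    progress = defaultdict(lambda: {"stage": 0, "file": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        state = progress[(ev["src"], ev["dst"])]
        op = ev["op"]

        if op == "auth_ok":
            # A passed challenge/response starts (or restarts) a session.
            state["stage"], state["file"] = 1, None
            if ev["src"] not in ALLOWED_EWS:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                               "rule": "melsoft_auth_from_unexpected_host",
                               "severity": "high"})
            continue

        # Ops outside the chain, or traffic with no observed authentication,
        # are not tracked.
        if op not in STAGE or state["stage"] == 0:
            continue

        if STAGE[op] == state["stage"]:
            state["stage"] += 1            # the next expected step was seen
            if op == "file_write":
                state["file"] = ev["arg"]
        # A repeated step (several file_write chunks) or an out-of-order op
        # leaves the progress untouched.

        if state["stage"] == len(OVERWRITE_CHAIN):
            alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "rule": "melsoft_plc_program_overwrite",
                           "file": state["file"],
                           "severity": "high" if ev["src"] not in ALLOWED_EWS else "medium"})
            state["stage"], state["file"] = 1, None   # session stays authenticated
    return alerts


# Constructed sample: benign monitoring from the real EWS, then a rogue host
# replaying the sequence from the talk against the PLC's MAIN.QPG.
SAMPLE_LOG = """
1 10.0.0.10 -> 10.0.0.50 melsoft auth_ok
2 10.0.0.10 -> 10.0.0.50 melsoft read_device D100
3 10.0.0.99 -> 10.0.0.50 melsoft auth_ok
4 10.0.0.99 -> 10.0.0.50 melsoft remote_stop
5 10.0.0.99 -> 10.0.0.50 melsoft file_search MAIN.QPG
6 10.0.0.99 -> 10.0.0.50 melsoft file_open MAIN.QPG
7 10.0.0.99 -> 10.0.0.50 melsoft file_read MAIN.QPG
8 10.0.0.99 -> 10.0.0.50 melsoft file_write MAIN.QPG
9 10.0.0.99 -> 10.0.0.50 melsoft file_write MAIN.QPG
10 10.0.0.99 -> 10.0.0.50 melsoft file_update_size MAIN.QPG
11 10.0.0.99 -> 10.0.0.50 melsoft file_modify_date MAIN.QPG
12 10.0.0.99 -> 10.0.0.50 melsoft file_close MAIN.QPG
13 10.0.0.99 -> 10.0.0.50 melsoft remote_run
""".strip().splitlines()


def run_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```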