Hi everyone. Thank you very much for coming to our presentation. We're going to be talking about some research we did with PLCs and prisons, correctional facilities. And I'll give you an introduction of my co-presenters. Sorry, I hope that's not too loud. The objectives we're going to talk about today are: we're going to analyze the SCADA systems and PLC vulnerabilities. We're going to discuss modern prison design. We have a specialist here who has designed hundreds of prisons and correctional facilities in his career. And we're going to theorize some possible attack vectors and routines of malicious code introduction. I'm going to talk to you about ladder logic. And while it's very easy to learn and to program in this, it's part of the devil in the details of why some of the PLCs are vulnerable to some of the attacks that we've created. We're also going to recommend some solutions. Some are technical and, as with a lot of security, they're also managerial. This is me. I do a lot of stuff, actually. Right now, with this project, I've been doing a lot more technical work, but I'm an attorney as well. I work in Washington, D.C. most of the time, but I'm also in Portland, Maine. I'm a part-time adjunct computer science professor at the University of Southern Maine. And I'm so glad I have, like, every year a bunch of students from that university come to DEF CON. I have a bunch of academic backgrounds. I've studied in China. It was interesting, and I did a lot of work overseas. I've presented at other Black Hats and DEF CONs, so you may have seen me presenting on more like freedom of speech for some eminent issues, but this is the other type of research that I do. And let me turn this over to my father, John Strauchs, and he'll introduce himself. Well, nothing to introduce. You all can read. The only point I want to make is my specialty really is physical security. Now, that's what y'all call me, even though 99% of what I do is electronic systems.
And so I do the engineering or the specs and the drawings, and I've done a lot of what's called justice design, which is mostly corrections, also courthouses. All right. I am Teague Newman. I'm an independent security researcher and penetration tester. I'm based out of Northern Nevada up here and also Washington, D.C. In 2009, I competed in the NetWars Challenge. It was part of the U.S. Cyber Challenge. In all the rounds that I competed in, I placed in the top ten in the nation. I also do training and penetration testing for Core Security. I've taught people all over in all different facets from, you know, enterprise to government, as you can see, for places like NASA and the U.S. Marine Corps Red Team. So I'm all over the place. Some of the stuff that I do on my own time is GPU-based password auditing, like somebody up here, and liquid nitrogen overclocking. So that's me. We also have another special member of our team. Dora the SCADA Explorer is here in the audience, but Dora did not want to appear on stage. He's an exploit writer. He has a great backpack, all kinds of tricks inside with great exploits. He's good at coding. He lives in the tropical area of Columbia, Maryland. Dora has done a lot of great work for our group, so we're very glad that Dora is here with us today in the audience. All right. One thing that we're going to describe here is we're not talking about any vendors per se. While we did do our research, as you can see, our PLC that we purchased on eBay and everything, it's up here on the table. We'll have close-ups of the picture if you can't see it. It's a big room. The red team always wins. So what we're here to discuss is really about, we did a lot of research and some of our attack vectors and exploits were on the control computers. This is not a talk about Siemens per se, but as the picture suggests, I mean, this jail facility is Alcatraz. It was designed so that no one could break out of prison there, right?
Well, we did our research, you know, suggesting otherwise. You know this case to be true as well, but the red team always wins. So we're not here to discuss particular vulnerabilities, because what's clear and what we're releasing in this presentation today is that with PLCs, it doesn't matter what vendor it is. So while Siemens is our research module there, it's not just about Siemens, it's about any PLC, because we will discuss and we'll show you a demo of what we've done with the control computer. All right. So why present about prison vulnerabilities? One of the big things that we're talking about here is not our exploits per se. We're not releasing our exploits. We've used them for a proof of demonstration to all of you about the work that we've done, but it's really to kind of hit home the idea that if you work in a facility in which PLCs exist, these are the types of things that you should know. Now, all of us, most of us in this room, will know, we know what PLCs are. A lot of us know about Stuxnet, but if you work in a correctional facility or you work in other types of facilities that have PLCs, even water treatment plants, those employees may not know what that is. This is part of the problem that we've seen in the correctional facilities: wardens, guards or officers that work there. Their responsibility is actually, it's pretty high. Some of the vulnerabilities we saw, Siemens or GE, whatever, in essence they can't fix them. What needs to be done is these people working in these facilities need to know that there are devices that can be vulnerable to attacks. So the U.S. puts a lot of money and funding into securing some of our, what we call the U.S.'s assets, high-security facilities, bank vaults, things like that where you may see PLCs. But when it comes to our country's, shall we say, worst liabilities in a sense, we are encouraging some heightened security because of the discoveries that we've made.
So we're trying to talk to the people who do work in correctional facilities, and that's why we went public with our research. And we'll tell you a little bit about how we did that, but a lot of law enforcement agents too, we talked to, who work in these prison facilities, didn't really know much about this. So we're bringing awareness to that issue. So when we did the research, because this has to do with the U.S. correctional facilities that we were looking at, we briefed some federal agencies. You can see from the slide, they're friends, they're friendly, but what's great is that when we said, hey, we found this vulnerability, we want to talk to you about it, it took about two months to really get together everyone from these agencies. But when we did, it was a positive experience in the sense that they were willing to listen and talk to us about what we did. And they allowed us to present here. And that's why we're really grateful for this, because we didn't talk to Siemens or GE, because it's really about the correctional facilities in this presentation we're doing. So we were glad and we are grateful to those agencies who allowed us to do this presentation. All right, so the story of Christmas Eve, as you may see in the bio, the abstract of our presentation, all the doors on death row popped open a little while ago. And I'm going to have John Strauchs here, my dad, tell you about the story of Christmas Eve, because he was called in to figure out why, on death row, all the doors popped open. And it's also kind of the basis of this whole entire presentation. And that is, quite some time ago, I designed an electronic security system, that is, all the electronics, for a state penitentiary that included a death row as a maximum security facility. We were done, it was occupied, inmates were brought in, the thing was running, everything seemed to be going fine. And then Christmas Eve, I'm at home and I get a call from the warden.
All the doors on death row had popped open spontaneously. That concerned him. Now it turned out nothing really bad happened. They got everybody in. But it concerned me a little bit in terms of what could have happened and liability and things like that. So we immediately went out there and tried to track down what caused it. What it turned out to be was the contractor had not used the manufacturers and model numbers of the equipment we had exactly specified. They had made some substitutions. Now in hindsight, in all likelihood, I would have approved the substitutions. But the problem was that the two components, that is, a PLC and a relay, had never been used at a correctional facility before. And some kind of voltage surge occurred. And there was a printed circuit board that had a one-way diode on it, as we found out. And it was leaking voltage. And it was leaking just enough, not very much, just enough to trip the relays, which then opened up all the doors. Easily fixed. Now, go forward in time. And I'm sitting there watching news about Stuxnet in Iran and how they attacked the PLCs and got the centrifuges moving fast. And I had a Eureka moment. I said, wait a minute. We had that happen at a high security prison accidentally. What could you do if you did something deliberately? And the other thing that occurred to me was, wait a minute. Nobody knows that PLCs are used in prisons. They really don't. Most large security systems don't use PLCs. We'll get into this again later, why you use PLCs in prisons. But if most people don't know that PLCs are used in prisons, then all the SCADA talk about SCADA attacks is focused on power grids and nuclear facilities and all kinds of other things, but not prisons. And it's a vulnerability that if you know about it, you can protect yourself, because 98, 99% of the solution to the problem is procedural, not technical. So this research idea started a lot with looking at Stuxnet.
And those of us that were interested in following it, the code is very well designed, well engineered. I mean, it took a lot of professionals, perhaps a nation state; I'm sure you've all heard those theories. But I got this idea to start looking at where else PLCs that are vulnerable might exist. And I've got to give credit to Tom Parker and FX. They're not a part of this research project per se, but they have really fantastic analyses they've done of Stuxnet. I mean, going through line by line with the code. And then at Black Hat Abu Dhabi last year, we all got to sit down and really talk about some of the essence of what makes Stuxnet unique. And so after these presentations, I came back to the US and I sat down with my father, who has a lot of design experience, and then with Teague, who's a fantastic penetration tester. And that's when we said, wow, this could be interesting. So what if someone wrote a worm or a virus that could affect correctional facilities? That was our big question. All right, so I'm going to turn it over. My dad's going to do a big section now on the design of prisons. And the reason this is important: if you understand the structure and why things are designed in prisons, you'll understand why some of the PLCs, and where they're vulnerable, is a problem. Culinary Institute of America. And also work, we actually had a really neat wave file we're going to play, but apparently we can't do that right now. So that has nothing to do with anything. It started with Stuxnet. The attack was, and this is what I read, not personal knowledge, against Step 7 of the Siemens software. And apparently there's some Microsoft patches you can do that minimize this vulnerability. But it goes back to the fact that it's all about the programmable logic controller, the PLC. It's not just the SCADA systems for, like, power lines, pipelines, water systems. Prisons use PLCs. Now let's go back to nomenclature just for a minute. What is a prison or a penitentiary?
A prison or a penitentiary is something that's probably run by the federal government or the state government. It's confinement for a year to life. I mean, it's serious confinement. When people talk about a jail, and a lot of times they use the terms improperly, a jail is usually a county, city or town facility, and confinement is usually less than a year. The only thing about a jail that makes them a little bit interesting is some jails could be really huge. As pointed out, Orange County Jail in California has 2,500 inmates. And the other thing about a jail that makes them important to look at is a jail is often used for pretrial confinement. That is, while you're awaiting trial, they put you in jail. So you could be a pickpocket, you could be a terrorist, you could be a serial killer. So anybody could be in a jail even though the confinement's very low. In the United States there are about, I think, exactly right now 117 federal correction facilities, 1,700 prisons, that is, state penitentiaries, 3,000 jails throughout the United States. And of these correction facilities about 160 are operated privately. And most, possibly all, I haven't surveyed them all so I can't speak definitively, use PLCs and air electronics. That's me in jail. Now, we're going into this because, to understand what the vulnerability really is, you've got to understand how a prison operates or a large jail operates and what the electronics are and how it works. This is the contemporary design of a jail. It involves a central control and then housing pods for housing controls. And the whole idea is ergonomics. And that is, it's no longer the way Hollywood portrayed large prisons where there are long cell blocks with bars. In fact, most new modern facilities don't even have bars. They have solid doors with vision panels. But these long cell blocks don't exist. The idea is ergonomics: central control can see down those alleys into every housing pod.
The control in every housing pod ideally can see every single cell. So there's visual contact with everybody you're managing. And that minimizes the number of people that you need to operate the facility. Going back to a point I made earlier, I have heard two misconceptions. One is that some people think that PLCs are used in all security systems. And as I said, they're not. Most large security systems, for example, use some kind of operating system that's specifically written and designed for security systems. The two probably most common, once people know, are Lenel's OnGuard or Software House's C-CURE 9000. And there are a bunch of others. But those are two really big ones that have a big share of the market. They don't use PLCs. Now, are there similarities between what they use and the PLC? Of course there are. The only thing is, their controllers or their data gathering panels, whatever you want to call them, are smarter, more multifunctional, multitasking, much more state-of-the-art. Now no one's ever tested those systems so I can't really speak to it. But you wouldn't put a PLC. Now why do you use a PLC in a prison? The reason is it's very simple. It's very basic. It's easy to program. And more importantly, it's easy to track. Because nine times out of ten after you do your programming, say you're doing two, three hundred cells, or five, six hundred cells, that could equate to twenty, thirty thousand points in a system. If you did conventional programming, that's one heck of a lot of tracking you have to do. Something's not working. You know, this button is supposed to do this. When you use ladder logic, it simplifies it. Because when you print it out, particularly on a long sheet of paper, it looks like a ladder. And you could follow the lines, trace them with your fingers. It'll go from this point down to this point, down to this point, and it ends up where you want to go. But it's that simplicity and vulnerability that make it vulnerable.
I also want to make one correction: we've been doing some news interviews. One of the news interviews seemed to imply that I said that corrections officers weren't smart or should have known this stuff. How many people here drive a car? How many of you know what a PCV valve is? Or if you do, most don't. Just because you drive a car doesn't mean you're required to know what a positive crankcase ventilation valve is. It's a very important valve, particularly in older cars. And that's the point: why should a corrections officer or a warden or administrator know what a PLC is or how it's programmed? Their specialty, their skills are to operate the facility as efficiently and probably with not enough people and not enough money and try to make it work well. That's their job. So I don't mean anything I've said or whatever to count as me being oppressed. I'm not criticizing the corrections industry or corrections officers. This is the same kind of design. Now it doesn't look like a spoke of a wheel, but it's the same concept. It's ergonomics, that is, vision lines for control. You can see, in other words, our rule of thumb when we designed was if you could directly see the door then you didn't need a video camera there or anything else. If you couldn't see the door, you put a camera there. And not only that, you put a camera on both sides of the door, not just one side, so that you can see if somebody, for example, under duress is being compelled to do something. Many have hundreds of cells, but all but the smallest jails or prisons have some kind of central control. So what does it look like? It starts out with the central control. This is the hub of the wheel. This is the brain of the entire facility and it runs everything, virtually everything. You know, even things like showers and lights, you know, depending on what state and jurisdiction you're in, they have different rules.
But the whole purpose of the entire facility is obviously about door control, to keep people in and monitor locks, cell and wicks and motors, and to monitor sensors where it limits switches. You also monitor many other kinds of systems like closed circuit video surveillance, duress alarms, that is, someone's being held at knife point or shank point, I guess, in the vernacular, intercoms. And some facilities, not all of them, have some kind of perimeter. A lot of times there's a perimeter patrol, that is, there's a fence intrusion detection system, concertina wire, barbed wire and so forth. Those things tend to have nuisance and false alarms at high rates. And they sometimes have patrol vehicles out there; they have a graphic interface. Sometimes that graphic interface between the patrol vehicle and central control is radio frequency. Which, you've got to remember, the big boom in prison and jail construction was about 15, 20 years ago. And back then nobody talked about cyber security or viruses or any of that stuff. It just wasn't important back then. And these facilities are still operating and they haven't changed hardly at all. They all go back, all these activities go back to a programmable logic controller. Usually it's a self-standing rack someplace in an equipment room, not in a control room. In some places there will be a big relay bank. Because the PLCs themselves don't have the ability or the power to do things. Again, it's basically a very dumb form of multiplexing, basically. And they control many functions. Now this is a very simplified block diagram of what works. And Teague and Tiffany will be going back to this shortly. Yeah, basically you have inputs, and inputs are panel switches, lock sensors, door sensors. You want to know that the door is closed and you want to know that the door is locked. In the early days, for example, when electronics were first introduced, inmates found that they could put pencils in the track on a sliding door.
Why are sliding doors preferred over swing doors? The biggest reason is safety of the corrections officer. Swing doors often end up putting corrections officers in the hospital. Because some of these inmates have nothing to lose, either that or they have no sense of consequences. And they'll slam that iron door shut. So sliders are preferred, even though they were slightly more expensive. They'll put pencils in there and sometimes they'll jam up the door right up to the point before the limit switch trips. So you think the door is locked, but it really isn't. Because the limit switch hasn't tripped yet. There are, by most accounts, 40 to 50 manufacturers of PLCs throughout the world. These are the most common ones used in correctional facilities. And of these, I'd say, the top ones are Allen-Bradley, GE, and Square D. Now here's some very basic PLC facts. Two points here in terms of protocols. LonWorks is real popular. I don't know, again, this is a different industry for me also. You may not be familiar with LonWorks. But the objective of LonWorks is primarily one thing. It's to minimize by as much as 40 percent the amount of wiring conduit you use. And wiring conduit in a correctional facility could end up being tens of thousands of dollars in cost savings. Or much more. Another thing is programming language. The most common programming language for PLCs was then, and is still true today, maybe after our presentation it might change, ladder logic. Simply because it's easy to follow, easy to track, easy to review. It doesn't mean you couldn't use any of the other languages to program your PLC. It's just simply that they don't. And again, back 15, 20 years ago, at the boom of correctional facility design and construction, it was the most common sense thing to do. Make it as simple as possible. In large facilities, PLCs monitor thousands of points. Contact closures that then control hundreds of devices, mostly motors and solenoids.
Here's one schematic design, but a better one to look at would be this one. And the point I want to make here is that now you probably are not going to monitor 34 points, but if you wanted to be a purist about it and know the exact status of this one door, you could monitor 34 points just on this one schematic. And that's another reason why the PLC is ideal, so easy to review. And Teague might bring this up a little bit later, but a little note down there under the note. Speed control. We were playing around with, well, if you did it maliciously, what could you do? Well, I remember a demonstration using pneumatic sliding doors that basically are air-driven pistons. And I saw that when we turned off the speed control switch, we could actually crack a two by four and a half using the door. So if you wanted to, for example, hurt somebody, that'd be one way of doing it. And then all the way out, not just inside of SILDI, even the fence sally port gates ultimately are controlled back at the central control. Now during the day, for example, there'll be direct control right at the sally port gate. But say two o'clock in the morning, again, they're short staffed. They don't have enough people. A lot of times they'll switch control back to central control. At that point, you would have a vulnerability going from inside of a correctional facility all the way out to the gate. During the day, you probably would not, because they'll have what's called direct control and the only way central control would take it over is through an override, which you would rarely do. And we're going to harp on this a number of times, and I'll repeat it again one more time right now because it's so important. 98, 99% of the solution to fix this vulnerability is procedural, not technical. And in fact, there's probably no technical way of giving a 100% fix for the PLC vulnerability.
But if you air-gap it, make everybody follow strict procedures, have no unauthorized connections, you probably don't have a problem. At this point, I will turn it over to Teague and Tiffany, and they're going to look at specific vulnerabilities and infection vectors. When we did an evaluation of a facility, it was here in the U.S., and we were able to go in and take a look at both the Internet access, some of the security there, and talk to some of the people who work there, the guards, to get an idea of how much knowledge they had about IT, information security, and what they had in the facility. So one of the vulnerabilities we found were open doors and gates. There are times, when we were talking to the officers, prison guards there, where they have shorter staff, and in the morning hours, when controls are shifted to central control because of staffing shortages, if you were a malicious attacker, these are some of the things that you would look at. And if you're inside a prison, you would theoretically be able to see the movement of some of the guards. So this is something that we thought would be one of the vulnerabilities. As my father said, cause phase lock sliders to go out of phase, preventing doors from opening and closing. This was interesting too because my father's done some research and some work in fire protection, fire evacuation. And do you want to mention something about the slam doors? The mic should be working. Yeah. There's a, not on all doors, there's one feature called, you have to specify when you request a lock from a manufacturer, it's called a remote latch holdback. They usually use the initials for that. And the purpose of that is that if there's an evacuation, most of these, a lot of these doors are called slam locks. As soon as you slam the door shut, it's locked. It stays locked. The only way you can open it is with a mechanical key. Someone has to be there.
And then depending on the state, some states, for example, won't allow any corrections officer to open more than a certain number of doors because the assumption is it might be a smoke-filled corridor. And you have to be able to identify the keys by feel. So it's a complicated process. Now if you wanted to, for example, if you were the Bloods and the Crips, and you wanted to get somebody on the other side, what you would do is start a mattress fire someplace, which happens every year. And in fact, every couple of years inmates die, particularly from smoke inhalation. That would be to get an evacuation started. And if you knew, if you could suppress the remote latch holdback in the PLC software, and you didn't like the guy behind you, all you have to do is slam the door. And that door will be locked and whoever is on the other side of the door is not going to get out. Emergency release of entire cell blocks or the entire facility, we are going to be discussing, and Teague is going to mention it to you, a cascading release where, if you release all of the doors at once, it actually can break the locks and cause pretty severe damage. So we discussed, I think Teague is going to mention a little bit more of that in his part that he is doing. And perimeter fence intrusion detection systems have high rates of false alarms. So that's another vulnerability we looked at. And one of the things that a lot of people have asked about this presentation is, well, this is not possible because the prison system is not on the internet. You know, it's supposed to be, you know, this is a high-security facility, including maximum security, they should be off the internet. When we did some research and we actually looked at a facility, it's not, as the IT and the way that they set up the networks, in some cases, was an afterthought. They designed the prison and the security in it, and then the networks and all that came in later after it had been designed.
And some of the IT contractors maybe didn't have backgrounds in security. So what we found is that the systems are not as air-gapped as you may think, there's not as much network segmentation as you may think, and we were able to see some problems with that. One of the problems we found is that the PLCs and the control computers, those things need some patching and updates, things like that. So inside the central control center that you remember from the picture we had up there, there's an electronic, not electronic, but there's like a computer room, an equipment room, that's where a lot of the computers are. And when Teague and I did our evaluation, we were able to go and take a look at this stuff. And some of the stuff we found was surprising. Also, if there's a commissary, or sometimes some of the lower security prisons, stuff like that, they have like vendors, fast food vendors and stuff that sell food in the facility. Those have a lot of internet connections to order food or supplies, things like that. We were able, in one circumstance, to trace that network back to the control room. So that is an attack vector that we looked at: you shouldn't be able to get from the commissary to the control room, but that was something that we did see. So we are dismissing the myth that the PLCs are invulnerable because they're not connected to the internet. This is another thing that we saw: if people are in the control room, just like the Stuxnet attack, if you have a USB drive, something like that, that's how you can create, or the infection can take place. Also, when we were at this facility on site, we saw IT was there doing some fixes on something.
They were in the equipment room unsupervised, and maybe at this particular facility the guards knew who these guys were, but what we found is when we followed them down in there, you know, we didn't see anything bad going on with them, but it's the type of attack vector when we're thinking about it. That's a way that you could get that in there. So another thing we found is that there was an interesting story, and it's in our white paper, about when patrol vehicles get close to, for instance, like police stations, small jails, things connected to courthouses when they're bringing in inmates or people that are standing trial. If they had a video camera, the video is actually transferred, like via Wi-Fi, to a control computer inside of the prison. And Teague, can you mention more about that? Yeah, so is this working? All right. So what occurs is some of these DVRs now, when they get within range, they actually just start uploading video files to, essentially, the jail LAN, to a storage machine on there. Well, it's been proven at this point that some of the DVRs in the police cars had public IP addresses and they actually have been hacked remotely, compromised, and they were able to upload whatever type of file they wanted instead of a video file to whatever the storage unit, you know, the SAN or NAS or whatever, would be at that particular facility. A number of other things were also able to be done, such as watching the video live. But the most interesting thing is that the DVR in fact was on a public IP address. It was compromised and they were able to upload a file to within the jail that was not a video. And from a story we read, some people have figured out that if they live near a jail they can pick this up. It was not an encrypted signal and the videos went up on YouTube. So that was unfortunate. So they definitely need some guidance or assistance from the InfoSec community. So we're here doing this for part of that reason.
So something we saw that was most alarming, though, that really got us to say we want to talk to the government soon, because we'd really like some prison wardens, guards and the Federal Bureau of Prisons to start training people working in these facilities: why you need to not access Gmail, not access Twitter from the control computer. We did see that. So we're in the control room, and Teague was down in the equipment room looking at the PLCs, things like that, and I'm up there and we're watching someone on the control computer pulling up Gmail. And that's one of the concerns we found: if they knew why this is very risky, both for their lives and those of the public at large, I'm sure they wouldn't do that, but sometimes, and my father and I have talked to a lot of law enforcement officers, you know, it gets really late at night, people get bored, they're gonna start checking Facebook, things like that. They need to know why they should not do that inside the control room particularly. And this is why we're glad to be talking about this, because we did see that. So you can cause widespread panic, pandemonium, either by locking all the cell doors down or opening them up. So the cascade program we talked about, you can destroy all the locks all in one go. So there are a lot of reasons why, if you work in these facilities, you should know that Stuxnet is not just something in Iran, it's not just something that affects nuclear power plants. It can affect your facilities here, the prison in which you work. So Teague and I are gonna discuss some infection vectors we talked about. So I'm gonna talk about some of the infection vectors from without. So we talked about the software updates, straightforward malicious attacks from outside the facility. There has been other research that has shown that some PLCs are connected to the internet, and it's something that, if you know the model number and all that, makes the attack vector a lot easier.
Malicious attacks from outside, sanitized point connections to the outside: we saw that. I mean, we've seen connections to the commissary, connections to the outside on the control computer via checking Gmail. So there are a lot of ways that if we wanted to do a malicious attack we could do it.

So also from without: clearly at this point we have seen that someone was checking their Gmail from the control computer, so a client-side attack vector is completely within scope at that point in time, because we know that they are checking email. Of course, from without again, there is potential via these DVRs if they're uploading wirelessly from the police cars. Now, this would be within a jail, not a prison, but you also have to look at it: well, if they're uploading wirelessly, there's wireless there as well. Now how does the network segmentation look in that situation? Clearly it'll probably be different everywhere, but it's probably not always going to be done correctly. It's just rare to see it done perfectly all the time.

From within, obviously we have the typical social engineering attack vectors. We've seen people, technicians, working alone in the equipment room. Who says they're really technicians, right? Stuxnet pretty well proved that even if stuff is air-gapped it doesn't particularly matter; you can still compromise it. So obviously the other thing to think about as well is that people say that Stuxnet was via USB drive, and now think about all the stuff we have now with the Teensys and everything else. It doesn't just have to be a USB drive; it can be, you know, any particular HID interface. So obviously there are clearly all the social engineering vectors, and there are a number of external vectors as well.

All right, so we talked about how we don't believe that in all facilities internet access is isolated.
There are some maximum security facilities where, we saw, the prisoners have had some access to a computer. We read this in an article, and the next article said, well, the prisoners are finding all these flaws in it, so they're essentially red teaming it in a way, and then the prison is fixing all the holes they found, including buffer overflows that they saw the prisoners were doing. So is the internet access isolated? We don't know from that system, but it's the type of thing that they need to be very cautious about.

So what kind of badness is possible? This is where we're going to talk about, and I'm just going to briefly say, how we set up our basement lab. Teague is going to give you some pictures of that, and we're going to have a demo of our PLC and what we were working on. Okay, so the worst-case scenario, one of them, is open all the doors: mayhem. Open some of the doors: release from prison. Is this unlikely? Maybe; you still have to get past the guys with the guns, so that's a little difficult as well. But in the past 30 years helicopters have been used for prison escapes eight times, six of which were initially successful (they were picked up later for other things), but which event is more unlikely? So when we hear that, oh, this is really unlikely that this might happen, there have been some very unlikely things with helicopters, but we think that because of Stuxnet and the copycats, things like that, it actually may become a lot more likely. We can close all the doors during a fire: let's say you don't want a witness to testify against you in trial; lock all the doors, and if there's a fire, everyone perishes on that side, so prisoners are locked in, locked down in a housing unit.

So how much did this research cost us? Some people say that to do this type of PLC research it's going to take a big lab and a research facility and a lot of money to do it. It did not for us at all. It cost us $2,500, most of which was in legit licenses. We made it clear that we saw the licenses elsewhere, but because we're doing this well, and also because we wanted to get the legit license so we could do a lot of research on it as well, we bought this from the vendor. The Siemens model that you see here is the S7-300, the same one exploited by Stuxnet. It's the same one that we do see in some prisons, and there are a lot of exploits that are available; we found them on the Exploit Database, exploit-db.com, and there are a lot that are free; they're out there. So our exploits, by the way, are unique from some others that have been done out there, but they're pretty simple to write. I've seen some buffer overflows on a stack in 30 lines of code; I mean, that's not difficult at all to do. So we had a lot of fun doing this type of research, and Teague is going to now talk to you about our basement lab, what we had to set up.

So for the lab, it's a computer with that plugged into it. It could literally be this right here; there's nothing spectacular about it. All you need is a machine that will run the software and a way to connect the PLC to that machine. It's nothing fancy. We set it up in about 10 minutes, so definitely not advanced persistent threat. So anyhow, that's what the lab looks like: that is the machine with the PLC on the table. That's it, that's all, that's what we used to research this.

And this is the programming language. This is just an example of it. It's as easy as, if you have taken some basic computer science or engineering classes, really understanding logical gates, for instance: this is an AND, this is an OR, and what you see below is what it's going to look like in the program. So it is pretty simple to get this to work if you understand these logical diagrams. There are attack vectors, as we said. We do have exploits of our own, but there are publicly available exploits. I mean, there's a handful out there; you can find them at Exploit-DB; there are some going into Metasploit right now. Luigi released like 34 exploits
for SCADA systems in one day. These are not particularly difficult to obtain.

All right, so now we talk about our attack vector. The attack vector that we're demonstrating here is actually similar to what Stuxnet did. What we're doing is we are directly calling the PLC's application functions. So once you are on that machine that monitors, controls, or programs the PLCs, it's open season. So basically, however you get on that machine (we discussed the attack vectors), now you're on it, what do you do? Migrate into the process, access the libraries, and call the application functions. So it's using libraries how they're designed to be used. That's why we're saying this is not particular to Siemens. Yes, we have that, but if the software exists and it has libraries, it's going to work across any vendor.

Okay, now we're going to do our demo. We took a demo from our exploit writer, so you're going to get to hear Dora the SCADA Explorer's voice. Hopefully the audio will work on this; we've been having some trouble with audio. Okay, before I get into the demo, I kind of want to explain some things here. So what we have is this PLC. There are a number of lights on the bottom and a number of lights on the top, and I just kind of want to make clear what's going on. You have to use your imagination, because these are just lights, but what occurs is when you flip a switch on the bottom, a light comes up on the bottom and on the top. The bottom, picture it as what you would see at the monitoring computer: it says, all right, switch is flipped, so in our case it would say the status of that door is locked. When you see the light occurring at the top, that is what the current status of the actual door in this case would be. So if the light's on up top, the door is locked; if the light's off up top, the door is unlocked. So you'll also notice in the demo, there are typically the cascading release programs that we talked about. That would be doors opening or closing sequentially; it wouldn't be all at once. The possibility was there that if everything occurred at once you could have voltage inrush and you could start frying some electronics. You'll notice it's pretty easy for us to not cascade things. So anyway, just remember the bottom is what you would see in a monitoring area and the top is what's actually occurring on the other end with the hardware.

All right, so what we see in the middle here, this is our PLC. The switches on the bottom represent the actual lock controls themselves, so either a physical mechanism or the software changing the state. The LEDs on the right side of those switches represent their state, so that would be if the switch is actually physically on or off. The LEDs you see at the top represent the actual lock state, which should be like a secondary sensor that's telling you: is this lock actually locked, or what state is it currently in? And as you see, switching back and forth, the LEDs update to show that status. Now in the software you basically have all of the internal states, again, of the same things. You can see the lock controls and the lock states themselves, and in the software the LEDs, or the column with the true and false, are basically the state of the switches and the lock states where they currently are.

All right, so once we actually start running the exploit, or not exploit, the Meterpreter script, we're going to basically migrate into the controls, or the communications part of the software that handles communications with the... actually, if you want to look at the PLC real quick, it's about to trigger. And there they go. And as you can see in the software itself, the state of the switches is still currently turned on, so basically, yeah, showing false information really. So what we've done, if you want to show that Meterpreter script real quick, kind of what we've done is migrated into the communications process and sent, using the Siemens actual DLL, sent using Railgun, the communications commands to send basically any of the information to
update the variables on the device itself. And basically, all we did... all right, so you'll notice there, with this last shot of the software too, that is basically what you would see in the control center. You'll see that in fact all the doors are still locked, and clearly on the PLC they were not. In fact, let me embroider on that just for a second. My original expectation was that we would somehow be able to control the PLC to unlock a door. Turns out we were able to do much more than that. We can now unlock the door but tell central control it's still locked when it really isn't. Yeah, we are in fact not only manipulating the physical state of the door, we are also suppressing alarms and notifications as well.

Okay, can we go back to the other screen, please? This is what it looks like, for those of you who can't see it up here; that was the same one in the video, so there's a close-up picture of it. And this is when we toured a correctional facility: we took some pictures of the relays and PLCs and some of the wires and networks there, and we're showing you a few of those here. These are also, by the way, in our white paper, which was published by Wired, but it's also on Core Security's website under one of their blogs about DEF CON, so you can pull up our white paper and more information on this and see more pictures.

All right, so this is really the summary. We're going to be talking about the remediation here now, which is pretty clear for what we're going to do: use a device for its intended purposes. Those of us in this room, we get that, all right, but for those of you watching, you know, elsewhere online, prison wardens, guards, this is very important for you, because there are some things that can't be fixed with PLCs. It's up to you really. Those acceptable use policies have a reason why they're there. Proper network segmentation, restrict physical media, the same stuff that would prevent Stuxnet: this is the stuff that we're discussing here. So many modern jails and prisons were designed 10 years ago, before these attacks were known, so what we're suggesting is: evaluate some of the designs and security that you have. Take a look at the IT network, I mean very carefully, because if an attack did occur on a, you know, correctional facility, it's a pretty big deal. Enforcing and updating procedures and policies, really having the guards understand why this is a big deal, is the most important thing. The biggest risk-mitigating thing that you can do is educate your employees. If you have PLCs that run safety-critical operations or correctional facilities, know that these attacks can exist.

One point I'd like to make is, you know, clearly the way we're doing it, you can't really patch that, so the education is huge. How would you do it otherwise? That's why you need to... everybody always says it, but, you know, the layered defenses, you've got to really have it all in place, especially for things like this that can be deemed, you know, critical infrastructure for a particular facility where it may involve lives of people. So you've got to determine what's important and then implement it hard.

All right, we also want to give a big shout out to Dora the SCADA Explorer for being awesome. And for any of you out there or watching online, if you think that we or Dora hold the keys to the castle here, we do not. These exploits are going to be public, and it's nothing that was terribly, terribly difficult to do. So we got some interesting requests, I'll tell you, since some articles have been written about us, and no, we won't help you. And, you know, it's the type of thing that that's one of the reasons that Dora has been very quiet. Are we going to be taking questions in this room too? Oh, we are? Okay, great. Oh, okay. Thanks to the feds for inviting us for a briefing, and special thanks to Core Security.