Okay, so hi everybody. Welcome to a talk regarding the magical world of magic packets. We're going to explain the topic soon. This is Tal and myself, Sharon. We have worked for Claroty for the past few years. We mainly do reverse engineering in the OT domain, so we break up PLCs, HMIs, engineering stations, etc., and we research OT protocols. Today we're going to talk about the research that we have conducted regarding some ICS vendors.

But before that we want to show you our cool lab. This is our setup with different vendors, different PLCs from all over the world: Rockwell, Schneider, Siemens, you name it. We have everything. And this is where the research was mainly conducted.

So today we're going to talk about what change IP packets are. We're going to explain why they're being used and who uses them. We're going to show some practical examples of how different vendors implemented change IP packets. We're going to discuss the security implications and security aspects of what it means to have change IP packets in your network. And finally we're going to sum everything up and release some of the custom Snort rules that we have developed according to our research.

So, change IP packets. Think of the situation where you're buying a new device and you want to plug it into a network. The device has no network settings, but still you plug it into the network and somehow you're able to communicate with it. So how is it done? When you plug your device into your network you send a change IP packet, a magical change IP packet, to the device. Suddenly the device gets a new IP address and you're able to communicate via layer 3, which is the IP layer. Yes, it's true that you need to know some basic elements about the device. For example, in modern Ethernet networks you need to know at least the MAC address of the device. But a MAC address is a relatively easy element to obtain in a network.
If you're sniffing the network you can see ARP responses and the like, so it's relatively easy to get the MAC address, and we assume it's not a problem.

Before we dive deeply into the magic change IP packets, we want to give you some examples from the IT world of what a magic packet is. Think of the IT domain back in the late 90s, when computers were on the rise and the power consumption of the entire computer industry was on the rise as well. Many vendors and governments wanted to reduce power consumption, so they recommended that people shut down network devices or computers when they're not being used. That was fine until the IT administrators wanted to conduct some maintenance processes, but the computers were turned off. They could not back up the computers, they could not perform any updates, and they got really mad. So that's why AMD and HP came up with a solution: the computer, when it is not being used, will be turned off, but the network card will always stay connected. The network card will always get electrical power and will constantly sniff the network. Once it detects a magical sequence of bytes, in our case the Wake-on-LAN packet, which is six 0xFF bytes and then 16 times the MAC address of the network card, only then will it magically turn on the computer, and now the IT admins can perform their maintenance. So the computer was turned off, only the network card is connected to power, it detects a magical sequence of bytes, and then it turns on the computer. That's in general the concept of magic packets.

Another example we can find in the malicious world, for example the Chaos or the cd00r backdoor. Those backdoors are constantly sniffing the network, and once they detect a magic sequence, which can be a magic sequence of bytes or a magic sequence of attributes, for example port knocking.
And once they detect those magical sequences they will do something, and in the malicious world they're probably going to send a reverse shell back to the attacker. So that's the concept of magic packets. This is how the packet looks: you see the six 0xFF bytes and then 16 times the MAC address.

Now that we've covered some classical IT examples of what a magic packet is, I want to discuss what change IP packets are, why we use them, and what's so magical about them. First of all, we're human beings, right? We like things to be relatively easy and simple. We don't want to get up; we want to buy a new device, plug it into our network, and then, plug and play, easily communicate with it. So that's why change IP packets were invented: because we're lazy, because we're human beings, we don't want to configure the devices back to back physically. We just want to take the device, plug it in somewhere in the network, and immediately start to communicate with it. Change IP packets allow us to do that, because if you're connecting your device to the network you can send the magic change IP packet to the device, the device will get the IP address, and you can communicate with it further remotely.

But what's so magical about it? First of all, you're gaining new access via layer 3, so you're gaining new access to a device which you did not have before. Secondly, those devices are acting in some way like a backdoor, because they're constantly sniffing the network, searching for magic sequences of bytes or magic sequences of attributes, and suddenly they do something that you told them to do. And third, most of the protocols that we'll see soon are not being used constantly; they're not common, because they're used only when you need to configure the device. So we treat them as very esoteric protocols that we rarely see in our networks.

Okay, what are the types of change IP protocols? First of all we have the standardized protocols.
Standardized protocols are protocols which have many different commands, for example to start the PLC, stop the PLC, maybe restart the PLC, read or write addresses, all the regular and basic functionality that you know. But one of those commands is the change IP or change network configuration, and we'll see an example.

First of all we have PROFINET. PROFINET is a standardized layer 2 protocol which is mainly used in Siemens environments and is used to configure PLCs. For example, the SIMATIC S7-300, which can be found in many nuclear facilities, is configured and maintained by PROFINET. You have probably heard about the SIMATIC S7-300, because that's the famous PLC that Stuxnet attacked a few years ago. As you can see, PROFINET is layer 2; it's a very standardized protocol. It consists of many different commands, but one of them is the change configuration. As you can see in the picture, we've used this functionality in order to change the IP of our device.

Another example is the GE SDI protocol by General Electric. This protocol is used heavily in the renewable energy industry, such as turbines, and it is used to control the Mark VI family of General Electric. What's unique about Mark VI PLCs is that they all run on QNX. QNX is a UNIX embedded operating system, and because of that it includes many very commonly used UNIX commands, for example ifconfig. Another thing that you should know about the Mark VI family is that they have a very unique command, command C, which allows us to run any command that we want, and it will run in a shell on the device. So we combined the two: we created a change IP packet using the C type command, we were able to run a shell command on the device, and we changed the IP of the device.

Another type that we would like to discuss today are protocols whose entire purpose is just setting and exchanging the network configuration. For example we have RCDP, which is the RuggedCom Discovery Protocol.
That's a protocol that was probably invented by RuggedCom to maintain and configure RuggedCom devices. So we're able to maintain and configure RuggedCom switches and routers only via this protocol. What's unique about this protocol is that it has an authentication mechanism which requires the user to create a unique hash which consists of the username and password of the device, among other stuff, and only with this hash can you change and configure the RuggedCom devices. So we have been researching this protocol for a long time, and eventually we were able to break down all the different fields of the protocol, as you can see. In orange you can see the authentication hash, and in red you can see the IP that we changed the device to.

Another type of protocol is protocols which have magic sequences. Just like we have seen before with the Wake-on-LAN packets, those protocols use a very unique sequence of bytes, and only when they get that sequence of bytes will they do what they were told.

A very similar group is the magic attributes. Some devices are not even implementing a protocol at all. They're using the attributes of a different layer of the packet, and when they detect certain unique attributes it will trigger the change IP functionality. For example, the GE (General Electric) PACSystems is a family of controllers, such as the RX3i or RX7i, that have a very unique functionality. The CPU or the network card will constantly sniff the network, just like a backdoor. And when it detects a special and unique TCP packet, as you can see here, with very unique attributes, source port 1 to destination port 1, as you can see in the picture, only then will it understand, just like a backdoor, that we're trying to communicate with it, and then the device will take the packet, extract the destination IP address, and set it for itself. This kind of behavior is very similar to what backdoors are doing.
Another important thing to notice here is that those devices, those PLCs, will not take the destination IP if the device is not in stop mode. So if the PLC is in production mode the device will not change the IP. Obviously this is a security mechanism that General Electric put in place in order to avoid harming production.

Another cool type of protocol is the encapsulated protocols. For example, B&R didn't want to implement their own protocol. Instead they are using SNMP, which is a very commonly used protocol, the Simple Network Management Protocol. But they're using SNMP over Ethernet, which is a very uncommon SNMP flavor. SNMP has two main functionalities: get and set attributes. B&R chose to implement SNMP with their own specific OIDs. For example, you can see here the OID, and if you get this OID you will receive the IP address, and if you set this OID via SNMP you will set the IP address. So, for example, we have constructed a packet over SNMP, and you can see that when we set the specific OID that I mentioned before we were able to change the IP of the device.

Now all those use cases are normal, which means OT admins and IT admins are using them daily. But what happens when attackers are using them? What happens when we're going evil, to the dark side? The basic concept here is that if I, as the IT owner, the IT admin, can say the magic word and change the IP of the device, attackers can do the same. Attackers can say the magic word as well. So what can they do with it? First of all, if they're changing the IP addresses of my PLCs in production, obviously they can cause denial of service and do some bad stuff. Secondly, attackers can achieve active and passive man-in-the-middle. But before we dive into what passive and active man-in-the-middle are, let's see how such an attack can occur.

So first of all we have a basic setup of an HMI communicating with, querying, a PLC. The PLC is controlling a motor, and the motor is running at a speed of 212 rpm.
Normally the HMI will query the PLC and ask for the motor speed. The PLC will respond with 212 rpm, which is the normal speed, and everything is good. But then the attacker infiltrates my network and sends the change IP magic packet to my PLC, asking to change the IP to .66. The PLC changes the IP, and then the attacker changes its own IP to .10, what the PLC had previously, and informs the HMI that it is now .10. The HMI now thinks that the attacker is the PLC and starts querying the attacker as if it were the PLC, and the attacker, who wants to stay in stealth mode, sends back to the PLC that it is running at a speed of 212. But in the background it sends the PLC a change motor speed to 2,000, from 200 to 2,000, and then obviously bad stuff can happen.

You should know that this scenario is not so imaginary. A very similar attack was performed by Stuxnet in 2010, which conducted a man-in-the-middle attack and changed the running speed of the centrifuges in an Iranian nuclear plant. This is a very likely scenario if your network is not secured, and that's why we need a lot of security.

So yeah, we see why we should have concerns about the change IP functionality, but what is the awareness of this issue? What are the vendors doing about it? Let's see an example. Seven years ago a CVE was published regarding the change IP functionality in the CIP protocol. CIP, the Common Industrial Protocol, is heavily used in the Rockwell ecosystem. It is a very complex protocol that can be used for a lot of stuff, from data acquisition to configuring the PLC. One of its features is setting the IP of the device. According to the CVE, changing the IP of the device can cause a denial of service. It can cause a denial of service and disrupt the process in our facility and break a lot of things. But the question of whether it is a vulnerability or just a feature is hard to answer, because at the end of the day it is just a feature of the protocol.
Since then Rockwell has added some protection to the protocol and some authentication, and made it much harder to change the IP of the device, but it is still possible today, because if the OT admin can do that, an attacker can do it too. Here is a packet with the IP that we set.

Another solution that we already mentioned earlier is requiring that the PLC be in stop mode, so an attacker won't be able to disrupt our production environment with that packet; it just won't work. Another good solution is requiring authentication in order to make configuration changes to our PLC, which makes a lot of sense. But not everyone is doing that. In most cases you can just tell it to change the IP.

So let's take a moment to look at a protocol that tries to implement some protections: the Schneider net-manage protocol, which is used by the Schneider Modicon to change its network configuration. We looked at that protocol, and at first look it looked encrypted. But after looking at it for a moment we saw that it is just XORed with a simple, static, hard-coded key. We were able to extract this key and look at the protocol itself. We saw some credentials in the request. But when we crafted our own packets and sent them to the PLC we noticed that the credentials are not being validated at all, which means you can send whatever you want and it will accept it and change the IP of the device. So we contacted the vendor, and they told us that they recommend disabling the service after using it for the initial setup. They are aware of the problem with this functionality, and this is why it is mentioned in the documentation to disable this feature.

So yeah, that is another solution: giving the user the responsibility to protect himself and disable this feature. But the question is, can we always do it? Sadly the answer is no. In most cases the change IP functionality is part of the protocol. We can't just disable and enable it. Not all the vendors are giving us this option.
So what can we do? Here are some tips for making your network more secure.

First of all, configure a secure password. In some protocols, as I mentioned, changing the device configuration is locked behind authentication. But if we don't set up a password, or don't change the default one, or set a simple password like 123456, we are not protected. So don't forget to set a secure password on your devices.

Another option: in some PLCs there is a physical switch on the PLC itself that can be changed between active mode and configure mode, and in some of those the PLC can't be configured unless the key is in the configuration state. So don't forget the key in that state; in that case, it's better to change the configuration and then put the key back into production mode.

Another important thing to do is separate your network: separate the users from the PLCs, and make sure that a user that is not supposed to talk to a PLC won't be able to, with strict firewall rules. It will make your network much more secure.

Another thing is to monitor your network. Don't let an attacker stay undetected. There are some powerful IDS and IPS tools out there that can monitor and secure your network, preferably a solution that knows how to do deep packet inspection, how to parse the protocols, and how to detect the attacks that we talked about, because not all the tools can do that. So yeah, as Sharon mentioned earlier, after our research we wrote some Snort rules that will detect some of those potential attacks that we mentioned and catch some of those change IP packets. You will be able to see it later in our presentation.

So we are given a powerful tool by the vendors to set the IP of our PLC remotely. But this gives us some responsibility to protect our network, because if we can use it, an attacker can use it too.

So yeah, we've seen today a couple of different protocols that we've been researching. Those protocols allow us to change the IP of the devices in various ways.
Most of those protocols behave just like backdoors, because they have some unique sequences of bytes or unique sequences of attributes, and the devices are constantly sniffing for them, detecting changes and understanding that someone is trying to communicate with them. Then we discussed some of the security aspects of what it means in our network. And finally we gave some security tips on how to be secure. We're also going to release some of the custom rules that we've developed according to our research. And that's a table that summarizes all the different protocols that we have been researching and their security and layers. Thank you.
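The two magic-packet patterns the talk fully spells out are the Wake-on-LAN sequence (six 0xFF bytes followed by the target MAC repeated 16 times) and the GE PACSystems trigger (a TCP segment with source port 1 and destination port 1, whose destination IP the controller adopts). The following Python detector is an added example written for this transcript; it is not Claroty's code and not the Snort rules the speakers mention. It parses raw Ethernet/IPv4/TCP/UDP frames by hand, flags both patterns, and reports which IP a PACSystems controller would adopt if it were in stop mode. All frames, MAC addresses and IP addresses in it are constructed sample data, not real captures.

```python
"""Added example: monitor-side detector for two change-IP / magic-packet triggers
described in the talk. Works on raw Ethernet frames, no third-party libraries.
All sample traffic below is constructed, not captured from a real network."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def find_wol_magic(data: bytes):
    """Return the MAC named by a Wake-on-LAN magic packet found anywhere in data, else None.
    Layout as described in the talk: 6 x 0xFF sync bytes, then the target MAC 16 times (96 bytes)."""
    sync = b"\xff" * 6
    idx = data.find(sync)
    while idx != -1:
        body = data[idx + 6: idx + 6 + 96]
        mac = body[:6]
        if len(body) == 96 and mac != sync and body == mac * 16:
            return fmt_mac(mac)
        idx = data.find(sync, idx + 1)  # a longer run of 0xFF may hide the real sync start
    return None


def parse_frame(frame: bytes) -> dict:
    """Minimal Ethernet II / IPv4 / TCP-or-UDP header parser. No checksum validation."""
    info = {}
    if len(frame) < 14:
        return info
    info["eth_dst"], info["eth_src"] = fmt_mac(frame[:6]), fmt_mac(frame[6:12])
    info["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    info["l2_payload"] = frame[14:]
    if info["ethertype"] != ETHERTYPE_IPV4 or len(frame) < 34:
        return info
    ipv4 = frame[14:]
    ihl = (ipv4[0] & 0x0F) * 4          # header length in bytes (options included)
    info["ip_proto"] = ipv4[9]
    info["ip_src"], info["ip_dst"] = fmt_ip(ipv4[12:16]), fmt_ip(ipv4[16:20])
    l4 = ipv4[ihl:]
    if info["ip_proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def inspect_frame(frame: bytes) -> list:
    """Return alert strings for the magic-packet patterns the talk describes."""
    alerts = []
    f = parse_frame(frame)
    if not f:
        return alerts
    # WoL may ride directly on Ethernet (EtherType 0x0842) or inside a UDP datagram;
    # searching everything after the Ethernet header covers both without special-casing.
    mac = find_wol_magic(f["l2_payload"])
    if mac:
        alerts.append(f"wake-on-lan magic packet targeting {mac}")
    # GE PACSystems trigger: TCP sport 1 -> dport 1; the controller adopts the destination IP.
    if f.get("ip_proto") == PROTO_TCP and f.get("sport") == 1 and f.get("dport") == 1:
        alerts.append(f"tcp 1->1 change-ip trigger: device would adopt {f['ip_dst']}")
    return alerts


# --- constructed sample traffic (hypothetical MACs/IPs, not a real capture) ---
def build_eth(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", etype) + payload


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    # version/IHL, ToS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def build_tcp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    # seq, ack, data offset 5 words, SYN flag, window, checksum (0), urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


PLC_MAC = bytes.fromhex("001122334455")    # constructed
ADMIN_MAC = bytes.fromhex("00aabbccddee")  # constructed
BCAST = b"\xff" * 6

SAMPLE_FRAMES = {
    "wol_over_udp": build_eth(BCAST, ADMIN_MAC, ETHERTYPE_IPV4,
                              build_ipv4(ip("192.0.2.10"), ip("255.255.255.255"), PROTO_UDP,
                                         build_udp(40000, 9, b"\xff" * 6 + PLC_MAC * 16))),
    "ge_change_ip_trigger": build_eth(PLC_MAC, ADMIN_MAC, ETHERTYPE_IPV4,
                                      build_ipv4(ip("192.0.2.10"), ip("192.0.2.66"), PROTO_TCP,
                                                 build_tcp(1, 1))),
    "modbus_poll": build_eth(PLC_MAC, ADMIN_MAC, ETHERTYPE_IPV4,
                             build_ipv4(ip("192.0.2.10"), ip("192.0.2.20"), PROTO_TCP,
                                        build_tcp(50123, 502))),
}


def scan(frames: dict) -> dict:
    """Run the detector over a name -> frame mapping; returns name -> list of alerts."""
    return {name: inspect_frame(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, alerts in scan(SAMPLE_FRAMES).items():
        print(f"{name}: {alerts or 'no alert'}")
```

The same two checks translate directly into IDS signatures (a content match on the 0xFF sync plus the repeated MAC, and a port match on TCP 1/1); the value of doing it in code first is that you can confirm the byte offsets against constructed frames before trusting a rule on live traffic. Alerts on the TCP 1/1 trigger are worth correlating with the controller's run/stop state, since the talk notes the PACSystems controller only adopts the address in stop mode.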