Let's get this show rolling. Woo! Woo! So please give a warm round of applause to our two speakers, James and Bertin, who will be adding one more thing to my list of things to worry about, which is hacking seismological networks. So please.

Okay. Now can you hear me? Oh, awesome. Okay, guys, welcome to our talk. This is called Exploiting and Attacking Seismological Networks Remotely. My name is Bertin. This is my colleague, James Jara. We are from Costa Rica, and we're here to share the results of our latest research. So, okay, this is our disclaimer first of all. This is not a typical talk. Of course, it's a technical talk. Probably it is the first research of this kind. All the vulnerabilities that we found have been properly reported to ICS-CERT, and they contacted the affected vendor. We are not responsible for the actions that someone may take after attending this talk.

Okay. So, hello guys. Hello. This is, okay, ready. So, who we are? The agenda for today is this one. Who we are, which we don't really know. The motivation behind this research; how we got into these devices, how we found them; we will also talk about the risks and the impact, who is getting affected by attacking these devices. Also, we will talk a little bit about seismological instrumentation in order to understand this research better. Also about the internals, deployments on earth and in the ocean as well, about network topology, also how we got into the vulnerability phase, also about the firmware analysis, attack vectors and post-exploitation. And finally, we get into some conclusions and recommendations.

Okay. So, my name is Bertin. As I mentioned at the beginning, my colleague is James; we are from San José, Costa Rica. We are the co-founders of the NetDB project, the network database project, which is a search engine for IoT devices. It's a project that I started five years ago. Then James joined my idea and we started working very hard, from two years ago, on the framework and the tool.
As I mentioned, we're from San José; probably many of you know our country. Thanks. Thanks. Because it's a nice place to live and visit. You are welcome anytime you want to visit us. We have a lot of beaches, nice beaches. So, you're welcome. It's a very nice place to live. We don't have an army, so everything is pretty much cool and relaxed.

Okay. The motivation for this talk: why are we interested in seismological networks? Well, the average attacker is not interested in attacking these devices, because we haven't seen any research previously in this field. It's pretty weird. Actually, if you take a look at the Snowden docs, if you look for the string seismological or seismic, Snowden doesn't mention anything about it. And that was pretty interesting for me. Who could be interested? And I think that governments, you know, in order to sabotage other countries through seismological networks; this is a new, cool attack scenario, because these devices are placed in strange environments like the middle of the ocean or underground, and around volcanoes and specific areas. You're playing with devices that measure natural disasters. So, it's very risky. This could lead to financial sabotage of a specific company or country. The vendor of these instruments doesn't have any sense of computer security at all; I'm going to show you. Remote access, remote exploitation. So, all the things that I mentioned powered this research to continue until today.

Okay. How did we discover these devices? We have, as we told you before, an IoT search engine. So, let's see a demo about how we got into this device. Okay. Let me show you guys very quickly, because it's not the main focus of the talk. This is the NetDB web GUI, the web application. You can perform queries with our query builder tool. You can search in HTML, IP, ports, URL, HTTP headers, countries, SSL certificates as well, fingerprints, and so on. There are a lot of options.
So, in this particular... what happened here? Sorry. Okay. Sorry. Okay. In this particular example, we are asking NetDB for a specific IP address. We are indexing, come on. We are indexing from this IP three ports, in this example LDAP over SSL with the respective certificate, and an HTTP server on port 80. If you take a look at the same IP address in other search engines, very well known to you such as Shodan, it doesn't have any results. So, I'm not saying that we are doing a better job scanning the internet, but we are doing something, something that they are not doing. We are using another strategy to get the results, and we are focusing on getting as much data as possible. Yeah. Well, basically that is NetDB, and this is how we were able to get into the seismograph: just looking into the HTTP header labels.

Okay. So, as you can see, we have a lot of fingerprints of many devices. So, one day, we had done a lot of research thanks to this search engine, and we saw a keyword, a very curious keyword. So, we have another demo in which we will see how we got into this particular device. Okay. So, let's see the demo. This is NetDB in action. As you can see, I'm asking NetDB for a particular string, which is Taurus. That string is available in the Server label of the HTTP header of these two IP addresses. So, you can see the fingerprint: Jetty 5.1.x, Linux 2.4.24, NMX Taurus. That was pretty new for us. So, I'm asking NetDB for a particular string, which is Taurus. And I noticed that when you connect directly to the web server running on port 80, you get this dashboard. And you see something very unusual. I have seen many researches about VNC servers open on the internet and many other servers, but this one was pretty different, because it's giving you readings, it's giving you voltage readings, and waveforms.
You can see the waveforms; there is an option called waveforms, and you can refresh these waveforms every five seconds. So, at the beginning, I was not sure exactly what this thing was. So, that's the reason I started the research: for some strange reason, you find a unique fingerprint among the millions of fingerprints that we have and are currently collecting with NetDB on the public internet. So, what is Taurus? That's the question now. We have the web server, we have the readings, we have everything, we have access and can track them. We know the fingerprint already, so we can start tracking them on the internet. But what is it?

Okay. What is Taurus? It's a portable digital seismograph developed by Nanometrics, a company based in Canada. When you take a look at the official documentation, you will learn that it's connected directly to the broadband seismometer, which is called the Trillium 240. Then, all the data coming from the broadband seismometer is routed to the portable digital seismograph and then to the acquisition center. Also, it could be connected to a geophone. These geophones are devices that are placed in the middle of the ocean in order to better understand the sounds of the seismic waves in the middle of the ocean. So, what is a seismometer? Seismometers are instruments that measure the motion of the ground. They are reading the wave movements from earthquakes, volcanic eruptions, or other sources. From Wikipedia, we read that there are different common applications like earthquake detection, frequent dealing, also mine safety, structural analysis.

So, continuing with the research. We asked, for example, which is the organization that keeps the standards, protocols, and all the rules to get these devices working properly globally, around the world. And I found the International Federation of Digital Seismograph Networks.
This organization keeps up to date the SEED reference manual, which is the standard format for earthquake information exchange across all the digital seismograph networks worldwide. So, these devices provide their real location just by connecting directly to the web server. As you can see, you can go to the time option, and you will notice that the location area is providing to you the latitude, longitude and altitude according to their exact location somewhere in the world. So, there is a demo showing you how we were able to find a seismograph in the middle of the ocean. Let's take this data from this real production seismograph, and let's ask Google for this location. And you will notice that it is placed in a very cool area. So, let's go to Google, to the exact location. And there you go. This place is in the middle of the ocean in Europe, between the UK, Norway, and Denmark. So, we said, well, this is cool, because these devices are running in an autonomous way in the middle of the ocean. So, let's attack this thing. It's pretty cool, because I haven't seen anyone exploiting something in the middle of the ocean. So, let's do it.

Okay, NetDB is not giving us the exact location, because we are using the MaxMind databases in order to query the location of every IP address that we find, every second. But it's pretty accurate, because it's telling us, well, your device is located at some ISP in the UK. So, this is another example of how you can use Google Street View in order to query the same information. We found this seismograph located in Marlow, Oklahoma. It's the same one here. These are the coordinates. And asking Google, it's telling us, well, it's inside that property. But Google Street View doesn't have access to the property, so you're not able to get further inside the property. But it's in there. So, it's pretty cool. So, what is the impact? I was looking for a real impact in the real world.
So, first of all, no one else has ever done, as we told you before, security research in this field. So, we know that we can perform a denial of service. Also, we can take advantage of the web server applications. And then we get into the web application vulnerabilities. We see that there are several bugs, information disclosure in the web application that is using, as we said, a Jetty server. Also, there can be a big economic impact for the oil and gas research of a specific company. There are other fields like the military industry and unknown areas. Yeah. Okay. Another company, which is called PGS, sells these components or these networks in order to perform gas and oil recovery. So, this caught my attention, because you can see that there are other applications for this technology, not just earthquake detection or understanding the earth.

So, vendors found in this research: Güralp Systems, GWL instruments, ZARA; also there are other vendors, but the most affected is Nanometrics, which claims to be the world leader in seismological instruments and networks. Also, you can take a look in Google for white papers regarding instrumentation and earthquake technology in order to understand better how these devices work, because it's very much a science field. It's not very familiar to us as security researchers. So, it was pretty difficult for me to understand exactly how these devices work. So, I had to request some help from an organization in my country, which is called OVSICORI. They provided me some information regarding how they work. And I explained to them, well, I got a root shell here and these things. So, they told me, well, bro, we are screwed, basically. A lot of mathematics, a lot of physics. If you are interested, you can take a look. This is an example of other seismological instrumentation.
This is an example of how to use geophones, and what hydrophones are, in order to pick up the sounds from the ocean and to pick up the movements of the earth. But in the first example, they are producing a fake movement in order to find the gas and oil. So, I found a demo from a company doing this. Let's take a look at how they are being deployed and how they are producing the fake movement in the earth in order to find the gas and oil sources. As you can see, each point represents a little sensor. You notice that they have big trucks, and they in some way stimulate the earth in order to get the response and check, well, there is gas and oil. So, let's dig into it. This truck is collecting all the data from the network, and then it is sent to the main acquisition center. So, this is where we are attacking: each of these little devices.

So, let's take a look at how the typical configurations look. As we can see, we have the sensor and we have the portable digital seismograph. Basically, the portable one is the small piece at the top left of the image. We have the broadband sensor at the bottom, and the one which is called Taurus. What are the internals of these devices? They are Linux-based operating systems. They have a remote management system. They have several services like SSH, telnet, FTP, and the web server, Jetty. They have a really accurate GPS that can be used by the firmware to get the exact location of the device. Also, they are basically made for ocean bottom deployment; in this case, the Trillium. They have a device that can make the unit last a long time, I mean years, in the ocean. In this case, we have a sophisticated image in which we can see a horizontal sensor, a vertical sensor. We have accelerometers. Yeah, sorry. Another layer for seismological and electronic stuff. In this image, this is a pretty expensive device, so we were not able to get one. So, this is an HD photograph in which we can see several components of this device.
So, what about the deployment options? We have two cases. The first one is for the earth deployment and the second one is for the ocean bottom deployment. For the first one, as a standalone deployment, it's typically running in standalone mode; it doesn't require a network connection. For the second one, it will work as a network element. So, in this case, the user must configure the Taurus with the required acquisition server IP. So, the Taurus will be streaming the data to the acquisition server using the NMXP protocol, that means the Nanometrics protocol. Okay. Geophysicists depend on seismometers to monitor earthquakes generated by the motion of the tectonic plates that form the crust. In order to function, the instrument needs to be leveled prior to operation. That's easy enough for a device deployed on dry land. But when it comes to seismometers placed on the ocean floor, thousands of feet below the surface, the process gets a bit more challenging. As you can see in the earth deployment, it's pretty simple. You know, it's a small device and it's a simple step to deployment.

But now, let's see a topology of the seismological network. Before jumping into the ocean deployment, this is how a seismological network looks. In this scenario, we have three different communication types. The first one is VSAT, the second one is ADSL, and the third one is a GPRS modem. So, basically, the data comes from the sensor and is sent by the Taurus to the acquisition server. Well, this is a typical ocean bottom deployment. They are using autonomous underwater vehicles, also known as AUVs. This is a pretty expensive deployment, because you need several ships and several AUVs. And each of these sensors is a digital seismograph. It has a cost of around $30,000 each. So, it's a pretty expensive infrastructure. This is an example of how the dashboard looks which receives all the data coming from the remote stations, in this case the seismographs.
This is software also provided by Nanometrics, which is called Athena. It can provide to you the exact location and a nice web GUI. But it's not the focus of the talk today. There is also an open source server that can collect the data coming from these stations, which is called SeisComP3, if you are interested in taking a look at open source seismological technology. Okay, the challenge, as I mentioned, is pretty high. In order to function, these instruments need to be leveled prior to operation. It's not easy when it's 1,000 feet down on the ocean floor. So, I would like to share with you a video about how this works. Actually, we have sound... no sound. Well, this is a quick demo. Well, no, not a demo. It's just to take a look at how these engineers work in the ocean deploying these devices. You can see this is the AUV. And that antenna that you can see is the GPS antenna. Inside that glass ball is the cylinder with the sensor. So this device has an autonomy of eight months. Also, they can be powered by solar cells. Also, in some cases, they can be provided with a long term battery, because these devices consume pretty little power for their operation. So, there you go. This is going straight to the ocean.

Okay. Seismometers capture a transient phenomenon. If an instrument malfunctions, whether it's at the bottom of the ocean or at the top of a polar ice cap, the data is lost forever. So, it's telling us, okay, if you can deny the service of this thing, you will lose a lot of data. And what happens if you do the same with 1,000 or 2,000 of these devices at the same time? This could impact a lot of the research that these engineers are doing. You need to be absolutely sure that the sensor will perform perfectly every time. That's exactly what the director of marketing of Nanometrics says. So, what about the vulnerability research? We started by looking to get a shell on the device.
So, we started looking first for the firmware on Google and other servers. But it was pretty difficult to get it. So, what I thought was, look with my friend for the firmware using other techniques. Let me explain that. Okay. So, the firmware was not very easy to find on the internet when I started looking for it. So, I decided to send an email directly to the support, the Nanometrics support. And they replied to me 10 minutes later. And they told me, welcome, welcome. So, I'm going to give you a username and a password in order to get all the documentation, all the firmware and all the software. Okay. So, I said, well, pretty cool. And the same day I started downloading everything, the firmware and all the stuff available, because they gave me access. I haven't done anything illegal here or anything weird. It was just a simple email requesting access to the firmware, and they were very kind to provide me access to that database.

Okay. So, there's the firmware, finally. It's a tgz file which contains a lot of scripts and bash. So, basically, you don't need to use the binwalk tool or the firmware-mod-kit in order to take a look into the firmware, like with other firmware available in IoT devices. So, I thought, well, you've got to be kidding me, because there is a script called taurus_install.sh which is pretty much a big bunch of bash commands. So, imagine that you could inject bash commands inside that script and then upload it to the sensor, to the Taurus, and you would probably get a backdoor that is always running. So, nothing complicated for us.

Okay. After three days, they sent me an email. Their team: Nanometrics software and firmware can only be provided to registered customers, and I do not see your organization registered in our customer database. So, what is the serial number of the Taurus you wish to upgrade?
So, they cut off all my access to the database, but it was too late for them, because I already had all the documentation and all the firmware. So, starting to dig into the firmware, I was able to get all the passwords: the root password of the SSH daemon, the password of the web server, the password of the telnet, the FTP and everything. And also I found several backdoors that are not well documented in the official documentation. So, too much talk. I know it's pretty hard for you; all this information, I know, is pretty heavy. So, let's take a look at the demo. So, this is the shell with the default password on the SSH daemon. So, who am I? I'm root, of course. Let's ask the system, the uname, and, you know, it's NMX Taurus. And after that, what happened in the middle of the ocean is the following. Well, exploit. Let's take a look here. Again. So, basically now we have a root shell. We have the highest privilege on the system. We can do whatever we want. We have the BusyBox shell also. We have access to all the system components, to all the threads, everything. Everything is completely compromised after you get the default password for the SSH server.

So, you can see there are a lot of profiles. You can go straight to the users.txt template, which has all the users in plain text. And you will notice that there is something called factory, which is not documented. And then central, tech and user. The password is the same as the username for all the users: central/central, tech/tech, and user/user. And the factory user, which is not in the official documentation. These users are from the web application, specifically. So, let's continue taking a look into the system files. You get the passwd file. So, let's do a cat. More users. You notice that the SSH password is not in here. It was in another file. But it was only available by unpacking the firmware. So, the password was dolphin18 for the SSH server. I don't know why they chose that pretty innocent password.
I don't know. Nothing related to the system or the field. Dolphin18. So, now we have access, users, the factory user, a lot of vulnerabilities. Let's test some vulnerabilities. I wouldn't call this a zero day. But no one else previously found this bug in the system until I reported it to ICS-CERT. And actually Nanometrics confirmed the issue. But they told me, well, yeah, the bug is in there, you win, but I think that there's no way to exploit this remotely. But it's in there. I think that an attacker with a lot of creativity can exploit this remotely. So, let's take a look at the video in order to show you how the bug works perfectly. Okay. There you go. Also, you notice that we have access to all the interfaces. So, we can turn off or turn on the interfaces. So, this is the bug, the Shellshock bug. It's completely vulnerable. And that's it.

So, more bugs and errors. You can see traces. Here is an example of when we were trying to take down the Jetty server. We noticed that it's pretty easy to crash it with just a fuzzing technique, sending random data to this Jetty server, because they don't have enough memory. Yeah. You can actually send crafted URLs in order to get these traces. So, you will get a lot of information disclosure and messages.

Okay. So, another affected vendor that we noticed is Güralp Systems, specifically in the SSL protocol. These devices are running an HTTPS server with the full Heartbleed bug enabled. And also using our platform NetDB, you can query the SSL certificate for the string Güralp Systems, and you will get directly to the Güralp seismometers. So, let's talk about protocol and communication stuff. These devices are using SEED. SEED is the protocol, the data format used primarily for the exchange of seismological time series data and related metadata. So, the nomenclature of the SEED format has four components. The first one is the network code.
It's one to two characters to identify the owner of the data. The second one is the station code: one to five characters for the station recording the data, because there could be several stations. The location ID identifies the different data streams for a single station. And the last one, the channel code, which is important, contains the band (sample rate), the instrument type and the orientation of the sensor. So, if you want to know more about the SEED format, you can get the reference manual that you can see on the web page. Well, this is an example of Güralp Systems deploying the network using a stream server or something like that.

Well, our attack now: we have a root shell, but we need to do something more. We are not satisfied just having a root shell on a seismograph in the middle of the ocean, so we need to do something else. So, I thought, well, I have access to the protocol, I have access to the device, so let's do a man-in-the-middle attack on all the data coming from the earth and being streamed directly to the acquisition center. So, my position now would be in the middle between the station and the acquisition center, because these packets are not being sent using any type of encryption. There is no SSL, there is nothing. These packets are being routed over the public internet without any protection. This is an example of how the packet header and the seismic packet look. This is representative. It's not the exact packet. I made it just for you to understand better how the packet looks. Basically, it's an XML file which contains all the information regarding the latitude and longitude, and this is the main focus of the man-in-the-middle attack, because we can modify in our proxy the latitude and the longitude, and this is going to be injected directly into the main acquisition center as false data, or a false positive. So, we can flood the acquisition center with false data. Let me show you the demo of the man-in-the-middle attack.
So, the same thing, the same seismograph in the middle of the ocean, but this time, these devices have an option called communications. So, they can stream packets in an autonomous way to any specific IP address that you provide to them. So, let's take a look. Let's create a new profile in order to route all the traffic to my proxy. You need to go to data streaming. You will notice that there are some profiles in this seismograph, these three main profiles, but we're not going to touch anything. We're going to create a new one just for the proof of concept. So, let's provide our IP address, and after pressing the apply button, this seismograph is going to start sending me all the information coming from there. And you will see, on the right, tcpdump running. This is our proxy in this case. And you will see all the data coming straight to our proxy. What I am going to do is modify the latitude and longitude and then replace our IP address with the original main acquisition center IP address, because it's using UDP. As you know, UDP packets don't use any sequence mechanism like TCP, so you can spoof the IP address. And that's it.

So, well, conclusions. We are able to locate these devices anywhere in the world. We are in control of the device, the network and the software running on it. There is no secure communication. These devices help engineers and scientists to understand the earth. And vendors, please, code better and think about security for devices that help us to protect our people and the world. So, recommendations. Basically, think about security when you code this equipment. And that's it. In case you have any questions, just let us know. Thanks. Thanks.
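Editor's worked example for the SEED naming scheme the speakers describe (network code, station code, location ID, channel code). This is added code, not part of the talk transcript and not from any vendor; the field lengths and the band, instrument and orientation tables come from the SEED reference manual (Appendix A) and only a subset of the codes is listed. The sample identifiers `IU.ANMO.00.BHZ` and `XX.OBS1.--.HHZ` are constructed inputs.

```python
"""Parse and validate FDSN SEED stream identifiers of the form NET.STA.LOC.CHA.

Editor's example, not code from the talk or from any vendor. Field lengths and
the band / instrument / orientation tables follow the SEED reference manual,
Appendix A; only a subset of the codes is listed here.
"""
import re
from dataclasses import dataclass

# Network code (1-2 chars) identifies the owner of the data; station code
# (1-5 chars) the recording station; location ID (0-2 chars) one data stream
# within that station. SEED codes are upper-case alphanumerics.
NETWORK_RE = re.compile(r"^[A-Z0-9]{1,2}$")
STATION_RE = re.compile(r"^[A-Z0-9]{1,5}$")
LOCATION_RE = re.compile(r"^[A-Z0-9]{0,2}$")
CHANNEL_RE = re.compile(r"^[A-Z0-9]{3}$")

# Channel code = band code (sample-rate / response band) + instrument code
# + orientation code. Subset of SEED Appendix A; unlisted codes are rejected,
# which is the right default for a validator feeding a station registry.
BAND_CODES = {
    "E": "extremely short period, 80-250 Hz",
    "S": "short period, 10-80 Hz",
    "H": "high broadband, 80-250 Hz",
    "B": "broadband, 10-80 Hz",
    "M": "mid period, 1-10 Hz",
    "L": "long period, ~1 Hz",
    "V": "very long period, ~0.1 Hz",
    "U": "ultra long period, ~0.01 Hz",
    "R": "extremely long period, ~0.001 Hz",
}
INSTRUMENT_CODES = {
    "H": "high-gain seismometer",
    "L": "low-gain seismometer",
    "G": "gravimeter",
    "M": "mass-position seismometer",
    "N": "accelerometer",
    "D": "pressure sensor",
}
# Orientation codes valid for seismometer-type instruments (Z/N/E, 1/2/3, ...).
SEISMO_INSTRUMENTS = {"H", "L", "M", "N"}
SEISMO_ORIENTATIONS = set("ZNE123ABCTRUVW")


@dataclass(frozen=True)
class SeedId:
    network: str
    station: str
    location: str   # "" when the location ID is blank
    channel: str

    @property
    def band(self) -> str:
        return self.channel[0]

    @property
    def instrument(self) -> str:
        return self.channel[1]

    @property
    def orientation(self) -> str:
        return self.channel[2]

    def describe(self) -> str:
        """Human-readable expansion of the channel code."""
        return "%s, %s, orientation %s" % (
            BAND_CODES.get(self.band, "unknown band"),
            INSTRUMENT_CODES.get(self.instrument, "unknown instrument"),
            self.orientation,
        )


def parse_seed_id(text: str) -> SeedId:
    """Parse 'NET.STA.LOC.CHA'; raise ValueError on any malformed field."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected NET.STA.LOC.CHA, got %r" % text)
    network, station, location, channel = parts
    if location == "--":  # common convention for a blank location ID
        location = ""
    if not NETWORK_RE.match(network):
        raise ValueError("bad network code %r" % network)
    if not STATION_RE.match(station):
        raise ValueError("bad station code %r" % station)
    if not LOCATION_RE.match(location):
        raise ValueError("bad location ID %r" % location)
    if not CHANNEL_RE.match(channel):
        raise ValueError("bad channel code %r" % channel)
    if channel[0] not in BAND_CODES:
        raise ValueError("unknown band code %r" % channel[0])
    if channel[1] not in INSTRUMENT_CODES:
        raise ValueError("unknown instrument code %r" % channel[1])
    if channel[1] in SEISMO_INSTRUMENTS and channel[2] not in SEISMO_ORIENTATIONS:
        raise ValueError("bad orientation %r for a seismometer channel" % channel[2])
    return SeedId(network, station, location, channel)


if __name__ == "__main__":
    # Constructed inputs: a classic IRIS station and an ocean-bottom style name.
    for sid in ("IU.ANMO.00.BHZ", "XX.OBS1.--.HHZ"):
        print(sid, "->", parse_seed_id(sid).describe())
```

A broadband sensor such as the Trillium 240 mentioned in the talk would typically show up as a `B??` or `H??` channel (band code B or H, instrument code H); anything an acquisition server receives outside the tables above deserves a log line rather than silent acceptance.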
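Editor's worked example for the man-in-the-middle scenario the speakers demonstrate: the station streams XML packets carrying its latitude and longitude over plain UDP, a proxy in the path rewrites those fields, and the acquisition center ingests the result. This is added code, not part of the talk and not from Nanometrics; the talk shows only a representative packet, so the element and attribute names, the sample packet and the station registry below are constructed and are not the real NMXP layout. `tamper_location` is the rewrite the proxy performs; `validate_packet` is the acquisition-side check that catches it by comparing the reported position with the station's registered deployment position.

```python
"""Rewrite and sanity-check the location fields of a seismic telemetry packet.

Editor's example, not code from the talk or from Nanometrics. The XML layout
is constructed for illustration and is NOT the real NMXP packet format.
"""
import math
import xml.etree.ElementTree as ET  # fine for the constructed sample; parse real
                                    # network input with defusedxml instead

# Constructed sample packet, station -> acquisition server.
SAMPLE_PACKET = b"""<seismicPacket>
  <header network="XX" station="OBS01" channel="HHZ" sequence="1042"/>
  <location latitude="56.2600" longitude="3.1300"/>
  <samples count="4">12 -5 7 -3</samples>
</seismicPacket>"""

# Station registry the acquisition side holds independently of the stream
# (constructed): (network, station) -> (latitude, longitude) at deployment.
STATION_REGISTRY = {("XX", "OBS01"): (56.26, 3.13)}

EARTH_RADIUS_KM = 6371.0088


def tamper_location(packet: bytes, latitude: float, longitude: float) -> bytes:
    """What the in-path proxy from the talk does: rewrite latitude/longitude
    before re-emitting the packet. Nothing in the packet itself detects it."""
    root = ET.fromstring(packet)
    loc = root.find("location")
    if loc is None:
        raise ValueError("packet has no <location> element")
    loc.set("latitude", "%.4f" % latitude)
    loc.set("longitude", "%.4f" % longitude)
    return ET.tostring(root)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def validate_packet(packet: bytes, registry=STATION_REGISTRY, max_drift_km: float = 1.0):
    """Acquisition-side check: accept a packet only if its reported position
    agrees with the registered deployment position of that station.
    Returns (accepted, reason)."""
    try:
        root = ET.fromstring(packet)
        hdr = root.find("header")
        loc = root.find("location")
        if hdr is None or loc is None:
            return False, "missing header or location"
        key = (hdr.get("network"), hdr.get("station"))
        if key not in registry:
            return False, "unregistered station %s.%s" % key
        lat = float(loc.get("latitude"))
        lon = float(loc.get("longitude"))
    except (ET.ParseError, TypeError, ValueError):
        return False, "malformed packet"
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return False, "coordinates out of range"
    drift = haversine_km(lat, lon, *registry[key])
    if drift > max_drift_km:
        return False, "reported position %.1f km from registered site" % drift
    return True, "ok"


if __name__ == "__main__":
    print(validate_packet(SAMPLE_PACKET))
    forged = tamper_location(SAMPLE_PACKET, 34.65, -97.96)  # moved onto land
    print(validate_packet(forged))
```

The registry check is a mitigation for the specific forgery shown in the demo, not a fix: a proxy that leaves the coordinates alone and only alters the samples passes it. Because the packets are plain UDP with a spoofable source address, the real remedy is the one the speakers ask vendors for, an authenticated and encrypted station-to-server link, with this kind of metadata cross-check kept as a second line of detection.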