Aftermath of a Major ICS Hacking Contest

Published: 23/11/2024   Category: security




Pwn2Own Miami could help spur more research on and attention to the security of industrial control system products, experts say.



Down they dropped like frozen iguanas: SCADA gateways, control servers, human-machine interfaces (HMIs), an engineering workstation, and other industrial control system (ICS) software on stage in the first-ever ICS Pwn2Own contest last week in Miami.
The three-day contest held during the S4x20 ICS conference placed ICS products in the hacker hot seat in South Beach, where on day one a sudden cold front blew into the city and led to a National Weather Service warning that the city's cold-blooded iguana population might fall from the trees, as the chilly temperatures could temporarily paralyze the reptiles clinging to branches.
That there were mostly successful hacks in the 25 entries by eight teams of hackers in the contest should come as no surprise given the still-nascent state of security in ICS systems. Trend Micro's Zero Day Initiative (ZDI), which sponsors the renowned Pwn2Own contests, shelled out $280,000 in total prize money to the successful hacking teams.
ICS vendors overall remain in catch-up mode when it comes to security, ICS security experts say. In that vein, not many are ready to launch a bug bounty program, nor are they likely to enthusiastically embrace participating in hacking contests like Pwn2Own. "A lot of codebases aren't ready for it," notes Dale Peterson, CEO of Digital Bond, founder and sponsor of S4x20. "But there also are some with serious SDLs [secure development life cycles] that have worked on it really hard and hired third-party offensive teams with great talent to bang on their systems. They're ready for bug bounties."
Peterson says the engineering teams of at least three ICS vendors tried to participate in the ICS Pwn2Own contest, where ZDI pays bounties to the researchers for the bugs, but were thwarted by their own internal legal departments. As a matter of fact, only one ICS vendor, Rockwell Automation, voluntarily participated in the first-ever ICS contest in Miami last week, providing contestants with software licenses for its FactoryTalk View SE HMI and Automation Studio 5000 engineering workstation.
The remaining vendor products had publicly available software that the contestants were able to download and test: Triangle MicroWorks' SCADA Data Gateway; Iconics' Genesis64 control server; Inductive Automation's Ignition control server; and Schneider Electric's EcoStruxure Operator Terminal Expert HMI. The contest also featured the OPC (Open Platform Communications) Foundation's UA.NET standard for its UA server.
"A lot of [ICS vendors] have customers who will say, 'Why is your product in Pwn2Own? This is a bad thing.' That's probably going to happen," Peterson notes. It's only a matter of time, though, before the vendors start opening up and offering their own vulnerability award programs. "But I'm hopeful in the next year we'll see one or more companies put out a bug bounty program," he says.
Brian Gorenc, director of vulnerability research and head of Trend Micro's ZDI program, says Pwn2Own's first-ever ICS contest drew new researchers who hadn't participated in previous Pwn2Owns. "A lot of them don't focus on ICS on a day-to-day basis," he notes. "We worked on picking targets that would make the technology accessible. Rockwell preconfigured their VMs [virtual machines] and simulated PLCs [programmable logic controllers] to show the type of traffic a normal user with experience would have using those tools."
That kind of access helps foster strong research into the security of these systems, he says.
Same Bugs, Different Platforms
Many of the vulnerabilities that were used in the working exploits were the same found in any software program, such as memory corruption and deserialization. As with other Pwn2Own contests, the contestants had a few months with the targets before the actual event to find the flaws and create the attack exploits they launched during the live contest.
The flaws they found are reported to the vendors, which were on-site and had to qualify them. "They get 120 days to patch the bugs," Gorenc notes. "We expect to see formal patches shortly, however," he says.
"There was definitely a mix of some software that didn't have all of the modern exploit mitigations in them," he says, although some had Microsoft's Address Space Layout Randomization (ASLR), a Windows feature that makes memory corruption vulnerabilities harder to exploit reliably.
Gorenc says the bigger picture of the security of critical infrastructure likely will be the impetus that drives more-secure ICS products. "We need to protect our critical infrastructure," he says. "This is the right time now for a contest like this to come out and put the software under test with new eyes and bring out new research to develop stronger critical infrastructure and strong defense to attacks," he says.
The big difference between Pwn2Own and regular vulnerability awards or bug bounties, he says, is that this goes a step beyond bug hunting, with bounties on the exploits themselves. "That's going to bring a different quality of work to the vendors. For the first time for us to come into this space and to have as many researchers come out shows a lot of people want to secure the software. Given a vehicle and platform like Pwn2Own is going to help step up security work in ICS products," he says.
Renowned ICS security expert Jason Larson, ICS principal at IOActive, thinks events like Pwn2Own could help move the needle toward more-secure ICS software and products. "It's long overdue in this space," Larson says. "I've been working in ICS for 18 years and we're still finding trivial exploits."
Even so, the Pwn2Own bug bounty payouts in the contest are minuscule compared with underground markets, he says. "$20,000 is laughably low here," he notes, citing one of the average payouts for a successful exploit in the contest. There already are established markets for ICS bugs that pay much more, he says.
Zero-Day Market Today?
Just how deep the third-party broker market is for ICS zero-days, however, is not quite clear. That's a question that Sarah Freeman, of the Idaho National Laboratory, has been studying. Freeman tracks the activity of zero-day brokers such as Crowdfense and Zerodium to try to determine whether those types of bugs are being purchased and sold. Bug brokers traditionally sell to high-dollar customers such as nation-states, in payouts to the tune of millions of dollars.
"There have been conversations in whispers of private transactions of ICS bugs," Freeman says. "But by and large, if you look at the publicly available information, it doesn't appear at first blush to be ICS bugs that the brokers are purchasing," she notes.
Even so, a zero-day for a router that gets sold in that market could have security implications for an OT network, she says. Freeman predicts the market for ICS bugs to be at about $50 million in 2019, based on the data and trends she was able to uncover online for the period of 2015–2019.
Some 55% of bounties went to desktop, servers, and routers; 45% to mobile. Among operating systems — Android, Linux, Windows, iOS, and macOS — the bounties were fairly evenly spread, with around 21% to 22% apiece.
ICS products could fall into some of those categories, of course, so it was hard to suss out the full picture of that sector of bugs. Freeman says that SCADA vulnerabilities represented about 30% of bugs purchased by the brokers in 2018.
But given that most ICS systems are relatively easy to exploit, attackers are less likely to bother burning a zero-day when they can just exploit a Windows vulnerability, for instance. "You don't necessarily need a zero-day to attack anything," she notes.
