Hello, Congress, nice to see you again. As usual we only have a little stage time left, and I know there are a lot of guys who hoped to make it to this talk. So, if it's OK, please give a hand to all the SCADA StrangeLove team.

Traditionally we start our talk from the bottom up, showing how many ICS are connected to the Internet, but this time we will skip this, because John Matherly, who built Shodan, published this year an excellent resource, the ICS map at shodan.io, where you can download and check a lot of different ICS systems connected to the Internet. John said thanks to us, and we say thanks to John, because he is excellent. Thank you, John, again.

But last year, after our talk, we received a lot of questions about this picture, about the different types of connected systems. People said: OK, this is not ICS, this is some kind of honeypot, or it's not serious, these are very small devices and not serious at all. So we decided to go deeper and check the first one, IPC@CHIP. IPC@CHIP is a system on a chip
which runs a real-time operating system with TCP/IP, a web server and the security protocols it allows. So we started to Google, starting just from the system name, and we found that it has a built-in CGI server with some built-in functions. During this assessment we found an interesting application of this chip: a solar system. What is Solar-Log? It is a kind of smart grid, a small grid on a small scale, which you can install in your house to manage the plant you install on the roof of your house. In total it generates about seven gigawatts of output, and at the moment about one million inverters are connected to this system. Interesting, because this system connects to some kind of cloud. You can use it to find installations not via Shodan and not via boring network scanning, just by visiting the portal and checking. So this is your money, and these are the different locations of the installed systems. It also has some kind of, I don't know, social networking feature: you can take a picture of your house, of your power plant, and show your friends: oh, I am saving the energy generated by my house, my personal power plant.

But this is all funny stuff. Let's go deeper into the technical side of this system. (OK, it doesn't work. It's OK, let's get things going first.) The interesting thing is the firmware. It is the kind of software that gives you a lot of information about how the device works; I think you know what it is. The most interesting things in firmware are configuration scripts, file system structure and so on, and they are easy to find, for example through Google dorks. In the simplest case you can use just Unix strings and grep, for example, as in this case, to grab the page title. As a result, through Google you can find a lot of Solar-Log devices connected to the Internet, about sixty-five thousand. Of course, all of them are connected to the Internet and indexed by Google.
Let's take a look at the authentication page of the Solar-Log web server. It is a pure password-only authentication scheme: the whole page uses only a password. But if you know the appropriate full URL to download the system backup, no password is required; you simply download the system backup file, and the most interesting thing in the backup is, of course, the username and password. On this picture you can see the simple encryption and everything you need to decrypt it.

Another typical process for firmware and devices is the firmware update. Following the Solar-Log update process, you can see the highlighted part on the screenshot: you can give the full path if you know the file system structure. It is simply a DOS-like operating system. Yes, sure. And you can overwrite system files, configuration files and so on. So we fixed it, in collaboration with the computer emergency response team of the German government and the vendor. But, you know, because this is just a platform, I guess there are a lot of different producers, manufacturers and vendors who use this platform to build their devices, so I'm not sure that all these simple boxes got fixed.

It was a funny story, but, you know, we forgot about it. Already forgot. But one day I saw this tweet and I understood that maybe solar panels are not so readily available, and maybe we should use our power, our knowledge, to save some. So we decided to understand a bit more about all this green energy. And if you want new knowledge, what should you do? You should go to Germany, to Hamburg, to the Congress Center, but not to Congress: to the wind energy exhibition. We visited this exhibition and got a lot of information on different wind and solar equipment. Let's start from the simple stuff. Shodan again: we found a very common system, the Sunny WebBox. As you can see, a simple Shodan search
gives us about 80,000 devices connected to the Internet. Alex.

Well, the first notice about the Sunny WebBox default password was three years ago, on the Full Disclosure list: it was the default password "SMA" in uppercase, the first type of password. OK, so we decided to read the first manual, of course, and we noticed that the user name "installer" has a different password than the previously mentioned one: "sma" in lowercase. OK, so we decided to go deeper, read the second manual, and found out that it has both user and installer groups of names and two different passwords, which only contain numbers. OK, so what is the real, true password? To get the final answer, like real researchers, real hackers, we tried to get into the firmware. And we discovered interesting things in the firmware: it contains not only user and installer passwords, it also has service center and developer system accounts. And it also has interesting strings, an interesting password mode, like hardcoded passwords. So we can see what it is, but it's hard, very hard. What we can say with a quick Google search for these devices comes from analyzing all the responses, because in the response you can find the amount of energy generated by this device. We found about 100 megawatts of energy. If we compare to different generators, it is like a small hydroelectric station in Austria. So this amount of energy generated by these devices can be found via Google. But if we use Shodan and different types of fingerprints, you can find 20 times more energy, if you need the power.

But that's all about sun. Let's talk about wind, because, you know, all this big stuff, I think it's killing the wind. Simple stuff again, very simple stuff. I found a very old story: a short Shodan search helped me find about 300 systems, namely the Nordex NC2.
Just a quick search for vulnerabilities in this system shows that we have a long story of vulnerabilities, starting from 2010 and finishing in 2013. What's interesting, I think those vulnerabilities are not patched. Why? Because if we check the response of the server, we can find that this server runs on a system which is already deprecated: it is version 3 of the web server, and the current version is number 9. It also runs on a very, very old version of the SCADA. A simple CVE Details search shows that since 2002 people have published information about vulnerabilities in this web server, so I don't want to talk about the vulnerabilities in it; it's not even script-kiddie stuff. But if you want to understand how it is in real life, I took two pictures from Google: one picture of a Nordex wind turbine and one of the management interface, only from Google; it's not real. So how much energy can we get in this case? About one gigawatt. So if we compare with different generation, it's absolutely the same as... help me... Stuxnet, in Iran, at the Bushehr nuclear plant. The same. So anybody who knows how to read can read up on Stuxnet now.

So just to finish this part of our talk: with simple, very simple vulnerabilities, we found about eight gigawatts of instant power. If we compare it with the most famous, most powerful hydroelectric stations, it's number five on the list. It took two days of work.

So let's continue our saga and talk a little bit about our famous friend. What is the similarity between the Large Hadron Collider and, for instance, a gas pipe? It's Simatic WinCC Open Architecture. It is a very popular and quite new system, but it also has its own web server. If you were at our previous talk last year, you may remember this picture: this is the history of bugs in the Apache web server. Why are we talking about it?
Because if you are going to write your own web server, please carefully review all the vulnerabilities discovered in other guys' own web servers. Just to remind you of the history of different fine vulnerabilities discovered several years ago: if you send an incorrect HTTP request to a web server without an HTTP body, it can crash. This one was discovered in the year 2000 in Internet Information Server: you can use file traversal to read and write different folders; I think you remember this vulnerability was related to one worm. Another one is related to an incorrect Content-Length: you can put in a large amount of data but say it is very short, so you can overwrite memory. I am talking about this old stuff now because I want to show you a small movie. Just a second. Here it is. So let's run WinCC OA and the debugger to see all the processes, and submit a very complex request, thousands of "A"s. What do we get? We get a break with the typical 41 41 41 41, I think. But if you send a more complex request, what do we get? A calculator. I think SCADA must have the ability to calculate something. For sure, it is fixed now; we don't disclose zero-days. But I like this comment: so, update to version 3.12 of Simatic WinCC OA, and we can stop terrorists, clearly evil geniuses, who would hijack the Large Hadron Collider and create a black hole that swallows the world. So we saved the universe.

Let's take a time machine and go into the past, to the S4 conference in Miami, a conference dedicated to safety and security. What we showed at this conference is this slide, which I think you may also remember; it demonstrates the age of each of the libraries included in WinCC. You can see that most of them were compiled before Stuxnet. And at this conference we demonstrated how to find zero-days using find.
So you just get a list of the files in the software and try to find the oldest one. And we found OpenSSL compiled in 2007, and we said to the Siemens guys: let's update your software. This was a mistake. Why? Because the old version of OpenSSL does not have the Heartbleed vulnerability, and after the update we got the Heartbleed vulnerability, and the Large Hadron Collider got Heartbleed. Just to demonstrate how it works, nothing special. So we run a standard Heartbleed tool, which requests memory from the SSL server, and try to authenticate with a username and password, and get the username and password from the server because of the Heartbleed vulnerability. It's base64-encoded, so we need to decode it. And let's try again with the stolen username and password. It should work. Here it is. A simple vulnerability, everybody knows about it, not so simple, but it works. Yes.

Why do I show this? I want to highlight one important thing. People can ask me: OK, first you say please don't write your own web server, but after that you say please don't use third-party components. What to do? I don't have an answer. But anyway, if you decide to write your own server or to use third-party components, please care about security. If you include, I don't know, OpenSSL or bash in your software, please update it, check it, please care about it.

Another vulnerability. It's a long story about a SQL injection that was first published one and a half years ago. It was simply a SQL injection via regular SQL comments and specific letters, specific vectors. What does it mean? I don't know. OK, and the vendor gave us an excellent solution for how to avoid this vulnerability: simply deny connections to the web server port. Well, it works; sometimes it works. But SCADA components and industrial control system components have a lot of protocols and communication processes, depending on functionality.
And in this case, you see, the server has not only a thin client, it also has a thick client, which works over TCP. Firstly, when we tried to authenticate, we noticed cleartext messages: as you can see, the user is here and next the password is here. It's cleartext. But we spent a few minutes and noticed that our data goes to the server on a different port, and it's not cleartext. Well, where are the passwords? They are not cleartext. So maybe it looks like some encryption. Yeah, it's a kind of encryption, and I think everybody who saw our previous talk already knows the encryption key. You're right, this is my encryption key. But this was fixed, and it was fixed with a new encryption key. The first of you who guesses the new encryption key gets a leet prize, or free beer from StrangeLove, after the talk. I think now it's "leet". Good guess, but not right. Excellent answer, but it's where it leads. OK, the first of you who said it's 32 new key and something, come on to the stage after the talk. I heard a lot of answers, but this is the leet encryption key. But it was fixed again, without a check yet.

Another interesting story is about cookies. Once upon a time we tried to discover interesting things in the authentication on the Siemens Simatic built-in controller, and we discovered an interesting thing: the cookie contains a constant part and a changing, big part. OK, so we decided to go deeper to understand what's going on with the cookies. Well, the first, biggest part of the cookie is an MD5 of something. So what about its value? After spending some time reverse engineering the PLC firmware, we found out that the MD5 is computed from the cookie: 26 bytes of the old cookie and 16 bytes of the secret, plus two more bytes. Well, what about the secret? Usually the secret is generated with a typical, practical approach:
the secret is generated after the PLC starts, and it uses a pseudo-random generator which was a little bit harder than the standard C rand() generator. And so it was two bytes of values. Well, it's time to brute force, as you can see. But there are too many values to brute force, because you'll see... And what about the seed? Very often, it's also the typical approach, very often it depends on a time value, and by our practical research it was the PLC start time plus some constant value, constant while using the current time. Well, the next step was how to obtain the PLC start time. It's obvious that we can use values from the web server page: its current value and the uptime; the uptime we can get through a simple request. It's time for the demo, and as a result... Once again, just a second. OK, it started, but I'm not a master of moviemaker; I should improve my skills.

Well, let's imagine that you're connected to an industrial network. Let's ensure that you're on the network, one, for example. First of all we try to find devices that support the protocol. We find a controller and you can see that it has a different IP address than the attacker side. OK, let's ensure that it's not accessible. Next step: using a Python script to change the network settings on the PLC controller using Profinet, a specially crafted network packet. We provide the Python script with the destination MAC address and our source MAC address (it's a simple way to get the MAC address of your network interface), and the network settings for the new network on the PLC controller: simply the IP address, network mask and gateway. Don't mind the first two. Yeah, well, we received a reply, it's cool. Let's ensure again that the network settings changed on the PLC controller. Well, we ping it, which means that we brought the controller into our local subnet. It's accessible. Great.
So the next step. Let's imagine it's one of the dependencies of the vulnerability: let's imagine that a real user, for example a SCADA engineer, goes through the browser to the controller and simply authenticates using login and username, the real login and username. OK, who guesses what the password is? Stars, stars, stars. Well, you can see that the controller is in operating mode RUN. Next. So we see that the cookies are stored in the browser. Well, the next very important step, from the attacker side, is to get the very important values from the controller. It's strange. And the final step is to run the Python script to brute force the cookie, and we provide the script with them. Depending on how many times the user authenticated on the controller, it can take from a few seconds to some minutes. Well, let's clear our cookies. Every scenario in this video... Well, we clear the cookies and prepare to put in the new cookie values. It's still brute-forcing. It's only one cookie, with the Siemens session name and a big value, which we will give a little bit later, OK? It's a typical scenario, no industrial process at this moment, because people see brute force and brute force. Yep, yep. We found two real cookie values, and I like the Siemens session protocol. The final step is to copy-paste the cookie value to the browser, reload the page, and ensure that we are an authenticated user, administrator, and stop the PLC. Stop! Well, as you can see, we don't need any username, password and so on, only connectivity to the controller's subnetwork.

What I want to highlight about this vulnerability, which for sure is fixed, are two points. First point: we found it because of Congress, because at 29C3 we participated in a workshop, and one guy who was at this workshop said: OK, did you check the cookies? I said, no, I don't believe that on such a small device the authentication process is realized incorrectly.
So after this idea we started working and found this vulnerability; it's already fixed, it was OK. And the second thing I want to highlight is the communication about SNMP. Communication started in January; we have a long story of communication. We had arguments about SNMP hardcoded communities, and they said: OK, this is not an issue. But in the end they said: OK, this is an issue, because with this vulnerability you can get the cookie. So what I want to highlight: if you make something, please care about the basics. I think everybody votes for SNMPv3, and don't use hardcoded passwords. Why do it on a new system like the S7-1500? But please don't think that we hate Siemens or something. We speak about Siemens because now we are in Germany; if we were in France, we would speak about Schneider Electric; if we were in the US, we would speak about Honeywell. And, you know, a really happy day in my life is when we get answers that vulnerabilities were fixed, emails from Siemens ProductCERT. And I want to thank Siemens, all the Siemens team and especially Siemens ProductCERT for their hard job. Please give them a hand. And guys, if you hear, and I know you hear, please catch me after the talk, I have some news for you.

So this is our traditional slide of the number of vulnerabilities in different platforms. For us, year by year, Siemens was the first. But now you can see that Schneider Electric, mostly because of the acquisition of Invensys, holds first place in discovered and not patched vulnerabilities. And many people ask us: what is your approach to discover so many vulnerabilities? My answer: because we are too lazy. This year we decided not to discover vulnerabilities by ourselves. We built a big test bed, a real SCADA at Positive Hack Days, a system connected to a railroad, and said to everybody: guys, you can connect here and hack it. If you can make a disaster, you will get a prize.
If you find a zero-day, it's your zero-day, but please follow responsible disclosure. So for the two days of Positive Hack Days, the guys and girls found more than 10 zero-days in InduSoft, in Simatic, in ABB, and in some no-name Taiwanese devices. So now responsible disclosure is in progress, waiting for the fixes.

So we're talking about vulnerabilities, and I want to talk about something which is sometimes, sometimes not so hard science. In this case, we submitted about 10 vulnerabilities to a vendor and got the response that all vulnerabilities were fixed. But in the advisory we found only two. I don't know, should we trust this vendor? Maybe not. But what I want to highlight is that sometimes it's a very bad idea to create a false feeling of safety, because if somebody reads this advisory, he can say: OK, CVSS 6.2 is not very important, I will not update this system. But in reality, several remote code executions without authentication are here. So it's better to speak the truth.

Postscript. Anybody here know the difference between picture one and picture two? OK, a different question: which is worse, green light or yellow-white? Somebody. Green, OK, the first who said green gets a special prize; I will say why. Let's talk about functional safety, because, you know, now we're speaking about vulnerabilities: OK, you got root. But when you are talking with industrial people, about SIL 4 and so on and so forth: OK, you got root, but I have a special system, I have a special protection system which does not allow any disaster. I want to demonstrate how very simple vulnerabilities can lead to very serious problems. First, super-heavy trains. I think you know what a super-heavy train is: very big trains with several locomotives which sometimes synchronize their engines over a radio channel, one at the beginning, one in the middle, and they synchronize engines and brakes over the radio channel. Why do we do it? Because they need to run synchronously.
So let's imagine that somebody runs a small radio jammer, and it's a very long device with several locomotives, and the parts start to run asynchronously, and the train just goes in different directions. Also, it's a very interesting answer you typically get if you speak with industrial people about SIL 4. Anybody here know what safety integrity level 4 is? A lot of people. Yeah. So when you say: OK, you have a problem, they say: we have SIL 4, we don't care. What is SIL 4? Safety integrity level, which demonstrates the probability of failure for a different process: it can be the probability of failure on demand, when you ask the system, or if it's a continuous process, the probability of failure per hour. You can see that this is a very big number of nines, so the probability is a very small number. So if this system really has SIL 4, it should not break. But if you get root on this system in 15 minutes, does it still have SIL 4? My answer: no. And I had a very interesting discussion with a developer of one system. After a demonstration, like: our team can change the route and the switch on a SIL 4 certified system, he said: you know, this is not my system. You uploaded the wrong firmware, you are root, and I have the wrong firmware now; this is not my system. Before you rooted it, it was my system. You know, it's like with people: sometimes, in a small car, in a special kind of mindset, you can do very bad things, but this is not you, and this is not my system anymore. So I think now we know the difference. A green light is bad. Why? Because with a green light the train goes at high speed into the curve, and sometimes it can be very bad. On yellow-white it will drop speed and move more slowly.

I think a lot of people here know what network convergence is.
Especially in the telecom environment, different types of communication protocols go to the same basis, like IP, v6 or v4, and PSTN goes to IP, and mobile goes to 3G, and so on. So all the different systems are connected together using the same basis. But what we see at the moment is another technology convergence: we see that the smart grid uses protocols and technologies from ICS, sometimes mobile connections, sometimes billing and payment to understand how much power you generate, and so on, cloud technology. So we see different technologies coming together to maybe make our world better. And in the last year we gave a lot of talks at different conferences: for instance, at Black Hat we spoke about how to hack ATMs; at PacSec in Tokyo we spoke about how to get root via SMS; and we also spoke about the Great Train Cyber Robbery. But, you know, all this is about the same things which we cannot say at the moment. Why? Because we don't know yet. But what we know: our world now is very complex and very gentle. So let's invest, let's use our power to keep it safe, maybe not safe, because it's too hard, but at least peaceful. Thank you.

Thank you very much, Sergey and Alexander. Now for the questions: could you please line up at the microphones here in the middle of the room? As I can see, we have no questions from the Internet, nothing from IRC. Thank you to our signal angel for monitoring the Internet. How about questions from the room? Yes, microphone number one, please.

Hello, I'm working as a software developer in railway technologies, and I would just like to add, concerning the SIL level, the safety level, which is against failure: everything which is currently implemented in railway technology is against failure, not against sabotage. If it would... maybe we can talk later about it.

I understand. Yeah, you're absolutely right, it's safety.
You don't think about the people. If you know how railway technology works, you can sabotage everything from axle counters to point machines. You can crash any train. Yes. Because at least you can go to the hardware and disconnect the wires here. So it's about detecting failures, not about being able to prevent sabotage. They are working on it, but that's another... Yeah, yeah, yeah. I understood you, absolutely. Because, you know, this is why, when I talk to people who work with industrial systems, I prefer not to use the terms safety or security, or information security; I prefer to use the term cybersecurity. It's like a combination of safety, industrial security and information security. And you can demonstrate how information security can break security features, safety features. So let's talk afterwards, OK? Thank you. Yeah, OK, thank you.

Any more questions from the room? Nobody lined up at the microphone. Well, this is the time to say thank you very much again. Thank you, Alex and Sergey.