Exposing SCADA to the Internet: Nobody expects the shodan inquisition!

There's an industrial standard called Supervisory control and data acquisition (SCADA). Its used in factory control environments, running programmable logic controllers etc. In these environments, you often make certain assumptions. First, all the software is custom, and usually done by a single system integrator who has tested it all. Second, security is partly physical, you know who is allowed in. What you don't expect is the great unwashed to come and read and write your systems.

Enter the Internet. Making stuff Internet enabled is great right? I mean, the great Internet coffee pot of 1991 was useful. But what information are you leaking out that you don't expect? Or allowing people to control?

Enter shodan.io. A search engine for the Internet of Things. Lets do a quick query, e.g. port 502 (modbus), used by SCADA systems. Here we go. OK, ~11K results. Not bad. Some will be false positives, lets drill into one. OK, this one is real.

Unit ID: 0
-- Device Identification: Schneider Electric BMX NOE 0100 V2.90 
-- CPU module: BMX P34 1000
-- Memory card: BMXRMS008MP
-- Project information: accutrac 360i v8.10.8.1 - 60i v8.10.8.1         V8.0   MIKE-P50 C:\Users\mike\Documents\Current\accutrac 3
-- Project revision: 0.3.27
-- Project last modified: 2017-02-22 09:47:26

OK, that was fun. What else does it expose? Well, we can see how much gas is in its tanks as of right now:

NOV 24, 2017  1:06 PM

57 BP


  1  NE UNLEADED      2553      2570   7447  32.60  0.00    50.18
  2  PREMIUM          1600      1609   3400  38.51  0.00    51.01
  3  SOUTH UNLEADED   2585      2604   7415  32.89  0.00    49.05
  4  DIESEL           1859      1867   3141  42.82  0.00    49.74

and we know exactly where this is (here). We can even Google Street View it to get a picture. Seems like a nice spot.

Its running a Schneider Electric BMX NOE 0100 Ethernet module, like this. In turn that is running version 2.90. I hope that one is secure, lets have a quick look on the CVE search engine @ mitre... Oh no, its vulnerable! To CVE-2014-0754. Well that's not good. It seems that we can use it for lateral traversal through their firewall (if they have one) and fetch any URL.

What else do we know? Well, seems they have a car wash, an Accutrac 360-i. And it seems that we can likely control it. I won't provide details here, but it seems not unlikely we can turn the various bits on/off (fans, brushes, chemicals, water). That could be a safety issue, we could cause damage to equipment, etc. I wonder who Mike is, perhaps that same system integrator?

So in ~15 minutes, with $0 and public accessible resources, I got enough information to harass and or damage a business a long way from me.

This relates to a field of security called 'critical infrastructure'. You have devices that are important, perhaps running water filtration, power generation, etc. And they are Internet accessible. And they are not updated daily by things like Microsoft Update, they are hard-wired industrial platforms meant for a long life and low maintenance. What could go wrong?

2 comments on “Exposing SCADA to the Internet: Nobody expects the shodan inquisition!
  1. db Yuval says:

    I guess gas pump and car wash are not as bad as Uranium enrichment centrifuges 🙂 Apparently, even though Stuxnet was uncovered in 2012, you can still find many of these Siemens S7 industrial controllers in shodan

  2. db Michael Hennessy says:

    This is Mike. Whoops A Daisy.

Leave a Reply

Your email address will not be published. Required fields are marked *