Exposing SCADA to the Internet: Nobody expects the shodan inquisition!
There’s an industrial standard called Supervisory control and data acquisition (SCADA). Its used in factory control environments, running programmable logic controllers etc. In these environments, you often make certain assumptions. First, all the software is custom, and usually done by a single system integrator who has tested it all. Second, security is partly physical, you know who is allowed in. What you don’t expect is the great unwashed to come and read and write your systems.
Enter the Internet. Making stuff Internet enabled is great right? I mean, the great Internet coffee pot of 1991 was useful. But what information are you leaking out that you don’t expect? Or allowing people to control?
Enter shodan.io. A search engine for the Internet of Things. Lets do a quick query, e.g. port 502 (modbus), used by SCADA systems. Here we go. OK, ~11K results. Not bad. Some will be false positives, lets drill into one. OK, this one is real.
Unit ID: 0 -- Device Identification: Schneider Electric BMX NOE 0100 V2.90 -- CPU module: BMX P34 1000 -- Memory card: BMXRMS008MP -- Project information: accutrac 360i v184.108.40.206 - 60i v220.127.116.11 V8.0 MIKE-P50 C:\Users\mike\Documents\Current\accutrac 3 -- Project revision: 0.3.27 -- Project last modified: 2017-02-22 09:47:26
OK, that was fun. What else does it expose? Well, we can see how much gas is in its tanks as of right now:
I20100 NOV 24, 2017 1:06 PM 57 BP 4127 CHAMPION RD GREEN BAY, WI 54311 IN-TANK INVENTORY TANK PRODUCT VOLUME TC VOLUME ULLAGE HEIGHT WATER TEMP 1 NE UNLEADED 2553 2570 7447 32.60 0.00 50.18 2 PREMIUM 1600 1609 3400 38.51 0.00 51.01 3 SOUTH UNLEADED 2585 2604 7415 32.89 0.00 49.05 4 DIESEL 1859 1867 3141 42.82 0.00 49.74
and we know exactly where this is (here). We can even Google Street View it to get a picture. Seems like a nice spot.
Its running a Schneider Electric BMX NOE 0100 Ethernet module, like this. In turn that is running version 2.90. I hope that one is secure, lets have a quick look on the CVE search engine @ mitre… Oh no, its vulnerable! To CVE-2014-0754. Well that’s not good. It seems that we can use it for lateral traversal through their firewall (if they have one) and fetch any URL.
What else do we know? Well, seems they have a car wash, an Accutrac 360-i. And it seems that we can likely control it. I won’t provide details here, but it seems not unlikely we can turn the various bits on/off (fans, brushes, chemicals, water). That could be a safety issue, we could cause damage to equipment, etc. I wonder who Mike is, perhaps that same system integrator?
So in ~15 minutes, with $0 and public accessible resources, I got enough information to harass and or damage a business a long way from me.
This relates to a field of security called ‘critical infrastructure’. You have devices that are important, perhaps running water filtration, power generation, etc. And they are Internet accessible. And they are not updated daily by things like Microsoft Update, they are hard-wired industrial platforms meant for a long life and low maintenance. What could go wrong?