Wednesday, 04 May 2016
Project Basecamp - Attacking ControlLogix PDF Print
Written by Rubén   
Thursday, 19 January 2012

You can download my contribution to the Digitalbond's project basecamp by clicking on the image.

Extracted from the report "One of the most time consuming tasks I came across during this research was reading all the technical documentation gathered. Initially this fact may sound weird but it is nothing unusual at all; while researching into industrial devices, which commonly suffer from a lack of strong security measures implemented by design, the hardest part is not learning how to break things but understanding how it really works.

Therefore, the key point behind attacking this PLC was not how to circumvent its security but monitoring how the legitimate software performed valid operations in order to mimic them, in addition to the usual dose of reverse engineering and fuzzing to discover the ‘secrets’ behind the scenes. To sum up, any legit functionality supported by the controller could also be used by a malicious user in a malicious manner.

During this ‘journey’ we have identified problems that can be used to cause a DoS, load a trojanized firmware or leak information. Actually it’s not a bug, it’s a feature."

I'd say the underlying problem is that some of these 'attacks' are actually features documented in the CIP protocol, so again "any legit functionality supported by the controller could also be used by a malicious user".Within this context, the following article worths a read DHS Thinks Some SCADA Problems Are Too Big To Call "Bug"

Congrats to Reid and to all the researchers involved as well as thanks to Dale for counting on me for this project.

You can watch the following video, showing the results of the "Deep fried controller" exploit.

Last Updated ( Friday, 20 January 2012 )
Next >