Breaking Badness

145. Me, Myself, and API


Firmware and Tear

  • Security researchers have disclosed multiple architectural vulnerabilities in Siemens programmable logic controller (PLC) models that could be exploited by a malicious actor to stealthily install firmware on affected devices and take control of them
  • Let’s first talk about what a programmable logic controller (PLC) is for those who aren’t ICS or OT experts
    • Programmable Logic Controllers are a bedrock technology of industrial automation. They’re little magic computer boxes that do things like open and close valves, tell gadgets like motors when to run and how fast, they control elevators or other building automation systems, that sort of thing. So as you can imagine, these are things that you really, really want doing the exact thing they’re supposed to, and not some other thing
    • We have certainly seen breaches of ICS environments in the past—a fair number of them. A famous example was when a malware dubbed TRISIS shut down safety systems at a petrochemical plant in Saudi Arabia a few years back. Fortunately that attack didn’t succeed—the malware authors actually made a mistake that prevented what could have been a disaster
    • Siemens products themselves were the target of what was probably the most famous ICS breach in history, which was when Stuxnet destroyed Iranian uranium centrifuges that were Siemens controlled
    • We’re not aware of any exploits in the wild of these specific PLCs based on these vulnerabilities
  • The vulnerabilities found have to do with very low-level cryptographic boot sequence protection, and more specifically…well, it all comes down to trust
    • They have this system on a chip – the other kind of SOC – which “does not establish an indestructible Root of Trust (RoT) in the early boot process. This includes lack of asymmetric signature verifications for all stages of the bootloader and firmware before execution.”
    • So basically what this means is that an attacker with physical access to the device – which we’ll come back to in a minute – could possibly exploit these flaws to load their own firmware onto the devices, or modify the Siemens firmware, and thus could ultimately take over the PLC
    • Now, what we said I would come back to is very important—you need physical access to the PLC to exploit this. So this is NOT something that a hacker out there on the Internet is going to be able to just execute over the network
    • The way it would happen would have to involve something like a hostile insider or some kind of person-in-the-middle of the supply chain, getting hold of the PLCs and modifying them before they were installed. So it’s a low-likelihood but high consequence type of scenario
  • These types of vulnerabilities could absolutely affect other organizations
    • When we think of ICS manufacturers, there’s a long and storied history of vulnerabilities – it’s history, it’s present day, and the future
    • This may sound terrifying, but there are quite a few vulnerabilities in the wild that are unresolved 
    • The good news is that there are some imperfections in the vulnerability writeups themselves – a history of misunderstanding and accuracy problems, if you will
    • Additionally, not all vulnerabilities are as severe as they seem and another piece of good news is that it’s generally hard to get into an ICS environment to actually manipulate the devices
      • There are protections in place and we shouldn’t be panicking, but Siemens is not alone, that’s for sure 
  • Siemens has issued a response to these findings, but they’re in German, so we don’t know what they say
    • Just kidding of course 😁
    • They have responded they will fix this, but it’s in future physical hardware iterations – it’s a flaw in the hardware, so there’s no way to patch it
    • What we can tell you is that if this was something that could be exploited without physical access, it would be a massive problem
    • Siemens has urged customers to limit access to these PLCs to reduce the risk of tampering 
  • Finally, let’s talk about the group that made this discovery – Red Balloon Security
    • There’s definitely 98 other iterations of this company 🎈
    • Like other companies out there, they love tearing apart these embedded devices 
    • They were founded in 2011, so they’ve been at it for a while (which, in this world, as you likely know, is a long time)
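To make the “root of trust” point concrete, here is an added example (not code from Siemens, Red Balloon Security, or the podcast) of what a verified boot chain looks like when every stage *is* checked with an asymmetric signature before it runs. The boot ROM trusts a single immutable root public key (in real silicon this would live in OTP fuses or mask ROM); each stage carries the public key that authorises the next stage, and its signature was made by the key the previous stage vouched for. The stage names, image bytes and keys are all constructed for the demo. The two tampering helpers show why skipping verification for *any* stage breaks the whole chain: swapping the firmware image fails at the firmware stage, and re-signing it with a new key fails one stage earlier, because the previous stage’s signature also covers which key is allowed next.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain. Each stage carries the public key that
// authorises the stage after it, and a signature over (image || nextPub) made
// by the key that authorised this stage.
type Stage struct {
	Name    string
	Image   []byte
	NextPub ed25519.PublicKey // nil for the final stage
	Sig     []byte
}

// stageDigest binds the image and the delegated key together under one hash.
func stageDigest(image []byte, nextPub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write(nextPub)
	return h.Sum(nil)
}

// SignStage signs a stage with signer: the root key for the first stage, or
// the private half of the key the previous stage published as NextPub.
func SignStage(name string, image []byte, nextPub ed25519.PublicKey, signer ed25519.PrivateKey) Stage {
	return Stage{Name: name, Image: image, NextPub: nextPub,
		Sig: ed25519.Sign(signer, stageDigest(image, nextPub))}
}

// VerifyChain models a boot ROM that trusts only rootPub (assumed immutable).
// Each stage is verified with the key the previous stage vouched for before
// control would pass to it. It returns the stages accepted so far and an
// error naming the first stage that failed, at which point boot halts.
func VerifyChain(rootPub ed25519.PublicKey, stages []Stage) ([]string, error) {
	key := rootPub
	var accepted []string
	for _, st := range stages {
		if len(st.Sig) != ed25519.SignatureSize ||
			!ed25519.Verify(key, stageDigest(st.Image, st.NextPub), st.Sig) {
			return accepted, fmt.Errorf("stage %q: signature verification failed, halting boot", st.Name)
		}
		accepted = append(accepted, st.Name)
		key = st.NextPub // trust is delegated only through a verified stage
	}
	return accepted, nil
}

// BuildDemoChain constructs a three-stage chain with constructed sample images
// and freshly generated keys, the way a vendor build pipeline would sign it.
func BuildDemoChain() (ed25519.PublicKey, []Stage) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	blPub, blPriv, _ := ed25519.GenerateKey(rand.Reader)
	fwPub, fwPriv, _ := ed25519.GenerateKey(rand.Reader)
	stages := []Stage{
		SignStage("bootloader-1", []byte("BL1 image (constructed)"), blPub, rootPriv),
		SignStage("bootloader-2", []byte("BL2 image (constructed)"), fwPub, blPriv),
		SignStage("firmware", []byte("PLC runtime (constructed)"), nil, fwPriv),
	}
	return rootPub, stages
}

// TamperFirmware returns a copy of the chain whose final image was replaced
// without any signing key: the original signature no longer matches.
func TamperFirmware(stages []Stage) []Stage {
	out := make([]Stage, len(stages))
	copy(out, stages)
	out[len(out)-1].Image = []byte("modified firmware (constructed)")
	return out
}

// RekeyFirmware returns a copy where the final image was re-signed with a new
// key and the previous stage's NextPub was pointed at that key. The firmware
// signature is now internally valid, but bootloader-2's own signature covered
// the original NextPub, so verification fails there instead.
func RekeyFirmware(stages []Stage) []Stage {
	out := make([]Stage, len(stages))
	copy(out, stages)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	last := len(out) - 1
	out[last] = SignStage(out[last].Name, []byte("re-signed firmware (constructed)"), nil, newPriv)
	out[last-1].NextPub = newPub // breaks bootloader-2's signature
	return out
}

func main() {
	rootPub, stages := BuildDemoChain()
	fmt.Println(VerifyChain(rootPub, stages))
	fmt.Println(VerifyChain(rootPub, TamperFirmware(stages)))
	fmt.Println(VerifyChain(rootPub, RekeyFirmware(stages)))
}
```

The design choice worth noticing is that the signature covers the *next* public key as well as the image. That is what turns three independent signature checks into a chain: an attacker who can rewrite flash but holds no vendor key cannot splice in their own key without invalidating the stage that delegated to it. A device that skips the check at any one stage, which is the gap described in the finding above, lets that stage become the new, attacker-controlled root.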

NYCTrainSigns of Life

  • Here’s a look at how Kevin Chung spent his New Year’s taking over the defunct IoT company, NYCTrainSign
  • If anyone has visited New York City (NYC) and took the subway, there are distinctive signs that tell you when the next train is arriving and where it’s heading
    • They’re pretty iconic and in 2016/2017, a company tried to create mini ones for people to have in their homes or businesses 
    • This company put together a few hundred signs, but eventually found themselves out of business, leaving some customers with unfulfilled orders
    • 5 years later, Kevin found someone on Reddit selling one of these signs and decided to reverse-engineer it to see what the cost to create one would be and where this company failed, with the intended hope of possibly selling his own signs
  • The components of the sign weren’t too surprising when he took it apart
    • LED panels, a Raspberry Pi driving the whole thing, a micro SD card, additional power supply materials, etc. 
    • What he found was that this thing was likely over-engineered and they could have gotten away with fewer materials
    • He estimated the bill of materials (BOM) was about $150, and at cost they would have needed to sell for $600 – however this company was selling them far below that price, which is likely what got them in trouble
  • When Kevin resurrected the sign, it worked just fine, but the API that pushed data to the sign was defunct
    • The company let their domain registration lapse, so Kevin purchased it, and in Iris Investigate you can see the historical data
  • Ultimately, Kevin’s findings included the following:
    • This sign was a good product, but it’s important to get your BOM in line with pricing 
    • He believes the company didn’t have ill will, but simply lacked the experience needed to create a product and go to market 
    • While Kevin took this on with the idea he may sell his own signs, he ultimately felt he’s not the right person for the job
      • He is, however, maintaining the new NYCTrainSign server for the time being

This Week’s Hoodie/Goodie Scale

Firmware and Tear

[Taylor]: 4.7245/10 Hoodies
[Tim]: 3.0006/10 Hoodies

NYCTrainSigns of Life

[Taylor]: 10/10 Goodies
[Tim]: 5/10 Goodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!