Project Basecamp Adds Stuxnet-Like Attacks To Metasploit
Trailrunner7 writes "Project Basecamp, a volunteer effort to expose security holes in industrial control system software, unveiled new modules on Thursday to exploit holes in common programmable logic controllers (PLCs). The new exploits, which are being submitted to the Metasploit open platform, include one that carries out a Stuxnet-type attack on PLCs made by the firm Schneider Electric, according to information provided to Threatpost by Digital Bond, a private consulting firm that has sponsored the effort. It was the third major release from researchers working for Project Basecamp and included three new modules for the Metasploit platform that can exploit vulnerable PLCs used in critical infrastructure deployments. The exploits rely on a mix of software vulnerabilities and insecure 'features' of common PLCs, which serve a variety of purposes in industries as varied as power generation, water treatment, manufacturing and others."
If I've pissed up enough to get equipment on the net that can be hacked, I prefer a script kiddie owning it rather than a 'hacker' with knowledge and patience. The script kid will tend to be impatient or plain dumb, such as flooding the machine with traffic or knocking it offline, in which case a problem will be noticed pretty quickly. The patient hacker... you may never know he was in your machine until he's compromised the entire network. He'll hide or patch the original hack so others can't use it and it doesn't show up in a pen test done on the network.
A script kiddie's like a flu: yeah, it can be deadly, but you're running a fever and coughing, so people see what's going wrong. A dedicated hacker is like HIV: by the time you notice it you likely have full-blown AIDS and have spread it to all the partners around you.
As a matter of fact, I do know how severe the problem is - I work in this industry. Hence my comment about how PLCs should never be connected to the public internet. (It is a terrifying fact that internet scans have shown that, in fact, many PLCs *are* connected to the Internet. SCADA interface servers, too. My only hope is that those PLCs aren't controlling anything very sensitive. If I close my eyes and think happy thoughts, I can convince myself that they might just be telemetry data collectors with no field control capability...).
Anyway, I am personally disgusted by the attitudes of the PLC manufacturers to the security situation. Many of them seem to regard this as just an opportunity to sell upgrades to new hardware - which isn't even going to be on the market for months!
Let's look at what's actually changed as a result of adding these modules to Metasploit:
1) The PLCs are just as shitfully insecure as they were before
2) Exploitation of that crap security no longer requires the specialized knowledge and skillsets that it previously might have. It is now officially low-hanging fruit that any idiot can pluck. Script kiddies - and even most computer professionals - don't even know what ladder logic is. Now, they can erase the logic in a PLC - and still not even know what it is!
Maybe, _maybe_, a few highly publicised "incidents" enabled by point 2 will cause the manufacturers to make some progress on point 1. If that's the only way to improve the state of industrial communications security, I would call that an even more bleak and cynical "silver lining" than my original sarcastic comment.
In any case, you don't need Metasploit modules to know if a PLC with IP communications is insecure. Here is a simple process for detecting insecure IP PLCs on any network, based on Project Basecamp's presentation:
1) Is it a PLC, using hardware & firmware that is currently available on the market, with an IP based network interface?
2) Then it's insecure.
None of the vendors passed their tests.
Air-gapping the network, or at least ensuring that there are strong chokepoints isolating the control network from anything else, helps quite a bit. That won't stop the most motivated actors (Stuxnet proves that) but at least it will keep the script kiddies and automated exploiters out.
To be perfectly clear, I think Project Basecamp is doing the world a huge service in identifying the security problems with PLCs. I think that creating Metasploit modules is going one step further than what's helpful, though. The world needs to know about exploitable holes in SCADA & control security, but it doesn't need easy ways to exploit them. Why do a vandal's work for them?