
Philip is going to give us a great talk now: PLC for home automation and how to make it a honeypot. Without further ado, please come in a little silently, turn off your phones, and enjoy.

Hi. Hi, it works, okay. Thank you. Okay, first of all I would like to thank BSides for having me here. Oops, it's echoing. And I would like to thank my mentor, Scott Erven from Protiviti; they have their booth just outside, so please check it out. And thanks to everyone who's sitting in this room.

Okay, so today I'm going to talk about PLCs for home automation and how to make one a honeypot. It may not be what you have imagined: it's not about how to crack a PLC, not about how to break it, because, you know, Trend Micro is not playing red team. It's about having fun.

Okay, so this is how you might imagine home automation: like an openHAB project with a Raspberry Pi, some neat modules that you can purchase on Seeed or other online retail stores, and you put something on it like your mailbox checker, your washing machine, or to monitor the temperature and humidity in your house. But a friend of mine has had this idea of making it a little bit more robust, like using an industrial-level PLC. You can have something that works for 20 years; you don't even have to upgrade the firmware, and that's part of the problem. Well, so just install and forget, and it will run forever. And nowadays they even have some user interfaces like IFTTT, very beautiful HMIs, so you don't even need to tinker with a Raspberry Pi; the interface is like this: if something, then something. And you still have to understand a little bit how a PLC works. For example, you have to configure a timer that sends a heartbeat; otherwise, if someone just DoSes your PLC, you're dead. So a PLC is just not like a modern computer; it's a little bit weak. I mean, the CPU is weak, so if you DoS it, it stops working and everything's gone and there's no security anymore.

So this is how my friend's house is designed. As you enter the house there's an IR (infrared) sensor. As the sensor is activated, within one minute you have to push the keyless key to disarm with this rolling-code remote controller; otherwise there's a siren at 100 dB, very loud, to alert everyone and scare you out. Sorry, sorry for the dirty words. Okay, and then there's a reed switch on the main door, so you cannot just come in and try to unlock, pick the lock of, the door. It doesn't work; the siren will buzz. So this is how the bus looks. He's a freak; he has designed all this circuit. It's like Modbus TCP with a GPRS module, so if anybody enters his house there's an SMS sent to his cell phone. And there's an external module that talks RS-485, so he has additional digital I/O, and there are backup powers. It's a double-looped power circuit, so when anything fails on the main circuit there's a backup power, powered by a UPS. And this alarm, 16 DI, that he is just having fun with; he even kind of tricked it a bit and used a heater and a backup alarm.

So the thing is, he has to configure a timer to send a heartbeat to this backup alarm here. If there's no heartbeat within 3 minutes, another SMS will be sent to his mobile phone, so he knows something's wrong. And just some peripherals, a patrol helicopter for example, you know, that's just for fun. So here's how things are wired. Well, I will leave it to you, because you can download all the slides and all the programs in this talk on GitHub; everything's open sourced, so you can check it out yourself, and you can probably try to implement that with your Raspberry Pi. That's how I did it here. No, no, my pleasure to share everything. Yeah.

Okay, so here's how to break into the house. Yeah, you might try to trigger the IR sensor without the key fob; you open the door without the key fob; you cut the AC power, and there's a UPS; and you want a short circuit, because it's low-triggered, so you might want to ground something, maybe. Or you can hack into a VPN, like send some pornography and get his IP address, hack into his home router. Sorry, that's not what I want to talk about today. You can do that, I'm pretty sure, and that's what we do every month.

So, and yeah, I know you can do that, but the thing is you should not stop sending the heartbeat. You have to be very careful; otherwise he knows it. Yep. So the only thing that might break this design is a failed power rail on both powers, and it happened once. So that's Murphy's law: what can go wrong will go wrong. And you cannot just smash and grab, because he's really a paranoid freak; he has his wire-mesh glass installed. So maybe the robbers want to just go next door. Sorry for his neighbor, but yeah, that's how it works. Or you might want to break this rolling-code thing, which comes with a really good PRNG, so you might want to follow Samy Kamkar's talk at DEF CON 23, that's last year. It just records this wireless radio signal and plays it back. That might work; I haven't tried it. Or just use a [unclear] heater to break his main door, and yeah, that works very well.

So what's next? Now we have an armed house; we have a PLC that talks Modbus on port 503, sorry, 502, like everybody knows. So we can make it the first-level honeypot. What's a first-level honeypot? It just copies the readings out of this PLC and uses an open-source library that runs on a Raspberry Pi to try to expose itself on the internet, so that someone might find your PLC through Shodan. If you went to the session this afternoon, there's a dorky tool that scans Shodan for exposed PLCs, so maybe the bad guys might be interested in the PLC exposed on the internet. But it's a fake one; you just copy the real-time values, so it's updated every minute. You open a door, something changes to one; you close a door, something changes to zero. So it looks really authentic, so the bad guy might think this is a real thing, and he might want to change something, which you can log.

So this is the architecture. Of course Smith K wants to change some coils or some holding registers and feel happy, and I have even made a web interface, a very simple web interface. I cannot call it an HMI because it's just Flask, yeah. So he might be caught, Smith K, if everyone knows, that's out of a sci-fi novel. Okay. And we can make it the second-level honeypot just by adding a little bit of imagination. It's a self-adapted honeypot. For example, some state changes in this ground-truth PLC, and you add some delays to procrastinate this change. Or, for example, something changes in the holding register; you just don't make a direct copy, you put it through some polynomial function to make it match the value slowly, to make it look like a real thing. And the good thing is that you can change the parameters and deploy this honeypot worldwide out of the same ground truth. So eventually you can have 10 honeypots, 100 honeypots, that act differently. Yeah. So, and yeah, Python is really a simple scripting language that's really powerful; you can also add a pseudo-pump onto it. And this is the architecture, just some fuzzy function.

This is how it looks. I have a live demo, but unfortunately I don't have a PLC at hand. Yeah, limited by budget, there's only one PLC and I cannot leave my friend's house unarmed. So this is a very vague copy; I apologize for it. Okay, so this coil 9 is a heartbeat pin; you can see it change every second. And if someone just, like, flipped the switch, you can see something changed here, yeah. Or you can see that the readings of this holding register change little by little. So that's how it works. Or just wire this DI with some coil, and you set the coil to enable a pseudo-pump, or a real pump if you want to make fun of yourself. Yeah, so things like that.

So, recap of what's in this talk: we have a PLC securely fastening a house, sorry, we have a house securely fastened by a PLC with a double-loop circuit, and we can make it a simple level-one honeypot, and we can make it a little bit more complicated second-level honeypot, and we can add some simulated pump to the circuit very easily. And you have the code here; just download it, fork it, have fun, and if you want to send me some PRs I will be very grateful. Yeah, so that's it. You can add me on Twitter, or for the code, or just write me. I work for Trend Micro, and thanks to Trend Micro for flying me here.

And here's some... Sorry, I know I should not do a live demo, because, you see, live demos never work. Exception, exception. Yeah. So, sorry, bear with me for a second. Yep, you see here coil 9 is a heartbeat pin; it changes every second. And I have made a Raspberry Pi that monitors the heartbeat. If anything's wrong, if there's no heartbeat within 3 seconds, a simplified version of the original one, a red light turns on. So that's just an imitation, a very bad imitation, of the original thing. And yeah, this is how you do things. If you happen to fork it, you see the value stamped and something listening, and... oh, okay, so I know what's going wrong. It's something mysterious with the Raspberry Pi; I just have it configured for two more networks, and things should be going okay. Level one, level two, and HMI; it's not really an HMI, I just called it HMI for, yeah, for nothing. Okay, so this is the underlying one. Oh, sorry, reloading. Yep. You should not do a live demo. Awesome. Ready for questions. Yeah, any questions?
Q: For anybody who wants to start experimenting with PLCs, would you recommend any particular families or types or manufacturers or protocols or anything like that?

A: Actually we're using ICP DAS, just because it's very cheap; it's like $200 or $400 if you buy it at stock price, but I believe you can find something cheaper on eBay. Please don't try those Siemens ones; it's super hardcore, much more expensive, but it works. Thank you. Yes, please.

Q: Is there any interactivity back to the attacker, or is it just, you know, data goes in and dies and gets logged? Are they getting any feedback back to, you know, think that they're interacting with an actual PLC?

A: I guess, well, you can do that, but actually I hadn't done this until one month ago, so there's no field experiment. Sorry for that. I will try to, and maybe keep you updated on Twitter. Yes, please.

Q: Do you have any recordings of sessions of people in the machine, in the honeypot?

A: Yes. Let's see if it works. So, besides... So thank you for the question, I almost forgot this thing. So let's see, swap coil. Okay, you see someone has set the values, and you can put this log onto Elasticsearch or any database that you want. So we record it. Yes. Anybody else? Anybody else have questions? Going once, going twice. All right.

Thank you, Philip.
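The second-level honeypot the talk describes (a mirror of the ground-truth PLC that procrastinates coil changes and eases holding registers toward the real value, with attacker writes logged) can be sketched as follows. This is an added stdlib-only illustration, not the speaker's GitHub code: the `AdaptiveMirror` state model, the `immediate` pass-through for the heartbeat coil, and the constructed Modbus/TCP frame are all assumptions made here; a real deployment would sit behind a Modbus server library such as the one the speaker mentions.

```python
import math
import struct
from dataclasses import dataclass, field

@dataclass
class AdaptiveMirror:
    """Level-two honeypot state: follows a ground-truth PLC, but lazily (hypothetical design)."""
    coil_delay: int = 3                 # polling ticks a coil change is held back
    ease: float = 0.5                   # fraction of the remaining register gap closed per tick
    immediate: frozenset = frozenset()  # coils mirrored at once, e.g. the heartbeat coil
    coils: dict = field(default_factory=dict)
    holding: dict = field(default_factory=dict)
    _pending: dict = field(default_factory=dict)   # coil addr -> [new value, ticks left]
    _target: dict = field(default_factory=dict)    # register addr -> ground-truth value

    def observe(self, coils: dict, holding: dict) -> None:
        """Ingest one snapshot read from the real PLC."""
        for addr, val in coils.items():
            mirrored = self.coils.setdefault(addr, val)
            if addr in self.immediate or val == mirrored:
                self.coils[addr] = val
                self._pending.pop(addr, None)   # reverted or pass-through: nothing to release
            elif addr not in self._pending:
                self._pending[addr] = [val, self.coil_delay]
        self._target = dict(holding)
        for addr, val in holding.items():
            self.holding.setdefault(addr, val)

    def tick(self) -> None:
        """One polling interval: release due coil changes, ease registers toward truth."""
        for addr, entry in list(self._pending.items()):
            entry[1] -= 1
            if entry[1] <= 0:
                self.coils[addr] = entry[0]
                del self._pending[addr]
        for addr, target in self._target.items():
            step = (target - self.holding[addr]) * self.ease
            # round away from zero so the mirror actually reaches the target
            self.holding[addr] += math.ceil(step) if step > 0 else math.floor(step)

def decode_write(adu: bytes):
    """Decode a Modbus/TCP write-single-coil (FC 5) or write-single-register (FC 6)
    request into a log record for the honeypot's audit trail; anything else -> None."""
    if len(adu) < 12:
        return None
    _tid, _pid, _length, unit, fc, addr, val = struct.unpack(">HHHBBHH", adu[:12])
    if fc == 5:
        return {"unit": unit, "fc": "write_coil", "addr": addr, "on": val == 0xFF00}
    if fc == 6:
        return {"unit": unit, "fc": "write_register", "addr": addr, "value": val}
    return None

# Constructed sample frame: MBAP header (tid 1, proto 0, len 6, unit 1) + FC 5 writing coil 1 ON.
SAMPLE_WRITE = bytes.fromhex("000100000006" "01" "05" "0001" "ff00")
```

Running several mirrors with different `coil_delay` and `ease` values from the same snapshots gives the "10 honeypots that act differently" the talk mentions; the decoded write records are what you would ship to Elasticsearch.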