
Thank you.

I'm very excited to be here today. How are you? So I'm Vera, and in this short talk we will talk about hacking flow computers. But before we talk about what flow computers are, let me introduce myself. I'm Vera, a vulnerability researcher at Team82. Team82 is the vulnerability research team of Claroty. We are targeting mostly the OT, IoT and medical sectors, from the field devices themselves to the SCADA systems, while I mostly focus on the embedded devices, because that's what I enjoy doing. I have been in the team for three years now, and I hope that you have enjoyed the city this week. So let's start. Let's hope it works.

So what are flow computers? As the name suggests, flow computers perform flow measurements, which is: they calculate how much gas or liquid goes through the pipes at each moment. There are a lot of places that use this type of computer. Gas and oil processing plants are one example, or any other plant, a water plant or something like that, that takes a substance from one point to another through pipes. Flow computers come in various shapes and sizes; they can be mounted on the wall or on the pipe, as we can see here. Messing with those computers is a pretty big deal, not to mention the stuff that Marina talked about at the keynote: more flow means more money, and for some reason people do care about oil prices. So we would like to keep those computers safe from attackers, right? That's what we would like to remember along this lecture.

So we are ready to meet our device. This is ABB's micro flow computer. (Maybe I need to stand right here.) This is a bare PCB. There is an ARM CPU attached to it, it can be connected to a tiny LCD and a battery, it has a metal enclosure in case of rain, and it can be mounted directly on the pipe. So we just need to keep in mind that this is a computer that is connected to the pipe, and it will calculate the flow of any substance that comes through that pipe, especially gas and oil; that is what it's made for.

Let's look at what is within the computer. We have our ARM CPU, 32-bit, like any other similar device, and we have Ethernet and serial ports as I/O ports. We have a Linux operating system on that computer, which is quite convenient for us. The two main protocols implemented are Modbus, which is a fairly popular protocol used in many OT devices, and the Totalflow protocol, which we will talk about a little bit later. It is a proprietary protocol developed by ABB itself, and it uses it for configuring the device, viewing flow measurements and many other things.

The main component of this device, the one that we will talk about today, is the main application. This is the application that comes up when the device boots, the tiny device that we saw earlier, and it stays on as long as the device is on. What it does: it is the main application of the computer, which means some calculations for the flow, which can be quite complicated from a mathematical point of view; it can do some alarm management; and it has a configuration interface, and the configuration one is what we will care about.

Another important part of the system is the client, the Totalflow client. It is a client that can be downloaded from the ABB website, and the operator that downloads the client can connect to any device that talks the Totalflow protocol, like our own, to make a configuration, to view flow measurements and so on.

There are two main security features implemented within the device. We have our security switch, which is mounted on the PCB itself; it's a button that we can touch, and what it does is enable or disable the security passcode. The security passcode is a four-digit number that is sent with every Totalflow payload. Totalflow is a protocol; it has a payload and a header, like any other protocol, and each payload has its passcode along with it. If the passcode is correct, the one the device expects to get, the payload is received and the response is sent; otherwise we will get an error. So this is our security mechanism.

This is a pretty cool computer, right? Not the one that we are used to seeing every day in life, and it can be pretty cool to hack it. We need to set a goal for our research, and as I said before, more flow means more money, so it can be pretty cool if we could just control the device and make the device report a little less flow than the flow that is really within the pipe, so we pay less. And since those devices are located somewhere in the desert in the oil and gas plants, we would like to do it remotely from our home; no one wants to wait in line there and debug. So our goal here will be pre-authenticated remote code execution on the device. While this is a pretty common goal for these kinds of devices, it's not always possible, but I'm here today talking to you, so it went pretty well.

First things first, we need to read the documentation, the manuals, right? It is not a device that we are used to; maybe it's one we have heard of for the first time, and there is a lot of information to get from it. We would like to get as much information as we can from the manuals before we start to reverse engineer it. The most important thing that we would like to get is how operators who just bought the device would configure it. If we understand well how the operator configures it, how it connects to the device from the client, we will understand the context of our research, and it will be quite a good start.

And before we go on to building a setup, we need to get the firmware. So what is the firmware? The firmware is merely a package, in our case, that has everything the device needs to run, for the main application to run. It means it has the bootloader, the kernel, the file system and any other files it needs. Often those firmware packages are available online, and the availability of the firmware is pretty critical: if we don't have our firmware online and we don't have any other way to get it, it pretty much can stop our project altogether; nothing to do from here. But we were lucky; the firmware was online. The time that we have from getting the firmware until we start to reverse engineer it depends on various things. One of them is whether the firmware is encrypted or signed, whether it works with an architecture that our disassemblers understand, whether it runs on an operating system that is very familiar to us as researchers. In this project it went quite well, as you can see, and in a matter of a couple of hours we had all the files needed to start reverse engineering it.

But before we start to reverse engineer it and understand what it is, we need a setup, and the setup is pretty important. We want to get a setup as soon as we can; we want to know how our target behaves on some payload. The first option, and the obvious one, is just to buy it, right? It's a great option: we will have all the peripherals we want, we have the whole system, no emulation; all we need to worry about is the interaction. But also it's quite expensive. In our team it sometimes happens that we buy the toys that we are playing with, like this one; you have all the racks; each device here is a PLC or an HMI that we are happy to hack every time we get one. But the unfortunate thing is that it's not always possible, right? Flow computers for gas are not as popular on eBay as USB cables, and in this case we understood that we had to hack the computer without an actual device.

Luckily for us there is a pretty good alternative. We are essentially not interested in bootloader and kernel research; instead, for this target we can just take the file system itself and copy it to a ready-to-use ARM machine. In our case we took a Raspberry Pi; any other ARM machine will do. This is a great choice: it's easy to set up; we are just copying one directory from one place to another. But there is a really clear disadvantage: our main binary will at some point want to talk to its peripherals, and it just won't be able to, because our Raspberry Pi doesn't have the sensors and the pipes that the normal computer would be attached to, and we will need to patch them. We will see how it's done.

So first things first, as I said, we will just take the file system, the root file system with the lib and bin directories that we are used to, and we will copy them from the firmware to the Raspberry Pi. That's it; that's the first step. The second step is quite an important one: we need to find the main binary. It's not that obvious at first look, and if you remember, I said that the main binary is the one that starts at boot, so init.d is a really good place to look for those, and this is where we found ours. It doesn't have a clarifying name like main_binary, but this step is quite easy. The much harder step is the next one. So we have our main binary, we found one, and now we can chroot into our file system and make the root context be the new file system that we just copied to the Raspberry Pi, and we are ready to run the device. What will happen soon after we run it? The main binary will crash. Why? It's just trying to talk with its sensors, its peripherals and such; our Raspberry Pi doesn't have them, so it will crash, and in these cases we need to patch the binary.

So what do I mean by patching? Our main binary is just assembly code, in the ARM architecture, so what we do in that case is take the function that is responsible for talking with the peripherals and just remove the function from the binary, remove the assembly code and put some no-operation instructions instead. We will pack the binary back and run it again, and we will do it as long as needed until the main binary is up and running and waiting for a connection from the client. In our case it went pretty well: we patched only seven functions, and within a couple of hours we had our setup, which is quite nice. So this is our flow computer: no pipes or anything fancy, but it won't stop us from hacking it, and that's what is important.

We have now come to a step in our research where we can review our attack vectors. Remember that I said that our attack should be remotely available; we do not want to plug some USB into the device in some distant plant, so only remotely available endpoints are relevant to us. The first thing we would like to look for is a web server, one implemented within the device, but unfortunately for us, non-existent. SSH is a good option as well, but it's disabled by default, and we need to call operator support to obtain the key, and no one likes to make calls, right? Modbus, the protocol you remember we talked about, is an available option for us, but this protocol has been heavily reviewed and it has a pretty narrow attack surface, so it's not that perfect for us. But fortunately for us we have another option: the Totalflow protocol, which is a proprietary and undocumented protocol that is used to configure the device. This sounded like a good way to go, and it was.

So just to recap what we have up until now: we have our client, the Totalflow client; we downloaded it from the ABB website, and it can connect to any device that supports the Totalflow protocol. We have our main binary that runs on our Raspberry Pi and emulates the flow computer, the real flow computer, and it waits for the connection from the client. It's a good time to just connect them together and see what we get. So this is what we got: this is a screenshot from Wireshark, and we see that the protocol is a binary one; it has some ASCII header, which is good for us; we know that we are reviewing the correct protocol. That's nice, but nothing else is understood by us. Our job is pretty clear: we need to reverse engineer the protocol, we need to understand it, we need to find a bug within it and we need to exploit it. So that's fun, and it is. Let's start.

So right now we will look at two main approaches for reverse engineering the protocol. The main binary that we got within the firmware was a bare binary: no symbols whatsoever; we don't know what's going on, and finding the code base that is relevant for us is not that obvious, so we need to find something that will give a pretty good clue that we are on the right track. There are some places that we can look at. One of them is CRC lookup tables and some socket operations, port numbers. Another thing is that we can match the strings from the client binary to the main binary and see if there are some matching strings, in order to find some functionalities that will be relevant for us. Once we found the functions that are relevant for our protocol, we can just run the main binary within GDB, break on those functions and investigate the stack, back and forth, until we understand the protocol.

After many, many hours, this is what we came up with, and please note that not every bit and byte is tagged here; we do not understand everything, but we understand enough in order to construct the payload ourselves. Right now we can write our own client in Python or whatever, just to be able to talk with the device without any client. There is only one thing I want to draw your attention to, and it is these two bytes. Remember the four-digit passcode that I talked about? These two bytes are the CRC16 of that passcode, so it's also two bytes that indicate whether the client is authorized to make the request or not. I hope that you're getting where I'm going with this: we have our first vulnerability. We have an authentication bypass, and let's talk about how it works. We just pick some four-digit passcode and we put it in our client; the client will perform the CRC16 and send it to the server, to our Raspberry Pi, and the Raspberry Pi will check the CRC code. If it's the one that it expects, the correct one, it will receive the payload; otherwise it will send an error. So we have a pretty good indication of whether our passcode is the correct one, and from here the attack is pretty straightforward: with no rate limitation available, we can just calculate the CRC16 of all of the four-digit space and send the codes one after another until we get a correct one; something like one minute. That's cool.

So being authenticated is cool; we are now able to do from our Python client the same things that an authenticated user can do from the Windows client, and that's pretty cool. But remember, we want to execute arbitrary code on those devices, and being authenticated is not enough; we need to find another bug. There is a good place to look for those, and this is file operations. Fortunately for us, we have one: an operator that maintains the device can download and upload the configuration files, in case he wants to duplicate a configuration or maybe download some logs. Let's just investigate how it looks in Wireshark. As we see here, the whole path is forwarded within the payload of the file we want to read, so the question is pretty obvious: can we just go back to the root directory and read any other file, or do they mitigate against path traversal? Let's find out.

So what we do is: we have our client, we understand the protocol, we can write any payload that we want, and the obvious file to look for is /etc/shadow. That's what we do: we just put a path that traverses back to the root and asks for /etc/shadow. (I'm sorry, the clicker here is quite bad. There is a spoiler within the slides; I hope you didn't see it.) So we saw this one: this is a compressed payload; we see it from those two bytes; and the moment it's gone, but I will show you again after we decompress it in our client. This is the file that we get, and I hope that the file is familiar to you; this is how /etc/shadow looks. So it looks like we can read an arbitrary file within the device. This is sensitive information; a client, and no one else, should be able to get those files. And the write, uploading files to the device itself, works pretty much the same way. Now we have arbitrary read and write primitives on the device; in other words, the target is ours. It's now just a matter of how we exploit it.

The easiest way to exploit it is just to turn on SSH. Remember that I told you that it is disabled by default and has an authentication key, so it's pretty simple: we will just enable SSH, we'll put our key into the authorized_keys file, and let's see how we did it. First we need to authenticate; we authenticate with the same attack that I described before, and then we use our path traversal vulnerability to ask for the authorized_keys file, not a file that should be available to the attacker or any other client. This is a file that holds all the keys that SSH will agree to authenticate with, and we will just generate our own key pair and put it into the file, and we will use the same path traversal vulnerability in order to put the file back, and we will enable SSH just the way the client would edit it, and we will have an SSH connection as root, because what other user would run it, right?

So this is a short demo. Does it work? Yay. So this one takes a different approach, with the SSH configuration files, but this is the same thing basically: we just took the SSH config, we do some of our magic to it, so now what we can do is SSH to our device, and we have root on the device.

So that was quite cool, right? There is a pretty large impact to it; Marina talked about it; let us think about it for a moment. I would like just to go over the summary of what we saw: we learned what flow computers are, that we can hack them without the real device, how to reverse engineer a proprietary protocol that we have no knowledge about, and how to get free gas for life. So that's it. I hope that you enjoyed the talk. Feel free to reach out to me and ask questions.
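The two weaknesses the talk relies on, a passcode check with no failure limit and a file path taken straight from the payload, are the two things a defender would close first on a device like this. The Python below is an added example, not ABB's code and not part of the talk: a path confinement check that canonicalises the requested file against an export root before any read or write, and a per-client passcode gate that counts failures and uses a constant-time comparison of the passcode itself rather than a checksum of it. The export directory layout, the client addresses and the passcode are constructed for the demo.

```python
"""Server-side checks for a file-transfer request (defender-side example).

Constructed illustration, not ABB's code: a file service that receives a
`path` field from clients, plus a passcode gate that remembers failures.
"""
import hmac
import os
import tempfile
import time
from pathlib import Path


class AccessDenied(Exception):
    """Raised when a request would leave the export directory."""


def resolve_within_root(root: str, requested: str) -> Path:
    """Canonicalise `requested` against `root` and refuse anything that escapes it.

    The decision is made on the resolved filesystem location, so `..`
    segments and symlinks that point outside `root` are caught by the same
    relative_to() test. Absolute paths are refused outright: a client only
    ever names files relative to the export root.
    """
    if requested.startswith(("/", "\\")):
        raise AccessDenied("absolute paths are not accepted")
    root_real = Path(root).resolve(strict=True)
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise AccessDenied(f"{requested!r} resolves outside the export root") from None
    return candidate


class PasscodeGate:
    """Per-client failure counter: after `max_failures` wrong passcodes within
    `window` seconds the client is refused, even with the right passcode, until
    the window has passed. `clock` is injectable so the behaviour is testable."""

    def __init__(self, expected: str, max_failures: int = 5, window: float = 60.0,
                 clock=time.monotonic):
        self._expected = expected.encode()
        self.max_failures = max_failures
        self.window = window
        self._clock = clock
        self._failures: dict[str, list[float]] = {}  # client -> failure timestamps

    def locked_out(self, client: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(client, []) if now - t < self.window]
        self._failures[client] = recent
        return len(recent) >= self.max_failures

    def check(self, client: str, passcode: str) -> bool:
        if self.locked_out(client):
            return False
        # Constant-time comparison of the passcode bytes, not of a CRC of them.
        if hmac.compare_digest(self._expected, passcode.encode()):
            return True
        self._failures.setdefault(client, []).append(self._clock())
        return False


def build_demo_root() -> str:
    """Constructed export directory: one real config file, plus a symlink inside
    the root that points to a file outside it (the case a string check misses)."""
    base = tempfile.mkdtemp(prefix="flowdemo-")
    export = os.path.join(base, "export")
    os.makedirs(os.path.join(export, "config"))
    with open(os.path.join(export, "config", "site.cfg"), "w") as fh:
        fh.write("station=demo\n")
    outside = os.path.join(base, "secret.txt")
    with open(outside, "w") as fh:
        fh.write("not for clients\n")
    os.symlink(outside, os.path.join(export, "link_to_secret"))
    return export


def demo() -> dict:
    """Run constructed requests through both checks and report each verdict."""
    export = build_demo_root()
    ticks = [0.0]  # fake clock, advanced by hand below
    gate = PasscodeGate("1234", max_failures=3, window=60.0, clock=lambda: ticks[0])
    results = {}

    # Path confinement: the talk's traversal string, an absolute path and the
    # planted symlink are all refused; the legitimate relative path is allowed.
    for requested in ("config/site.cfg", "../../../../etc/shadow",
                      "/etc/shadow", "link_to_secret"):
        try:
            resolve_within_root(export, requested)
            results[requested] = "allowed"
        except AccessDenied:
            results[requested] = "denied"

    # Passcode gate: three wrong guesses lock the client out, so the fourth,
    # correct, attempt is refused too; another client is unaffected; the
    # lockout lifts once the window has passed.
    guesses = ("0000", "0001", "0002", "1234")
    results["guesses_from_10.0.0.5"] = [gate.check("10.0.0.5", g) for g in guesses]
    results["correct_from_10.0.0.6"] = gate.check("10.0.0.6", "1234")
    ticks[0] = 61.0
    results["after_window_10.0.0.5"] = gate.check("10.0.0.5", "1234")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of resolving before comparing is that a request string can be clean while the file it names is not: the `link_to_secret` case passes any `..` filter and is only caught because the check runs on the resolved location. The gate deliberately refuses a correct passcode from a locked-out client, which is what removes the "try all ten thousand and watch for the one success" signal the talk describes.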