Luigi Auriemma, of yesterday’s 34 0day ICS vulnerabilities, was kind enough to answer some questions we had. I would have preferred a podcast, but neither my Italian nor his English allowed that. I have slightly edited his responses for English/clarity, but I’ve been very careful not to affect the content and meaning of his answers. 1. How did you get access to the software you tested? Were they all free downloads?
Unfortunately not all are free to download, but with a certain effort it was possible to find them, although sometimes retrieving the latest patch is really impossible. 2. What experience did you have in SCADA / control systems prior to this effort?
Absolutely zero. I have never used the products I tested, and the situation has not changed much after the tests. I didn’t go deeper into the software that I tested, after all it was just an experiment.
3. How much time did you spend with each product?
I didn’t spend more than 2 days on each one, including the reversing of the protocol, the auditing, the fuzzing and the analysis. This also includes the writing of the advisories and the proof-of-concept code, because for me it’s normal to provide this code for anyone wants to verify the bugs I report.
4. Can you provide an overview of the tools or techniques you used to find these vulnerabilities in such a short time?
I performed a simple auditing of the main operations by following them with a debugger. Just the classical watching of what the program does with the bytes of the incoming packet. This is necessary mainly for figuring out the protocol (for example some of the softwares use checksums) and noticing some bugs directly with the eyes.Then there is the fuzzer part where an automated tool modifies the original sample packet or builds it from scratch till the finding of an exception like a crash. 5. On your site you say “contacting or not the vendor/developers is now at my discretion (for various reasons)”. Did you contact the vendors in advance this time? Also could you briefly explain why you chose this disclosure path and timeline?
The vendors have not been contacted because I no longer follow the so called “responsible disclosure” guidelines that I used until the end of the 2007. The fact is that finding a vulnerability and releasing it publicly is already a “huge” job that the researcher does for free (finding the bug is the major part of the patching process) and contacting a vendor that doesn’t even credit him in the patches is just like becoming a slave and it’s offensive to the researcher … I have many horrible experiences with responsible disclosure.
For these specific bugs I have waited some months between the finding and the releasing because I wanted first to see if was possible to get some funds by reporting them to specific security companies that make responsible disclosure. 6. Do you plan to do any additional work on control systems in the future?
I guess no because I have noticed that there is no interest in these vulnerabilities so there are no funds for my research. This situation has been confirmed also by the same ICS-CERT (http://www.us-cert.gov/control_systems/ics-cert/) where the resulting concept of our discussion can be summarized in “SCADA is a so critical field that if I find a security bug I must do it for free”, and I must also cooperate (forever for free) to fixing it. So spending my time and effort for free is something I would limit, I have already done this for 10 years and “glory” leads to nothing, although I must admit that a full-disclosure release is ever a pleasure. 🙂
Anyway I have some other SCADA vulnerabilities in my pocket and 3 of them are about a very big vendor, but at the moment I have still not planned the releasing of these additional security bugs or if they will be under full or responsible disclosure.
Image by @TimStratPhoto