Black Hat: A Nose for Backdoors

Friday, July 27, 2012 @ 02:07 PM gHale


By Jacob Kitchel
As truffle hunters across Europe use pigs to sniff out truffles, Ruben Santamarta uses his skills to sniff out backdoor accounts in industrial device firmware.

As part of his research demonstrated at the Black Hat USA 2012 security conference in Las Vegas, the Spanish security researcher showed hardcoded backdoors in vendor software and firmware which can remotely access embedded computing industrial devices such as PLCs, RTUs, media converters, and smart meters. Attackers can use these secret accounts to then attack and control the devices almost undetected.

RELATED STORIES
Black Hat: Persistent Threat Plan
Black Hat: Govt. Unplugged
Black Hat: Smart Meters Insecure
Black Hat: Sub-GHz Wireless Within Reach
Black Hat: Air Gap Myth Buster
Black Hat: New Security Paradigm

Santamarta, who works for security consulting firm IOActive, sees it as his mission to hunt out these hardcoded accounts and educate vendors and consumers on the presence of un-documented and hidden backdoors in these types of devices.

Additionally, it is Santamarta’s hope that by sharing his methods, tools, and process that other researchers will take up the cause of searching out and getting hardcoded backdoor accounts eliminated.

“I am where I am because of research shared by other security researchers and I want to be able to give back to the research community and share my knowledge with people – to give back to the community what the community gave to me,” he said.

The threat of backdoor accounts has always been a concern in software and hardware systems but it wasn’t until recently researchers started performing in-depth assessments of industrial device firmware for this type of vulnerability.

This newly found interest among researchers has led to an explosion of exposed backdoor accounts in recent years. Santamarta and five other researchers presented similar research earlier this year as part of SCADA security consulting company Digital Bond’s S4 conference in Miami, FL.

This research was presented as part of Digital Bond’s sponsored Project Basecamp which took aim at exposing the types of backdoors which Santamarta presented at Blackh Hat.

After coming to terms with the fact backdoors are in an increasing number of embedded industrial devices, users will be amazed to realize Santamarta performs the majority of his research without the actual devices that he is assessing. Through a process called reverse engineering, Santamarta examines the compiled code in the device firmware to reveal the inner workings of the device.

After understanding and exploring the device firmware, Santamarta focuses on the device’s authentication mechanisms and embedded file system to uncover its secrets. It is in these areas where Santamarta shines. In one example, Santamarta tricked smart meter update software by acting as the smart meter and convincing the software to reveal its embedded secrets – including the hard-coded account and password used to update the device.

“Industrial control systems have been living quietly and without scrutiny for a long time,” Santamarta said. “I think we’ll see a lot of these issues for a while before they begin to be addressed. It’s a matter of time to fix these issues and time will determine how long it takes to fix them.”



Leave a Reply

You must be logged in to post a comment.