Hardware pentest

Use case

Defending the physical world from cyber threats

Ukatemi Technologies

09/23/2021

Background

With the evolution of factories, increasing the efficiency of the production line has become the key element to staying competitive on the market. One such efficiency-increasing measure is to digitize and automate ever larger parts of the factory. Producing an item no longer requires trained technicians to create it by hand, but highly qualified engineers who configure Programmable Logic Controllers (PLCs) from their workstations to do the work for them using robotic arms. However, these PLCs were not designed to be resilient against attackers, so protecting them poses challenges.

The problem

Usually, there are several layers of protection between the internet and the industrial network. Using well-configured and regularly tested firewalls ensures that the industrial network is not, or only indirectly, accessible from the internet. However, like all networked systems, industrial networks can also be misconfigured, and even if they are configured correctly, the devices themselves can contain vulnerabilities. A direct attack against a factory can lead to catastrophic damage to both the quality and the quantity of the product, as well as to the safety of employees and customers. For example, let's suppose an attacker overwrites a car manufacturer's PLC program so that it skips every second spot during welding. While the car would look as if it had been properly assembled, it could not withstand the forces it was designed for, and recalling a large number of already sold cars is insanely costly. Thus the goal is to make it as hard as possible for an attacker to reach these devices, lowering the likelihood of a successful attack.

Our solution

We pentested multiple well-established firewalls specifically designed to protect industrial networks. During our penetration tests we found critical vulnerabilities which allowed us to gain privileged access to the device, dump its firmware and modify the policies, or completely bypass it altogether, thus getting one step closer to demolishing the production line protected by the device. The vulnerability we found did not require us to have local access to the device; we were able to perform the attack remotely. While our intentions were not harmful, the scale of the potential damage is indescribable, thus patching security holes in hardware devices used in industrial environments is essential for the companies. Obviously, we informed the manufacturer about these vulnerabilities.