Monday, 21 April 2014
Project Basecamp - Attacking ControlLogix
Written by Rubén
Thursday, 19 January 2012

You can download my contribution to the Digitalbond's project basecamp by clicking on the image.

Extracted from the report: "One of the most time-consuming tasks I came across during this research was reading all the technical documentation gathered. Initially this fact may sound weird, but it is nothing unusual at all; while researching industrial devices, which commonly suffer from a lack of strong security measures implemented by design, the hardest part is not learning how to break things but understanding how they really work.

Therefore, the key point behind attacking this PLC was not how to circumvent its security but monitoring how the legitimate software performed valid operations in order to mimic them, in addition to the usual dose of reverse engineering and fuzzing to discover the ‘secrets’ behind the scenes. To sum up, any legit functionality supported by the controller could also be used by a malicious user in a malicious manner.

During this ‘journey’ we have identified problems that can be used to cause a DoS, load a trojanized firmware or leak information. Actually it’s not a bug, it’s a feature."

I'd say the underlying problem is that some of these 'attacks' are actually features documented in the CIP protocol, so again "any legit functionality supported by the controller could also be used by a malicious user". Within this context, the following article is worth a read: DHS Thinks Some SCADA Problems Are Too Big To Call "Bug"

Congrats to Reid and to all the researchers involved as well as thanks to Dale for counting on me for this project.

You can watch the following video, showing the results of the "Deep fried controller" exploit.

Last Updated ( Friday, 20 January 2012 )
Reversing Industrial firmware for fun and backdoors I
Written by Rubén
Monday, 12 December 2011

Update: ICS-CERT alert

Update: Schneider alert

Everybody knows I'm committed to hacking into the LHC and then blowing up the world. My first try was 4 months ago: as you can see below this post, I published "The power of reading: the CERN case", where I explained the method used to obtain confidential information about the LHC that led me to 'hack' into CERN (not really). Anyway, if you carefully take a look at the picture that contains some PLC modules, you'll distinguish their names; one of them was "NOE 771".

Last Updated ( Thursday, 19 January 2012 )
The power of reading: The CERN case.
Written by Rubén
Thursday, 18 August 2011

First of all my respect and admiration to the people working at CERN and to scientists in general. Humanity has evolved thanks to minds like theirs. I guess we all would agree that the most useful advice commonly received, or given, in this sector is: read, read everything that you can, and more...and that's how this story begins.

Some time ago, I spent a few hours compiling all the documentation/software I could find about UNICOS (Unified Industrial Control System), which is the SCADA system of CERN's Large Hadron Collider. In the end I managed to grab more than 2 GB of related stuff. Yes, there is quite a lot of information and software available; that's the good thing about the academic world. On the other hand, some of that information shouldn't be publicly available. This is a problem inherent to academia: a lot of people accessing a lot of systems from a lot of places. A security nightmare for network administrators. For instance, did you ever try to navigate public AFS folders? Oh boy...

Last Updated ( Monday, 12 December 2011 )