A security researcher at the Def Con hacking conference in Las Vegas has revealed a handful of new zero-day exploits in the Supervisory Control and Data Acquisition (SCADA) systems used to interface with industrial machinery. SCADA became a household name for security researchers after it was found that the Stuxnet worm had infected those systems to damage centrifuges at Iran's Natanz nuclear facility in 2010. But for these latest vulnerabilities, researcher Wesley McGrew presents an unusual Patient Zero: the universally loathed 17-year-old software, Microsoft Bob.

If you don't remember Bob, you're probably better off for it. But basically, the failed platform was meant to give Windows PCs a "user-friendly" interface composed of virtual "rooms" populated by cartoon characters (including, yes, the much-hated Clippy) in lieu of the usual drag-and-drop desktop. It also had a slew of laughable security flaws, like the fact that when you forgot your password, an overzealous cartoon dog would offer you the chance to simply change it.

Bob may be long dead, but McGrew points out that the captive kiosk interface shares a few humorous (and horrifying) similarities with Human Machine Interfaces (HMIs) — the software "control panels" for SCADA systems — and demonstrates how they can be manipulated to allow unauthorized access.

McGrew says that the problem with special-use interfaces like Bob and HMIs is that they rely on their ability to keep unauthorized users locked out of the multitasking operating systems they run on top of. "If a user can get out of that interface or run other code, it's over," he says. That usually leaves user authentication as the software's primary mode of defense.

An example of SCADA HMI software

A "challenge code" can be used to easily retrieve "emergency" passwords without authentication

Unfortunately, that's often not enough. In one example of vulnerable SCADA HMI software, Iconics Genesis32, McGrew found that a "challenge code" at the bottom of the login screen can be easily used to retrieve "emergency" passwords in two ways: either by simply requesting it from the vendor by phoning technical support (the challenge codes aren't tied to any specific user account) or by decoding it manually, which, as McGrew demonstrates, is actually far easier than it sounds. McGrew also notes that HMI passwords are commonly stored obfuscated with a static XOR key that is the same for all users and across every installation, making unauthorized access easier for intruders.
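To make the static-key point concrete, here is an added Python illustration, not Iconics' storage format and not McGrew's code: a constructed repeating-key XOR scheme of the kind the article describes, beside salted, iterated hashing, the standard fix. The key bytes, the sample passwords and the record layout are all assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical static key shared by every user and every install (constructed
# value for illustration only, not a real vendor key).
STATIC_KEY = b"\x5a\xc3\x91"


def xor_obfuscate(password: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR: the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def recover_keystream(known_password: bytes, stored: bytes) -> bytes:
    """Because XOR is its own inverse, one user's own password next to its
    stored form reveals the key stream for those byte positions, which is
    why a key that never changes across installs protects nothing."""
    return bytes(p ^ c for p, c in zip(known_password, stored))


def decode_with_keystream(stored: bytes, keystream: bytes) -> bytes:
    """Decode any other stored record no longer than the recovered stream."""
    if len(stored) > len(keystream):
        raise ValueError("record longer than recovered key stream")
    return bytes(c ^ k for c, k in zip(stored, keystream))


# Hardened storage: a random per-user salt plus a slow, one-way password hash.
# Records are install-specific and cannot be inverted back to the password.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: bytes, salt: bytes = b"") -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: bytes, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)
```

Two hashes of the same password differ because of the salt, so a record copied from one install tells an auditor nothing about another; the XOR records, by contrast, decode identically everywhere.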

Interestingly, McGrew's Def Con talk was a stand-in for another presentation, in which two other security experts were slated to reveal a whopping 20 zero-day vulnerabilities found in various SCADA systems including Siemens Simatic WinCC, one of the systems targeted by the Stuxnet worm. The presentation was quietly replaced by McGrew's, and though it's still not clear why at the time of this writing, it wouldn't be a stretch to assume that given the nature of the bugs, the presenters may have been contacted by one of the affected vendors and asked to disclose privately in order to minimize potential danger.

"These are not Pwnie Award-winning attacks," McGrew says of his own findings, referring to the computer security awards ceremony held annually at Def Con's sister conference, Black Hat. "But they require some level of access and are part of a larger attack."