Transcript
HomePlugAV PLC: Practical attacks and backdooring
Sébastien Dudek
19/10/2014 ESEC
SOGETI
Introduction | Previous work on PLCs | Network analysis | The K.O.DAK attack | Inside the PLC
Who am I

Sébastien Dudek (@FlUxIuS)
■ Joined the ESEC R&D lab in 2012 after my internship (subject: Attacking the GSM Protocol Stack)
■ Interests: radiocommunications (WiFi, RFID, GSM, PLC...), network, web, and Linux security.
■ My story with PLCs:
    ■ moved out to a shared apartment;
    ■ angry with my roommate's WiFi (obstacles, perturbations...) → PLCs are cheap and could solve my problem;
    ■ and I wanted to learn more about these little devices...
HomePlugAV PLC: Practical attacks and backdooring
2/45
Summary

1 Introduction
    Context
    The electrical signal
    The targets
2 Previous work on PLCs
3 Network analysis
4 The K.O.DAK attack
5 Inside the PLC
Introduction
■ PLC: Powerline Communication, not to be confused with the Programmable Logic Controller known from SCADA and other apocalyptic things...
■ Principle discovered by Edward Davy in 1838
■ Released in the early 2000s for home applications
■ Evolves a lot in terms of speed
■ Other systems like Cenelec (3-148.5 kHz, low voltage) are used for meter readings, intruder alarms, fire detection, gas leak detection, and so on

But what does it look like at home?
PLC at home

The following pictures show a house equipped with PLC devices:

[Figure, source: devolo]

Only one PLC is connected to the internet and distributes it to the other PLCs → a user shouldn't have to worry about the network topology.
PLC layers

A PLC uses layers 1 and 2 of the OSI model:

[Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data link, Physical) beside the PLC's own Data link and Physical layers, which sit under IEEE 802.3]

Collision avoidance
■ Use of CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance)
■ TDMA →
    ■ allocate a period of transmission time for each station
    ■ 1 TDMA frame used for CSMA/CA frames that don't need QoS
The hardware: divided in two parts

[Figure: vendor part | PLC part]
Communications

Computer ↔ PLC
■ Communicate through Ethernet at the MAC layer
■ Clear text (no ciphering)

PLC ↔ PLC
■ Communicate through the powerline
■ Data is encrypted (using AES-CBC 128 bits on new PLCs)
Electrical properties: the power-line

AC voltage
■ AC voltage at 50 Hz → the signal does 50 cycles/s
■ Could be represented by the formula: $P_s = A\sqrt{2}\,\sin(2\pi f t)$

A is 220 V in Europe, or 100 V in US/Japan, f the number of cycles/sec (50 Hz in Europe for example).
Electrical properties: adding our signal

To transport our data on the electrical power we use superposition:

Superposition
■ Suppose the carrier is 60 kHz: $C_a = 2\sqrt{2}\,\sin(2\pi \cdot 60000\, t)$
■ Sum the power supply with the carrier:

$P_s + C_a = 220\sqrt{2}\,\sin(2\pi \cdot 50\, t) + 2\sqrt{2}\,\sin(2\pi \cdot 60000\, t)$

But we need error detection, code mapping and multi-carrier modulation!
Digital Signal Processing (DSP)

Steps in brief
1. data scrambling;
2. turbo encoding;
3. modulation of control and data frames;
4. form OFDM symbols by constellation;
5. windowing.

[Figure, source: G3-PLC]
Electrical network

In France, the distribution network is similar to the telephony network (RTC).
Public and private network: myths and reality

Myth
Electricity meters (counters) restrict PLC data spreading.

Reality
■ No choke coil → we can communicate:
    ■ from one apartment to another;
    ■ from the building lobby to someone's flat (3rd and 4th floor).

[Figure, source: PLC in Practice by Xavier Carcelle]

Old choke coils are mostly ineffective at blocking MF/HF frequencies.
Our devices:

Model      | Max speed | Chipset                | Extra features
XAV5401    | 500 Mb/s  | Qualcomm Atheros 7420  | Smart Plug
XWN5001    | 500 Mb/s  | Qualcomm Atheros 7420  | WiFi N300
TL-PA6030  | 600 Mb/s  | Qualcomm Atheros 7450  |
FreeplugV1 | 200 Mb/s  | INT6300                |
FreeplugV2 | 200 Mb/s  | INT6400                |
PLCs embedded in the power supply: example with Freeplugs
■ An Ethernet cable is joined with the power supply cable
■ Normally, a "default" user will connect everything, just to be sure that everything will work fine...

[Image: montage, www.busyspider.fr]
Summary

1 Introduction
2 Previous work on PLCs
    Publications
    Tools
3 Network analysis
4 The K.O.DAK attack
5 Inside the PLC
Publications
■ Power Line Communications in Practice by Xavier Carcelle → a must read!
■ HomePlug AV Security Mechanisms by Richard Newman, Larry Yonge, Sherman Gavette, and Ross Anderson, published in 2007
■ MISC #37 HomePlug Security by Xavier Carcelle
■ HomePlug Security by Axel Puppe and Jeroen Vanderauwera → gives an overview of key bruteforcing for old devices

These publications give an overview of HomePlug security mechanisms. But only one paper really focuses on possible and practical attacks...
Tools
■ plconfig → manage PLCs over the network
■ FAIFA by Xavier Carcelle (similar to plconfig)
■ Vendor software (that we used at first)
■ Wireshark has a dissector for HomePlugAV

But no scapy layer exists for HomePlugAV to mess with the HomePlugAV protocol.
Summary

1 Introduction
2 Previous work on PLCs
3 Network analysis
    The ethernet interface
    Basic attacks
4 The K.O.DAK attack
5 Inside the PLC
Vendor utility: example with Netgear

3 different ways to configure our PLC network:
■ default configuration (open network/default key);
■ pairing button (easy way);
■ or with a custom key (paranoid way → our case).

The software retrieves PLC information as follows:

    NETGEAR Powerline Utility 3.1.0.3
    ChoucrouteSu  XWN5001
      Modèle: XWN5001
      Adresse MAC:
      Statut du voyant: DESACTIVE
      Version du micrologiciel (firmware): NETGEAR XWN5001 v0.3.0.9CE (MAC-QCA7420-1.1.0.838-00-20120803-FINAL)
      Adresse IP: 172.16.49.41
      SSID: SuperChoucroute
      Type de sécurité sans fil : WPA-PSK/WPA2-PSK
Analysis with our scapy layer: Device Type message

To retrieve the device type, the software broadcasts a "Get Device Type Request":

[Figure: Ethernet header (dst, src, type) followed by the HomePlugAV header (version, HPtype, FragmentInfo, OUI)]

The software uses an Atheros broadcast address, but to be sure it works with all devices (INTELLON, Atheros, Qualcomm...), we can broadcast it to the ff:ff:ff:ff:ff:ff address.
Device Type message: the confirmation

If the type request exists, you get a confirmation message with a "Status" field (0x0 = Success) followed by data:

###[ HomePlugAV ]###
  version      = 1.0
  HPtype       = 'Get Device/sw ver[...]'
  FragmentInfo = 0x0
  OUI          = 0xb052
###[ GetDeviceVersion ]###
  Status       = 0x0
  DeviceID     = QCA7450/QCA7420
  DeviceVersion= 'MAC-QCA7420-1.1.0.838-00-20120803-FINAL'
  DeviceVersion.pad= '\xcc\xcc\xcc\xcc(...)'
  Upgradable   = False
###[ Raw ]###
  load         = '\x00\x00\x00\x00(...)'
Network information

To get information about the CCo (Central Coordinator) and the connected stations, the software sends a "Network Information Request", then we get a "Network Information Confirmation" packet:

###[ Ethernet ]###
  dst          = 00:0c:29:64:ea:21
  src          = 44:94:69:69:69:69
  type         = 0x88e1
###[ HomePlugAV ]###
  HPtype       = 'Network Informati[...]'
  FragmentInfo = (...)
  OUI          = 0xb052
###[ NetworkInfoConfirmation ]###
  reserved_n1  = '\x00\x00'
  LogicalNetworksNumber= (...)
  NetworksInfos= [<NetworkInfoV11 (...)>]
  StationsNumber= (...)
  reserved_s1  = (...)
  StationsInfos= [<StationInfoV11 (...)>]
###[ Raw ]###
  load         = '\x00'
A typical PLC network
■ The CCo manages contention-free stream time allocation and the period for CSMA access, and defines an AVLN node
■ We can talk with the other PLCs of the same AVLN

The software can change the NMK passphrase, sending it to the targeted PLC.
Change the passphrase: SetEncryptionKeyRequest

We change the local device's NMK passphrase:

###[ Ethernet ]###
  dst, src, type
###[ HomePlugAV ]###
  version      = 1.0
  HPtype       = 'Set Encryption Key Request'
  FragmentInfo = (...)
  OUI          = (...)
###[ SetEncryptionKeyRequest ]###
  EKS          = 0x1
  NMK          = (...)
  PayloadEncKeySelect= 0xf
  DestinationMAC= 44:54:00:00:00:00
  DAK          = (...)
###[ Raw ]###
  load         = '\x00\x00\x00\x00'

Remotely
To do it remotely, we need to specify a DAK (Direct Access Key) to change the NMK (Network Membership Key). This could be interesting...
NMK and DAK generation
■ The NMK and DAK keys are generated the same way
■ They use the Password-Based Key Derivation Function 1 (PBKDF1):
    ■ DAK or NMK = PBKDF1(P, S, HF, c, dkLen);
    ■ P → the passphrase;
    ■ S → the salt;
    ■ HF → the hash function;
    ■ c → the number of iterations;
    ■ dkLen → the derived key length.
■ The main parameters are known:
    ■ S = 0x08856DAF7CF58185 for DAK, S = 0x08856DAF7CF58186 for NMK;
    ■ HF is SHA-256;
    ■ c = 1000;
    ■ dkLen = 16 (bytes).
Attacks on NMK

Interception
1. Listen for broadcast packets, MITM the administrator or fake the MAC address
2. and sniff the "Set Encryption Key" packet

LAN attack
■ a local device can be configured without any DAK
■ But also: every device connected to the switch/router is considered a local device in the network (no DAK needed).

Bruteforce the NMK
1. Bruteforce the NMK from a dictionary;
2. Change the local device's NMK to the iterated one;
3. Send a discovery packet to see if we joined any network.

NMK bruteforce → good?
Bruteforcing the NMK could be long and difficult depending on the user's password policy.
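The frame format sketched in the Device Type slides (Ethernet type 0x88E1, then a HomePlugAV header with version, HPtype and the Qualcomm OUI 0xb052) and the LAN-attack observation just above (any host on the switch is "local" and can send a Set Encryption Key Request without a DAK) point to the defensive check a network owner wants: watch the LAN for management MMEs. The Python below is an added example, not code from the talk nor from the scapy layer it describes. It decodes the MME header from raw Ethernet frames, inventories adapters from their 'Get Device/sw version' confirmations, and flags key-change and module read/write requests that do not come from an allow-listed administration host. Assumptions: the header layout (MMV, little-endian MMTYPE, a 2-byte FMI only when MMV is 1, then the 3-byte OUI for the vendor-specific range) and the MMTYPE constants follow my reading of Qualcomm's open-plc-utils (mme.h) and should be checked against your copy; the confirmation body is decoded as status, device id and a length-prefixed version string; all MAC addresses and frames are constructed sample data and the request bodies are placeholders.

```python
import struct

ETHERTYPE_HOMEPLUGAV = 0x88E1
QCA_OUI = bytes.fromhex("00b052")      # Qualcomm Atheros OUI carried by vendor-specific MMEs

# Vendor-specific MMTYPE base values as listed in open-plc-utils mme.h (assumption: verify
# against your copy). The .REQ is the base value, the .CNF is base + 1.
VS_SW_VER = 0xA000
VS_WR_MOD = 0xA020
VS_RD_MOD = 0xA024
VS_MOD_NVM = 0xA028
VS_SET_KEY = 0xA050

# Requests that reconfigure a device or read its NVM; an ordinary client never sends them.
WATCHED_REQUESTS = {
    VS_WR_MOD: "Write Module Data Request",
    VS_RD_MOD: "Read Module Data Request",
    VS_MOD_NVM: "Write Module Data To NVM Request",
    VS_SET_KEY: "Set Encryption Key Request",
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mme(frame):
    """Split a raw Ethernet frame into its HomePlugAV MME header fields (None if not 0x88E1)."""
    if len(frame) < 17:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_HOMEPLUGAV:
        return None
    mmv = frame[14]
    mmtype = struct.unpack("<H", frame[15:17])[0]   # MMTYPE is little-endian on the wire
    pos, fmi, oui = 17, None, None
    if mmv == 0x01:                                 # AV 1.1 inserts a 2-byte fragmentation field
        fmi, pos = frame[17:19], 19
    if (mmtype >> 13) == 0b101:                     # 0xA000-0xBFFF: vendor specific, OUI follows
        oui, pos = frame[pos:pos + 3], pos + 3
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "mmv": mmv,
            "mmtype": mmtype, "fmi": fmi, "oui": oui, "body": frame[pos:]}


def parse_sw_ver_confirm(body):
    """Decode a VS_SW_VER.CNF entry: status, device id, then a length-prefixed version string."""
    status, device_id, verlen = body[0], body[1], body[2]
    version = body[3:3 + verlen].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"status": status, "device_id": device_id, "version": version}


def build_frame(dst, src, mmtype, body, mmv=0x00, oui=QCA_OUI):
    """Assemble a vendor-specific MME frame (used here only to construct the sample capture)."""
    return (dst + src + struct.pack("!H", ETHERTYPE_HOMEPLUGAV)
            + bytes([mmv]) + struct.pack("<H", mmtype) + oui + body)


def analyse(frames, admin_hosts):
    """Return (inventory, alerts): adapters seen by firmware string, and suspicious requests."""
    inventory, alerts = {}, []
    for frame in frames:
        mme = parse_mme(frame)
        if mme is None or mme["oui"] != QCA_OUI:
            continue
        if mme["mmtype"] == VS_SW_VER + 1:          # an adapter identifying itself
            info = parse_sw_ver_confirm(mme["body"])
            if info["status"] == 0:
                inventory[mme["src"]] = info["version"]
        elif mme["mmtype"] in WATCHED_REQUESTS and mme["src"] not in admin_hosts:
            alerts.append((mme["src"], mme["dst"], WATCHED_REQUESTS[mme["mmtype"]]))
    return inventory, alerts


# Constructed sample capture: locally administered MACs, request bodies are placeholders.
ADAPTER = bytes.fromhex("020000000001")
ADMIN = bytes.fromhex("0200000000aa")
ROGUE = bytes.fromhex("0200000000bb")
BROADCAST = b"\xff" * 6
VERSION = b"MAC-QCA7420-1.1.0.838-00-20120803-FINAL"   # firmware string shown in the talk

SAMPLE_FRAMES = [
    build_frame(BROADCAST, ADMIN, VS_SW_VER, b"\x00"),
    build_frame(ADMIN, ADAPTER, VS_SW_VER + 1,
                bytes([0x00, 0x20, len(VERSION)]) + VERSION.ljust(64, b"\x00")),
    build_frame(ADAPTER, ADMIN, VS_SET_KEY, b"\x01" + bytes(16)),    # admin changes the NMK
    build_frame(ADAPTER, ROGUE, VS_SET_KEY, b"\x01" + bytes(16)),    # same request, unexpected host
    build_frame(ADAPTER, ROGUE, VS_RD_MOD, b"\x02\x00" + bytes(6)),  # PIB read, unexpected host
]


def demo():
    return analyse(SAMPLE_FRAMES, admin_hosts={mac_str(ADMIN)})


if __name__ == "__main__":
    inventory, alerts = demo()
    print("adapters:", inventory)
    for src, dst, what in alerts:
        print(f"ALERT {src} -> {dst}: {what}")
```

On a real network the frames would come from a pcap or a raw socket bound to 0x88E1; the allow-list is the point, since the protocol itself gives no way to tell the administrator's host from any other machine on the same switch.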
Summary

1 Introduction
2 Previous work on PLCs
3 Network analysis
4 The K.O.DAK attack
    DAK passphrase pattern
    "smart" bruteforce
5 Inside the PLC
Market research

First we need an overview of possible DAK passphrase generation.

In the markets
On ebay, leboncoin.fr...
■ people take pictures of every possible position of the device
■ this information could be helpful to study the pattern

Found pattern
The DAK passphrase pattern can be represented with this simple regex:

    [A-Z]{4}-[A-Z]{4}-[A-Z]{4}-[A-Z]{4}

Pattern bruteforce
Bruteforcing this pattern is painful! Is there any other way?
TP-Link utility seems to recover D A K passphrases
A little packet analysis...: ReadModuleDataConfirmation

Analysing the packet, the only things we see are the hash of the DAK at offset 0x12 (hidden here), and the NMK at offset 0x64 with value 0x50d3e4933f855b7040784df815aa8db7 (= the default passphrase "HomePlugAV"):

>>> hexdump(pkt.ModuleData)
[...]
0020  14 D1 00 00 41 74 68 65 72 6F 73 20 48 6F 6D 65  ....Atheros Home
0030  50 6C 75 67 20 41 56 20 44 65 76 69 63 65 00 00  Plug AV Device..
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060  00 00 00 00 50 D3 E4 93 3F 85 5B 70 40 78 4D F8  ....P...?.[p@xM.
0070  15 AA 8D B7 74 70 76 65 72 5F 36 30 33 30 31 31  ....tpver_603011
0080  5F 31 33 31 32 31 37 5F 30 30 32 00 00 00 00 00  _131217_002.....

The question: how can this software possibly recover this passphrase in a second? Is it derived from somewhere?
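The derivation in the "NMK and DAK generation" slide is fully specified (PBKDF1, SHA-256, the two salts, 1000 iterations, 16-byte output), and the ReadModuleDataConfirmation dump above shows where the resulting NMK sits in the PIB (offset 0x64). As an added example, not the talk's code, the Python below implements that derivation with hashlib and uses it for the audit a defender wants: read the NMK out of a PIB dump and tell whether it is still the one derived from the default passphrase "HomePlugAV". The PIB fragment is constructed here to mirror the slide's hexdump (strings at 0x24 and 0x74, NMK at 0x64) and is not a real PIB image; every passphrase other than "HomePlugAV" is made up.

```python
import hashlib

# Parameters stated in the "NMK and DAK generation" slide.
DAK_SALT = bytes.fromhex("08856DAF7CF58185")
NMK_SALT = bytes.fromhex("08856DAF7CF58186")
ITERATIONS = 1000
KEY_LEN = 16


def pbkdf1_sha256(passphrase, salt, iterations=ITERATIONS, dklen=KEY_LEN):
    """PBKDF1 (RFC 2898 5.1): T1 = H(P || S), Ti = H(Ti-1); the key is the first dkLen bytes of Tc."""
    digest = hashlib.sha256(passphrase.encode("ascii") + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest[:dklen]


def nmk_from_passphrase(passphrase):
    return pbkdf1_sha256(passphrase, NMK_SALT)


def dak_from_passphrase(passphrase):
    return pbkdf1_sha256(passphrase, DAK_SALT)


DEFAULT_NMK = nmk_from_passphrase("HomePlugAV")   # 50d3e4933f855b7040784df815aa8db7, as in the dump

NMK_OFFSET = 0x64   # where the NMK sat in the ReadModuleDataConfirmation dump of the talk


def make_pib_fragment(nmk):
    """Constructed PIB fragment modelled on the slide's hexdump (not a real PIB image)."""
    frag = bytearray(0xA0)
    frag[0x24:0x24 + 27] = b"Atheros Home Plug AV Device"
    frag[NMK_OFFSET:NMK_OFFSET + KEY_LEN] = nmk
    frag[0x74:0x74 + 23] = b"tpver_603011_131217_002"
    return bytes(frag)


def audit_nmk(pib, known_passphrases=("HomePlugAV",)):
    """Report whether the NMK stored in a PIB dump derives from a known/default passphrase."""
    stored = pib[NMK_OFFSET:NMK_OFFSET + KEY_LEN]
    for passphrase in known_passphrases:
        if nmk_from_passphrase(passphrase) == stored:
            return {"nmk": stored.hex(), "default": True, "passphrase": passphrase}
    return {"nmk": stored.hex(), "default": False, "passphrase": None}


if __name__ == "__main__":
    for pib in (make_pib_fragment(DEFAULT_NMK),
                make_pib_fragment(nmk_from_passphrase("example-custom-passphrase"))):
        print(audit_nmk(pib))
```

The same routine with DAK_SALT gives the DAK that a remote Set Encryption Key Request must carry, which is why the strength of the DAK passphrase, not the derivation, decides whether a device can be reconfigured from the powerline side.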
Analysing vendor DLLs

Looking at the vendor software we found a very interesting string, "%02x%02x%02x%02x%02x%02x" (in the .rdata section), in the "PLCOperApi.dll" file. It is used by a routine called MACProcess, which reads six consecutive bytes and formats them with that string, i.e. it renders a MAC address as hex:

MACProcess:
    movzx   ecx, byte ptr [eax+5]
    movzx   edx, byte ptr [eax+4]
    push    ecx
    movzx   ecx, byte ptr [eax+3]
    push    edx
    movzx   edx, byte ptr [eax+2]
    push    ecx
    movzx   ecx, byte ptr [eax+1]
    push    edx
    movzx   edx, byte ptr [eax]
    push    ecx
    push    edx
    lea     eax, [esp+38h+var_14]
    push    offset a02x02x02x02x02   ; "%02x%02x%02x%02x%02x%02x"
    call    [...]
    add     [...]
    mov     [...]
    lea     [...]
[...]

we win!
How powerful is K.O.DAK?

Here is a summary table of the difficulty of each bruteforcing technique:

Bruteforce technique        | Possibilities
DAK passphrase              | 26^16
K.O.DAK classic             | 256^6
K.O.DAK with vendor bytes   | 256^3

Devices with a Qualcomm chip are affected
We have also found a PLC toolkit on GitHub (https://github.com/qca/open-plc-utils), and we can be sure that most of the devices could be attacked this way as long as vendors use the Qualcomm Atheros DAK passphrase generator.
Our results

Here is a summary table of possible attacks on different PLCs:

PLC providers           | Ethernet | NMK bruteforce | K.O.DAK attack
Qualcomm Atheros PLC    | YES      | YES            | YES
INTELLON                | YES      | YES            | MAYBE
ISP PLC                 | YES      | YES            | NOT ALL devices

Freeplugs not affected
Freeplugs don't use the Qualcomm DAK generator. This is reassuring because Free.fr serves more than 5 702 000 users in France (source: francois04.free.fr), and has provided PLCs with its router and STBs for years.
Summary

1 Introduction
2 Previous work on PLCs
3 Network analysis
4 The K.O.DAK attack
5 Inside the PLC
    Hardware stuff
    Arbitrary read/write accesses
    Demos
    Conclusion & work in progress
    Thank you!
The hardware: remember?

[Figure: vendor part | PLC part]
The strange ports?
■ The two previous ports: MII (Media Independent Interface), or GPSI (General Purpose Serial Interface)
■ They connect the PLC MAC/PHY transceiver to IEEE 802.3 Ethernet MAC controllers

UART/serial ports could be present on old models, to respond to AT commands (see https://github.com/qca/open-plc-utils/tree/master/serial).
JTAG/serial/UART/... accesses → forget about it! With the vendor part, we have read/write access to the PIB and IMG parts on the NVM!

3 parameters for the "Read Module Data Request"
1. part of the memory: "MAC Soft-Loader Image" (0x0), "MAC Software Image" (0x01), "PIB" (0x02);
2. offset;
3. and the length.

###[ HomePlugAV ]###
  version   = 1.0
  HPtype    = 'Read Module Data Request'
  OUI       = 0xb052
###[ ReadModuleData ]###
  ModuleID  = PIB
  reserved  = 0x0
  Length    = 1024
  Offset    = 5120
Writing into the memory: example

###[ HomePlugAV ]###
  version   = 1.0
  HPtype    = 'Write Module Data Request'
  OUI       = 0xb052
###[ WriteModuleData ]###
  ModuleID  = PIB
  reserved  = 0x0
  DataLen   = 1024
  Offset    = 0
  checksum  = 975459083
  ModuleData= '\x05\x07\x00\x008@\x00\x00\xb1\x15)#[...]'

Tip
For the PIB region, you need to overwrite its PIB checksum32 (at offset 0x8) and send a "WriteModuleDataToNVM Request" to apply the configuration.
Other cool functionalities!

The Sniff command gives details about frame control and beacons.

[Wireshark capture, frames 140-147, all "HomePlug / MAC Management": a Sniffer Request broadcast by the Wistron host (21 bytes), a Sniffer Confirmation from a TP-Link adapter (60 bytes), then a series of Sniffer Indicate frames (186 bytes each) sent by the TP-Link adapters to the host]

Work in progress
Other commands could be interesting to discover, like VS_WRITE_AND_EXECUTE_APPLET or VS_MICROCONTROLLER_DIAG. We will dig a little more to know if we can execute any other applet or try to communicate with the microcontroller.
Gathering CCo MAC addresses

Enabling the Sniff command we can recover the MAC addresses of CCos close to us (independently discovered by Ben Tasker: https://www.bentasker.co.uk/documentation/security/282-infiltrating-a-network-via-powerline-homeplugav-adapters):

###[ SnifferIndicate ]###
  SnifferType   = Regular
  Direction     = Tx
  SystemTime    = 399103809
  BeaconTime    = 43033
  ShortNetworkID= 0x80
  [...]
###[ Raw ]###
  load          = '|J\x01\xfd40[...]'
[...]
>>> hexdump(pkt.load)
0000  XX XX XX XX XX XX XX XX XX XX XX XX XX XX E8 94  XXXXXXXXXXXXXX..
0010  F6 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX  .XXXXXXXXXXXXXXX
[...]

One CCo MAC address is present at offset 0xe (beginning with the bytes E8 94 F6).
Demos
■ Discovery in and out of an AVLN node
■ Monitoring and targeting CCos
■ Remote CCo configuration to infiltrate a LAN
■ Reading the target's memory
Achievements
■ We have made a scapy layer that helps us mess with the HomePlugAV protocol (to be completed) and parse the PIB
■ This layer can be used to fuzz the client side (vendor's utility)
■ HomePlugAV devices sold on the market are vulnerable to the K.O.DAK attack, but not the most widely used Freeplugs (for the moment)
■ If we know the DAK passphrase, or we have any access to the device through its Ethernet interface → arbitrary read/write access

Work in progress
■ Firmware disassembling → add other cool functions ⇒ we could mess with the authentication messages
■ Learn more about the "applets" that the PLC executes
Thank you! ;) Any questions?