CCI Blog

Friday, 17 January 2014

Review of Master Serial Killer. Project Robus S4x14

One of the most anticipated keynotes at the S4x14 conference was "Master Serial Killer" by Adam Crain and Chris Sistrunk from Project Robus.

Project Robus has as its main objective the disclosure of vulnerabilities in implementations of industrial communication protocols. The project started last April and has focused on researching the DNP3 protocol, producing 15 advisories and 28 tickets against implementations from several vendors.

DNP3 is a set of communication protocols for process automation. It is mainly used in system components in the electric and water industries. The DNP3 specification is much more complex than those of similar protocols because of the huge number of features it contains. DNP3 is extremely popular: hundreds of thousands (even millions) of devices worldwide use it to communicate in every kind of control process, including many critical infrastructures.

The research in Project Robus employs fuzzing techniques: specially crafted data is fed to the devices and their responses are analysed for unexpected behaviour. The researchers generate hundreds of thousands of test cases and systematically analyse the responses of the evaluated systems.

Every system evaluated so far, except two, has had vulnerabilities. This means hundreds of thousands of vulnerable systems, many of them connected to the Internet.

These results suggest that implementations of the protocol only guarantee functionality, without any security testing. This could be justified as a way of saving development resources, provided that the DNP3 systems were isolated. But we know that this is not the case.

When the researchers discover a vulnerability, they report it to the vendor so that it can be fixed. Vendors' attitudes vary, ranging from a prompt response and patch release to no response at all.

DNP3 implementations have been the subject of the experiment, but implementations of other protocols would probably have similar vulnerabilities. This kind of research does not need many resources; anyone with technical knowledge can do it. Similar research could have been done by a malicious actor, who could disrupt the proper operation of the affected devices. Given the number and kind of systems using these protocols, the impact and spread of such an attack would be the biggest ever seen.

The responsibility for mitigating these problems is shared between vendors and end users. The former must release patches and corrected versions of their products. End users must update their systems (probably not easy); correctly configure their devices, disabling unused and potentially dangerous functions; and provide a healthy physical and logical environment by deploying physical security measures, raising awareness among their employees, and setting up traffic control measures that are able to understand DNP3 communications.
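A link-layer frame validator of the kind a DNP3-aware traffic monitor (or a hardened implementation facing the fuzzed inputs described above) needs, given here as an added example; it is not code from the original post or from Project Robus. The frame layout and the CRC-16/DNP polynomial (0x3D65, reflected, result inverted) follow the public DNP3 link-layer specification; the frames used to exercise it are constructed with build_frame, not captured traffic.

```python
import struct

DNP3_START = b"\x05\x64"       # every link-layer frame begins with these two octets
CRC_POLY_REFLECTED = 0xA6BC    # bit-reversed form of the DNP3 polynomial 0x3D65

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected, initial value 0, result inverted; transmitted low byte first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(control: int, dest: int, src: int, payload: bytes = b"") -> bytes:
    """Encode a frame (constructed test input): 8-byte header + CRC, then 16-byte user-data blocks, each + CRC."""
    # LENGTH counts control + dest + src (5 octets) plus user data; start bytes and CRCs are excluded
    header = DNP3_START + struct.pack("<BBHH", 5 + len(payload), control, dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(payload), 16):
        block = payload[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame

def parse_frame(raw: bytes) -> dict:
    """Decode one frame; every field is checked before it is trusted, so malformed input is rejected."""
    if len(raw) < 10 or raw[:2] != DNP3_START:
        raise ValueError("bad start bytes or truncated header")
    length, control, dest, src = struct.unpack("<BBHH", raw[2:8])
    if struct.unpack("<H", raw[8:10])[0] != dnp3_crc(raw[:8]):
        raise ValueError("header CRC mismatch")   # LENGTH cannot be trusted until the header CRC is verified
    if length < 5: raise ValueError("length field below minimum")
    user_len = length - 5
    nblocks = (user_len + 15) // 16
    if len(raw) < 10 + user_len + 2 * nblocks:
        raise ValueError("frame truncated")       # LENGTH promises more bytes than were received
    payload, pos = b"", 10
    for i in range(nblocks):
        blk_len = min(16, user_len - 16 * i)
        block = raw[pos:pos + blk_len]
        if struct.unpack("<H", raw[pos + blk_len:pos + blk_len + 2])[0] != dnp3_crc(block):
            raise ValueError(f"data block {i} CRC mismatch")
        payload += block
        pos += blk_len + 2
    return {"control": control, "dest": dest, "src": src, "payload": payload}

def validate(raw: bytes):  # None when the frame is clean, otherwise the rejection reason (for batch triage)
    try:
        parse_frame(raw)
    except ValueError as exc:
        return str(exc)
```

Feeding a corpus of frames through validate and counting the rejection reasons is the simplest oracle for telling a well-formed stream from one carrying malformed link-layer frames.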

It is highly significant that only now are we starting to discover vulnerabilities in protocols that we have been using for decades. This means that the community is worried about these security issues and that there is an intention to solve them. Robus is a necessary step forward, but it is not enough. We need more initiatives like this that involve every stakeholder (end users, researchers, vendors, CERTs, etc.).

S4 keynote slides.
