Security researchers release exploits that target the programmable logic controllers at the heart of critical infrastructure.
Stuxnet is credited with being the first worm to successfully target large industrial systems, in this case, the centrifuges in Iran's uranium enrichment plants in 2010. While security researchers had been warning for years that threats to critical infrastructure, such as power grids, should be a huge concern, it wasn't until Stuxnet arrived on the scene that the message reached a wider audience.
Wired.com reports today that security researchers have released two different modules to Metasploit that have the potential to attack programmable logic controllers (PLCs), which are the components that control functions for some critical infrastructure such as refineries, large factories, water and waste water management plants, and other production facilities. These exploits both target Modicon Quantum PLC made by Schneider-Electric.
The exploits take advantage of the fact that the Modicon Quantum PLC doesn't require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC - essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a "stop" command to halt the system from operating.
Metasploit's own blog update for the week announces the addition of these two modules plus four others:
We've also reviewed and revised four of DigitalBond's previously released Basecamp Metasploit modules for this release:
- d20_tftp_overflow : Triggers a Denial of Service condition due to a buffer overflow vulnerability in GE's D20ME PLC TFTP server.
- koyo_login : Bruteforces the authentication passcode on a Koyo DirectLogic PLC
- modicon_password_recovery : Given default FTP credentials, extracts the "write" password to the HTTP interface of the Schneider Modicon Quantum as well as the VxWorks hashes of all supervisory users.
- multi_cip_command : Issues up to four unauthenticated stop and reset commands to a variety of PLCs which implement the Ethernet/IP Common Industrial Protocol.
From the perspective of security researchers, the point of releasing these modules is to continue to hammer home the potential for catastrophic effects on industrial systems if PLC makers do not improve their security measures and to make owners and operators of vulnerable components aware of the risks. Of course, malicious hackers can also use sites like Metasploit to learn more about where vulnerabilities exist as they design attacks of their own to exploit them.