Industrial control systems (ICS) security has become a serious concern over the past few years. Threats to ICS have become a reality, and real-world attacks have been observed. Many systems driving critical functions cannot be stopped to receive security upgrades, so protecting these very sensitive assets is a tough challenge.
As the ICS security market grows fast, dedicated firewalls have appeared to address this problem by inspecting and filtering industrial control protocols. But what are those solutions worth? Are they really different from standard network firewalls? What exactly is their attack surface, and what kind of bugs may we find there?
We propose to answer those questions using the Tofino Xenon as a case study. We will present the methodology we used to reverse engineer an appliance that uses a custom, encrypted administration protocol and ships fully encrypted firmware, from reverse engineering the rich administration client to obtaining a root shell on the appliance. We will then cover the firewall internals, the attack surface it exposes and the security features it provides to vulnerable ICS equipment. Finally, we will present the vulnerabilities we found (CVE-2017-11400, CVE-2017-11401 and CVE-2017-11402), their impact and the attack scenarios that exploit them.
Julien Lenoir is a member of the Airbus internal security evaluation team. He has ten years' experience in cybersecurity doing reverse engineering, vulnerability research and vulnerability exploitation. Julien has been working for four years at Airbus, performing in-depth security evaluations of third-party products as well as internal products. He assesses the security of embedded equipment, mostly aircraft systems. He was a speaker at HITB 2015 and at Ekoparty in 2016.
Benoît Camredon is a security engineer at Airbus, specialized in avionics audits. He has ten years' experience in avionics cybersecurity. After several years spent in development and system administration, he began writing high-level security rules for aircraft embedded systems in 2008. Since 2011, he has specialized in low-level security audits and penetration testing. In 2015, he developed a USB framework, presented at a French security conference, used to emulate USB peripherals and assess the robustness of USB stacks and drivers.