Aperture Podcast: Sharon Brizinov on Hacking PLCs
By Michael Mimoso | April, 20, 2022
Remotely executing code on a programmable logic controller (PLC) is a holy grail type of attack for threat actors and researchers alike. PLCs control automation processes within critical industries, and successfully targeting and attacking them can disrupt service delivery and impact public safety.
In this episode of the Aperture podcast, Claroty Team82 vulnerability research lead Sharon Brizinov covers a presentation he’s giving this week at the S4 conference in Miami that explains a unique attack against Siemens SIMATIC 1200 and 1500 PLCs that enabled native code execution on the device.
Subscribe, rate, and review the Aperture podcast on all major platforms, including Apple Podcasts and Spotify.
The attack involved an exploit that could allow a threat actor to bypass a memory protection feature on Siemens PLCs to gain read and write access. The Team82 exploit bypasses existing protections within the execution environment of the PLC, including a sandbox where engineering code would normally run. The exploit allows the attacker to escape the sandbox in order to gain direct access to memory, then write and inject shellcode on the Siemens PLCs.
“Usually when people refer to executing code on PLCs, they refer to PLC logic or process logic that controls the entire manufacturing process. We were able to actually inject native shellcode, which means we’re able to actually execute native code on the device,” Brizinov said.
“We hacked our way into the internals of the device, the kernel, and were able to manipulate anything we wanted on the PLC,” he added. “We were able to escape the sandbox and not be limited to any functionality the vendor restricted.”
By executing native bytecode, Team82 had full control over the device and because they were so low on the stack—at the kernel level—detection was close to impossible without special forensic tools, Brizinov explained.
Also in this podcast, Brizinov explains his participation in the Pwn2Own contest. S4 hosts the only ICS-focused version of Pwn2Own, and this year there are four categories of targets in scope: control servers, OPC UA servers, data gateways, and HMIs.
“The goal in most cases is to achieve remote code execution, not only to find a vulnerability but achieve exploitation,” Brizinov said. “Usually we are able to find at least one vulnerability, but the real challenge is to exploit those vulnerabilities. Usually the difficulty around this is to bypass the different security mitigations that both the software, hardware, or operating system present.”
A gamified hacking competition may seem glitzy, especially with cash prizes being handed out to the winners, but it also serves to shine a light on not only the research being done to secure ICS products, but also demonstrates that vendors are maturing their vulnerability disclosure and remediation efforts.
“You can take this entire concept and make it a game and make a competition out of it, so people will have a monetary incentive, and a hacker-respect type of incentive to say out loud ‘I was able to demonstrate a full blown exploit on stage,’” Brizinov said. “The end [goal] is the same: A (zero day) vulnerability disclosed in a responsible manner and the security level of the product will rise. The end goal is the same to make sure the product is more secure for asset owners and customers.”