Flow computers measure and calculate volume and flow rates for oil and gas. These embedded computers are critical to process reliability and safety: their measurements must not only fall within certain thresholds, but may also be used as inputs by other processes, and therefore must be accurate for those processes to be reliable.
Needless to say, these could be a prime target for a determined, experienced attacker, and operators must understand any vulnerabilities within flow computers and address them.
In this episode of the Aperture podcast, Team82 researcher Vera Mens discusses her extensive research into hacking flow computers. Today she delivered a presentation at BSides Tel Aviv on the subject, and shared some details about authentication bypass and path traversal vulnerabilities she discovered in one vendor’s flow computer.
“What we have discovered is that it was pretty easy to be able to control the write/read of files on the device,” Mens said. “Writing files anywhere on the device can be pretty dangerous. For example, I can just substitute some scripts or code that ransoms the boot and that’s it.”
Whether flow computers are reachable online is a key factor in determining their exploitability. Flow computers, for example, should not be connected to the internet, but some are, for remote maintenance and management. An attacker who already has a foothold on the OT network, however, can also exploit a vulnerable device.
“Device availability within the network is important from an attacker’s point of view,” Mens said.
Throughout the podcast, Mens explains her lab setup for this research, some of the security features native to the device that were easily beatable, and some details on the two vulnerabilities, both of which were addressed by the vendor in an update.
She also takes some time to describe her experience and participation in Team82’s Pwn2Own Miami entries. Team82 disclosed a number of zero-day vulnerabilities during the contest, including in the OPC UA protocol found throughout industrial environments. Mens wrote about this experience as well for README_security.