In October, Nozomi Networks Labs took part in the No Hat security conference in Bergamo, Italy, marking our second consecutive year of participation. In its fifth iteration in 2023, No Hat is renowned as one of the largest events in the Italian security landscape and one of Europe's most rapidly expanding security conferences. At the conference, our Labs team delighted in showcasing the security research project “Codename I11USION,” details of which will be covered later in this blog.
At our booth, attendees could experience a live demo exploitation of a robotic port crane. This was done by using a Siemens SIMATIC S7-1500 PLC supervised by a browser-based HMI by Phoenix Contact, one of the targets of our research project and whose vulnerabilities were described in the 3-part series published in our blog (part 1, part 2, and part 3).
In the demo, we showed how, by exploiting a chain of vulnerabilities in the HMI, an unauthenticated attacker could drop the container in the sea while manipulating the view on the HMI to deceive operators into thinking that everything was running as normal. We also demonstrated the detection capabilities of Nozomi Networks’ Guardian and Vantage in detecting the exploitation of these issues as well as other kinds of attacks.
Codename I11USION: Eleven Practical Ways to Pwn Browser-Based HMIs in 2023
On stage, our security researcher Andrea Palanca presented one of the latest efforts from Nozomi Networks Labs, “Codename I11USION: Eleven Practical Ways to Pwn Browser-Based HMIs in 2023,” the result of a security analysis done on five different browser-based HMIs from five popular vendors in the OT sector. Both the presentation deck and recording of this presentation are publicly available from No Hat.
Industrial control systems have relied on human-machine interfaces for decades. As web technologies advance and web-based interfaces gain popularity in operational technology, browser-based HMIs have become a viable option for overseeing and managing industrial devices, thanks to their flexibility, scalability, and possibility to reuse the same components and skills applied to IT projects. However, the mere inclusion of a browser also comes with a unique set of risks to the OT device embedding it, that, if not properly addressed, may lead to dangerous security issues.
As we engaged with browser-based HMIs across multiple projects, we quickly identified a set of common flaws (listed in Figure 3) shared among devices from various vendors.
Each of these shortcomings was illustrated through a real-world vulnerability discovered by our team, presented as a case study. We systematically outlined the resulting impacts, supported by evidence, describing the root cause and potential exploitation. Remarkably, leveraging these issues enabled us to attain remote code execution (RCE) with root privileges on all five devices, leading to their full compromise.
Ultimately, we wrapped up our presentation by summarizing the key insights from our journey, giving advice to end users, vendors, and the community in general.
For more information on these vulnerabilities, please refer to our blogs on these vulnerabilities: Siemens, SEL, Phoenix Contact, Bosch Rexroth. The fifth one covering the AiLux issues will be released soon.
As the curtains draw on 2023’s edition of No Hat, our deepest thanks go to Berghem-in-the-Middle and the entire organizing team for their tireless efforts in bringing together a seamless blend of industry representatives, cybersecurity professionals, and enthusiasts. Their dedication and meticulous planning have elevated No Hat to new heights, making it a central event in the infosec scene.