New PLC Exploits Coming to a Metasploit /scada Folder Near You
Dale and Reed at Digital Bond have taken some of their Project Basecamp research and weaponized it as several Metasploit exploit modules for point-click-shoot PLC mayhem. This includes the “modiconstux” module, which implements a Stuxnet-type attack (replacing the running ladder logic) on a Schneider Modicon Quantum PLC.
The other basecamp exploit modules released yesterday are:
1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command with no authentication or other security control; a single packet is enough to stop the CPU.
2. Ged20tftpbo – A buffer overflow in the TFTP service on the GE D20 PLC. Note that other GE D20 Metasploit modules had been released earlier in Project Basecamp, including modules that allow remote control of the device and recover all user credentials.
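The practical lesson for asset owners in the Modiconstop item is that the stop command is a single, unauthenticated packet, so any detection rule keyed on traffic volume will never fire on it. The only reliable control on the network side is an allowlist: a PLC should hear Modbus/TCP only from known engineering workstations and HMIs. The snippet below is an added example, not code from the original post or from Digital Bond, that applies such an allowlist to constructed connection-log lines. The port (502, the standard Modbus/TCP port), the host addresses, the log line format and the allowlist are all assumptions made for the illustration.

```python
# Added example (not from the original post or from Digital Bond's modules):
# flag Modbus/TCP flows that reach a PLC from a host outside the allowlist.
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumption: the PLC Ethernet modules listen on the standard Modbus/TCP port.
MODBUS_TCP_PORT = 502


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int


def parse_flow_lines(lines: Iterable[str]) -> List[Flow]:
    """Parse whitespace-separated 'src dst dport packets' records.

    The format is an assumption for this example; adapt it to whatever your
    firewall, NetFlow collector or span-port sensor actually emits.
    Blank lines and lines starting with '#' are skipped.
    """
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, packets = line.split()
        flows.append(Flow(src, dst, int(dport), int(packets)))
    return flows


def flag_unexpected_modbus(
    flows: Iterable[Flow],
    allowed_sources: Set[str],
    plc_hosts: Set[str],
    port: int = MODBUS_TCP_PORT,
) -> List[Flow]:
    """Return every flow that hits a PLC on the Modbus port from a non-allowlisted host.

    No packet-count threshold is applied on purpose: the stop command described
    above is one packet, so a volume-based rule would miss it. A flow with a
    single packet from an unknown host is exactly the case we want to surface.
    """
    return [
        f
        for f in flows
        if f.dst in plc_hosts and f.dport == port and f.src not in allowed_sources
    ]


# Constructed sample records; these are NOT real captures.
SAMPLE_LOG = """
# src          dst          dport packets
10.10.1.5      10.10.2.20   502   40
10.10.1.5      10.10.2.21   502   38
10.10.3.77     10.10.2.20   502   1
10.10.1.9      10.10.2.20   443   12
"""

# Assumed allowlist of engineering workstations and the PLC addresses they manage.
ENGINEERING_HOSTS = {"10.10.1.5", "10.10.1.6"}
PLC_HOSTS = {"10.10.2.20", "10.10.2.21"}


def run_example() -> List[Flow]:
    """Parse the constructed log and return the flagged flows."""
    flows = parse_flow_lines(SAMPLE_LOG.splitlines())
    return flag_unexpected_modbus(flows, ENGINEERING_HOSTS, PLC_HOSTS)


if __name__ == "__main__":
    for f in run_example():
        print(f"ALERT: {f.src} -> {f.dst}:{f.dport} ({f.packets} packet(s)) not on allowlist")
```

On the constructed input only the one-packet flow from 10.10.3.77 is flagged; the polling from the engineering workstation and the unrelated HTTPS flow pass. The same allowlist is, of course, better enforced than merely detected: a firewall or PLC access control list that drops everything else on the Modbus port closes the exposure rather than just reporting it.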
More information can be found at the Dark Reading site.
While it is nice to have the ability to demonstrate how easy it is to subvert PLCs, RTUs, and embedded control system devices, I struggle with how asset owners will be able to react to this quickly enough to close the risk associated with releasing this capability into the public domain. It is one thing to show this in a training class or at a security conference for effect or to raise awareness, but it is another thing to release the capability to anyone with an Internet connection and the latest BackTrack release.
One thing that we can all agree on is that keeping one’s head in the sand is no longer an option for those tasked with securing SCADA and industrial control systems. The spotlight has shifted from enterprise IT systems to SCADA systems, and new SCADA vulnerabilities are cropping up like weeds in a summer garden. It is going to get worse before it gets better.