8 October 2009
Live demonstration teams on hacking, defending
By Ellen Fussell Policastro
“With the proliferation of wireless technologies in the industrial controls space, many people are quick to deploy wireless systems without thinking about the potential security threats and vulnerabilities to this type of installation,” said Jonathan Pollet, founder and principal consultant at Red Tiger Security, USA.
That is why he and his Red Tiger principal compatriot, Joe Cummins, hosted what they called the very first live wireless hacking and defending demonstration at any conference on Wednesday at ISA EXPO.
The Red Team (bad guys) represented the attacking group and focused on cracking the security in the wireless systems, jamming them, or causing a disruption in the wireless communications. The Blue Team (good guys) represented the wireless system owners and operators who were trying to ensure the wireless system was resilient, strong, and passing industrial control systems data.
The Red Team consisted of a group of wireless hackers from various SCADA and IT security backgrounds who attempted to break into the wireless networks. The Blue Team represented asset owners and managers of wireless systems who tried to maintain the wireless system as it was under attack from the Red Team.
‘Man in the middle’
You can look up a tool called Jasager, which can be configured to act as a wireless man in the middle. “It will read your connection, and say, ‘Yes I am that access point—Starbucks or my home network—connect to me,’ ” Pollet said. “Then your laptop will connect to it, and it becomes the man in the middle.
“If I were to turn on my wireless card, it will search for networks it thinks it has connected to before. It found the Blue Team and other access points. If I were to connect to it, what will happen is the man in the middle should see my connection request and capture it.”
With the man in the middle, people who think they are connecting to the Blue Team are not. They are connecting to a man in the middle who sees all the connections trying to connect to the Blue Team. “It works very effectively with no encryption,” Pollet said. “You may think you’re on the Internet, and you are through the back side of that hacker card. If you see yourself connected to a network you know is not physically there, you’ll know there’s a man in the middle.”
As the Red Team man in the middle was de-authenticating clients, Pollet and the rest of the audience could see the names dropping off the Blue Team network on the screen. Later, Pollet made it more difficult by adding encryption using Wired Equivalent Privacy (WEP). One audience member said, “It says it’s secure. I can’t get in. I need the password.”
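The two warning signs Pollet points to, an access point answering for networks that are not physically there and clients being de-authenticated in bulk, can be turned into a monitoring check. The Python below is an added example, not code from the article or from Red Tiger Security; the frame log, the addresses, the SSIDs and the thresholds are all constructed assumptions standing in for a wireless IDS feed.

```python
from collections import defaultdict
# Access points the Blue Team actually operates (constructed example values).
AUTHORIZED = {"00:11:22:33:44:55": "BlueTeam-Plant"}
# Constructed monitor-mode log: (time_s, frame_type, bssid, ssid). A real feed
# would come from a wireless IDS sensor; the rogue BSSID below is made up.
FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", "BlueTeam-Plant"),
    (0.5, "probe_resp", "66:77:88:99:AA:BB", "BlueTeam-Plant"),
    (0.6, "probe_resp", "66:77:88:99:AA:BB", "Starbucks"),
    (0.7, "probe_resp", "66:77:88:99:AA:BB", "HomeNet"),
    (0.8, "probe_resp", "66:77:88:99:AA:BB", "attwifi"),
] + [(1.0 + i * 0.01, "deauth", "00:11:22:33:44:55", "") for i in range(25)]

def find_rogue_aps(frames, authorized, min_ssids=3):
    """Flag a BSSID answering probes for many unrelated SSIDs (the Jasager 'yes, I am
    that access point' pattern) or advertising an authorized SSID from a foreign address."""
    ssids_by_bssid = defaultdict(set)
    for _, frame, bssid, ssid in frames:
        if frame in ("beacon", "probe_resp") and ssid:
            ssids_by_bssid[bssid].add(ssid)
    findings = {}
    for bssid, ssids in ssids_by_bssid.items():
        reasons = []
        if len(ssids) >= min_ssids:
            reasons.append("answers probes for %d distinct SSIDs" % len(ssids))
        if bssid not in authorized and ssids & set(authorized.values()):
            reasons.append("impersonates an authorized SSID")
        if reasons:
            findings[bssid] = reasons
    return findings

def find_deauth_bursts(frames, window_s=1.0, threshold=10):
    """Return {bssid: peak count} of deauth frames seen within any `window_s` window when
    that exceeds `threshold`; attackers spoof the real AP address, so the rate is the tell."""
    times = defaultdict(list)
    for t, frame, bssid, _ in frames:
        if frame == "deauth":
            times[bssid].append(t)
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[bssid] = peak
    return flagged
```

On the constructed log the rogue address is flagged on both counts and the 25 deauth frames in a quarter of a second trip the burst detector, while the single legitimate beacon raises nothing.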
Pollet’s goal was for attendees to “gain a better understanding of the risks of deploying wireless technology in an insecure way that exposes their control systems,” he said. “Conversely, they should have also gained a more comfortable feeling of knowing when wireless is deployed in a secure way; it can be as secure as wired systems.” He wanted to expose the risks, but also educate the attendees that they can implement wireless in a secure method.
Since Pollet and Cummins demonstrated wireless attacks on industrial wireless (traditional 900 MHz spread spectrum and Zigbee), as well as enterprise wireless (802.11 WiFi), anyone who used wireless technology in any way, either at home or at work, could gain value from this exercise. Pollet wanted to appeal to both the casual user of wireless technology and those who deploy and administer wireless technology on the plant floor or in the corporate IT environment.
Pollet got his wish as attendees left the presentation. Michael DuFalla, Bechtel Bettis, Monongahela, Penn., learned that, “unless you take the right precautions in setting up your wireless, it can be very vulnerable to simple attacks,” he said. “I didn’t realize it was that easy.”
“I knew it was very easy to crack WEP but didn’t realize how open WPA and WPA2 are as well,” said Marty Van Der Sloot, Interstates Control Systems, Inc., Sioux Falls, S.D. “I would like to see how much work it takes to crack a network that isn’t broadcasting its SSID. How much ‘protection’ does that give you?”