cyber sabotage

Could the computer in your car be hacked?

As vehicles are increasingly computerized, researchers and industry officials consider it inevitable that cars will face the same vulnerabilities as PCs. Internal computer networks monitor and control everything from brakes, engines and transmissions to air bags and keyless-entry functions. Wireless connections, meanwhile, are becoming more common in reporting a vehicle’s position or providing information about the car’s functions. Some auto companies are creating applications to allow users to control some features in their car with their smart phone.

On 10 March, 2011 there was a news update that “Researchers had found that cars can be hacked and remotely controlled”. Several news collections covered it extensively.
Key findings of the research work carried out by Stefan Savage, a computer science professor at the University of California, San Diego, and Yoshi Kohno, a computer science professor at the University of Washington, are:
  • able to “bypass rudimentary network security protections within the car”
  • “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine and so on”
  • an attack could embed malicious code in a vehicle and then erase any evidence of its presence after a crash
  • found ways to compromise security remotely, through wireless interfaces like Bluetooth, mechanics’ tools and even audio files.
  • In one example, a modified song in a digital audio format could compromise the car’s CD player and infect other systems in the vehicle.
  • Researchers were able to “obtain complete control” over the car by placing a call to the vehicle’s cell phone number and playing an audio signal that compromised the vehicle.
Key findings of Research teams at Rutgers University and the University of South Carolina:
  • showed vulnerabilities of in-car wireless networks that operate tire-pressure monitoring systems that tell motorists if their tire needs more air. From a distance of 40 meters, they bypassed security to tap into information identifying the tire and tire pressure of cars driving down the road.
Some important quotes to be noted are:
  • “I hope it’s more of a warning for the engineering groups that certain systems are vulnerable,” said Ivan Seskar, associate director for information technology at the Wireless Information Network Laboratory at Rutgers University.
  • “When people first started connecting their PCs to the Internet, there wasn’t any threat, and then over time it manifests,” said Stefan Savage, a University of California, San Diego, computer science professor who conducted the research. “The automotive industry, I think, has the benefit of the experience of what we went through.”
The United States Council for Automotive Research, a group funded by Detroit’s auto companies, is also forming a task force to study the issue, said spokeswoman Susan Bairley.
The research papers can be accessed from here. The project Electronic Vehicle Controls and Unintended Acceleration has been completed, and its reports can be read from here:


Looking for a Solution


Security in automobiles is becoming priority number one for manufacturers. The share of electronic components inside cars is larger than ever, and the reliability of these software components has become a prime concern. Consortia between manufacturers (Autosar, Jaspar, …) have been created in order to standardize the management software of the electronic systems for the automobile industry.
Different security needs have been explored by the automobile industry, including:
  • the need to secure the security-critical software components on board cars (starting system, braking system, ABS emergency braking system…)
  • the securing of control station updates for the manufacturer’s car dealers.
  • the need for quality control through software certification, especially for subcontracted software.
Validy Technology, by ensuring the integrity of the embedded software, protects all the equipment from all possible forms of piracy.

[Series 01] Indian SCADA Systems – Current Status?

SCADA, i.e. Supervisory Control And Data Acquisition, is a real-time industrial process control system used to centrally monitor and control remote or local industrial equipment such as motors, valves, pumps, relays, etc. SCADA is used to control:

  • chemical plant processes,
  • oil and gas pipelines,
  • electrical generation and transmission equipment,
  • manufacturing facilities,
  • water purification and distribution infrastructures etc.
On 31 July, 2012 news broke of a blackout in 20 states of India due to the failure of the Northern Electricity Grid, which subsequently led to the failure of the Eastern and North Eastern Electricity Grids.

Although all the political parties and the news channels kept broadcasting that this was caused by the excessive drawing of electrical power by a few states, being an independent cyber security researcher working in SCADA security, my intuition isn’t ready to accept the statement given by India’s Power Grid Corporation:
“There was overdrawing of power as the demand peaked. 
As a result, two to three grids tripped simultaneously.”
My query is:
In the summer season (in 2012), there was a time when the demand for power supply was so high that most parts of cities in Northern India could not get electricity for 8-10 hours a day (my personal experience). In such a critical demand period nothing happened!
There was only load-shedding but no failure of any electricity grid.
Why so?
Weren’t the states now being blamed by the Central Government
drawing electricity in excess at that time?
If yes, then why didn’t the Power Grid failure occur at that time?

to be continued…

Neelabh Rai
Cyber Entrepreneur
Independent Cyber Security Researcher

“Protect your software from Piracy, IT Systems from Sabotage by using ‘patented’ Validy Technology”

More SCADA Vulnerabilities Discovered by Italian Researcher Luigi Auriemma in Industrial Systems – A Brief Overview

SCADA vulnerabilities continue to surge as Italian security researcher Luigi Auriemma found holes in six different systems. Companies suffering the vulnerabilities range from Rockwell Automation to Beckhoff.

The vulnerabilities found in such companies’ products include:

  1. AzeoTech DAQFactory Stack Overflow
  2. Beckhoff TwinCAT ‘TCATSysSrv.exe’ Network Packet Denial of Service Vulnerability
  3. Cogent DataHub Multiple Vulnerabilities
  4. Measuresoft ScadaPro Multiple Vulnerabilities
  5. Progea Movicon Multiple Vulnerabilities
  6. Rockwell RSLogix Overflow Vulnerability

All vulnerabilities came with proof-of-concept (PoC) code which can exploit the vulnerabilities. These vulnerabilities range from denial of service (DoS), to information disclosure, to complete remote code execution. 

Following is a breakdown on the individual vulnerabilities found in the above systems:

  1. AzeoTech DAQFactory Stack Overflow: There is one stack overflow vulnerability with PoC exploit code affecting AzeoTech DAQFactory, a SCADA/HMI product. The vulnerability is exploitable via a service running on Port 20034/UDP, according to the report.
    DAQFactory is SCADA and HMI software used in multiple industries including water, power, and manufacturing. DAQFactory installations are primarily located in the United States and Europe.
  2. Beckhoff TwinCAT ‘TCATSysSrv.exe’ Network Packet Denial of Service Vulnerability: There is a vulnerability with PoC exploit code affecting Beckhoff TwinCAT, a SCADA/HMI product. Services running on Port 48899/UDP are vulnerable, according to the report.
    Beckhoff TwinCAT is a software system capable of controlling multiple PLCs in a system. It sees use in industries including manufacturing, energy, water and wastewater, and building automation.
    Beckhoff’s headquarters is in Verl, Germany.
  3. Cogent DataHub Multiple Vulnerabilities: There are four vulnerabilities with PoC exploit code affecting Cogent DataHub. The vulnerabilities are remotely exploitable through the following ports: Stack Overflow, Remote – Ports 4052 and 4053; Integer Overflow, Remote – Port 80; Directory Traversal, Remote – Port 80; and Information Exposure, Remote – Port 80.
    Cogent DataHub is SCADA management software that sees use in industries including manufacturing, energy, financial, and pharmaceuticals.
  4. Measuresoft ScadaPro Multiple Vulnerabilities: There are multiple vulnerabilities with PoC exploit code affecting Measuresoft ScadaPro. The vulnerabilities are remotely exploitable through Port 11234/UDP, according to the report.
    ScadaPro is a SCADA system used in power generation, oil and gas, pharmaceuticals, and manufacturing.
    Measuresoft Development Ltd. has headquarters in Louth, Ireland, with an office in Missouri City, Texas.
  5. Progea Movicon Multiple Vulnerabilities: There are three vulnerabilities with PoC exploit code affecting Progea Movicon PowerHMI Version 11, a SCADA/HMI product.
    Movicon 11 is an HMI development system that uses a web-enabled architecture based on Java, including drivers for PLCs. PowerHMI Version 11 is based on SCADA HMI Movicon Version 11.
    Movicon sees use primarily in Italy, with a small percentage of installations in other European countries.
  6. Rockwell RSLogix Overflow Vulnerability: There is an overflow vulnerability with PoC exploit code affecting Rockwell RSLogix 19. Services running on Port 4446 are vulnerable to a memory overflow, according to the report.
    Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries. The Rockwell RSLogix family is a group of ladder logic programming packages that operate on Microsoft Windows operating systems. RSLogix 5 supports the Allen-Bradley PLC-5 family of programmable controllers.
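As an added defensive example (not from the original post or the vendors' advisories), the following Python checks firewall log lines for traffic to the service ports named above coming from outside an engineering subnet. The log format, the subnet and the sample lines are constructed for the demo, and TCP is assumed for the Cogent and Rockwell ports because the post does not state their transport.

```python
import re
import ipaddress

# Service ports named in the advisory summaries above. Transport for the Cogent and
# Rockwell ports is not stated in the post; TCP is assumed here. DataHub's port 80
# is left out because matching all HTTP would drown the alert in noise.
SCADA_SERVICES = {
    (20034, "udp"): "AzeoTech DAQFactory",
    (48899, "udp"): "Beckhoff TwinCAT TCATSysSrv.exe",
    (4052, "tcp"): "Cogent DataHub",
    (4053, "tcp"): "Cogent DataHub",
    (11234, "udp"): "Measuresoft ScadaPro",
    (4446, "tcp"): "Rockwell RSLogix",
}

# Assumption: only the engineering workstation subnet may talk to these services.
ENGINEERING_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample in a simple firewall-log shape: "<ts> <proto> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2012-09-01T10:00:01 udp 10.10.5.12 -> 10.20.1.7:20034
2012-09-01T10:00:05 udp 192.168.77.4 -> 10.20.1.7:20034
2012-09-01T10:01:00 tcp 172.16.9.21 -> 10.20.1.9:4446
2012-09-01T10:01:30 tcp 10.10.5.3 -> 10.20.1.9:4052
2012-09-01T10:02:00 tcp 10.10.5.3 -> 10.20.1.9:443
2012-09-01T10:02:10 udp 192.168.77.4 -> 10.20.1.11:11234
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (udp|tcp) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    """Returns (ts, proto, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, port = m.groups()
    return ts, proto, ipaddress.ip_address(src), dst, int(port)

def find_exposures(log_text, allowed_nets=ENGINEERING_NETS):
    """Flags connections to the listed SCADA service ports from hosts outside allowed_nets."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, port = rec
        product = SCADA_SERVICES.get((port, proto))
        if product is None or any(src in net for net in allowed_nets):
            continue
        alerts.append({"ts": ts, "src": str(src), "dst": dst, "port": port, "product": product})
    return alerts
```

Each alert names the product whose advisory the port belongs to, so an operator can check whether that host is actually running the affected version.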

Note: The full names of the abbreviations used above are given below for general understanding.
  • PoC: Proof-of-Concept
  • SCADA: Supervisory Control and Data Acquisition
  • HMI: Human-Machine Interface
  • PLC: Programmable Logic Controller


Validy Technology: A program protection method that really works

Validy Technology (VT) is a program protection method. It uses a secure coprocessor and manipulates variables mandatory for the correct execution of the program inside this coprocessor.

The secure coprocessor uses a silicon chip which can take several different form factors:

  • USB key,
  • SIM module,
  • MMC card,
  • Smart card,
  • SMD device…

VT is effective against software piracy as well as against software and data tampering: it not only prevents illicit program execution but can also ensure that program execution is not altered and that program data is not copied or modified, even when execution is taking place in a hostile environment.

VT is based on a “subtractive” protection method, hiding “critical portions” of the program in the coprocessor, but instead of securely executing “Remote Procedure Calls”, it secures part of the program state. In other words, it permanently keeps some of the program variables in the coprocessor, and during execution of the program the values of the variables residing in the coprocessor are modified. VT ensures secure execution of the modifications by sending encrypted instructions to the coprocessor (instructions are encrypted at compilation time). Only when absolutely necessary is the value of one of the variables residing inside the coprocessor, or better still, information derived from one or several of those variables, transmitted back to the main part of the program. VT security is based on the extreme difficulty for an attacker of regenerating correct values during those transmissions.

For added security, the coprocessor continuously monitors the conformance of the instruction flow to what was planned at program compile time. To this end, the coprocessor architecture and instruction set are designed with additional special fields allowing automatic real-time monitoring of the chaining of the instructions. This security mechanism is simple to implement yet extremely powerful. If the coprocessor detects an anomaly, it can take retaliation measures forcing the program to stop: if the coprocessor stops working, part of the program state is suddenly missing and the program cannot continue working.
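As an added illustration of the two mechanisms just described (this is not Validy's code or design, only a simplified model), the following Python keeps part of a program's state in a simulated coprocessor, tags each instruction at "compile time" with the id of the instruction that must precede it, and halts with its state wiped when the chain is broken or an instruction is forged. The key, the instruction set and the use of a MAC in place of the encryption the page mentions are assumptions.

```python
import hmac
import hashlib

# Assumption: a key fixed at 'compile time' and shared with the coprocessor. The page
# says instructions are encrypted; this toy authenticates them with a MAC instead.
KEY = b"constructed-demo-key"

def tag(iid, prev, op, name, arg):
    """Binds an instruction's fields, including its required predecessor, to the key."""
    body = f"{iid}|{prev}|{op}|{name}|{arg}".encode()
    return hmac.new(KEY, body, hashlib.sha256).digest()[:8]

class Coprocessor:
    """Holds variables the host never sees and checks instruction chaining."""
    def __init__(self):
        self.vars, self.last_id, self.halted = {}, 0, False

    def execute(self, instr):
        iid, prev, op, name, arg, mac = instr
        # Anomaly: wrong predecessor (skipped or reordered instruction) or forged fields.
        if self.halted or prev != self.last_id or \
                not hmac.compare_digest(mac, tag(iid, prev, op, name, arg)):
            self.halted, self.vars = True, {}   # retaliation: the host loses its state
            raise RuntimeError(f"coprocessor halted at instruction {iid}")
        if op == "set":
            self.vars[name] = arg
        elif op == "add":
            self.vars[name] += arg
        elif op == "mul":
            self.vars[name] *= arg
        self.last_id = iid

    def derive(self, name, modulus):
        """Only derived information leaves the coprocessor, never the raw variable."""
        return self.vars[name] % modulus

def compile_program(ops):
    """'Compile time': number the instructions, chain each to its predecessor, tag it."""
    prog, prev = [], 0
    for iid, (op, name, arg) in enumerate(ops, start=1):
        prog.append((iid, prev, op, name, arg, tag(iid, prev, op, name, arg)))
        prev = iid
    return prog

# Constructed program: counter = (7 + 5) * 3 = 36, computed entirely in the coprocessor.
PROGRAM = compile_program([("set", "counter", 7), ("add", "counter", 5), ("mul", "counter", 3)])

def run_or_none(program):
    """Runs the stream on a fresh coprocessor; None means it halted and the state is gone."""
    cp = Coprocessor()
    try:
        for instr in program:
            cp.execute(instr)
        return cp.derive("counter", 1000)
    except RuntimeError:
        return None
```

Dropping, reordering or altering any instruction in PROGRAM makes run_or_none return None, which is the "part of the program state is suddenly missing" outcome the text describes.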

With the execution of a few coprocessor “XOR” instructions, or with the execution of a specially designed coprocessor “MutualCheck” instruction, this security mechanism is simply extended to mutually protect several different computations executed inside the coprocessor, i.e. if one computation is modified or suppressed, another one will fail. Mutual protection, in turn, greatly enhances VT’s protection abilities:

  • Mutual protection prevents an attacker from using a “divide and conquer” approach to gradually remove protections.
  • Mutual protection allows the coprocessor to verify program integrity during execution by executing integrity checks that cannot be removed. One very effective such check is to verify that the calling graph of the program is not modified.
  • Mutual protection allows a background thread to protect real-time threads.
  • Mutual protection allows protected programs to mutually protect each other. For instance, to attack a client program, one must also attack the server program.
  • Mutual protection allows data protection by permitting effective generation/checking of data authentication information or by permitting effective encryption/decryption of data.

VT rests on well-known computer science principles. Its implementation doesn’t present major stumbling blocks and doesn’t require secret know-how. VT doesn’t require a secure machine to execute on, just a secure coprocessor. It can work with any operating system or even with embedded systems.

Protection of a program must be done by the software publisher creating or maintaining the program. During the protection of a program, most of the protection work is automatic, because moving variables to the coprocessor and modifying them there is a classical compilation problem similar to the use of an arithmetic coprocessor. Also, most of the program integrity verification (for instance verifying the chaining of the instructions or protecting the calling graph) can be automated with a compiler.

Several manufacturers already build secure microcontrollers that can be used for VT. Those components are generally designed for banking card applications; they have a low price tag and a high security level. With an appropriate program runtime and microcontroller firmware, the microcontroller can be seen by the program as a “loosely coupled” coprocessor, plugged for instance into the USB bus, without requiring any hardware change to the machine.

Despite the loose coupling between the main processor and the coprocessor, the execution inside the coprocessor takes place concurrently with the execution of the main part of the program, and the program slowdown is minimal.

We have gone all the way from inventing the concepts, protecting the intellectual property, implementing a USB coprocessor and the associated runtime for Windows, and implementing two compilers (one for Java and one for .NET), to finally demonstrating that protected programs run with acceptable performance. We now intend to grant licenses to interested parties. Anyone interested in Validy Technology should feel free to contact us. CYBER COPS India will be happy to provide expert services together with the original inventors and patent holders, Validy Net Inc.


The Journey of Stuxnet – The Cyber Missile for Cyber Sabotage of Critical Infrastructure

Stuxnet is a computer worm discovered in July 2010. It targets Siemens industrial software and equipment running on Microsoft Windows. While it is not the first time that crackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.

Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran.

The worm was first reported by the security company VirusBlokAda in mid-June 2010. Journalist Brian Krebs’s 15 July 2010 blog posting was the first widely read report on the worm. Its name is derived from some keywords discovered in the software. A timeline of the journey of Stuxnet is provided here. Enjoy the journey of Stuxnet…

TimeGlider Reference:
Author: Kim Zetter
