Recap of Season 1, Episode 5 - 'Reverse Engineering Our Connected Life with Waylon Grange'

For this episode of ‘Smarter Everything’ my guest is Waylon Grange, a seasoned security researcher and engineer with a rich background in cryptography, protocol analysis, and industrial control systems. Waylon has dedicated his career to safeguarding critical infrastructure, exposing threat actors, and understanding the intricacies of malware. 

We cover a variety of topics including what Industrial Control Systems are, Cryptography, and the benefits and dangers that come with them. In addition to these interesting topics, we will also talk about Waylon Grange's past experiences and try to learn something from them. 

Key Takeaways

• Reverse Engineering, or ‘RE’ is a critical tool for understanding, predicting and solving malware issues.
• Many Industrial Control Systems (ICS) such as the power grid, water systems and other pieces of critical infrastructure are connected to the internet and are at serious risk of being targeted by a malicious state sponsored threat actor. A successful attack against one of these systems has the capability to change our everyday lives. 
• ‘The scale of the security vulnerabilities of connected things is staggering. Even the solar panels on your roof are at risk. 
• Individual products may have an adequate level of security built in, but the cloud component of that interface may not, which still puts that product data at serious risk.
• The development of public security specifications and standards are exciting steps forward to help solve the widespread security issues associated with connected devices and sensors.

Episode Link:

https://www.afero.io/html/home/smartereverything.html

Some highlights from the conversation:

Bret Jordan: The idea of connecting products and systems to computers is not new, nor is it limited to light bulbs, ceiling fans, and garage door openers in the consumer space. In fact, back in the 1960s, industrial control applications started using the SCADA protocol as a means of connecting these industrial control systems or ICS systems. Today, nearly every aspect of critical infrastructure is controlled by an ICS system. These systems control power stations, water filtration systems, stop lights, hydroelectric and nuclear power plants, and much, much more. One concept that will come up today is the concept of reverse engineering or RE. This is often discussed in regards to malware analysis. It is the simple idea of taking the malware or malicious application, tearing it apart, and figuring out exactly how it works by inspecting every bit of the code. RE work can apply to many different things, including undocumented communication protocols or even cryptographic systems. 

Waylon Grange: I'm doing reverse engineering and looking at ICS devices trying to understand the protocol that they're speaking. A lot of times that's a proprietary protocol and it's not documented. So we're looking at how may an attacker use that to issue tasks to the ICS device, and then reversely as a defender, how can we then detect when somebody's trying to tell a device to do something nefarious, possibly hidden to the front end? ICS devices are industrial control systems. They have the capability to control various things, and the airline as well as hospitals utilize a substantial number of these devices. Critical infrastructure, including power, water, and public utilities, heavily relies on these types of devices. 

Bret Jordan: Yeah, so I think, for the listeners, the industrial control system, or ICS system, encompasses all vital infrastructure such as the power grid, water systems and telephone infrastructure. These elements are interconnected and have a smart and connected aspect, which relates to the topics discussed on this podcast. You are recognized as one of the foremost experts in reverse engineering within this field and are actively engaged in extensive analysis and assembly-level work. I know you have previously conducted significant research on cryptosystems and their different implementations. I recall you mentioning your experience with solar panels or a related area within the context of the smart and connected space. 

Waylon Grange: That was a project I did back in 2020. I found myself with some spare time at home, as many of us were home a lot that year. My neighbor had just gotten this new solar panel system installed, and he was describing all the features and how he can control it with his phone. As he kept describing things, I was intrigued, like that's interesting, but it doesn't quite sit well with me, so I wanna look at it. Thus, I found myself a similar model to his on eBay, (I didn't test on his system). I purchased similar solar panels and began conducting vulnerability analysis on it and trying to understand its communication with the cloud and its functionality. Once I had access to the firmware image, I started exploring potential attack vectors. It dawned on me that it had a hook on the authentication module, as if someone had implemented a custom authentication hook. This meant that changing the /etc/shadow or the /etc/passwd file wouldn't even be utilized. Instead, they were relying on this custom hook linked to the serial number. Intrigued, I delved into reverse engineering that process and discovered that the password was hard coded based on the serial number. It was derived from the serial number and couldn’t be altered, resulting in numerous vulnerabilities. Interestingly, the serial number was widely accessible. It was printed on the outside of the shipping box, and appeared in three different physical locations on the device. If you visit the webpage, it is on there as well. So it's pretty simple for an attacker once they've found this vulnerability to just SSH into anybody's solar panel controller and then muck with the settings or the features of the solar panel controller. 

Bret Jordan: It’s amazing how many of these companies just get this fundamental security stuff wrong. As you start contemplating the ways to compromise those systems and progress laterally within the home network to gain access to more sensitive or personally valued assets, it becomes unnerving. What’s truly alarming is the sheer number of individuals and companies that fail in this aspect. At times, they neglect even the basic security practices, which is genuinely concerning. When you access it, you realize that if they can’t accomplish the fundamentals, it’s evident that they aren’t implementing any of the more advanced security measures.

Waylon Grange: We conducted an additional audit for a security product designed as a local alert system in case of emergencies. It allowed users to receive radio signals or local messages. However, the device included a cloud component where it would connect to the cloud and retrieve messages. During our analysis, we discovered that the device had overly permissive cloud permissions. While the device itself was reasonably secure, its cloud counterpart wasn’t adequately protected. This presented a significant vulnerability. With those cloud permissions, we could navigate through the cloud and identify devices communicating with it. We also could determine their respective permissions. Essentially, by compromising a single device, I obtained access to the cloud, which in turn granted me permissions to all other devices connected to it. 

Bret Jordan: When I've examined numerous IOT devices available on the market, including smart and connected devices such as cameras, it's alarming to see how many of them utilize shared symmetric keys, or a common private key across all devices for their S3 bucket, where all videos are stored. It makes me wonder if people realize that if the cloud and the devices both possess the symmetric key, which is hard coded, then both parties can access all the activities. Similarly, if a shared private key is used across all of the devices, then each device can access recordings from all other devices. People desire privacy within their homes and expect confidentiality for their cameras and other devices, but when they unknowingly purchase such products, they inadvertently expose themselves to potential monitoring and surveillance. Do you have any thoughts on this IoT smart and connected space? What are you excited to see or worried about? What are you looking forward to in terms of where you think this is going to go?

Waylon Grange: I'm fairly excited going forward. There are concerns that are always going to be there for me, but we talked about some of them. I like that there are some public specs going forward. Having a baseline for what’s secure is exciting. Even vendors are realizing that they need to take this seriously. They can’t just throw on whatever the easiest solution is to get the job done. They actually have to consider the lifecycle of the device–how to update and repair it if there is an issue. One must try to have it secure from the start, right? It has to be planned into the development process, and we're seeing vendors start to do that. So overall, I feel like it's getting better. Generally, I think the future's optimistic for IoT.