cRio + Metasploit = :D

[mobilegamer999]

Today I was scanning our local network for *reasons* and I noticed that the cRIO had some open open ports. So then I decided to run a vulnerability scan with nessus and it turned out to have 2!!!! high priority security vulnerabilities. The first was a FTP vulnerability to allow for un-authorized read/write access to the cRIO and the second was a vxworks vulnerability allowing for remote reading and writing of any sector of data and also remote code execution. From this, as a proof of concept, I then used Metasploit which had a BUILT-IN exploit for rebooting a VXWorks machine by the IP address alone. Not sure what SHOULD be done about this issue, I just thought I would bring it to the public's attention that it exists.

TL;DR version
cRIO Vulnerabilities = Un-Authorized FTP + Remote Code Execution
Tools = Metasploit + Nessus
5-Second Result = Reboot any robot without credentials

[EricVanWyk]

I'd like to point out a few quick things.

1) Both of these "exploits" are actually features. The FTP allows you to upload code. The remote reboot allows you to, well, remotely reboot.

2) Both of these require you to be part of the same network as the cRIO. In competition, the 6 robots are essentially on 6 separate networks.

3) Unless you hand out your wireless key, you are fine.

[mobilegamer999]

The FTP and Remote Reboot ARE both features, but what I found was exploits that allows you to remotely connect to the FTP and reboot WITHOUT having any kind of login credentials, granted the logins for all the robots are the same, so theres really no difference in the security, but it was just an interesting find.

[Trent B]

Where the Metasploit bit gets really interesting is the ability to reboot systems without authentication. With the amount of stuff that uses vx-works to run it is a little worrying what could possibly be done if someone hacked into a network.

A few wikipedia examples:

Robots
BMW iDrive
787 and 747-8 Planes
WRT54G Router
Apache Longbow Attack Helicopter
Lots of spacecraft.

Someone with the wrong motives could add something to get into a network (say of an Apache) and reboot it putting its operators or others in danger.

[Chris is me]

Quote:

Originally Posted by Trent B

Where the Metasploit bit gets really interesting is the ability to reboot systems without authentication. With the amount of stuff that uses vx-works to run it is a little worrying what could possibly be done if someone hacked into a network.

Have fun breaking WPA2 encryption in 3 days. (You can't.)

[EHaskins]

Quote:

Originally Posted by Chris is me

Have fun breaking WPA2 encryption in 3 days. (You can't.)

You could, but first you have to prove P = NP.

[Joe Ross]

Quote:

Originally Posted by Trent B

Someone with the wrong motives could add something to get into a network (say of an Apache) and reboot it putting its operators or others in danger.

I think if someone was able to walk up to an Apache Helicopter and plug a network cable in, undetected, the Army has much bigger problems then a single Apache being rebooted in flight.

[artdutra04]

Quote:

Originally Posted by Joe Ross

I think if someone was able to walk up to an Apache Helicopter and plug a network cable in, undetected, the Army has much bigger problems then a single Apache being rebooted in flight.

Several years ago, photos and videos from the Predator drone cameras were found on insurgents' computers in Iraq and Afghanistan.

The Predator drone used an unencrypted communication protocol so ground troops could view the video on portable video receivers.

They never counted on anyone else "flipping through the channels", and then googling how to fix a scrambled video feed.

The lesson? NEVER rely on security through obscurity.

[Chris is me]

Quote:

Originally Posted by artdutra04

Several years ago, photos and videos from the Predator drone cameras were found on insurgents' computers in Iraq and Afghanistan.

The Predator drone used an unencrypted communication protocol so ground troops could view the video on portable video receivers.

They never counted on anyone else "flipping through the channels", and then googling how to fix a scrambled video feed.

The lesson? NEVER rely on security through obscurity.

While I wholeheartedly agree, Joe Ross has a pretty good point. It's far easier to physically guard a wired router than it is to add security. If insurgents can get close enough to an Apache to connect to the network that vxworks resides on, they can disrupt its flight any number of other ways and someone made a terrible mistake

[GGCO]

Quote:

Originally Posted by Chris is me

While I wholeheartedly agree, Joe Ross has a pretty good point. It's far easier to physically guard a wired router than it is to add security. If insurgents can get close enough to an Apache to connect to the network that vxworks resides on, they can disrupt its flight any number of other ways and someone made a terrible mistake

Slightly off topic, but..

If the insurgents are close enough to the apache, why aren't they dead?

Anyways.....

[Trent B]

Quote:

Originally Posted by Joe Ross

I think if someone was able to walk up to an Apache Helicopter and plug a network cable in, undetected, the Army has much bigger problems then a single Apache being rebooted in flight.

I am not saying that someone walks in off the street into a base. What if someone in the assembly line or a mechanic for the army is really a double agent. I guess there are bigger problems to worry about at that point but it could still be costly.

And I thought WPA could be broken rather quickly if you see the handshake between the client and the host. Or does that only apply to WPA(1) not WPA2?

The Apache was just a random example, a disgruntled worker may be able to get into a cRio that would normally require authorization without it and cause a massive system to malfunction etc. With the number of things that run on it, anyone from a double agent to a disgruntled employee could cause issues.

[Zach O]

Quote:

Originally Posted by Trent B

And I thought WPA could be broken rather quickly if you see the handshake between the client and the host. Or does that only apply to WPA(1) not WPA2?

It's true for WPA2 also, but neither of them are quickly. You'd either have to brute force or run a dictionary/wordlist attack.