Today I was scanning our local network for reasons and I noticed that the cRIO had some open ports. So then I decided to run a vulnerability scan with Nessus and it turned out to have 2!!! high-priority security vulnerabilities. The first was an FTP vulnerability allowing unauthorized read/write access to the cRIO, and the second was a VxWorks vulnerability allowing remote reading and writing of any sector of data and also remote code execution. From this, as a proof of concept, I then used Metasploit, which had a BUILT-IN exploit for rebooting a VxWorks machine by the IP address alone. Not sure what SHOULD be done about this issue, I just thought I would bring it to the public’s attention that it exists. :yikes:
TL;DR version
cRIO Vulnerabilities = Un-Authorized FTP + Remote Code Execution
Tools = Metasploit + Nessus
5-Second Result = Reboot any robot without credentials
The FTP and remote reboot ARE both features, but what I found was exploits that allow you to remotely connect to the FTP and reboot WITHOUT having any kind of login credentials. Granted, the logins for all the robots are the same, so there’s really no difference in the security, but it was just an interesting find.
Where the Metasploit bit gets really interesting is the ability to reboot systems without authentication. With the amount of stuff that uses VxWorks to run, it is a little worrying what could possibly be done if someone hacked into a network.
A few Wikipedia examples:
Robots
BMW iDrive
787 and 747-8 Planes
WRT54G Router
Apache Longbow Attack Helicopter
Lots of spacecraft.
Someone with the wrong motives could add something to get into a network (say of an Apache) and reboot it, putting its operators or others in danger.
I think if someone was able to walk up to an Apache helicopter and plug a network cable in, undetected, the Army has much bigger problems than a single Apache being rebooted in flight.
While I wholeheartedly agree, Joe Ross has a pretty good point. It’s far easier to physically guard a wired router than it is to add security. If insurgents can get close enough to an Apache to connect to the network that VxWorks resides on, they can disrupt its flight any number of other ways, and someone made a terrible mistake.
I am not saying that someone walks in off the street into a base. What if someone on the assembly line or a mechanic for the Army is really a double agent? I guess there are bigger problems to worry about at that point, but it could still be costly.
And I thought WPA could be broken rather quickly if you see the handshake between the client and the host. Or does that only apply to WPA(1) not WPA2?
The Apache was just a random example; a disgruntled worker may be able to get into a cRIO that would normally require authorization without it and cause a massive system to malfunction, etc. With the number of things that run on it, anyone from a double agent to a disgruntled employee could cause issues.