Zoetermeer, 22 April 2022 - Dutchmen Daan Keuper and Thijs Alkemade are ethical hackers working for Computest Security. Recently they identified serious vulnerabilities in various systems used to control and manage industrial production processes. During the international hacker contest Pwn2Own in Miami they showed that through these vulnerabilities malicious parties can gain access to systems and take over, which can seriously disrupt production processes. Keuper and Alkemade won the competition and received a bug bounty of 90.000 USD. This is the second time the Dutch hacker duo has won Pwn2Own. Last year they were rewarded 200,000 USD by Zoom for the vulnerabilities found in its video conferencing platform.
During Pwn2Own, hackers must demonstrate that they can take over systems through vulnerabilities that are not yet known (zero-day). If the vulnerabilities prove to be unknown and the discovery is significant, the hackers have a chance to win rewards. This edition of Pwn2Own was all about Industrial Control Systems (ICS). In a process called Smart Industry the manufacturing industry is being digitized at an accelerated pace. Hackers were therefore invited to search for vulnerabilities in various categories of industrial software and systems.
Middle: Thijs Alkemade and Daan Keuper receive their 'Master of Pwn' award.
Vulnerabilities in Iconics, Inductive Automation and Aveva systems
In the course of their research, Keuper and Alkemade found vulnerabilities in the Control Server solutions category for connectivity, monitoring and management of various industrial systems. The vulnerabilities were demonstrated in the control servers Iconics Genesis64 and Inductive Automation Ignition. Hackers could use these vulnerabilities to fully take over systems.
Weaknesses were also found in the OPC Unified Architecture (UA) category. This is the universal translation protocol used by almost all ICS products to transmit data between systems from different vendors. Within the .NET implementation, Keuper and Alkemade demonstrated how unauthorized access can be obtained which can affect the possible operation of systems. In the C++ implementation, a Denial-of-Service (DoS) was found. As a result, systems may no longer be able to communicate with each other and could be brought to a standstill.
Also, the Computest Security hackers identified vulnerabilities in AVEVA Edge. This system was the target of research in the Human Machine Interface (HMI) category. An HMI allows administrators to access various hardware components. If an HMI is taken over by hackers, administrators no longer have insight into the status and any problems with the hardware. As a result, production processes can be seriously disrupted without immediate detection.
Left: Daan Keuper and Thijs Alkemade revealed a serious vulnerability during the final round of Pwn2Own Miami 2022 hacking competition.
Manufacturing plants interesting targets for hackers
Keuper and Alkemade's findings show that although digitalization in the industrial world is catching up, security is still not getting proper attention.
Keuper: "What we saw in these ICS systems is comparable to the vulnerabilities found before in corporate IT systems. You could see them as the growing pains of software evolution, but they can have major consequences for production processes that in turn affect the entire supply chain. For organizations using these systems, it is important to realize that now factories are becoming more and more software-driven, they are also an interesting target for hackers."
Louis Priem, consultant at ICT Group, observes the big difference between security in IT systems and in industrial technology, the sector that his organization specializes in. "Although the impact of security incidents in this environment is potentially very high, there is less security awareness and insufficient knowledge to effectively deal with internal and external threats. Systems in factory environments typically run 24/7 so there is very little opportunity to patch vulnerabilities. In addition, there is a lot of legacy, as machines are purchased for the long term, and there is usually no opportunity to install antivirus applications. All these make the industrial sector vulnerable to malicious parties," says Priem.
Awareness of Security Connected Systems must be increased
Last year, Keuper and Alkemade’s research on Zoom was winner of Pwn2Own. They managed to take over the Zoom client and perform actions such as switching on the camera and microphone and reading emails. Investigations of Computest Security are carried out in their own lab, Sector 7. Keuper: "By continuously looking for vulnerabilities in connected systems for companies and consumers, we keep challenging ourselves. But we also want to create awareness among users and prevent them from working with systems without taking security seriously."
Founded in 2005, Computest are experts in Cybersecurity, Performance and DevOps. It consists of two divisions: Computest Security and Computest DevOps. Computest Security provides customers with independent advice & implementation in the field of risk management, continuous preventive security, performance, information security and governance control. Computest DevOps covers all possible roles and specialisations within DevOps. This is to guide organisations to a higher level of maturity in DevOps. Computest has about 200 specialists and is located in Zoetermeer.
Ethical hacker - Daan Keuper
t. 06 519 973 09
Communications & PR - Chantal Schepers
t. 06 235 099 23